Friday, October 5, 2007

w32RontokBro@mm

Size: 90 KB
Type: Worm
Affected system: Windows platform
Mode of spread: Removable disk

W32/RontokBro is a worm for the Windows platform.
W32/RontokBro will attempt to copy itself to network and removable drives, using filenames including Open.exe, Music.exe and Empty.pif.
The worm will also create an autorun.inf file so that it is automatically run when the drive is accessed.
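The spread mechanism described above leaves a recognisable footprint on a mounted drive. The Python scan below is an added example, not code from the original write-up or from any vendor analysis: it looks for the copy names given on this page (Open.exe, Music.exe, Empty.pif, and the smss.exe/shell.exe/IExplorer.exe/System32.exe names dropped on first run), for a "Name .exe" companion sitting beside a real "Name.exe", and for an autorun.inf whose open=, shellexecute= or shell\verb\command= entries launch a program. The function names, and the directory built by make_sample_root(), are constructed for the demonstration; point scan_root() at a real drive root instead.

```python
"""Scan a drive for the on-disk footprint described above: the worm's copy
names, "Name .exe" companions beside real executables, and an autorun.inf
that launches them.

Added example, not part of the original write-up. DROPPED_NAMES comes from
the description; make_sample_root() builds a constructed directory so the
scan can be exercised without an infected drive.
"""
import configparser
import os
import re
import tempfile

# Filenames the description says the worm copies itself to (compared lower-case).
DROPPED_NAMES = {"open.exe", "music.exe", "empty.pif", "smss.exe",
                 "shell.exe", "iexplorer.exe", "system32.exe"}
# "Example .exe": one or more spaces between the base name and the extension.
COMPANION_RE = re.compile(r"^(.+?) +\.exe$", re.IGNORECASE)


def autorun_targets(path):
    """Return the programs an autorun.inf would launch when the drive is opened."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            cp.read_string(fh.read())
    except configparser.Error:
        return []  # not parseable as an INI file: nothing would run from it
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):  # configparser lower-cases key names
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value.strip())
    return targets


def scan_root(root):
    """Walk `root` and return sorted (kind, relative_path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            low = fname.lower()
            if low in DROPPED_NAMES:
                findings.append(("dropped_name", rel, ""))
            m = COMPANION_RE.match(fname)
            if m and (m.group(1).lower() + ".exe") in by_lower:
                # companion file only counts when the real executable sits beside it
                findings.append(("companion", rel, by_lower[m.group(1).lower() + ".exe"]))
            if low == "autorun.inf":
                for target in autorun_targets(os.path.join(dirpath, fname)):
                    findings.append(("autorun", rel, target))
    return sorted(findings)


def make_sample_root():
    """Build a constructed directory that mimics an infected removable drive."""
    root = tempfile.mkdtemp(prefix="rontok_demo_")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "tools"))
    for rel in ("Open.exe", "Music.exe", "Empty.pif",
                os.path.join("docs", "Report.exe"), os.path.join("docs", "Report .exe"),
                os.path.join("docs", "notes.txt"), os.path.join("tools", "Clean.exe")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"demo")  # placeholder content; only the names matter here
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=Open.exe\nshellexecute=Music.exe\nicon=Music.exe\n")
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_root()
    for kind, rel, detail in scan_root(root):
        print(f"{kind:13} {rel}  {detail}")
```

Run it with the mount point of the drive as the only argument; without an argument it scans the constructed sample. The companion check deliberately requires the original executable to be present in the same folder, which is what separates the pattern described here from a file that merely happens to contain a space.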
When first run, W32/RontokBro copies itself to some of the following filenames:

\fonts\smss.exe
\oobe\isperror\shell.exe
\IExplorer.exe
\System32.exe
\Empty.pif

and creates the following file:

\Autorun.inf - may be deleted.

W32/RontokBro also attempts to copy itself to existing filenames with EXE extensions, but with an extra space between the filename and the extension, e.g. if it finds the file "Example.exe" it may copy itself to the same folder as "Example .exe".

W32/RontokBro attempts to terminate processes, close windows and delete registry entries related to security and anti-virus applications, and may restart an infected computer.

W32/RontokBro may also display a fake error message with the title "Warning" and the text "Illegal Application", before attempting to terminate processes related to security and anti-virus applications.

The following registry entries are set to run W32/RontokBro on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon\services = \fonts\smss.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell = \fonts\smss.exe
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = \userinit.exe, \fonts\smss.exe
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\kb
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\services

W32/RontokBro may set the following registry entries to run files other than itself on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger = \Shell.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\kbdrivers\AUTO.txt

Some of the following registry entries are set or modified, so that W32/RontokBro is run when files are run with the extensions listed:

HKCR\exefile\shell\open\command (default) = \fonts\smss.exe %1 %*
HKCR\lnkfile\shell\open\command (default) = \oobe\isperror\shell.exe %1 %*
HKCR\piffile\shell\open\command (default) = \oobe\isperror\shell.exe %1 %*
HKCR\batfile\shell\open\command (default) = \oobe\isperror\shell.exe %1 %*
HKCR\comfile\shell\open\command (default) = \oobe\isperror\shell.exe %1 %*

Some of the following registry entries may also be set, usually to one of two values:

HKCR\exefile (default)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoShellSearchButton
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPathAddress
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disable
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disable
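The registry changes listed above can be audited offline from an export of the relevant keys rather than on the live (and possibly locked-down) system. The Python below is an added example, not code from the original write-up: parse_reg_export() reads the string and dword values of a `reg export` file (reg export writes UTF-16, so the file is decoded first), and audit_reg() flags a replaced exefile/lnkfile/piffile/batfile/comfile handler, extra programs in Winlogon\Userinit, a changed Winlogon shell or SafeBoot AlternateShell, any value that launches one of the filenames the worm copies itself to, and the lockout policies (DisableTaskMgr, DisableRegistryTools, DisableCMD, NoFolderOptions and the rest). The function names are this example's own; SAMPLE_REG is constructed to mirror the entries in the description, with the Windows directory assumed to be C:\WINDOWS and shell.exe assumed to sit under system32\oobe\isperror for the demonstration.

```python
"""Audit a registry export for the persistence and policy changes listed above.

Added example, not part of the original write-up. Feed audit_reg() the text of
a `reg export` file or of a forensic registry dump converted to .reg syntax.
SAMPLE_REG is constructed: it mirrors the listed entries, with the Windows
directory assumed to be C:\\WINDOWS for the demonstration.
"""
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
FILE_CLASSES = ("exefile", "lnkfile", "piffile", "batfile", "comfile")
# Policy values from the description; any non-zero setting locks the user out of
# a recovery tool (Task Manager, regedit, cmd, folder options, System Restore).
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "disablecmd",
                    "nofolderoptions", "norun", "nocontrolpanel", "nodrives",
                    "nofind", "nodesktop", "disablesr", "disableconfig",
                    "disablemsi", "limitsystemrestorecheckpointing"}
# Filenames the worm copies itself to. smss.exe is legitimate only as the real
# System32\smss.exe, which is never launched from any of the keys listed above.
DROPPED_BASENAMES = {"smss.exe", "shell.exe", "iexplorer.exe", "system32.exe", "empty.pif"}
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # Undo .reg escaping (backslash-backslash and backslash-quote) in one pass.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Parse the .reg subset written by `reg export`: string and dword values."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue  # hex continuation lines and anything unrecognised are skipped
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        entries[key][name] = data  # other types (hex:, multi-line) are kept as raw text
    return entries


def _referenced_programs(data):
    """Map basename -> token for every program a value's data mentions."""
    refs = {}
    for part in str(data).split(","):
        for token in part.split():
            token = token.strip('"')
            refs[token.rsplit("\\", 1)[-1].lower()] = token
    return refs


def audit_reg(text):
    """Return (key, value_name, reason) findings for the behaviour described above."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        for name, data in values.items():
            n, s = name.lower(), str(data)
            if n == "" and s != '"%1" %*' and any(
                    k == f"hkcr\\{c}\\shell\\open\\command" for c in FILE_CLASSES):
                findings.append((key, name, "file-type handler replaced"))
            if k.endswith("\\winlogon") and n == "userinit":
                extras = [p.strip() for p in s.split(",")
                          if p.strip() and not p.strip().lower().endswith("userinit.exe")]
                if extras:
                    findings.append((key, name, "extra Userinit program: " + ", ".join(extras)))
            if k.endswith("\\winlogon") and n == "shell" and s.lower() != "explorer.exe":
                findings.append((key, name, "Winlogon shell replaced"))
            if k.endswith("\\safeboot") and n == "alternateshell" and s.lower() != "cmd.exe":
                findings.append((key, name, "Safe Mode shell replaced"))
            if "\\policies\\" in k and n in LOCKOUT_POLICIES and data not in (0, "0"):
                findings.append((key, name, "user lockout policy set"))
            hits = [t for b, t in _referenced_programs(s).items()
                    if b in DROPPED_BASENAMES and not t.lower().endswith("\\system32\\smss.exe")]
            if hits:
                findings.append((key, name, "references dropped file: " + hits[0]))
    return findings


# Constructed sample export mirroring the entries in the description.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\fonts\\smss.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\fonts\\smss.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\fonts\\smss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="C:\\WINDOWS\\system32\\oobe\\isperror\\Shell.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kb"="C:\\WINDOWS\\fonts\\smss.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
        text = blob.decode("utf-16") if blob.startswith(b"\xff\xfe") else blob.decode("utf-8", "replace")
    else:
        text = SAMPLE_REG
    for key, name, reason in audit_reg(text):
        print(f"{key}\\{name or '(default)'}: {reason}")
```

Given a path, the script reads a `reg export` file (UTF-16 with BOM) or a UTF-8 conversion of one; without a path it audits the constructed sample. A clean batfile handler and the ordinary ctfmon Run value produce no findings, while the replaced exefile handler, the extra Userinit program, the Safe Mode shell, the AeDebug debugger and the DisableTaskMgr policy are each reported.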
