W32rontokbro@mm size:90kb
Type:Worm
Affected system:Window Platform
Mode of spread:Removable disk
W32rontokbro@mm is a worm for the Windows platform. W32rontokbro@mm will attempt to copy itself to network and removable drives, using filenames including Open.exe, Music.exe and Empty.pif. The worm will also create an autorun.inf file so that it is automatically run when the drive is accessed.
When first run W32rontokbro@mm copies itself to some of the following: filenames:\fonts\smss.exe\oobe\isperror\shell.exe\IExplorer.exe\System32.exe\Empty.pif and creates the following file:\Autorun.inf - may be deleted.W32rontokbro@mm also attempts to copy itself to existing filenames with EXE extensions, but with an extra space between the filename and the extension, eg if it finds the file "Example.exe" it may copy itself to the same folder as "Example .exe" W32rontokbro@mm attempts to terminate process, close windows and delete registry entries related to security and anti-virus applications, and may restart an infected computer. W32rontokbro@mm may also display a fake error message with the title "Warning" and the text "Illegal Application", before attempting to terminate processes related to security and anti-virus applications.
The following registry entries are set to run the W32rontokbro@mm on startup:HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogonservices\fonts\smss.exe HKLM\SYSTEM\CurrentControlSet\Control\SafeBootAlternateShell\fonts\smss.exe HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonUserinit\userinit.exe, \fonts\smss.exe HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogonshell HKLM\Software\Microsoft\Windows\CurrentVersion\Runkb HKLM\Software\Microsoft\Windows\CurrentVersion\RunservicesW32/RontokBr may set the following registry entries to run files other than itself on
startup:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebugDebugger\Shell.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Runkbdrivers\AUTO.txt Some of the following registry entries are set or modified, so that W32rontokbro@mm is run when files are run with the extensions listed:HKCR\exefile\shell\open\command(default) \fonts\smss.exe %1 %*HKCR\lnkfile\shell\open\command(default)\oobe\isperror\shell.exe %1 %*HKCR\piffile\shell\open\command(default)\oobe\isperror\shell.exe %1 %*HKCR\batfile\shell\open\command(default)\oobe\isperror\shell.exe %1 %*HKCR\comfile\shell\open\command(default)\oobe\isperror\shell.exe %1 %*Some of the following registry entries may also be set, usually to one of two values:HKCR\exefile(default)
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AeDebugAuto HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerHideClock HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoControlPanel HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoControlPanel HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoFind HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoRun HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoShellSearchButton HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\SystemDisableCMD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\SystemDisableTaskMgr HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemDisableTaskMgr HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoFolderOptions HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoFolderOptions HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\SystemDisableRegistryTools HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemDisableRegistryTools HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDesktop HKLM\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestoreDisableConfig HKLM\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestoreDisableSR HKLM\SOFTWARE\Policies\Microsoft\Windows\InstallerLimitSystemRestoreCheckpointing HKLM\SOFTWARE\Policies\Microsoft\Windows\InstallerDisableMSI HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetStateFullPathAddress HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHideFileExt HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHidden HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedShowSuperHidden HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonLegalNoticeCaption HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonLegalNoticeText HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldAppDisable HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldAppDisable
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment