
Monday, May 7, 2007

2) Suffering from RONTOKBRO

Here are the details that can be useful to you.


CATEGORY DESCRIPTION


Virus-like program that spreads automatically to other computers by sending itself out by email or by any other means. A program that propagates itself by attacking other machines and copying itself to the affected machine.

Worms have self-replicating code that travels from machine to machine by various means. A worm's first objective is merely propagation. Worms can be destructive depending on what payload they have been given. Worms may replace files, but do not insert themselves into files.



COMMENT

This is a mass-mailing worm. It makes the system unstable.





When W32.Rontokbro.K@mm is executed, it performs the following actions:


#(1)# Copies itself as:


%UserProfile%\Local Settings\Application Data\csrss.exe
%UserProfile%\Local Settings\Application Data\inetinfo.exe
%UserProfile%\Local Settings\Application Data\lsass.exe
%UserProfile%\Local Settings\Application Data\services.exe
%UserProfile%\Local Settings\Application Data\smss.exe
%UserProfile%\Local Settings\Application Data\winlogon.exe
%UserProfile%\Start Menu\Programs\Startup\Empty.pif
%UserProfile%\Templates\Brengkolang.com
%Windir%\eksplorasi.exe
%Windir%\ShellNew\sempalong.exe
%System%\[USER NAME]'s Setting.scr

Notes:
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


#(2)# Creates the following folder, where the variables [X]-[Y] are two random numbers:

%UserProfile%\Local Settings\Application Data\Bron.tok-[X]-[Y]


#(3)# Overwrites C:\Autoexec.bat with the following text:

pause


#(4)# Adds the values:

"Bron-Spizaetus" = ""%Windir%\ShellNew\sempalong.exe""
"Tok-Cirrhatus" = ""%UserProfile%\Local Settings\Application Data\smss.exe""

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.


#(5)# Adds the value:

"Tok-Cirrhatus" = ""%UserProfile%\Local Settings\Application Data\smss.exe""

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.


#(6)# Adds the value:

"Shell" = "Explorer.exe "%Windir%\eksplorasi.exe""

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

so that it runs every time Windows starts.


#(7)# Adds the value:

"NoFolderOptions" = "1"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

in an attempt to hide itself from the user.


#(8)# Adds the values:

"DisableRegistryTools" = "1"
"DisableCMD" = "0"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

in an attempt to hide itself from the user.


#(9)# Adds the values:

"Hidden" = "0"
"HideFileExt" = "1"
"ShowSuperHidden" = "0"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

in an attempt to hide itself from the user.
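As an added example (not part of the Symantec writeup or of this post), the following Python script reads a regedit export (.reg text) and flags the registry changes listed above: the Run values, a Winlogon Shell value that is no longer plain Explorer.exe, and the NoFolderOptions / DisableRegistryTools policy locks. The sample export is constructed for illustration, not captured from a real host.

```python
import re

# Indicators from the registry steps above: Run values, the Winlogon Shell hijack and policy locks.
RUN = r"\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = [(r"HKEY_LOCAL_MACHINE\SOFTWARE" + RUN, "Bron-Spizaetus"),
              (r"HKEY_LOCAL_MACHINE\SOFTWARE" + RUN, "Tok-Cirrhatus"),
              (r"HKEY_CURRENT_USER\Software" + RUN, "Tok-Cirrhatus")]
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
POLICY_VALUES = [(POLICIES + r"\Explorer", "NoFolderOptions"),
                 (POLICIES + r"\System", "DisableRegistryTools")]

def parse_reg(text):
    """Parse .reg export text into {subkey.lower(): {value name: data as str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)       # "name"=data
        if line.startswith("[") and line.endswith("]"):       # [subkey] header
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and m:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])     # undo \\ and \" escapes
            elif data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))                  # dword:00000001 -> "1"
            current[name] = data
    return keys

def find_brontok(keys):
    hits = []
    for subkey, name in RUN_VALUES:
        if name in keys.get(subkey.lower(), {}):
            hits.append(f"{subkey}\\{name}")
    shell = keys.get(WINLOGON.lower(), {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        hits.append(f"{WINLOGON}\\Shell = {shell}")            # default is plain Explorer.exe
    for subkey, name in POLICY_VALUES:
        if keys.get(subkey.lower(), {}).get(name) == "1":
            hits.append(f"{subkey}\\{name} = 1")
    return hits

# Constructed sample export (not a real capture) containing three of the changes.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="\"C:\\WINDOWS\\ShellNew\\sempalong.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\eksplorasi.exe\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
'''
```

Running `find_brontok(parse_reg(SAMPLE_REG))` on the sample returns three hits; on a clean export the list is empty.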


#(10)# Adds a task to the Windows scheduler to execute the following file at 5:08 PM every day:

%UserProfile%\Templates\Brengkolang.com


#(11)# Restarts the computer when it detects a window whose title contains one of the following strings:

1)..
2).@
3) @.
4).ASP
5).EXE
6).HTM
7).JS
8).PHP
9)ADMIN
10)ADOBE
11)AHNLAB
12)ALADDIN
13)ALERT
14)ALWIL
15)ANTIGEN
16)APACHE
17)APPLICATION
18)ARCHIEVE
19)ASDF
20)ASSOCIATE
21)AVAST
22)AVG
23)AVIRA
24)BILLING@
25)BLACK
26)BLAH
27)BLEEP
28)BUILDER
29)CANON
30)CENTER
31)CILLIN
32)CISCO
33)CMD.
34)CNET
35)COMMAND
36)COMMAND PROMPT
37)CONTOH
38)CONTROL
39)CRACK
40)DARK
41)DATA
42)DATABASE
43)DEMO
44)DETIK
45)DEVELOP
46)DOMAIN
47)DOWNLOAD
48)ESAFE
49)ESAVE
50)ESCAN
51)EXAMPLE
52)FEEDBACK
53)FIREWALL
54)FOO@
55)FUCK
56)FUJITSU
57)GATEWAY
58)GOOGLE
59)GRISOFT
60)GROUP
61)HACK
62)HAURI
63)HIDDEN
64)HP.
65)IBM.
66)INFO@
67)INTEL.
68)KOMPUTER
69)LINUX
70)LOG OFF WINDOWS
71)LOTUS
72)MACRO
73)MALWARE
74)MASTER
75)MCAFEE
76)MICRO
77)MICROSOFT
78)MOZILLA
79)MYSQL
80)NETSCAPE
81)NETWORK
82)NEWS
83)NOD32
84)NOKIA
85)NORMAN
86)NORTON
87)NOVELL
88)NVIDIA
89)OPERA
90)OVERTURE
91)PANDA
92)PATCH
93)POSTGRE
94)PROGRAM
95)PROLAND
96)PROMPT
97)PROTECT
98)PROXY
99)RECIPIENT
100)REGISTRY
101)RELAY
102)RESPONSE
103)ROBOT
104)SCAN
105)SCRIPT HOST
106)SEARCH R
107)SECURE
108)SECURITY
109)SEKUR
110)SENIOR
111)SERVER
112)SERVICE
113)SHUT DOWN
114)SIEMENS
115)SMTP
116)SOFT
117)SOME
118)SOPHOS
119)SOURCE
120)SPAM
121)SPERSKY
122)SUN.
123)SUPPORT
124)SYBARI
125)SYMANTEC
126)SYSTEM CONFIGURATION
127)TEST
128)TREND
129)TRUST
130)UPDATE
131)UTILITY
132)VAKSIN
133)VIRUS
134)W3.
135)WINDOWS SECURITY.VBS
136)WWW
137)XEROX
138)XXX
139)YOUR
140)ZDNET
141)ZEND
142)ZOMBIE


#(12)# May also launch a ping flood attack on the following sites:


1) kaskus.com
2) 17tahun.com


#(13)# Gathers email addresses from files with the following extensions on all local drives from C to Y:


1) ASP
2) CFM
3) CSV
4) DOC
5) EML
6) HTML
7) PHP
8) TXT
9) WAB


#(14)# Avoids sending itself to email addresses that contain any of the following strings in the domain name:


1) PLASA
2) TELKOM
3) INDO
4) .CO.ID
5) .GO.ID
6) .MIL.ID
7) .SCH.ID
8) .NET.ID
9) .OR.ID
10) .AC.ID
11) .WEB.ID
12) .WAR.NET.ID
13) ASTAGA
14) GAUL
15) BOLEH
16) EMAILKU
17) SATU


#(15)# May append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:


1) smtp.
2) mail.
3) ns1.


#(16)# Uses its own SMTP engine to send itself to the email addresses that it finds.

The email has the following characteristics:

From: [SPOOFED]

Subject: [BLANK]

Message:

BRONTOK.A[10] [ By: H[REMOVED]nity ]
-- Hentikan kebobrokan di negeri ini --
1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Aborsi, & Prostitusi
( Go To HELL )
3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!

Attachment:

Kangen.exe


#(17)# Copies itself to removable drives and network shares. The file name will be one of the following:


[existingfilename].exe
Data [username].exe

Example:

If calc.exe is in the destination folder, the worm copies itself as calc.exe.exe.
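As an added example, not from the writeup or this post, the following Python flags paths that match the file artifacts described above: Windows process names (csrss.exe, lsass.exe, ...) found outside the System folder, the named dropped files, the Bron.tok-[X]-[Y] folder, the "[USER NAME]'s Setting.scr" drop, and the [existingfilename].exe and Data [username].exe copies on removable drives and shares. It assumes the input is a plain list of full paths (for example from a directory listing); the sample list is constructed for illustration.

```python
import ntpath
import re

# Names from the "Copies itself as" list that impersonate Windows processes; real ones live in %System%.
MASQUERADE = {"csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}
# Other file names the writeup lists as dropped or mailed.
DROPPED = {"empty.pif", "brengkolang.com", "eksplorasi.exe", "sempalong.exe", "kangen.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\", "\\windows\\system\\")
DOUBLE_EXT = re.compile(r"\.[a-z]{2,4}\.exe$")        # calc.exe.exe, report.doc.exe, ... (heuristic)
DATA_USER = re.compile(r"^data .+\.exe$")              # "Data [username].exe"
BRON_DIR = re.compile(r"\\bron\.tok-\d+-\d+\\")        # the Bron.tok-[X]-[Y] folder

def classify(path):
    """Return the reasons (possibly none) a path matches the worm's file artifacts."""
    p = path.lower()
    name = ntpath.basename(p)
    reasons = []
    if name in MASQUERADE and not any(d in p for d in SYSTEM_DIRS):
        reasons.append("Windows process name outside the System folder")
    if name in DROPPED:
        reasons.append("file name dropped by the worm")
    if name.endswith("'s setting.scr"):
        reasons.append("'[USER NAME]'s Setting.scr' drop")
    if DOUBLE_EXT.search(name):
        reasons.append("double extension ([existingfilename].exe)")
    if DATA_USER.match(name):
        reasons.append("'Data [username].exe' copy")
    if BRON_DIR.search(p):
        reasons.append("inside a Bron.tok-[X]-[Y] folder")
    return reasons

def scan(paths):
    """Map each suspicious path to its reasons; clean paths are left out."""
    return {p: r for p in paths if (r := classify(p))}

# Constructed directory listing (not from a real host) mixing worm drops with legitimate files.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Local Settings\Application Data\lsass.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\ShellNew\sempalong.exe",
    r"C:\WINDOWS\system32\alice's Setting.scr",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\Bron.tok-12-34\x.txt",
    r"E:\calc.exe.exe",
    r"E:\Data alice.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]
```

`scan(SAMPLE_PATHS)` flags six of the eight paths and leaves the genuine System32 lsass.exe and firefox.exe alone.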


RECOMMENDATIONS

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.


* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.

* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.


* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.



REMOVAL INSTRUCTIONS
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1) Disable System Restore (Windows Me/XP).

2) Update the virus definitions.

3) Run a full system scan and delete all the files detected.

4) Use the Security Response "Tool to reset shell\open\command registry subkeys."

5) Delete any values added to the registry.

6) Delete the scheduled task.


For specific details on each of these steps, read the following instructions.

5) To delete the values from the registry


A. Click Start > Run.
B. Type regedit
C. Click OK.
D. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

E. In the right pane, delete the value:

"Bron-Spizaetus" = ""%Windir%\ShellNew\sempalong.exe""

F. Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

G. In the right pane, delete the value:

"Tok-Cirrhatus" = ""%UserProfile%\Local Settings\Application Data\smss.exe""

H. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

I. In the right pane, reset the value to its default value:

"Shell" = "Explorer.exe"

J. Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

K. In the right pane, reset the following value to its default value if required:

"NoFolderOptions" = "0" or "NoFolderOptions" = "1"

L. Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

M. In the right pane, reset the following values to their default values if required:

"Hidden" = "0" or "Hidden" = "1"
"ShowSuperHidden" = "0" or "ShowSuperHidden" = "1"
"HideFileExt" = "0" or "HideFileExt" = "1"

N. Exit the Registry Editor.


6) To delete the scheduled tasks added by the worm


A. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.)
B. In the Control Panel window, double click Scheduled Tasks.
C. Right click the task icon and select Properties from pop-up menu.

The properties of the task are displayed.


D. Delete the task if the contents of the Run text box in the task pane match the following:

%UserProfile%\Templates\Brengkolang.com

5 comments:

Anonymous said...

very useful ... but boring task

Anonymous said...

agree with vinu......

Anonymous said...

what is the guarantee that THESE TIPS CAN SOLVE THE PROBLEM...????
