Rontokbro Worm
Original issue date: November 20, 2007
It has been observed that a mass-mailing worm named Rontokbro is circulating in the wild. It propagates by attaching a copy of itself to e-mail messages whose subject line and message body lure users into opening the attachment, which installs the malware on their system. It also spreads by copying itself to network shares.
Further, it harvests e-mail addresses from the infected system and sends malicious e-mails to the collected addresses using its own SMTP engine. The worm creates system instability by rebooting the infected machine when it detects a window whose title contains strings such as .ASP, .EXE, .HTM, .JS or .PHP.
Aliases: W32.Rontokbro@mm [Symantec], W32/Brontok-N [Sophos], Win32.Brontok.a [Kaspersky]
The e-mail contains the following:
Message: (any of the following)
- Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
- SAY NO TO DRUGS !!!
Attachment:
Upon execution, the worm:
- Copies itself to the following locations under the file names listed
%userprofile%\Local Settings\Application Data\winlogon.exe
%userprofile%\Local Settings\Application Data\services.exe
%userprofile%\Local Settings\Application Data\lsass.exe
%userprofile%\Local Settings\Application Data\inetinfo.exe
%userprofile%\Local Settings\Application Data\csrss.exe
%userprofile%\Local Settings\Application Data\smss.exe
%userprofile%\Local Settings\Application Data\IDTemplate.exe
%userprofile%\Start Menu\Programs\Startup\Empty.pif
%system%\3D Animation.scr
%windir%\Inf\norBtok.exe
- Creates the following registry entries to ensure its execution at every system startup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System\"DisableCMD" = "2"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\Explorer\"NoFolderOptions" = "1"
- Modifies the hosts file to redirect security-related websites to the address 127.4.7.4
- Reboots the machine on detecting a window whose title contains the string “exe”
- Adds a task to the “Windows Task Scheduler” to execute itself at 5:08 PM every day.
In view of the rapid propagation of the Rontokbro worm, users are advised to implement the following countermeasures:
- Monitor for illegitimate SMTP traffic originating from inside the network, locate the originating system and disinfect it
- Search for the malicious files and processes created or started by the Rontokbro worm and delete them
- Search for the registry entries made by the Rontokbro worm and delete them
- Install and maintain updated anti-virus software at gateway and desktop level
- Keep up to date with patches and fixes for the operating system and the above-mentioned vulnerabilities
- Exercise caution while opening e-mail attachments
- Install and maintain a firewall at desktop level
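A small triage helper, added here as an example and not part of the CERT-In advisory, that checks collected file paths, the hosts file text and the HKCU policy values against the indicators listed above. The sample paths and host names are constructed, and collecting the inputs (directory walk, hosts file read, registry read) is assumed to happen separately.

```python
# Indicators transcribed from the advisory above; sample inputs are constructed.
HOSTS_SINKHOLE = "127.4.7.4"
# Core system process names the worm drops outside their normal directory.
SYSTEM_NAMES = {"winlogon.exe", "services.exe", "lsass.exe",
                "inetinfo.exe", "csrss.exe", "smss.exe"}
WORM_DROP_DIR = "\\local settings\\application data\\"
# Remaining file names from the drop list and the Run key.
OTHER_DROPS = {"idtemplate.exe", "empty.pif", "3d animation.scr",
               "norbtok.exe", "cvt.exe"}
# HKCU Policies values the worm sets: (value name, data).
POLICY_INDICATORS = {("DisableRegistryTools", "1"), ("DisableCMD", "2"),
                     ("NoFolderOptions", "1")}

def flag_paths(paths):
    """Return paths that match the advisory's drop locations: a core system
    process name under Local Settings\\Application Data, or one of the worm's
    other file names anywhere. A winlogon.exe in system32 is not flagged."""
    hits = []
    for path in paths:
        low = path.lower().replace("/", "\\")
        name = low.rsplit("\\", 1)[-1]
        if (name in SYSTEM_NAMES and WORM_DROP_DIR in low) or name in OTHER_DROPS:
            hits.append(path)
    return hits

def sinkholed_hosts(hosts_text):
    """Return host names that the hosts file maps to the worm's 127.4.7.4."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == HOSTS_SINKHOLE:
            found.extend(fields[1:])
    return found

def flagged_policies(values):
    """values maps value name -> data read from the two HKCU Policies keys
    (REG_DWORD data arrives as int); returns the names set as the advisory
    describes, sorted for stable output."""
    return sorted(n for n, d in POLICY_INDICATORS if str(values.get(n)) == d)

if __name__ == "__main__":
    # Constructed sample input standing in for a directory walk and hosts read.
    sample_paths = [
        r"C:\Documents and Settings\alice\Local Settings\Application Data\winlogon.exe",
        r"C:\WINDOWS\system32\winlogon.exe",
        r"C:\WINDOWS\Inf\norBtok.exe",
    ]
    sample_hosts = "127.0.0.1 localhost\n127.4.7.4 www.example-av.invalid\n"
    print(flag_paths(sample_paths))       # 2 of the 3 paths
    print(sinkholed_hosts(sample_hosts))  # ['www.example-av.invalid']
    print(flagged_policies({"DisableRegistryTools": "1", "DisableCMD": 2}))
```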
References
http://www.symantec.com/security_response/writeup.jsp?docid=2005-092311-2608-99&tabid=2
http://www.sophos.com/security/analyses/viruses-and-spyware/w32brontokn.html
http://www.viruslist.com/en/viruses/encyclopedia?virusid=96428
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003