Name: Worm/Rontok.D
Type: Worm
ITW: Yes
Number of reported infections: Low to medium
Spread potential: Low to medium
Damage potential: Low to medium
Static file: Yes
Size: 41,385 Bytes
MD5: 5a1e3b99e00dd5df99cc316ecfff5fb9

General
Method of propagation:
   • Email


Alias:
   •  Mcafee: W32/Rontokbro.gen@MM
   •  Sophos: W32/Brontok-DB
   •  Bitdefender: Worm.Generic.73749
   •  Panda: W32/Brontok.CX.worm
   •  GData: Worm.Generic.73749


Operating system:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Creates malware files
   • Uses its own email engine

Files
It copies itself to the following locations:
   • %SYSDIR%\%current user name%'s Setting.scr
   • %HOME%\Local Settings\Application Data\smss.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\csrss.exe
   • %WINDIR%\eksplorasi.exe
   • %HOME%\Local Settings\Application Data\winlogon.exe
   • %HOME%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Templates\WowTumpeh.com
   • %SYSDIR%\drivers\etc\hosts-Denied By-%current user name%.com
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • %WINDIR%\ShellNew\bronstab.exe



It overwrites a file:
C:\autoexec.bat



The following files are created:

%HOME%\Local Settings\Application Data\ListHost9.txt
%HOME%\Local Settings\Application Data\Update.9.Bron.Tok.bin



It tries to execute the following files and commands:
   • explorer.exe
   • %HOME%\Local Settings\Application Data\smss.exe
   • %HOME%\Local Settings\Application Data\winlogon.exe
   • at /delete /y
   • at 17:08 /every:M,T,W,Th,F,S,Su "%HOME%\Templates\WowTumpeh.com"
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe

System registry
The following registry keys are added in order to run the process after a system restart:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Tok-Cirrhatus"=""%HOME%\Local Settings\Application Data\smss.exe""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Bron-Spizaetus"=""%WINDIR%\ShellNew\bronstab.exe""



The following registry keys are added:

[HKCU\software\microsoft\windows\currentversion\Policies\System]
   • "DisableCMD"=dword:0x00000000
   • "DisableRegistryTools"=dword:0x00000001

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NoFolderOptions"=dword:0x00000001



The following registry keys are modified:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Shell"="Explorer.exe "%WINDIR%\eksplorasi.exe""

[HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
   New value:
   • "ITBarLayout"=hex:11,00,00,00,4C,00,00,00,00,00,00,00,34,00,00,00,1B,00,00,00,4E,00,00,00,01,00,00,00,20,07,00,00,A0,0F,00,00,05,00,00,00,62,05,00,00,26,00,00,00,02,00,00,00,21,07,00,00,A0,0F,00,00,04,00,00,00,21,01,00,00,A0,0F,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000000
   • "HideFileExt"=dword:0x00000001
   • "ShowSuperHidden"=dword:0x00000000

[HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
   New value:
   • "{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,E0,01,EE,4E,D0,11,BF,E9,00,AA,00,5B,43,83,10,00,00,00,00,00,00,00,01,E0,32,F4,01,00,00,00

[HKCU\Software\Microsoft\Internet Explorer\Toolbar]
   New value:
   • "Locked"=dword:0x00000001
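The drop locations and persistence entries listed above can be audited read-only with the following PowerShell script. It is an added example, not Avira's code or part of the original description; it assumes %SYSDIR%, %WINDIR% and %HOME% map to System32, the Windows directory and the current user's profile, and it only expands the user-specific paths for the account running it.

```powershell
# Added audit example (not Avira's code). Maps %SYSDIR%, %WINDIR% and %HOME%
# to System32, the Windows directory and the current user's profile (assumption).
$sysdir     = Join-Path $env:SystemRoot 'System32'
$profileDir = $env:USERPROFILE
$appData    = Join-Path $profileDir 'Local Settings\Application Data'
$user       = $env:USERNAME

# Drop locations from the description, expanded for this account.
$dropFiles = @(
    (Join-Path $sysdir "${user}'s Setting.scr"),
    (Join-Path $sysdir "drivers\etc\hosts-Denied By-${user}.com"),
    (Join-Path $env:SystemRoot 'eksplorasi.exe'),
    (Join-Path $env:SystemRoot 'ShellNew\bronstab.exe'),
    (Join-Path $profileDir 'Start Menu\Programs\Startup\Empty.pif'),
    (Join-Path $profileDir 'Templates\WowTumpeh.com')
) + @('smss.exe','lsass.exe','csrss.exe','winlogon.exe','services.exe','inetinfo.exe' |
      ForEach-Object { Join-Path $appData $_ })

# Persistence and lock-down values from the description. Bad is a wildcard
# pattern for a value that indicates infection (any value for the Run entries).
$regChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';              Name = 'Tok-Cirrhatus';        Bad = '*' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';              Name = 'Bron-Spizaetus';       Bad = '*' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';      Name = 'Shell';                Bad = '*eksplorasi.exe*' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = '1' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = '1' }
)

$findings = @()
foreach ($f in $dropFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and "$($item.($c.Name))" -like $c.Bad) {
        $findings += "Registry: $($c.Path)\$($c.Name) = $($item.($c.Name))"
    }
}

# The description shows an AT job running WowTumpeh.com; schtasks also lists legacy AT jobs.
$job = schtasks.exe /query /fo LIST /v 2>$null | Select-String -SimpleMatch 'WowTumpeh.com'
if ($job) { $findings += 'Scheduled task referencing WowTumpeh.com' }

if ($findings.Count -eq 0) { 'No Worm/Rontok.D indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM and System32 checks are not blocked by permissions; it reports only and removes nothing.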

Email
It has an integrated SMTP engine. A direct connection is made to the recipient's mail server. Its characteristics are:


From:
The address is spoofed.


To:
– Email addresses found on the system.
– Email addresses obtained from the WAB (Windows Address Book).


Email body:
– Contains HTML code.

The attachment is a copy of the malware.

Hosts file
The file

Access to the following domain is blocked:
   • %downloaded from the internet%


Access to the following domain is redirected to another destination:
   • %downloaded from the internet%


Other information
Accesses internet resources:
   • http://www.geocities.com/sembilstabok/**********
   • http://www.geocities.com/sembilstabok/**********

File details
Programming language:
Programming language used: Visual Basic.


File compression:
To make detection harder and reduce the file size, a runtime packer is used.

Description inserted by Petre Galan on Monday, April 11, 2011
Description updated by Petre Galan on Monday, April 11, 2011
