¿Necesita ayuda? Pregunte a la comunidad o contrate a un experto.
Ir a Avira Answers
Virus:Worm/Rontok.D
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:41.385 Bytes
MD5 checksum:5a1e3b99e00dd5df99cc316ecfff5fb9

 General Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Rontokbro.gen@MM
   •  Sophos: W32/Brontok-DB
   •  Bitdefender: Worm.Generic.73749
   •  Panda: W32/Brontok.CX.worm
   •  GData: Worm.Generic.73749


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Uses its own Email engine

 Files It copies itself to the following locations:
   • %SYSDIR%\%current username%'s Setting.scr
   • %HOME%\Local Settings\Application Data\smss.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\csrss.exe
   • %WINDIR%\eksplorasi.exe
   • %HOME%\Local Settings\Application Data\winlogon.exe
   • %HOME%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Templates\WowTumpeh.com
   • %SYSDIR%\drivers\etc\hosts-Denied By-%current username%.com
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • %WINDIR%\ShellNew\bronstab.exe



It overwrites a file.
– C:\autoexec.bat



The following files are created:

– %HOME%\Local Settings\Application Data\ListHost9.txt
– %HOME%\Local Settings\Application Data\Update.9.Bron.Tok.bin



It tries to execute the following files:

– Filename:
   • explorer.exe


– Filename:
   • %HOME%\Local Settings\Application Data\smss.exe


– Filename:
   • %HOME%\Local Settings\Application Data\winlogon.exe


– Filename:
   • at /delete /y


– Filename:
   • at 17:08 /every:M,T,W,Th,F,S,Su "%HOME%\Templates\WowTumpeh.com"


– Filename:
   • %HOME%\Local Settings\Application Data\services.exe


– Filename:
   • %HOME%\Local Settings\Application Data\lsass.exe


– Filename:
   • %HOME%\Local Settings\Application Data\inetinfo.exe

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Tok-Cirrhatus"=""%HOME%\Local Settings\Application Data\smss.exe""

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Bron-Spizaetus"=""%WINDIR%\ShellNew\bronstab.exe""



The following registry keys are added:

– [HKCU\software\microsoft\windows\currentversion\Policies\System]
   • "DisableCMD"=dword:0x00000000
   • "DisableRegistryTools"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NoFolderOptions"=dword:0x00000001



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Shell"="Explorer.exe "%WINDIR%\eksplorasi.exe""

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
   New value:
   • "ITBarLayout"=hex:11,00,00,00,4C,00,00,00,00,00,00,00,34,00,00,00,1B,00,00,00,4E,00,00,00,01,00,00,00,20,07,00,00,A0,0F,00,00,05,00,00,00,62,05,00,00,26,00,00,00,02,00,00,00,21,07,00,00,A0,0F,00,00,04,00,00,00,21,01,00,00,A0,0F,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000000
   • "HideFileExt"=dword:0x00000001
   • "ShowSuperHidden"=dword:0x00000000

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
   New value:
   • "{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,E0,01,EE,4E,D0,11,BF,E9,00,AA,00,5B,43,83,10,00,00,00,00,00,00,00,01,E0,32,F4,01,00,00,00

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar]
   New value:
   • "Locked"=dword:0x00000001

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Body:
– Contains HTML code.

The attachment is a copy of the malware itself.

 Hosts The host file is modified as explained:

– Access to the following domain is effectively blocked:
   • %gathered from the internet%


– Access to the following domain is redirected to another destination:
   • %gathered from the internet%


 Miscellaneous Accesses internet resources:
   • http://www.geocities.com/sembilstabok/**********
   • http://www.geocities.com/sembilstabok/**********

 File details Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descripción insertada por Petre Galan el lunes, 11 de abril de 2011
Descripción actualizada por Petre Galan el lunes, 11 de abril de 2011

Volver . . . .
https:// Esta ventana está cifrada para su seguridad.