Aliases: W32/Brontok-AJ, W32/Brontok-AZ,
Variants: Email-Worm:W32/Brontok.N

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 22 Apr 2006
Damage: Low

Characteristics: The W32.Rontokbro.AN@mm is a mass mailing worm that lessens the computer's security settings.

More details about W32.Rontokbro.AN@mm

When the W32.Rontokbro.AN@mm threat is launched, it duplicates itself as the files “%Windir%\j[RANDOM].exe”, “%Windir%\o[RANDOM].exe”, “%Windir%\_default[RANDOM].pif”, “%System%\c_[RANDOM]k.com”, and “%UserProfile%\Local Settings\Application Data\jalak-93[RANDOM]15-bali.com”. The worm then changes the name “%System%\msvbvm60.dll” to “%System%\msvbvm60.dll.[RANDOM]”. After that, the worm makes the file “C:\Baca Bro!!!.txt” as a marker of infection. Then, the worm creates the folders “%System%\s87[RANDOM]”, “%Windir%\ad[RANDOM]”, and “%UserProfile%\Local Settings\Application Data\dv6[RANDOM]0x”. The worm then duplicates itself into the folders above as one or more of the following files: “c.bron.tok.txt”, “getdomlist.txt”, “csrss.exe”, “lsass.exe”, “services.exe”, and “smss.exe”.

The W32.Rontokbro.AN@mm program may also gather email addresses stored on computer’s hard disk. The program will automatically send itself through email by directly connecting to the recipient's Simple Mail Transfer Protocol (SMTP) server. An unsuspecting user typically installs the W32.Rontokbro.AN@mm program by unintentionally opening an email attachment or message containing executable scripts. The program replicates itself on the user's system until the time that it does take up all the available memory on the computer. This may cause the system to slow down. It may even cause the system to crash. The W32.Rontokbro.AN@mmmay worm also consumes the hard disk’s available space and this will restrict the user from saving or creating new files.