W32.Rontokbro
Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 23 Sep 2005
Damage: Low

Characteristics: W32.Rontokbro@mm is a mass-mailing worm that can cause the infected system to become unstable.

More details about W32.Rontokbro

When the W32.Rontokbro@mm worm is executed, it copies itself to “C:\Windows\PIF\CVT.exe”, “%UserProfile%\APPDATA\IDTemplate.exe”, “%UserProfile%\APPDATA\services.exe”, “%UserProfile%\APPDATA\lsass.exe”, “%UserProfile%\APPDATA\inetinfo.exe”, “%UserProfile%\APPDATA\csrss.exe”, “%UserProfile%\Programs\Startup\Empty.pif”, “%UserProfile%\Templates\A.kotnorB.com”, and “%System%\3D Animation.scr”. It then creates the folder “%UserProfile%\Local Settings\Application Data\Bron.tok-24”. The worm modifies a registry key so that it runs each time Windows starts, and adds a task to the Windows Task Scheduler that opens the file “%UserProfile%\Templates\A.kotnorB.com” at 5:08 PM every day. W32.Rontokbro@mm reboots the PC when it finds a window whose title contains one of the following strings, among others: “.@”, “@.”, “.ASP”, “.EXE”, “.HTM”, “.JS”, “.PHP”, “ADMIN”, “ADOBE”, “AHNLAB”, and “AVIRA”. The worm can also launch a ping attack.

W32.Rontokbro@mm is also a self-replicating network worm: it may spread over the network without the remote user’s intervention. The program creates copies of itself on removable media and disks that are commonly used for file transfer, and these copies execute automatically when the worm detects a new network connection. It may also spread within a local area network by embedding a downloader component in the shared folders of other computers. When such a computer connects to the Internet, the downloader component retrieves the main body of the program from a remote server.
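As an added example (not part of the original entry), the following Python host check expands the dropped-file paths and the Bron.tok-24 folder listed above and reports which are present, and filters a scheduled-task listing for lines that reference A.kotnorB.com. Mapping %System% to SystemRoot\System32 and the fallback default paths are assumptions; the registry key the worm modifies is not named in the entry and is therefore not checked.

```python
import os
from typing import Callable, Dict, Iterable, List

# Paths quoted from the entry above. %System% is not a real environment
# variable, so build_env() maps it to the Windows system directory (assumption).
RONTOKBRO_ARTIFACTS = [
    r"C:\Windows\PIF\CVT.exe",
    r"%UserProfile%\APPDATA\IDTemplate.exe",
    r"%UserProfile%\APPDATA\services.exe",
    r"%UserProfile%\APPDATA\lsass.exe",
    r"%UserProfile%\APPDATA\inetinfo.exe",
    r"%UserProfile%\APPDATA\csrss.exe",
    r"%UserProfile%\Programs\Startup\Empty.pif",
    r"%UserProfile%\Templates\A.kotnorB.com",
    r"%System%\3D Animation.scr",
    r"%UserProfile%\Local Settings\Application Data\Bron.tok-24",
]

# The file the entry says is launched daily at 5:08 PM via the Task Scheduler.
SCHEDULED_TASK_MARKER = "A.kotnorB.com"

def expand(path: str, env: Dict[str, str]) -> str:
    """Replace %UserProfile% and %System% with values from env (case-insensitive keys)."""
    lower = {k.lower(): v for k, v in env.items()}
    for name in ("UserProfile", "System"):
        path = path.replace(f"%{name}%", lower.get(name.lower(), f"%{name}%"))
    return path

def find_artifacts(env: Dict[str, str],
                   exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the expanded artifact paths that exist; exists() is injectable for testing."""
    return [p for p in (expand(a, env) for a in RONTOKBRO_ARTIFACTS) if exists(p)]

def suspicious_tasks(listing: Iterable[str]) -> List[str]:
    """Return lines of a scheduled-task listing (e.g. schtasks /query /v) naming the task target."""
    return [ln.rstrip() for ln in listing if SCHEDULED_TASK_MARKER.lower() in ln.lower()]

def build_env() -> Dict[str, str]:
    """Derive the placeholders from the live environment; falls back to typical defaults."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return {"UserProfile": os.environ.get("USERPROFILE", r"C:\Documents and Settings\user"),
            "System": root + r"\System32"}

if __name__ == "__main__":
    for hit in find_artifacts(build_env()):
        print("Rontokbro artifact present:", hit)
```

Run it on the suspect host; any reported path or task line warrants quarantine of the file and removal of the scheduled task before cleanup of the startup entry.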