Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
23 Sep 2005
W32.Rontokbro is a mass-mailing worm that can cause the system to become unstable.
W32.Rontokbro Removal Tool
Malware on your computer will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Rontokbro from your computer.
More details about W32.Rontokbro
When the W32.Rontokbro worm is opened, it copies itself to “C:\Windows\PIF\CVT.exe”, “%UserProfile%\APPDATA\IDTemplate.exe”, “%UserProfile%\APPDATA\services.exe”, “%UserProfile%\APPDATA\lsass.exe”, “%UserProfile%\APPDATA\inetinfo.exe”, “%UserProfile%\APPDATA\csrss.exe”, “%UserProfile%\Programs\Startup\Empty.pif”, “%UserProfile%\Templates\A.kotnorB.com”, and “%System%\3D Animation.scr”. It then creates the folder “%UserProfile%\Local Settings\Application Data\Bron.tok-24”. The worm modifies a registry key entry so that it runs each time Windows starts, and it adds a task to the Windows scheduler that opens the file “%UserProfile%\Templates\A.kotnorB.com” at 5:08 PM every day. The W32.Rontokbro worm reboots the PC when it finds a window whose title contains one of the following strings: [email protected], “@.”, “.ASP”, “.EXE”, “.HTM”, “.JS”, “.PHP”, “ADMIN”, “ADOBE”, “AHNLAB”, “AVIRA”, and others. The worm could also launch a ping attack.
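The file and folder artefacts listed above can be checked on a host with a short script. This is an added example, not a tool from the original page; the mapping of %System% to the System32 folder and of %UserProfile% to the USERPROFILE environment variable, and all function names, are assumptions.

```python
import os
from pathlib import Path

# Artefact paths exactly as listed in the description above (placeholders kept).
ARTIFACTS = [
    r"C:\Windows\PIF\CVT.exe",
    r"%UserProfile%\APPDATA\IDTemplate.exe",
    r"%UserProfile%\APPDATA\services.exe",
    r"%UserProfile%\APPDATA\lsass.exe",
    r"%UserProfile%\APPDATA\inetinfo.exe",
    r"%UserProfile%\APPDATA\csrss.exe",
    r"%UserProfile%\Programs\Startup\Empty.pif",
    r"%UserProfile%\Templates\A.kotnorB.com",
    r"%System%\3D Animation.scr",
    r"%UserProfile%\Local Settings\Application Data\Bron.tok-24",
]

def default_roots():
    """Assumed placeholder-to-directory mapping for a live Windows host."""
    system = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return {"C:": "C:\\", "%UserProfile%": os.environ.get("USERPROFILE", ""),
            "%System%": system}

def _resolve(base, parts):
    """Walk parts under base, matching names case-insensitively as Windows does."""
    cur = Path(base)
    for part in parts:
        try:
            names = {e.name.lower(): e for e in cur.iterdir()}
        except OSError:  # missing, not a directory, or unreadable
            return None
        cur = names.get(part.lower())
        if cur is None:
            return None
    return cur

def find_artifacts(roots):
    """Return (listed path, path found on disk) for every artefact present."""
    hits = []
    for listed in ARTIFACTS:
        head, *parts = listed.split("\\")
        base = roots.get(head)  # entries with an unmapped placeholder are skipped
        found = _resolve(base, parts) if base else None
        if found is not None:
            hits.append((listed, str(found)))
    return hits

if __name__ == "__main__":
    for listed, found in find_artifacts(default_roots()):
        print(f"FOUND {listed} -> {found}")
```

A hit on the copies named after Windows system processes (services.exe, lsass.exe, csrss.exe, inetinfo.exe) under a user profile is the strongest signal, since the genuine binaries live in the system folder.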
The W32.Rontokbro application is also considered a self-replicating computer worm. It may spread over the network without the remote user’s intervention. The program creates copies of itself on removable media or disks that are commonly used for file transfer. The copies execute automatically when a new network connection is detected. It may also spread across computers on the local area network. This is done by embedding a downloader component of the worm in the shared folders of other computers. The downloader component will download the main body of the program from a remote server if the computer connects to the Internet.