Author Topic: W32/Rontokbro.gen@MM  (Read 11646 times)


cefa

  • Guest
W32/Rontokbro.gen@MM
« on: February 25, 2008, 02:54:14 PM »
Hello.
The server in our ICT classroom keeps showing signs of this virus (W32/Rontokbro.gen@MM). It deletes it, but it is annoying.
Our ICT teacher suggested we tried your forums looking for help.
Thank you.
CefA

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: W32/Rontokbro.gen@MM
« Reply #1 on: February 25, 2008, 06:25:32 PM »
Hi cefa,

Here is the link to the manual removal instructions:
http://www.precisesecurity.com/computer-virus/antivirus-0004.htm
and here is a link to a removal tool:
http://www.bitdefender.com/site/Download/downloadRemovalTool/630/

polonus
« Last Edit: February 25, 2008, 06:27:59 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

cefa

  • Guest
Re: W32/Rontokbro.gen@MM
« Reply #2 on: February 25, 2008, 09:44:01 PM »
Thank you, sir. Our teacher will be happy. And so are we ;D.

CharleyO

  • Guest
Re: W32/Rontokbro.gen@MM
« Reply #3 on: February 26, 2008, 07:41:14 AM »
***

Hi cefa -

Please come back and let us know the results. This may be helpful to others.


***

cefa

  • Guest
Re: W32/Rontokbro.gen@MM
« Reply #4 on: February 26, 2008, 11:10:32 PM »
Hello. I don't have good news. We ran the tool you suggested, but don't think it made a difference. It is detected over and over again by the antivirus. It is deleted, but alas: keeps returning.
I can't post a log now, but maybe do it tomorrow. :'(
Bye.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: W32/Rontokbro.gen@MM
« Reply #5 on: February 26, 2008, 11:27:49 PM »
Hi cefa,

Well, there are many varieties of the same malware; what we give here is a general description of what the malware does, e.g.:
Characteristics -

W32/Rontokbro.gen is a mass-mailing worm which attempts to send a copy of itself to email addresses harvested from the computer.

The characteristics of this worm, with regard to file names, folders created, port numbers used, etc, will differ from one variant to another. Hence, this is a general description.

When executed, the following actions are performed by this worm:

1. It modifies various Windows Explorer settings. This includes the removal of the “Folder Options” item from all Windows Explorer menus.

    * Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion
      \Policies\Explorer\
      Data: NoFolderOptions = 1

2. It overwrites the file “C:\autoexec.bat” to include the line "pause".

    * This is so Win9x & WinME systems will pause at each Windows startup

3. It drops a copy of itself along with other files into the following folders:

    * %System%\Administrator's Setting.scr
    * %UserProfile%\Appdata\BronFoldNetDomList.txt
    * %UserProfile%\Appdata\csrss.exe
    * %UserProfile%\Appdata\inetinfo.exe
    * %UserProfile%\Appdata\Kosong.Bron.Tok.txt
    * %UserProfile%\Appdata\ListHost8.txt
    * %UserProfile%\Appdata\lsass.exe
    * %UserProfile%\Appdata\NetMailTmp.bin
    * %UserProfile%\Appdata\services.exe
    * %UserProfile%\Appdata\smss.exe
    * %UserProfile%\Appdata\Update.8.Bron.Tok.bin
    * %UserProfile%\Appdata\Update.AN.8.A.Bron.Tok
    * %UserProfile%\Appdata\winlogon.exe
    * %UserProfile%\ Start Menu\Programs\Startup\Empty.pif
    * %UserProfile%\Templates\WowTumpeh.com

Note:

%UserProfile% is a variable location and refers to the user's profile folder.
%System% is a variable location and refers to the Windows system directory.

4. It modifies the following registry entries to run at system startup:

    * HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "Tok-Cirrhatus-3444"
      Data: "C:\Documents and Settings\Administrator\Local Settings\Application Data\br7911on.exe"
    * HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run "Bron-Spizaetus"
      Data: "C:\Windows\ShellNew\RakyatKelaparan.exe"

5. It modifies the HOSTS file to redirect security-related websites to the 127.4.7.4 address.

The following is a brief list of redirected websites:

    * mcafee.com
    * nai.com
    * kaspersky.com
    * grisoft.com
    * norton.com
    * symantec.com
    * norman.com
    * trendmicro.com
    * sophos.com
    * perantivirus.com
    * virusalert.nl
    * antivirus.pagina.nl
    * virustotal.com

Redirecting network traffic for these URLs to localhost leads to the user not being able to browse the web pages belonging to these domains.

6. When it detects a window whose title contains the string “exe” the worm reboots the machine.

7. It scans for open Network Shares and copies itself into the folders found. The file name becomes the name of the folder into which it was copied.

8. It adds a task to the “Windows Task Scheduler” to execute itself at 5:08 PM every day.

Miscellaneous Information:

    * This worm is written in Visual Basic
    * It uses the Windows “Folder Icon” as its icon. This is to trick users into opening it, effectively executing the worm
    * Upon execution, it opens an “Explorer” window in an attempt to hide its process
    * In order to make the dropped files harder to find, the files have their attributes changed to hidden/system files
    * It disables Registry editing tools

Symptoms -

    * Inability to access the security related websites listed above due to the modifications made to the HOSTS file
    * Desktop firewall program alert that a foreign program is trying to access the internet
    * Presence of the files/Registry keys mentioned above
    * Inability to run Regedit.exe
    * Inability to change the Windows folder options

What you have to do is use a special scan, post a HijackThis log, etc. But let us wait for your report first,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
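Since the HOSTS-file tampering in point 5 is the symptom a classroom admin can check for without any special tool, here is a small checker for it. This is an added example, not polonus's code or anything from the McAfee description; the HOSTS content it scans is constructed for illustration, and the domain list is simply the one quoted in the post (extend it for your own environment). It flags every mapping of a watched domain, whether sinkholed to a loopback/unspecified address (as the worm does with 127.4.7.4) or pinned to some other address, and can return the file with those lines removed.

```python
"""Flag HOSTS-file entries that redirect security-vendor domains.
Added example (not the forum's or any vendor's tool); the sample HOSTS
content below is constructed, as is the 'intranet' entry in it."""
import ipaddress

# Domains the post lists as redirected by the worm.
WATCHED_DOMAINS = [
    "mcafee.com", "nai.com", "kaspersky.com", "grisoft.com", "norton.com",
    "symantec.com", "norman.com", "trendmicro.com", "sophos.com",
    "perantivirus.com", "virusalert.nl", "antivirus.pagina.nl", "virustotal.com",
]


def _matches(host, domain):
    """True for the domain itself and any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_hosts_redirects(text, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, address, reason) for every HOSTS mapping of a
    watched domain.  Handles tabs, several hostnames per line and '#' comments;
    lines whose first field is not an IP address are ignored, as the resolver
    ignores them."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        fields = body.split()
        if len(fields) < 2:
            continue
        addr, hostnames = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        for host in hostnames:
            if any(_matches(host, d) for d in watched):
                reason = ("sinkholed" if ip.is_loopback or ip.is_unspecified
                          else "pinned to another address")
                findings.append((line_no, host, addr, reason))
    return findings


def strip_redirects(text, watched=WATCHED_DOMAINS):
    """Return the HOSTS content with every flagged line removed.  Review the
    findings first; writing the result back is an administrator's job."""
    bad = {ln for ln, _h, _a, _r in find_hosts_redirects(text, watched)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: a stock header and localhost line, three worm-style
# sinkhole entries, one redirect to a LAN address, one legitimate entry and
# one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.4.7.4\tmcafee.com www.mcafee.com
127.4.7.4\tkaspersky.com   # nothing to see here
0.0.0.0 virustotal.com
10.0.0.5 update.sophos.com
192.168.1.20    intranet.example.school
not-an-ip grisoft.com
"""

if __name__ == "__main__":
    for line_no, host, addr, reason in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr} ({reason})")
```

On a real machine you would read `%SystemRoot%\system32\drivers\etc\hosts` into `text`; note that the worm also sets the file's hidden/system attributes, so open it by path rather than looking for it in Explorer.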

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: W32/Rontokbro.gen@MM
« Reply #6 on: February 27, 2008, 08:20:15 PM »
Hi cefa,

Also consider this:
==================================================
Run from Safe Mode, log in as the user and directly run the program I made.
[suggestion: put my program on the desktop so it can be executed straight away]
==================================================

You can try this tool against this brandal worm:

http://www.gdata.pl/kmdownload/download.php?op=getit&id=61

or use this:

Windows disinfector

BRONTGUI is a disinfector for standalone Windows computers
get it here: http://www.sophos.com/support/cleaners/brontgui.com

    * open BRONTGUI
    * run it
    * then click GO.

If you are disinfecting several computers, download it, save it to a floppy disk,
write-protect the floppy disk and run it from there.

Command line disinfector

BRONTSFX.EXE is a self-extracting archive containing BRONTCLI,
a Resolve command line disinfector for use by system administrators
on Windows networks. Read the notes enclosed in the self-extractor
for details on running this program.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: W32/Rontokbro.gen@MM
« Reply #7 on: March 01, 2008, 10:44:57 PM »
Hi cefa,

This info on the latest network variety:
W32/Brontok-DT is a worm for the Windows platform that spreads via shared network sources.

Vulnerable operating systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

   
© VirusAlert scale

Innovation:     9
Vector:     35
Logistics:     5
Damage:     5

Scale:     13/100

Qualification: nasty

Description of infection:
When run, the worm copies itself to the following files:

\Documents\My Cv.exe
\Default.pif
\Office\Msword.exe
\Fonts\csrss.exe
\config\systemprofile\Application Data\Microsoft\Internet Explorer\smss.exe
\spool\drivers\w32x86\3\services.exe

Then the following files are created:

\autorun.inf
\Auto.inf

The following registry key is changed, to enable the worm to start every time Windows is started:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\fonts\csrss.exe

The following registry values are created to launch smss.exe and services.exe when BAT, COM and PIF files are opened:

HKCR\lnkfile\shell\open\command
(default)
\config\systemprofile\Application Data\Microsoft\Internet Explorer\smss.exe" "%1" %*

HKCR\batfile\shell\open\command
(default)
\spool\drivers\w32x86\3\services.exe" "%1" %*

HKCR\comfile\shell\open\command
(default)
\spool\drivers\w32x86\3\services.exe" "%1" %*

HKCR\piffile\shell\open\command
(default)
\config\systemprofile\Application Data\Microsoft\Internet Explorer\smss.exe" "%1" %*

Next, the following registry keys are created:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HideClock
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoShellSearchButton
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsMenu
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoClose
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSimpleStartMenu
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
kb
kbao

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
00

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
00

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
00

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
00

HKCR\Folder\shell\raila\command
(default)
\config\systemprofile\Application Data\Microsoft\Internet Explorer\smss.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
000

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
legalnoticecaption
RAILA ODINGA-THE KENYA,S TOP AGENT FOR CHANGE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
legalnoticetext
No single individual can pull this country out of the muck it is in. I believe in collective leadership. I think I can put together a team that can salvage this country. I have done so in the past.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
shutdownwithoutlogon
000

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
\fonts\csrss.exe

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
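The registry changes above are the part of this description an admin can audit offline: export the relevant keys with `reg export` (or Regedit, once it works again) and check the text. The following is an added example, not polonus's or VirusAlert's tool, that parses a `.reg` export and flags the four kinds of change listed in this post: the Userinit hijack, the AeDebug "Debugger" hijack, BAT/COM/PIF/EXE handlers that no longer open the file directly, and lock-out policies set to a non-zero value. The export it runs on is constructed, and the stock values it compares against (`"%1" %*` for those handlers, `drwtsn32` as the default debugger) are assumed XP-era defaults.

```python
"""Audit a Windows registry export (.reg text) for the Userinit, AeDebug,
file-handler and policy changes a Brontok-style worm makes.  Added example
(not the forum's or any vendor's tool); the export below is constructed."""
import re

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}
# Explorer/System policy values the worm sets to lock the user out.
LOCKOUT_POLICIES = {"NoFolderOptions", "NoRun", "NoFind", "NoControlPanel",
                    "NoDrives", "NoClose", "DisableCMD", "DisableRegistryTools",
                    "DisableSR", "DisableConfig", "HideClock"}
# File types whose stock open command is just "%1" %* (assumption: XP-era defaults).
PASSTHROUGH_TYPES = {"batfile", "comfile", "piffile", "exefile"}
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes: \\ -> \ and \" -> "


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value is named '@'.
    String and dword data are parsed, hex blobs are skipped, and hive
    abbreviations (HKLM, HKCU, ...) are expanded so either spelling works."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = keys.setdefault(HIVES.get(hive.upper(), hive) + "\\" + rest, {})
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
    return keys


def audit(keys):
    """Return (finding, key_or_value_path, data) for each suspicious entry."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        # Stock Userinit is "<system32>\userinit.exe," with nothing after the comma.
        if low.endswith("\\windows nt\\currentversion\\winlogon"):
            userinit = values.get("Userinit", "")
            if any(p.strip() for p in userinit.split(",")[1:]):
                findings.append(("userinit-hijack", path, userinit))
        # A worm registered as JIT debugger is launched whenever any program crashes.
        if low.endswith("\\windows nt\\currentversion\\aedebug"):
            dbg = values.get("Debugger", "")
            if dbg and "drwtsn32" not in dbg.lower():   # XP's stock debugger (assumption)
                findings.append(("aedebug-hijack", path, dbg))
        # BAT/COM/PIF/EXE must open the file directly, not via another program.
        m = re.search(r"\\([a-z]+file)\\shell\\open\\command$", low)
        if m and m.group(1) in PASSTHROUGH_TYPES and values.get("@", "").strip() != '"%1" %*':
            findings.append(("handler-hijack", path, values.get("@", "")))
        # Any lock-out policy with a non-zero dword.
        if "\\policies\\" in low:
            for name, data in values.items():
                if name in LOCKOUT_POLICIES and isinstance(data, int) and data != 0:
                    findings.append(("lockout-policy", path + "\\" + name, data))
    return findings


# Constructed export: one of each hijack, one untouched handler (txtfile),
# one policy left at zero, and an abbreviated hive name to exercise expansion.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\fonts\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="C:\\WINDOWS\\fonts\\csrss.exe"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\services.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFolderOptions"=dword:00000000
'''

if __name__ == "__main__":
    for kind, where, data in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"{kind:16} {where} -> {data!r}")
```

Run it against a real export saved with `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion hklm_winnt.reg` (and the HKCU/HKCR keys named in the post); anything it reports is a value to restore by hand after the disinfector has removed the dropped files, otherwise the handler hijack re-launches the worm the next time a .bat or .pif is opened.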

cefa

  • Guest
Re: W32/Rontokbro.gen@MM
« Reply #8 on: March 02, 2008, 03:30:00 PM »
Dear Sir,
Thank you for so much information. We need to study it, it's a bit complicated for us. Probably the cleaning will have to be done during the Easter interruption, after translation. If we can do something before that, we'll let you know about the results.
Our best regards,
CefA

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: W32/Rontokbro.gen@MM
« Reply #9 on: March 02, 2008, 03:42:55 PM »
Until Easter, maybe you should follow the general cleaning procedure:

1. Disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot-time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run SUPERantispyware or Spyware Terminator.
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
About legit antispyware applications or the bad ones: http://www.spywarewarrior.com/rogue_anti-spyware.htm#sites

5. If you are still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest Trend Micro RootkitBuster (for XP/Vista). For XP only: Panda (for XP).

6. Also, if you are still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
The best things in life are free.