Added Date: 2008-11-01 | Editor: Jack | About: Worm, W32.Rontokbro@mm
W32.Rontokbro@mm
Aliases: Win32/Brontok.F [Nod32], WORM_RONTOKBRO.F [Trend Micro], Worm.Win32.Brontok.q [Kaspersky]
Type: Worm
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Overview: The W32.Rontokbro@mm worm spreads via the Internet as an attachment to infected messages and attempts to send a copy of itself to email addresses harvested from the computer.
Symptoms of W32.Rontokbro@mm:
1. Once launched, the worm copies itself to the following locations:
%System%\3D Animation.scr
%UserProfile%\APPDATA\IDTemplate.exe
%UserProfile%\APPDATA\services.exe
%UserProfile%\APPDATA\lsass.exe
%UserProfile%\APPDATA\inetinfo.exe
%UserProfile%\APPDATA\csrss.exe
%UserProfile%\Programs\Startup\Empty.pif
%UserProfile%\Templates\A.kotnorB.com
Note: %UserProfile% is a variable location and refers to the user's profile folder.
2. It may modify the following registry entries so that it runs at system startup:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System\"DisableCMD" = "2"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\Explorer\"NoFolderOptions" = "1"
3. It may modify the HOSTS file to redirect security-related websites:
mcafee.com
nai.com
kaspersky.com
grisoft.com
norton.com
symantec.com
norman.com
trendmicro.com
sophos.com
perantivirus.com
virusalert.nl
antivirus.pagina.nl
virustotal.com
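The registry policy values in item 2 and the HOSTS-file redirection in item 3 are the indicators a responder checks first, because a HOSTS entry for an antivirus vendor is never legitimate and the policy values disable the tools needed to investigate. The following is an added example written for this page, not code from the original listing or from any antivirus vendor; the function names, the sample HOSTS text and the sample registry export are all constructed for illustration. The registry reader only runs on Windows and falls back to an empty result elsewhere.

```python
"""Detection helpers for the W32.Rontokbro@mm indicators listed on this page.

Added example: the sample HOSTS content and the sample registry values below
are constructed inline so the checks run offline without a live infection.
"""
from typing import Dict, List, Tuple

# Domains the page lists as targets of HOSTS-file redirection.
BLOCKED_SECURITY_DOMAINS = [
    "mcafee.com", "nai.com", "kaspersky.com", "grisoft.com", "norton.com",
    "symantec.com", "norman.com", "trendmicro.com", "sophos.com",
    "perantivirus.com", "virusalert.nl", "antivirus.pagina.nl", "virustotal.com",
]

# HKCU policy values from the page: (subkey, value name) -> data the worm writes.
POLICY_INDICATORS: Dict[Tuple[str, str], str] = {
    (r"software\microsoft\windows\currentversion\Policies\System", "DisableRegistryTools"): "1",
    (r"software\microsoft\windows\currentversion\Policies\System", "DisableCMD"): "2",
    (r"software\microsoft\windows\currentversion\Policies\Explorer", "NoFolderOptions"): "1",
}


def _matches_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or any subdomain of it (www.symantec.com)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_hosts_redirects(hosts_text: str) -> List[dict]:
    """Return every HOSTS entry that pins a listed security domain to an address.

    A clean HOSTS file contains no entries for these vendors at all, so any
    mapping, whether to 127.0.0.1 or to some other address, is worth an alert.
    """
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname after the address
        address, names = parts[0], parts[1:]
        for name in names:
            for domain in BLOCKED_SECURITY_DOMAINS:
                if _matches_domain(name, domain):
                    findings.append({"line": lineno, "address": address,
                                     "host": name, "domain": domain})
    return findings


def find_policy_indicators(hkcu_values: Dict[Tuple[str, str], str]) -> List[Tuple[str, str]]:
    """Compare (subkey, value name) -> data pairs against the worm's known settings."""
    hits = []
    for key, malicious in POLICY_INDICATORS.items():
        if str(hkcu_values.get(key, "")) == malicious:
            hits.append(key)
    return hits


def read_hkcu_policies() -> Dict[Tuple[str, str], str]:
    """Read the three policy values from the live registry (Windows only).

    On non-Windows hosts, or when a key is absent, the value is simply omitted.
    """
    try:
        import winreg  # assumption: standard library module, present only on Windows
    except ImportError:
        return {}
    values: Dict[Tuple[str, str], str] = {}
    for (subkey, name) in POLICY_INDICATORS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                data, _type = winreg.QueryValueEx(key, name)
                values[(subkey, name)] = str(data)
        except OSError:
            continue  # key or value not present: nothing to report
    return values


# Constructed sample HOSTS content (not a real capture).
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       kaspersky.com   # redirected entry
10.0.0.5        intranet.example
"""

# Constructed sample of exported HKCU values (not a real capture).
SAMPLE_HKCU = {
    (r"software\microsoft\windows\currentversion\Policies\System", "DisableRegistryTools"): "1",
    (r"software\microsoft\windows\currentversion\Policies\System", "DisableCMD"): "2",
    (r"software\microsoft\windows\currentversion\Policies\Explorer", "NoFolderOptions"): "0",
}

if __name__ == "__main__":
    for hit in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"HOSTS line {hit['line']}: {hit['host']} -> {hit['address']} (matches {hit['domain']})")
    for subkey, name in find_policy_indicators(SAMPLE_HKCU):
        print(f"Registry indicator: HKCU\\{subkey}\\{name}")
```

On a live Windows machine, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to find_hosts_redirects and the result of read_hkcu_policies to find_policy_indicators; a match on either is a reason to run the removal step that follows from clean media rather than from the infected profile.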
Related trojan: Rontokbro, Wotron, Wozer, Xema
Remove W32.Rontokbro@mm:
You can use antivirus software with the latest updates to remove the worm quickly:
Norton Internet Security 2009