Virus name (Chinese):
Virus aliases:
Threat level:
★☆☆☆☆
Virus type:
Worm
Virus length:
35168
Affected systems:
Win9x, WinMe, WinNT, Win2000, WinXP, Win2003
Virus behavior:
Worm.Rontokbro.an is a mass-mailing worm.
1. Drops the virus files into the following locations:
%Windows%\j[RandomName].exe
%Windows%\o[RandomName].exe
%Windows%\_default[RandomName].pif
%System%\c_[RandomName]k.com
%systemroot%\BacaBro!!!.txt
2. Creates a folder with a random name and drops the following virus files into it:
c.bron.tok.txt
getdomlist.txt
csrss.exe
lsass.exe
services.exe
smss.exe
winlogon.exe
m[RANDOM].exe
zh59[RANDOM].exe
yesbron.com
qm[RANDOM].exe
3. Adds the following registry values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
"AlternateShell"="c_[RANDOM]k.com"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"[RANDOM]"=""%Windir%\j[RANDOM].exe""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"[RANDOM]"=""%Windir%\_default[RANDOM].pif""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"[RANDOM]"=""%System%\s[RANDOM]\zh59[RANDOM].exe""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"[RANDOM]"=""%UserProfile%\Local Settings\Application Data\dv[RANDOM]0x\yesbron.com""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="%System%\userinit.exe,%Windir%\j[RANDOM].exe"
"Shell"="Explorer.exe "%Windir%\o[RANDOM].exe""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"Hidden"="0"
"HideFileExt"="1"
"ShowSuperHidden"="0"
4. Disables Task Manager.
5. Modifies the hosts file so that the domains of antivirus vendors and security sites (McAfee, NAI, Grisoft, Kaspersky, Symantec/Norton, Trend Micro, Norman, Data Fellows, CastleCops and others) resolve to 127.0.0.22.
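Two of the artifacts described above, the Winlogon Userinit/Shell hijack and the hosts-file redirection to 127.0.0.22, can be checked for offline. The Python below is an added example written for this page, not code from the vendor or the worm analysis: the vendor-domain set is a subset of the domains the advisory lists, the sample hosts content is constructed, and the Winlogon values are passed in rather than read from the registry.

```python
import re

# Vendor domains the worm pins in the hosts file (a subset taken from the
# advisory; extend the set for your environment).
SECURITY_VENDOR_DOMAINS = {
    "mcafee.com", "nai.com", "grisoft.com", "kaspersky-labs.com",
    "symantec.com", "symantecliveupdate.com", "norton.org", "trendmicro.com",
    "norman.com", "datafellows.com", "castlecops.org", "anti-virus.org",
}

# Constructed sample hosts file: a clean entry, a comment, two entries in the
# worm's style (note the stray "[http://]" and trailing "/"), and a benign host.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "# added by setup\n"
    "127.0.0.22 mcafee.com\n"
    "127.0.0.22 [http://]www.liveupdate.symantec.com/\n"
    "10.0.0.5 intranet.example.com\n"
)

def suspicious_hosts_entries(hosts_text):
    """Return (line_no, ip, host) for every entry that pins a security-vendor
    domain, or a subdomain of one, to a fixed address. Comments and blank lines
    are skipped; "[http://]", "www." and a trailing "/" are stripped first."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            host = re.sub(r"^(\[?https?://\]?)?(www\.)?", "", name.lower()).rstrip("/")
            labels = host.split(".")
            # The host itself plus each parent domain, down to the registrable one.
            candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
            if candidates & SECURITY_VENDOR_DOMAINS:
                findings.append((line_no, ip, host))
    return findings

def winlogon_hijacked(userinit, shell):
    """True if Winlogon's Userinit or Shell value launches anything beyond the
    stock userinit.exe / Explorer.exe; this worm appends %Windir%\\j[RANDOM].exe
    to Userinit and %Windir%\\o[RANDOM].exe to Shell."""
    extra_userinit = [p for p in userinit.split(",")
                      if p.strip() and not p.strip().lower().endswith("userinit.exe")]
    extra_shell = [p for p in re.split(r"[,\s]+", shell)
                   if p.strip() and p.strip().lower() != "explorer.exe"]
    return bool(extra_userinit or extra_shell)
```

On a live Windows host, feed the checker the contents of %SystemRoot%\system32\drivers\etc\hosts and the two Winlogon values; a hit on either is an indicator of this family's tampering even when the randomly named files have been renamed.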
6. Terminates any process whose name contains one of the following strings:
ahnlab
aladdin
Alicia
Anti
ash
ashmaisv
aswupdsv
avast
avg
bitdef
ccapps
cclaw
cillin
ctfmon
Dian
diary
foto
hijack
iexplorer
kangen
kill
lexplorer
machine
Mariana
mcaf
peid
untukmu
update
xpshare
zlh
taskmanager
bacabro!!!
registry
commandprompt
systemconfiguration
grouppolicy
cmd.exe
computermanagement
scheduledtask
killbox
SYSINTERNAL
PROCESSEXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windowsscript
norman
norton
symantec
taskview
7. Searches files with the following extensions for e-mail addresses:
.BAT
.PIF
.COM
.SCR
.EXE
.PPT
.XLS
.DOC
.CFM
.PHP
.ASP
.WAB
.EML
.CSV
.HTML
.HTM
.TXT
8. Uses its own SMTP engine to send itself out as an attachment. The message format is:
From:
Spoofed
Subject (one of):
My Best Photo
Fotoku yg Paling Cantik
Message body:
Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,
Hi,
Aku lg iseng aja pengen kirim foto ke kamu.
Jangan lupain aku ya!.
Thanks,
Attachment name:
Photo.zip