
Rontokbro

Posted: March 28, 2006

Rontokbro is a rapidly spreading Internet worm that propagates by e-mail in messages with infected attachments. Once the user executes such an attachment, the worm installs itself on the computer and runs its spreading routine. It scans the entire computer for e-mail addresses and sends itself to them using its own mail engine. Rontokbro modifies essential computer settings in order to disable standard Windows tools such as the Registry Editor or Command Prompt. It also immediately restarts a PC when it detects certain software running. This includes many antivirus and anti-malware applications, web browsers, programming tools and other popular software. Rontokbro may launch an attack against several well-known web sites. The worm's activity severely degrades overall computer performance and Internet connection speed and causes general computer instability. The worm runs on every Windows startup.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 3danimation.scr
    2 a.kotnorb.com
    3 csrss.exe
    4 cvt.exe
    5 empty.pif
    6 idtemplate.exe
    7 inetinfo.exe
    8 kangent.exe
    9 lsass.exe
    10 services.exe

Registry Modifications

  • The following Registry values were newly created:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions=1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD=2
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools=1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ron-spizaetus
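
A check for the Registry values listed above, as an added example that is not part of the original write-up. It assumes it is run in the session of the user being examined (the policy values are under HKEY_CURRENT_USER), and the variable names are illustrative.

```powershell
# Registry values listed on this page: key, value name, and the data the page
# reports ($null where the page gives no data for the value).
$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Data = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableCMD';           Data = 2 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Data = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name = 'ron-spizaetus';        Data = $null }
)

$findings = foreach ($i in $indicators) {
    # A missing key or value is the normal state, so lookup errors are suppressed.
    $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }

    $actual = $item.($i.Name)
    [pscustomobject]@{
        Key     = $i.Path
        Value   = $i.Name
        Data    = $actual   # for the Run entry this is the command started at logon
        # The Run entry counts on presence alone; policy values must also
        # carry the data reported on this page.
        Matches = ($null -eq $i.Data) -or ($actual -eq $i.Data)
    }
}

$hits = @($findings | Where-Object { $_.Matches })
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize -Wrap
    # The three policy values are ordinary Windows policy settings that an
    # administrator can also set; the Run entry alongside them is the
    # stronger signal.
    Write-Output ("{0} of {1} listed values present with matching data." -f $hits.Count, $indicators.Count)
    exit 1
}

Write-Output 'None of the listed Registry values are present with matching data.'
exit 0
```

The non-zero exit code lets the script be used as a pass/fail check when run across several machines.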
