Bugsalert.com
Security News about Viruses, Spyware,
Trojans, Malware, XSS attacks.

WORM_RONTKBR.D


This worm propagates by sending a copy of itself as an attachment to email messages using its own Simple Mail Transfer Protocol (SMTP) engine. The email it sends out has the following details:

Subject: {blank}

Attachment: Kangen.exe
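A mail-gateway check for the message traits listed above (blank subject, attachment named Kangen.exe), given as an added example rather than code from the original advisory. The function names, reason labels, the executable-extension list and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy

WORM_ATTACHMENT = "kangen.exe"                      # attachment name from the advisory
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")  # assumption: local block list

def attachment_names(msg):
    """Lower-cased base names of every MIME part that declares a filename."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()  # decodes RFC 2231 / encoded-word names
        if fname:
            # Drop any path prefix so "x/Kangen.exe" still matches.
            names.append(re.split(r"[\\/]", fname.strip())[-1].lower())
    return names

def inspect_message(raw: bytes) -> list:
    """Return the reasons a raw message matches the advisory's description."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg["Subject"]
    # Assumption: a missing Subject header is treated like an empty one.
    blank_subject = subject is None or not str(subject).strip()
    names = attachment_names(msg)
    reasons = []
    if WORM_ATTACHMENT in names:
        reasons.append("attachment-name:Kangen.exe")
    if blank_subject and any(n.endswith(EXECUTABLE_EXTS) for n in names):
        reasons.append("blank-subject+executable-attachment")
    return reasons

def sample(subject_line: str, filename: str) -> bytes:
    """Constructed test message (not captured traffic) with one attachment."""
    return (
        "From: sender@example.com\r\nTo: user@example.com\r\n" + subject_line +
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\n\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        "cGxhY2Vob2xkZXI=\r\n--b1--\r\n"  # base64 of the word "placeholder"
    ).encode("ascii")

if __name__ == "__main__":
    for subj, name in [("Subject: \r\n", "Kangen.exe"),
                       ("Subject: Q3 report\r\n", "report.pdf")]:
        print(repr(subj), name, inspect_message(sample(subj, name)))
```

The name match alone is easy for a variant to evade, so the second rule keys on the blank subject combined with any executable attachment.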

It gathers target email addresses by searching the affected system for files with specific extension names, such as DOC, HTML, PHP, TXT, and XLS. However, it avoids sending email messages to addresses that contain particular substrings, most of which are related to certain antivirus and security companies. It does this to prevent its early detection on the compromised system.

It also uses a Windows folder icon in an attempt to trick users into opening the attachment, which executes the worm. Upon execution, it opens the My Documents folder to hide its process.

This worm employs different techniques to make itself almost invisible on the affected system. One of these techniques is disabling the Registry Editor, which makes the worm harder for the affected user to detect. Another is hiding file extension names and files with certain attributes to cover its tracks.

Furthermore, it terminates running processes on the system that contain specific strings.




Original Source: http://feeds.trendmicro.com/~r/MalwareTop10/~3/186333646/default5.asp
