Bugsalert.com
Security News about Viruses, Spyware,
Trojans, Malware, XSS attacks.

WORM_RONTOKBRO.D


This memory-resident worm propagates by attaching a copy of itself to email messages. It gathers target email addresses by searching an affected system for files with certain extensions.

The following are the details of the email message it sends:

Subject: {blank}
Attachment: Kangen.exe

The attached file uses an icon identical to the Windows Explorer icon. This makes it more likely to be opened, because it tricks users into thinking that they are viewing a legitimate application.

It drops several copies of itself into various folder locations on the affected system. Also, it causes the affected system to pause on startup, requiring the user to press any key to resume.

In addition, this worm disables the Folder Options item in the Tools drop-down menu on the main menu bar of Windows Explorer and Control Panel. This prevents the affected user from changing settings such as displaying hidden folders and displaying file paths in title bars. It also disables the command prompt and Registry Editor by modifying the system registry.

As part of its malicious routines, this worm creates a task using Microsoft Job Scheduler to execute itself on a scheduled basis. It also overwrites the HOSTS file into an .HTML file.

Furthermore, it restarts the affected system if it finds an open window with the strings .EXE or Registry in the title bar. Hence, if a user opens Registry Editor, or any other executable file, this worm restarts the system. This can result in a loss of unsaved data.
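The following read-only PowerShell triage script is an added example, not part of the original advisory. It checks a host for the system changes described above. The advisory does not name the registry values involved, so the script assumes the standard Windows policy values that produce those effects; it also assumes the HOSTS change leaves HTML markup in the file and that scheduled jobs appear as legacy .job files. The function names are hypothetical.

```powershell
# Added triage example, not from the original advisory. Read-only: it reports and changes nothing.
# Assumption: these are the standard Windows policy values that produce the described
# effects; the advisory does not name the values the worm writes.
$PolicyChecks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Effect = 'Folder Options hidden' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Effect = 'Registry Editor disabled' }
    @{ Key = 'Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Effect = 'Command prompt disabled' }
)

function New-Finding($Indicator, $Location, $Value) {
    [pscustomobject]@{ Indicator = $Indicator; Location = $Location; Value = $Value }
}

# Report any of the policy values that is present and non-zero, per user and per machine.
function Get-PolicyFindings {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($check in $PolicyChecks) {
            $path = "$hive\$($check.Key)"
            $prop = Get-ItemProperty -Path $path -Name $check.Name -ErrorAction SilentlyContinue
            if ($prop -and $prop.($check.Name) -ne 0) {
                New-Finding $check.Effect "$path\$($check.Name)" $prop.($check.Name)
            }
        }
    }
}

# Assumption: an overwritten HOSTS file contains HTML tags, which a normal one never does.
function Get-HostsFinding {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $text = Get-Content -Path $hosts -Raw -ErrorAction SilentlyContinue
    if ($text -match '(?i)<\s*(html|head|body|script)\b') {
        New-Finding 'HOSTS file contains HTML markup' $hosts 'HTML tags found'
    }
}

# Legacy scheduler jobs live as .job files; list them for manual review of their targets.
function Get-JobFindings {
    $tasks = Join-Path $env:SystemRoot 'Tasks'
    Get-ChildItem -Path $tasks -Filter '*.job' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        New-Finding 'Scheduled job to review' $_.FullName $_.LastWriteTime
    }
}

$findings = @(Get-PolicyFindings) + @(Get-HostsFinding) + @(Get-JobFindings)
if ($findings.Count -eq 0) {
    'No indicators from the advisory were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A listed .job file is not proof of infection; it is a prompt to inspect what the job runs.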




Original Source: http://feeds.trendmicro.com/~r/MalwareTop10/~3/164244881/default5.asp
