Bugsalert.com
Security News about Viruses, Spyware,
Trojans, Malware, XSS attacks.

WORM_RONTOKBRO.K

Similar to other variants of WORM_RONTOKBRO, this worm propagates as an attachment to email messages. It sends itself to email addresses it harvests from the local drives of an affected system. The email message it sends out has the following details:

Subject: (blank)

Message body:

-- Hentikan kebobrokan di negeri ini --
1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")

2. Stop Free Sex, Aborsi, & Prostitusi
( Go To HELL )

3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.

4. SAY NO TO DRUGS !!!

YIfpqElpq taskkill /f /im -- KIAMAT SUDAH DEKAT --

Terinspirasi oleh:
Elang Brontok (Spizaetus Cirrhatus) yang hampir punah

-- JowoBot #VM Community --
!!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!

Attachment: (any of the following)

• CCAPPS.EXE
• JANGAN DIBUKA.EXE
• KANGEN.EXE
• MY HEART.EXE
• MYHEART.EXE
• SYSLOVE.EXE
• UNTUKMU.EXE
• WINWORD.EXE

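As an added example (not part of the original advisory), the Python script below checks a raw email message against the indicators listed above: a blank subject, the attachment names, and distinctive fragments of the message body. The sample message it builds is constructed here for the demonstration; its attachment bytes are a placeholder, not the worm.

```python
"""Triage an email message against the WORM_RONTOKBRO.K indicators above.

The attachment names and message-body fragments come from the advisory;
the sample message built at the bottom is constructed for demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

# Attachment names the advisory lists (compared case-insensitively).
RONTOKBRO_ATTACHMENTS = {
    "CCAPPS.EXE", "JANGAN DIBUKA.EXE", "KANGEN.EXE", "MY HEART.EXE",
    "MYHEART.EXE", "SYSLOVE.EXE", "UNTUKMU.EXE", "WINWORD.EXE",
}

# Distinctive fragments of the worm's message body, from the advisory.
RONTOKBRO_BODY_MARKERS = (
    "Hentikan kebobrokan di negeri ini",
    "JowoBot #VM Community",
    "KIAMAT SUDAH DEKAT",
)


def triage_message(raw: bytes) -> dict:
    """Return the indicators found in a raw RFC 822 message.

    Keys: 'blank_subject', 'attachments' (matching names), 'body_markers'
    (matching fragments) and 'verdict' (True when the message looks like
    a RONTOKBRO.K propagation mail).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject") or "").strip()

    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().upper()
        if name in RONTOKBRO_ATTACHMENTS:
            hits.append(name)

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    markers = [m for m in RONTOKBRO_BODY_MARKERS if m in body]

    # A listed .exe together with the worm's text or a blank subject is a
    # strong match; a blank subject alone is too common to act on.
    verdict = bool(hits) and (bool(markers) or subject == "")
    return {
        "blank_subject": subject == "",
        "attachments": hits,
        "body_markers": markers,
        "verdict": verdict,
    }


def build_sample_message() -> bytes:
    """Constructed sample resembling the propagation mail (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.test"
    msg["To"] = "harvested@example.test"
    msg["Subject"] = ""
    msg.set_content(
        "-- Hentikan kebobrokan di negeri ini --\n"
        "4. SAY NO TO DRUGS !!!\n"
        "-- JowoBot #VM Community --\n"
    )
    # Placeholder payload bytes; on a real infection this would be the worm.
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="Kangen.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

To run it over stored mail, pass the bytes of each .eml file to triage_message; the verdict deliberately requires a listed attachment name, since the blank subject and the Indonesian text on their own would match legitimate mail too often.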
Upon execution, it drops a copy of itself using different file names in different locations. The file name it uses and the folder where it drops a copy of itself vary depending on the operating system of the affected machine.

It removes the Folder Options menu entry, and disables the Registry Editor and the command prompt. It also hides files and file extensions. It performs these actions by modifying the affected system's registry.
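
The registry changes described above can be audited from an exported .reg file. The Python below is an added example and not from the advisory; the value names it checks (NoFolderOptions, DisableRegistryTools, DisableCMD, Hidden, HideFileExt) are standard Windows policy and Explorer settings, but the advisory does not say which values this worm modifies, so treating them as the worm's targets is an assumption. The export text is constructed for the demonstration.

```python
"""Audit an exported Windows registry file (.reg) for the kind of tampering
the advisory describes: Folder Options removed, Registry Editor and command
prompt disabled, hidden files and file extensions hidden.

The value names below are standard Windows policy/Explorer values; the
advisory does not name which ones the worm sets, so using them as the
worm's targets is an assumption. The .reg text at the bottom is constructed
for demonstration, not an export from an infected host.
"""
import re

# (key, value name, values that indicate the lockdown, what it means)
LOCKDOWN_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoFolderOptions", (1,), "Folder Options removed from Explorer"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", (1,), "Registry Editor disabled"),
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System",
     "DisableCMD", (1, 2), "Command prompt disabled"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden", (2,), "Hidden files not shown"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "HideFileExt", (1,), "File extensions hidden"),
]

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax used for DWORD and string values.

    Returns {key: {value_name: value}} with DWORDs as int and strings as str.
    Lines that are not key headers or simple values are ignored.
    """
    keys: dict = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith("dword:"):
                keys[current][m.group("name")] = int(data[len("dword:"):], 16)
            elif data.startswith('"') and data.endswith('"'):
                keys[current][m.group("name")] = data[1:-1]
    return keys


def audit_lockdown(reg: dict) -> list:
    """Return (key, value name, meaning) for each indicator present with a
    lockdown value; absent or benign values produce no finding."""
    # Exports may spell hive paths in different case (SOFTWARE vs Software).
    lookup = {k.lower(): v for k, v in reg.items()}
    findings = []
    for key, name, bad_values, meaning in LOCKDOWN_INDICATORS:
        if lookup.get(key.lower(), {}).get(name) in bad_values:
            findings.append((key, name, meaning))
    return findings


# Constructed export: Registry Editor disabled and extensions hidden,
# but Folder Options, cmd.exe and hidden-file display untouched.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000001
"""


if __name__ == "__main__":
    for key, name, meaning in audit_lockdown(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{meaning}: {key}\\{name}")
```

Each finding names the exact key and value to inspect and restore; checking a saved export rather than the live hive keeps the audit usable on a host where the Registry Editor itself has already been disabled.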

Its dropped copies use the Windows folder icon to trick users into thinking that the file is a legitimate folder. It also opens a Windows Explorer window upon execution to conceal its malicious routines.

In addition, this worm restarts the system when it detects certain strings in an active window's title bar.

Furthermore, it launches PING attacks against certain Web sites.

Original Source: http://feeds.trendmicro.com/~r/MalwareTop10/~3/376279618/default5.asp
