WORM_RONTOKBRO.R

This worm spreads as an attachment to email messages. The email message it sends out has the following details:

Subject: (blank)

Attachment: (any of the following)

• CINTA.EXE
• DATA-TEMEN.EXE
• HATI.EXE
• JANGKARU.EXE
• KANGEN.EXE
• PATAH.EXE
• RIYANI.EXE
• UNTUKMU.EXE

It gathers target email addresses by searching for files with certain extensions.

Upon execution, this memory-resident worm drops copies of itself in different folders using different file names. It uses a Windows folder icon to trick users into thinking that it is a valid folder.

It modifies the affected system's registry to disable services such as command prompt, Registry Editor, and removal of the Folder Options from the drop-down menu of Windows Explorer. It also hides files and extension names.

On Windows ME systems, this worm causes the affected system to pause during startup.

It also restarts the affected system upon detection of an active window containing certain strings on the title bar.

Related Items