Saturday, March 20, 2010

Rontokbro As Brontok Worm

A mass-mailing email worm that also spreads through USB and thumb drives, the Rontokbro worm - also known as Brontok - takes numerous approaches to resist detection and removal. Rontokbro / Brontok modifies the HOSTS file to block access to antivirus vendor sites, thereby preventing access to signature updates and online scanners. It may also disable anti-virus and other security software running on the system, as well as block access to Registry Editor and other system tools needed to attempt manual removal of the worm.

First discovered in late September 2005, as of March 2006 over 20 variants of the Rontokbro / Brontok worm had been discovered. The worm executable often adopts either the Microsoft Word icon or the folder icon. Copies of the worm also often adopt the same name as the folder in which they were dropped. For instance, if Rontokbro / Brontok copied itself to a folder named "New Folder", it would do so using the filename "New Folder". Because Windows hides file extensions for known file types by default, and the worm may use a folder icon, the infected file will sometimes be mistaken for a nested new folder. Moreover, the worm typically modifies the Registry to cause the Folder Options menu item to disappear from the Windows Explorer Tools menu, so the user cannot simply turn extension display back on.
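The HOSTS-file tampering described above leaves a simple artifact to check for: security vendor hostnames pinned to a loopback or unspecified address. The script below is an added example written for this post, not code from the original article or from any vendor write-up. It parses HOSTS text, skips the entries that legitimately point at loopback, and flags every other name sinkholed to 127.0.0.1, ::1 or 0.0.0.0, with a stronger flag when the name matches a security-vendor keyword. The sample HOSTS content and the keyword list are constructed for the example; the keyword list is an assumption to tune for your environment.

```python
import ipaddress
import os

# Constructed sample HOSTS file, modelled on the kind of tampering the
# post describes: normal localhost entries plus security-vendor names
# pinned to loopback so update servers cannot be reached. Not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed for the example
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.kaspersky.com
0.0.0.0   update.example-av.test
127.0.0.1 intranet.corp.example   # legitimate local override
"""

# Names that are normal to see pointing at loopback.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Assumption: substrings typical of the vendor/update hosts a HOSTS hijack
# targets. Extend for the products actually deployed on the host.
SECURITY_VENDOR_KEYWORDS = (
    "symantec", "kaspersky", "mcafee", "trendmicro", "sophos",
    "avast", "microsoft", "windowsupdate", "-av",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS text.
    Comments (#) and blank lines are skipped; one line may list several names."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, nothing to map
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), line_no


def is_sinkhole_address(ip):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_suspicious_entries(text):
    """Return findings as (line_no, ip, hostname, reason) tuples."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in BENIGN_LOOPBACK_NAMES or not is_sinkhole_address(ip):
            continue
        if any(k in name for k in SECURITY_VENDOR_KEYWORDS):
            findings.append((line_no, ip, name, "security vendor name sinkholed"))
        else:
            findings.append((line_no, ip, name, "non-local name sinkholed (review)"))
    return findings


def read_windows_hosts():
    """Read the live HOSTS file on a Windows host (path is the standard one)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_windows_hosts()
    # to inspect a real machine.
    for line_no, ip, name, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {name}: {reason}")
```

On the sample this reports four vendor-name sinkholes and one generic entry for review; a clean HOSTS file containing only the localhost lines yields nothing. Pairing this with a check that the `NoFolderOptions` Explorer policy value is absent gives a quick triage pass for the two artifacts the post describes.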

