Saturday, April 08, 2006

After Action Report - W32.Rontokbro.Z@mm

Symptoms: Subject complained of the computer shutting itself down.

In most situations, an auto restart on Windows XP is caused by the 'Restart after failure' option being checked in the error settings of My Computer. This was found to be the case here, and it was left enabled for simplicity, as the subject does not know the Three Finger Salute.

The possibility that the root of the problem is a virus infection is very high, as the Rontokbro virus is spreading across Malaysian universities and campuses. This virus blocks any attempt to clean it (except in Safe Mode) and lowers the overall security settings. It copies itself onto thumb drives as well.

My first attempt to clean up the virus was to use the pre-installed Trend PC-cillin, only to find that its virus definition file had never been updated, as the copy of the anti-virus was illegal. I then uninstalled it and put AVG Anti-Virus in its place. The virus must have detected the process, because as I attempted to update the definition file (for AVG), the computer restarted.

Instead of starting up normally, I went into Safe Mode, only to find that the update had not completed. Hoping for the best, I restarted the computer in normal mode. The update went well, and then I restarted the computer yet again to run the clean-up in Safe Mode, as the virus masquerades as important Windows processes.

On its first run, AVG detected 28 viruses, of which none were healed and 21 were deleted. Since several files could have escaped detection during the first run, I restarted Windows and entered Safe Mode again. This round, 16 viruses were found and 12 healed. Attempts to access msconfig and regedit failed because the virus had locked both applications.

I started the Microsoft System Recovery Console and deleted several of the virus's known files. This opened the door to cleaning the system further. I downloaded regtmcmdrestore.vbs and showhiddenfiles.vbs. These unlocked msconfig and regedit, and I was able to neutralise the virus further. The worst part was the registry editing, since I basically had to navigate through a lot of stuff to get to the correct registry keys.

I ran a sixth scan, and I am pleased to say that the number of infected files had dwindled to two. Both were deleted. Afterwards, I logged into normal mode and ran another scan. No more anomalies were detected. The system is clean.

I re-enabled System Restore and made a restore point. I left AVG Anti-Virus and Spybot Search & Destroy in place to ward off any further attempts, hopefully.

Infected files and the virus's own files (may vary according to the computer and the infected users):
C:\Documents and Settings\Administrator\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\inetinfo.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\services.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\smss.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Empty.pif
C:\Documents and Settings\Administrator\Templates\
C:\Documents and Settings\NetworkService\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\inetinfo.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\services.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\smss.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\NetworkService\Start Menu\Programs\Startup\Empty.pif
C:\WINDOWS\system32\Administrator's Setting.scr
C:\WINDOWS\system32\System's Setting.scr
C:\WINDOWS\system32\user's Setting.scr
F:\Data USER.exe
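The paths above share one pattern: copies of the worm named after core Windows processes (csrss.exe, lsass.exe, winlogon.exe and so on) but dropped under Local Settings\Application Data rather than System32, an Empty.pif in the per-user Startup folder, and "<account>'s Setting.scr" files in System32. As an added example (not from the original post), the Python check below flags paths that fit those patterns; the process-name list, the "legitimate directory" set and the sample paths are constructed from the list above, and the inetsrv location for the genuine inetinfo.exe is an assumption about a default Windows XP/IIS layout.

```python
import ntpath

# Core Windows process names the worm imitated (taken from the paths above).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "inetinfo.exe", "lsass.exe",
                        "services.exe", "smss.exe", "winlogon.exe"}
# Where the genuine binaries live on Windows XP (assumed default layout).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\system32\inetsrv"}
# Executable-type extensions that are rarely legitimate in a Startup folder.
STARTUP_EXTS = {".pif", ".scr", ".exe", ".com", ".bat"}


def classify_path(path: str) -> str:
    """Verdict for one path: 'masquerade', 'startup', 'screensaver' or 'ok'."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower(), name.lower()
    # A core process name outside System32 is the worm's main trick.
    if name in SYSTEM_PROCESS_NAMES and directory not in LEGIT_DIRS:
        return "masquerade"
    # Empty.pif in the per-user Startup folder gives the worm its autostart.
    if ("\\start menu\\programs\\startup" in directory
            and ntpath.splitext(name)[1] in STARTUP_EXTS):
        return "startup"
    # The "<account>'s Setting.scr" files were placed directly in System32.
    if directory == r"c:\windows\system32" and name.endswith("'s setting.scr"):
        return "screensaver"
    return "ok"


def triage(paths: list[str]) -> dict[str, list[str]]:
    """Group suspicious paths by verdict; clean paths are left out."""
    report: dict[str, list[str]] = {}
    for p in paths:
        verdict = classify_path(p)
        if verdict != "ok":
            report.setdefault(verdict, []).append(p)
    return report


# Constructed sample: four paths from the report plus two genuine binaries.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Administrator\Local Settings\Application Data\csrss.exe",
    r"C:\Documents and Settings\NetworkService\Local Settings\Application Data\lsass.exe",
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Empty.pif",
    r"C:\WINDOWS\system32\Administrator's Setting.scr",
    r"C:\WINDOWS\system32\csrss.exe",             # genuine, must stay 'ok'
    r"C:\WINDOWS\system32\inetsrv\inetinfo.exe",  # genuine IIS binary
]

if __name__ == "__main__":
    for verdict, hits in sorted(triage(SAMPLE_PATHS).items()):
        print(f"{verdict}: {hits}")
```

The same check can be fed the output of a directory walk over the user profiles and System32 to spot a re-infection after cleaning.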

1 comment:

fred said...

duh... UMS got hit hard by that Brontok and it has already evolved into something more dangerous... and some freaking people are getting some money by cleaning it...

The problem starts when some of the network users don't freaking care to update their definitions... my laptop was almost infected, but my Norton warned me and I unplugged from the network ASAP... saved me the problem...

now my room is banned from unknown pen drives ;)

what a trouble....