According to warnings from security experts at Misoft and Trend Micro, network systems in Vietnam are currently infected with two types of worms: WORM_RONTOKBRO.B and WORM_RBOT.AZM.
Below, we provide information on these two types of viruses to help you protect your computers and network systems.
The WORM_RONTOKBRO.B worm is considered highly dangerous. It has a high infection rate and infects operating systems: Windows 95, 98, ME, NT, 2000, XP, and Server 2003. It spreads by sending a copy of itself in an email attachment. The infected file uses the Microsoft folder icon to trick users into opening it, allowing the worm to launch attacks. Quite sophisticated, it also opens a Windows Explorer window to hide the processes it executes on the victim’s computer. The worm drops multiple copies of itself into folders with different names. On infected machines running Windows 2000, XP, and Server 2003, it drops a copy into a hard-coded encrypted path under the User Profile folder, then creates a folder within that path.
Symptoms of WORM_RONTOKBRO.B Infection
This worm will restart the victim’s computer when it detects phrases like “.EXE” and “REGISTRY” in the title bar of any window. WORM_RONTOKBRO.B inserts a PAUSE command into the AUTOEXEC.BAT file (in drive C:), causing infected machines running Windows 95, 98, and ME to halt during the boot process, forcing users to press any key to start Windows. Meanwhile, the worm also alters the Registry values, causing the Folder Options entry to disappear from all Windows Explorer and Control Panel menus, preventing users from opening the Folder Options dialog. Notably, WORM_RONTOKBRO.B disables the Registry, preventing users from opening the Registry window to change values that the worm has inserted.
Manual Removal Steps
Step 1: Boot into Safe Mode
» On Windows 95
1. Restart your computer.
2. Press F8 on the Starting Windows 95 screen.
3. Select Safe Mode from the Windows 95 Startup Menu and then press Enter.
» On Windows 98 and ME
1. Restart your computer.
2. Hold down the CTRL key until the startup menu appears.
3. Select Safe Mode then press Enter.
» On Windows NT (VGA mode)
1. Click Start > Settings > Control Panel.
2. Double-click the System icon.
3. Click on the Startup/Shutdown tab.
4. Set the Show List field to 10 seconds and click OK to save this change.
5. Turn off the computer and restart.
6. Choose VGA mode from the startup menu.
» On Windows 2000
1. Restart your computer.
2. Press F8 until you see the Starting Windows bar at the bottom of the screen.
3. Select Safe Mode from the Windows Advanced Options Menu and then press Enter.
» On Windows XP
1. Restart your computer.
2. Press F8 after the Power-On Self Test (POST) completes. If the Windows Advanced Options Menu doesn’t appear, try restarting and pressing F8 multiple times after the POST screen.
3. Select Safe Mode from the Windows Advanced Options Menu and then press Enter.
Step 2: Remove traces affecting the boot process in the Registry.
1. Open the Registry Editor.
Click Start > Run, type Regedit, and press Enter.
2. In the left pane, double-click to select the following path:
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run
3. In the right pane, find and delete the entry:
• For Windows ME, 2000, XP & Server 2003:
Bron-Spizaetus = “%Windows%\INF\norBtok.exe”
• For Windows 98 & NT:
Bron-Spizaetus = “INF\norBtok.exe”
(Note: %Windows% is the default path to the Windows folder, usually C:\Windows or C:\WINNT.)
4. In the left pane, double-click to select the following path:
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
5. In the right pane, find and delete the entry:
• For Windows 2000, XP & Server 2003:
Tok-Cirrhatus = “%UserProfile%\Application Data\smss.exe”
• For Windows ME:
Tok-Cirrhatus = “%Windows%\Application Data\smss.exe”
Step 3: Remove traces of the worm from the Registry
1. Still in the Registry window, in the left pane, double-click to select the following path:
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer
2. In the right pane, find and delete the entry:
NoFolderOptions = “dword:00000001”
3. In the left pane, double-click to select the following path:
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > System
4. In the right pane, find and delete the entry:
DisableRegistryTools = “dword:00000001”
5. Close the Registry window.
Step 4: Restore the AUTOEXEC.BAT file
1. Open the AUTOEXEC.BAT file with Notepad. Click Start > Run, type:
notepad c:\autoexec.bat
2. Press Enter.
3. Delete the following value:
pause
4. Close the AUTOEXEC.BAT file.
5. Click Yes to save changes.
Note: For systems running Windows XP/ME, disable the System Restore feature.
About WORM_RBOT.AZM
The WORM_RBOT.AZM worm has a high infection rate. It infects operating systems: Windows 95, 98, ME, NT, 2000, XP, and Server 2003. The worm spreads over network shares. It drops copies of itself into the default administrative shares:
• ADMIN$\system32
• C$\Windows\system32
• C$\WINNT\system32
If a share is password protected, the worm tries a list of predefined user names and passwords to gain access. Even more dangerously, it exploits vulnerabilities to spread its copies across the network:
• LSASS Vulnerability
• RPC/DCOM Vulnerability
Additionally, this type of worm can steal Windows IDs from the victim’s computer and CD keys from many popular games like FIFA, Command and Conquer, James Bond 007, Half-Life, etc., if they are installed on the infected machine.
Manual Removal Steps
Step 1: Identify and stop the worm’s processes:
Stop the worm’s processes
1. Open Windows Task Manager.
» On Windows 95, 98, and ME, press
CTRL+ALT+DELETE
» On Windows NT, 2000, 2003 and XP, press
CTRL+SHIFT+ESC, then click on Processes.
2. In the list of running programs, select the process scrtkfg.exe and click End Task or End Process, depending on the Windows version.
3. To check if the virus programs have stopped, close Task Manager, then open it again.
4. Close Task Manager.
Step 2: Remove traces affecting the boot process in the Registry.
1. Open the Registry Editor.
Click Start > Run, type Regedit, and press Enter.
2. In the left pane, double-click to select the following path:
HKEY_CURRENT_USER > Software > Microsoft > OLE
3. In the right pane, find and delete the entry:
System CSRSS Patch = “scrtkfg.exe”
4. In the left pane, double-click to select the following path:
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
5. In the right pane, find and delete the entry:
System CSRSS Patch = “scrtkfg.exe”
6. In the left pane, double-click to select the following path:
HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > RunServices
7. In the right pane, find and delete the entry:
System CSRSS Patch = “scrtkfg.exe”
8. Close the Registry window.
Step 3: Restore the values changed by the worm in the Registry
1. Still in the Registry window, in the left pane, double-click to select the following path:
HKEY_LOCAL_MACHINE > Software > Microsoft > OLE
2. In the right pane, right-click on EnableDCOM and select Modify.
3. In the left pane, double-click to select the following path:
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
4. In the text box under Value Data, type Y.
5. Close the Registry window.
Note: For systems running Windows XP/ME, disable the System Restore feature.
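As an added example (not part of the original article), the following Python script checks a regedit .reg export and the contents of AUTOEXEC.BAT for the registry entries and the PAUSE line named in both removal procedures above, so the findings can be confirmed before anything is edited by hand. The sample export and AUTOEXEC.BAT at the bottom are constructed for the demonstration, not captured from a real infection.

```python
INDICATORS = [  # (key path, value name, meaning), taken from the removal steps above
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Bron-Spizaetus", "RONTOKBRO.B autostart"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Tok-Cirrhatus", "RONTOKBRO.B autostart"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "Folder Options hidden"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "Registry Editor disabled"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\OLE", "System CSRSS Patch", "RBOT.AZM autostart"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "System CSRSS Patch", "RBOT.AZM autostart"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "System CSRSS Patch", "RBOT.AZM autostart"),
]
DCOM_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\OLE"  # RBOT.AZM step 3: EnableDCOM must read "Y"

def parse_reg(text):
    # Minimal .reg parser: {key path (lowercased, paths are case-insensitive): {value name: raw data}}
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data
    return keys

def find_indicators(reg_text, autoexec_text=""):
    # Returns one (location, value name, raw data, meaning) tuple per indicator present
    keys, found = parse_reg(reg_text), []
    for path, name, meaning in INDICATORS:
        data = keys.get(path.lower(), {}).get(name)
        if data is not None:
            found.append((path, name, data, meaning))
    dcom = keys.get(DCOM_KEY.lower(), {}).get("EnableDCOM")
    if dcom is not None and dcom != '"Y"':
        found.append((DCOM_KEY, "EnableDCOM", dcom, "DCOM disabled by RBOT.AZM"))
    # RONTOKBRO.B step 4: a bare PAUSE line halts the Windows 95/98/ME boot
    for line in autoexec_text.splitlines():
        if line.strip().lower() == "pause":
            found.append(("C:\\AUTOEXEC.BAT", "pause", line.strip(), "boot halted by RONTOKBRO.B"))
    return found

# Constructed sample export and AUTOEXEC.BAT (not from a real infection)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="%Windows%\\INF\\norBtok.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="N"
'''
SAMPLE_AUTOEXEC = "@ECHO OFF\npause\nSET PATH=C:\\WINDOWS\n"
if __name__ == "__main__": print(find_indicators(SAMPLE_REG, SAMPLE_AUTOEXEC))
```

Export the keys with `regedit /e` from Safe Mode and feed the file to `find_indicators`; every tuple it returns maps to one of the delete-or-restore steps above.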
If you do not have any Trend Micro antivirus software, you can visit http://housecall.trendmicro.com/ to download it.
L.Quang