Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 7/14/2007
Date Added: 7/14/2007
Origin: N/A
Length: 49,152 bytes
Type: Virus
SubType: Worm
DAT Required: 4986
Virus Characteristics
This variant of the W32/Rontokbro family will copy itself to the following directories, using the following names:
C:\Documents and Settings\[USERNAME]\My Documents\Keuangan.exe
C:\Documents and Settings\[USERNAME]\Start Menu\Programs\Startup\Data Uang.exe
C:\Documents and Settings\[USERNAME]\Start Menu\Programs\Startup\Excel Optimise.exe
C:\WINDOWS\system\System32.exe
C:\WINDOWS\system32\Isassi.exe
All of the above-mentioned files will have a Microsoft Excel icon associated with them. This trojan will also hide all Microsoft Excel files on the C:\ drive with the command:
attrib +h +s +r C:\*.xls /s
Other generic characteristics of W32/Rontokbro are described at:
http://vil.nai.com/vil/content/v_136318.htm
Indications of Infection
The Excel files will not be visible in a normal Explorer environment or at the command prompt. Additionally, some executable files with the Excel icon will be seen in some directories.
Other generic characteristics of W32/Rontokbro are described at:
http://vil.nai.com/vil/content/v_136318.htm
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
Removal Instructions
To make your Excel files visible again, the following command can be issued at the command prompt:
attrib -h -s -r C:\*.xls /s
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
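Before running the attrib command, the file names and attribute change described above can be checked for on a live system or a mounted disk image. The PowerShell script below is an added example, not McAfee tooling; the $DriveRoot parameter and variable names are assumptions, and the size comparison is only a hint based on the length given in this description.

```powershell
# Added triage example (not vendor code). Paths and size come from this description.
param(
    [string]$DriveRoot = 'C:\'   # assumption: root of the live system or mounted image
)

# Per-user drop locations, relative to each profile directory.
$perUser = @(
    'My Documents\Keuangan.exe',
    'Start Menu\Programs\Startup\Data Uang.exe',
    'Start Menu\Programs\Startup\Excel Optimise.exe'
)
# System-wide drop locations, relative to the drive root.
$systemWide = @(
    'WINDOWS\system\System32.exe',
    'WINDOWS\system32\Isassi.exe'
)

# Expand [USERNAME] by walking every profile directory that exists.
$candidates = @()
$profilesRoot = Join-Path $DriveRoot 'Documents and Settings'
if (Test-Path -LiteralPath $profilesRoot) {
    $userDirs = Get-ChildItem -LiteralPath $profilesRoot -Force | Where-Object { $_.PSIsContainer }
    foreach ($userDir in $userDirs) {
        foreach ($rel in $perUser) { $candidates += Join-Path $userDir.FullName $rel }
    }
}
foreach ($rel in $systemWide) { $candidates += Join-Path $DriveRoot $rel }

# Report each listed path that is present; 49152 is the length given in the description.
$dropped = foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        New-Object PSObject -Property @{
            Path = $item.FullName; Length = $item.Length; SizeMatches = ($item.Length -eq 49152)
        }
    }
}

# Files matched by *.xls that carry all three attributes set by "attrib +h +s +r".
$mask = [int][IO.FileAttributes]'Hidden, System, ReadOnly'
$hiddenXls = Get-ChildItem -Path $DriveRoot -Filter *.xls -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and (([int]$_.Attributes -band $mask) -eq $mask) }

$dropped   | Format-Table Path, Length, SizeMatches -AutoSize
$hiddenXls | Select-Object FullName, Attributes | Format-Table -AutoSize
```

Hits in the first table are files to submit for scanning; the second table lists the spreadsheets that the attrib -h -s -r command will restore.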
McAfee