Two computer worms spread dangerously in Vietnam

According to the warning of security experts of Misoft Company, Trendmicro, network systems in Vietnam are infected with two types of WORM_RONTOKBRO.B and WORM_RBOT.AZM.

Here we provide information about these two viruses for you to prevent your computer and network.

The worm WORM_RONTOKBRO.B is rated to be of a high degree of danger. High infection rate, infects the operating system: Windows 95, 98, ME, NT, 2000, XP, Server 2003. Spread method: send a copy of it in the email attachment. File contains worms using Microsoft's Folder Icon to deceive users into opening it and deep conducting attacks. Quite sophisticated, the worm also opens the Windows Explorer window to hide the processes it performs on the victim's computer. The worm releases lots of copies of it on folders with different names. On infectious machines running Windows 2000, XP, and Server 2003, the worm drops the copy to the hard-coded path below the User Profile folder. Then create a folder in this path.

The phenomenon of computer infection worm WORM_RONTOKBRO.B

This worm will restart the victim's computer when the title bar of the window has the words ".EXE" and "REGISTRY". WORM_RONTOKBRO.B insert PAUSE command into AUTOEXEC.BAT file (in C drive :), causing infected machines running Windows 95, 98, and ME to be paused during boot process, forcing users to press a real key period to start Windows. At the same time, the worm also changes the Registry value, losing the Folder Options entry on the menu of all Windows Explorer and Control Panel windows. Therefore, users cannot open the Folder Options dialog box. More specifically, WORM_RONTOKBRO.B disables Registry, making it impossible for users to open the Registry to change the values ​​that the worm has added.

Manual removal solution

Step 1: Start in Safe Mode
»On Windows 95
1. Restart the computer.
2. Press F8 in the Starting Windows 95 screen.
3. Select Safe Mode from Windows 95 Startup Menu then press Enter.

»On Windows 98 and ME
1. Restart the computer.
2. Press CTRL key until the startup menu appears.
3. Select Safe Mode then press Enter.

»On Windows NT (VGA mode)
1. Click Start> Settings> Control Panel.
2. Click the System icon.
3. Click on the Startup / Shutdown bar.
4. Set the Show List field to 10 seconds and click OK to save this change.
5. Turn off the computer and restart the computer.
6. Choose VGA mode from the startup menu.

»On Windows 2000
1. Restart the computer.
2. Press the F8 key until you see the Starting Windows bar at the bottom of the screen.
3. Select Safe Mode from Windows Advanced Options Menu then press Enter.

»On Windows XP
1. Restart the computer.
2. Press the F8 key after Power-On Self Test (POST) is done. If Windows Advanced Options Menu does not appear, try to restart the computer and press F8 repeatedly after the POST screen.
3. Select Safe Mode from Windows Advanced Options Menu then press Enter.

Step 2: Delete the traces that affect the process of booting the computer in the Registry.
1. Open Registry Editor.
Select Start> Run, type Regedit, press Enter.
2. On the left side of the window, double-click to select the following path:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Run
3. On the right side of the window, find and delete the entry.
• On Windows ME, 2000, XP & Server 2003:
Bron-Spizaetus = "% Windows% INFnorBtok.exe"
• On Windows 98 & NT:
Bron-Spizaetus = "INFnorBtok.exe"
(Note:% Windows% is the default path to the Windows directory, usually C: Windows or C: WINNT.)
4. On the left side of the window, double-click to select the following path:
HKEY_CURRENT_USER> Software> Microsoft> Windows> CurrentVersion> Run
5. To the right of the window, find and delete the entry:
• On Windows 2000, XP & Server 2003:
Tok-Cirrhatus = "% UserProfile% Application Datasmss.exe"
• On Windows ME:
Tok-Cirrhatus = "% Windows% Application Datasmss.exe"

Step 3: Delete traces of worms in the Registry
1. Still in the Registry window, on the left, double-click to select the following path:
HKEY_CURRENT_USER> Software> Microsoft> Windows> CurrentVersion> Policies> Explorer
2. To the right of the window, find and delete the entry:
NoFolderOptions = "dword: 00000001"
3. On the left side of the window, double-click to select the following link:
HKEY_CURRENT_USER> Software> Microsoft> Windows> CurrentVersion> Policies> System
4. To the right of the window, find and delete the entry:
DisableRegistryTools = "dword: 00000001"
5. Close the Registry window.

Step 4: Restore the AUTOEXEC.BAT file
1. Open the AUTOEXEC.BAT file in Notepad. Click Start> Run, type:
notepad c: autoexec.bat
2. Press Enter.
3. Delete the following value:
pause
4. Close the AUTOEXEC.BAT file.
5. Click Yes to record.

Note: For machines running Windows XP / ME, disable the System Restore feature.

About worm WORM_RBOT.AZM

Deep WORM_RBOT.AZM has a high infection rate. Infecting OS: Windows 95, 98, ME, NT, 2000, XP, Server 2003. Infection worm on shared network. WORM_RONTOKBRO.B drop copies and default shared folders:
• ADMIN $ system32
• C $ Windowssystem32
• C $ WINNTsystem32

If that folder has access password, deep set in the list it pre-defines user ames and passwords to try accessing again. More dangerous, WORM_RONTOKBRO.B also questions vulnerabilities to spread its copies in the network:
• LSASS Vulnerability
• RPC / DCOM Vulnerability

In addition, this worm also has the ability to steal ID of Windows on the victim's computer and CD key of many popular games such as FIFA, Command and Conquer, James Bond 007, Half-Life . if they are installed on the infected device.

Manual removal solution

Step 1: Identify and stop the operation of the worm:
Stop the operation of the worm
1. Open Windows Task Manager.
»On Windows 95, 98, and ME, press
CTRL + ALT + DELETE
»On Windows NT, 2000, 2003 and XP, press
CTRL + SHIFT + ESC, then click on Processes.
2. On the list of running programs, click the End Task button or End Process, depending on the version of Windows running with the scrtkfg.exe process.
3. To check whether the virus program has stopped, close Task Manager, then open it again.
4. Close Task Manager.

Step 2: Delete the traces that affect the process of booting the computer in the Registry.
1. Open Registry Editor.
Select Start> Run, type Regedit, press Enter.
2. On the left side of the window, double-click to select the following path:
HKEY_CURRENT_USER> Software> Microsoft> OLE
3. On the right side of the window, find and delete the entry
System CSRSS Patch = "scrtkfg.exe"
4. On the left side of the window, double-click to select the following path
HKEY_CURRENT_USER> Software> Microsoft> Windows> CurrentVersion> Run
5. To the right of the window, find and delete the entry:
System CSRSS Patch = "scrtkfg.exe"
6. On the left side of the window, double-click to select the following path
HKEY_LOCAL_MACHINE> Software> Microsoft> Windows> CurrentVersion> RunServices
7. To the right of the window, find and delete the entry:
System CSRSS Patch = "scrtkfg.exe"
8. Close the Registry window.

Step 3: Reset the deep values ​​changed in the Registry
1. Still in the Registry window, on the left, double-click to select the following path:
HKEY_LOCAL_MACHINE> Software> Microsoft> OLE
2. To the right of the window, right-click EnableDCOM and select Modify:
3. On the left side of the window, double-click to select the following link:
HKEY_CURRENT_USER> Software> Microsoft> Windows> CurrentVersion> Run
4. In the text box under Value Date, type Y:
5. Close the Registry window.

Note: For machines running Windows XP / ME, disable the System Restore feature.

If there is no antivirus software from Trend Micro, you can go to http://housecall.trendmicro.com/ to download it.

L.Quang