Re: W32.RontokBro.B@mm

On 15 May 2006 02:05:10 -0700, "Changeez" <changeez@xxxxxxxxx> wrote:

> I found W32.RontokBro.B@mm on my company's workgroup. I scanned it with
> a strong Iranian antivirus named IMEN. It removed the EXE files. Then I
> went to the registry and removed some keys and values from the registry. Then I
> installed Norton AntiVirus 2005 and updated it with the last virus
> definitions I downloaded from the Symantec web site for free. Everything is
> looking good, until I plug in the network cable.

That suggests you're being re-infected from outside the system, rather
than re-infection from inside the system (e.g. "opening" hidden email
attachments, doing a System Restore) or malware persistence.

Google( W32.RontokBro.B@mm )

Many of these give enough info to kill it...

One tactic suggests itself:

"This worm is compiled with Visual Basic. It needs the file
MSVBVM60.DLL to run properly."

What I'm looking for, but not finding, is a way the malware can
exploit the OS or email app into automatically running.

Without that, it's the user who needs to be patched, a la "Think
before you click". Effectively, the user needs to perform the Turing
Test; yes, this may be "from someone I know", but was it sent by a
human user or an anonymous machine process?

> After one or two hours Norton virus alerts appear several times.

That's a quick re-infection time if human perusal of email is the
vector - perhaps you are dealing with persistence after all, and the
av catches it only when it tries to smtp out malware email (which it
would do when online, possibly not attempted otherwise).

> hard drives. In system32 or windows\temp. It causes my
> computer to slow down, and makes me restart Windows.

Yes, it's coded to do that on a number of triggers that include many
attempts to clean it from inside the PC.

It's not an intrafile infector, may be dependent on explicit
integration via registry settings you can delete, and if it doesn't
use random file names in "busy" locations like System32, you can
probably kill it by hand as per links and your own Google.

However - shock, horror! - it may try to defend itself if you attempt
this while it's running, so do this when it is not. Safe Mode Cmd
Only may or may not be safe enough; if not, then I'd do this from a
Bart PE CDR boot - Google( Bart PE ).

> The only remaining solution is to remove and install a fresh
> copy of Windows XP.

That's not a solution.

Re-infection vectors:

1) New incoming attachments

Your email addresses are out there on infected PCs you can't reach or
clean, so you are going to get more of the same. Hopefully your email
service provider will scan your mail and trap it, but this may fail
for a number of reasons. All it takes is one successful exploit (of
either code or the human "opening" the mail) and bingo!

2) Hidden email attachments already received

Most email apps hide incoming email attachments in the mailboxes,
where your av cannot find and eradicate them. So even if your ISP
strips the attacks out of new incoming mail, your exploitable users or
code base can re-launch the malware you already have received.

As long as you preserve or restore your email data, you will have this
problem, which is why I don't recommend "just" wiping and
re-installing Windows as a "solution".

I'd do the following:

a) Upgrade your users on "safe hex" skills

Back this up with a stick; "infections will be traced back to point of
entry, and that user will be assessed as in breach of company policy" is one place to start.

b) Rename away the malware's runtime library

IF you don't have apps that require Visual Basic runtime, you can
rename away or remove MSVBVM60.DLL in the hope that this will prevent
the malware from running. But there may be side-effects!

c) Get rid of the active malware

Google( Bart PE ) as well as swot up the malware itself.

d) Manage hidden stores to prevent self-re-infection

I'd import email into Eudora, then scan the ATTACH directory where
Eudora stores all attachments as separate manageable files. I'd
repeat this for the EMBEDDED directory too. After that I'd purge the
original mail stores and carry on using Eudora instead, or I'd delete
(from mailbox then Trash) the messages that contain what was found.

I'd also make sure infected material was purged from System Restore,
then create a new clean restore point.

e) Scan and filter incoming email

I'd do this at as many points as possible, especially under your
present circumstances:
- ISP scanning of mail before you get it
- scan the mail stream as it arrives
The second is usually more hassle than it's worth, but in your case it
may be well worth the hassle :-)

If you have your own internal mail server, implement scanning there.
Many email server apps spool messages as one message per file, rather
than wadded into proprietary mailboxes; that could be a good point at
which the message can be deleted without trashing a whole mailbox.

In addition, you may be able to set your email app to delete off server
if the malware always uses a predictable subject line, or delete on
arrival if there's always unique body text.

f) Practice email address hygiene

The goal is to limit the visibility of your email address, and thus
suffer less spam and malware attack:
- use BCC: if sending to multiple recipients
- do NOT automatically add addresses to address book
- mung addresses like this; exam at in your text
- don't use "real" email address in online forums and newsgroups
- don't give email address when "registering" software etc.
- create disposable aliases for different contexts
- use an alias for "junk", amputate when busy
- filter incoming mail by address (unaddressed = BCC'd or forged)
- whitelist any elists etc. you need from the above
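As an added example (not part of the original post), here is a small Python triage routine that applies the filter rules from (e) and (f): quarantine on a known worm subject line, treat mail that names none of our own addresses in To:/Cc: as BCC'd or forged, and flag executable attachments. The worm message, addresses and subject list are constructed for the demo, not real captures.

```python
import email
import os
from email import policy

# Extensions a mass mailer typically rides in on; extend to taste.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".zip"}

def unaddressed(msg, my_addresses):
    """True when none of our addresses appear in To:/Cc: (BCC'd or forged)."""
    mine = {a.lower() for a in my_addresses}
    seen = set()
    for hdr in msg.get_all("to", []) + msg.get_all("cc", []):
        seen.update(a.addr_spec.lower() for a in hdr.addresses)
    return not (mine & seen)

def risky_attachments(msg):
    """Filenames of attachments whose extension is in RISKY_EXT."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and os.path.splitext(fname)[1].lower() in RISKY_EXT:
            names.append(fname)
    return names

def triage(raw, my_addresses, worm_subjects=()):
    """Return the reasons to quarantine this message (empty list = pass)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in {s.lower() for s in worm_subjects}:
        reasons.append("known worm subject")
    if unaddressed(msg, my_addresses):
        reasons.append("not addressed to us")
    names = risky_attachments(msg)
    if names:
        reasons.append("executable attachment: " + ", ".join(names))
    return reasons

# Constructed sample message (not a real capture) for demonstration.
WORM_MAIL = b"""From: friend@example.net
To: someone-else@example.net
Subject: Your photos
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: application/octet-stream; name="photos.exe"
Content-Disposition: attachment; filename="photos.exe"

MZ
--B--
"""
```

Run `triage(WORM_MAIL, ["me@example.com"], ["Your photos"])` to see all three rules fire on the sample; a plain, properly addressed message with no attachment returns an empty list.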

g) Protect the rest of us

Scan and block the malware in both directions, so your systems don't
make the rest of the Internet's problem worse. This is for reason (g)
as well; every system you infected out there is one that "knows" your
address and has live malware that will use it to infect you back.

In addition, teach your users not only not to open stuff that fails the
Turing Test, but not to send "real" messages that fail this test.
Your "safe hex" training can be ruined by one dumb-ass boss who sends
Office "documents" as attachments with zero covering message text, and
who shouts at staffers who correctly refuse to open them.

You'd retire old PCs that couldn't be kept patched and safe. For
users that can't be patched and safe, Google( Silicon Pines ) <g>

-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -
