Worm.Generic
Risk Level 1
File Size : 15915012 KB
File Type : Portable Executable file
File Name : RontokBrowC03.exe
MD5 : 3a822ed84896436eeea9f6432aa249a9
SHA1 : 5061bd7002395e7e8089f6ba963fbe56ee1fc29b
SHA256 : 7f3d83f430999b9a7cd1f2219df1256225e85b235058d4d68d

General information:

* File name: C:\Users\vmware\Desktop\RontokBrowC03.exe

Changes to registry :

* Modifies value "(Default)=loadexe.exe %1" in key HKEY_LOCAL_MACHINE\software\Classes\exefile\shell\open\command
binary data=6C006F00610064006500780065002E006500780065002000250031000000
old value "(Default)="%1" %*"
binary data=2200250031002200200025002A000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates value "ASR Log File=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Creates value "ASR Error File=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Creates value "Client Side Cache=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Modifies value "Internet Explorer=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
old value "Internet Explorer=%UserProfile%\index.dat /s"
binary data=25005500730065007200500072006F00660069006C00650025005C0069006E006400650078002E0064006100740020002F00730000000000
* Modifies value "Memory Page File=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
old value "Memory Page File=5C005000610067006500660069006C0065002E0073007900730000000000"
* Creates value "Microsoft Writer (Bootable State)=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Creates value "Microsoft Writer (Service State)=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Modifies value "NetLogon=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
old value "NetLogon=%SystemRoot%\netlogon.chg"
binary data=2500530079007300740065006D0052006F006F00740025005C006E00650074006C006F0067006F006E002E0063006800670000000000
* Modifies value "Power Management=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
old value "Power Management=\hiberfil.sys"
binary data=5C0068006900620065007200660069006C002E0073007900730000000000
* Modifies value "VSS Default Provider=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
old value "VSS Default Provider=\System Volume Information\*{3808876B-C176-4e48-B7AE-04046E6CC752} /s"
binary data=5C00530079007300740065006D00200056006F006C0075006D006500200049006E0066006F0072006D006100740069006F006E005C002A007B00330038003000380038003700360042002D0043003100370036002D0034006500340038002D0042003700410045002D003000340030003400360045003600430043003700350032007D0020002F00730000000000
* Creates value "Task Scheduler=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Modifies value "Temporary Files=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
old value "Temporary Files=%TEMP%\* /s"
binary data=2500540045004D00500025005C002A0020002F00730000000000
* Creates value "Winlogon debug=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Creates value "WMI Writer=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Creates value "Catalog Database=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Modifies value "MS Distributed Transaction Coordinator=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
old value "MS Distributed Transaction Coordinator=C:\Windows\system32\MSDtc\MSDTC.LOGC:\Windows\system32\MSDtc\trace\dtctrace.log"
binary data=43003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C004D0053004400740063005C004D0053004400540043002E004C004F004700000043003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C004D0053004400740063005C00740072006100630065005C00640074006300740072006100630065002E006C006F00670000000000
* Creates value "DRM=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Creates value "System Restore=30000000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
* Empties value "DependOnService" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
old value "DependOnService=520050004300530053000000680074007400700000000000"
* Empties value "Description" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
old value "Description=40002500730079007300740065006D0072006F006F00740025005C00730079007300740065006D00330032005C00730070006F006F006C00730076002E006500780065002C002D0032000000"
* Empties value "Displayname" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
old value "Displayname=40002500730079007300740065006D0072006F006F00740025005C00730079007300740065006D00330032005C00730070006F006F006C00730076002E006500780065002C002D0031000000"
* Empties value "Group" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
old value "Group=530070006F006F006C0065007200470072006F00750070000000"
* Empties value "ImagePath" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
old value "ImagePath=2500530079007300740065006D0052006F006F00740025005C00530079007300740065006D00330032005C00730070006F006F006C00730076002E006500780065000000"
* Empties value "ObjectName" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
old value "ObjectName=4C006F00630061006C00530079007300740065006D000000"
* Empties value "ErrorControl" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
old value "ErrorControl=00000001"
* Empties value "FailureActions" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
old value "FailureActions=80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000"
* Empties value "Start" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
old value "Start=00000002"
* Empties value "Type" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler
old value "Type=00000110"
* Empties value "Close" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler\Performance
old value "Close=500065007200660043006C006F00730065000000"
* Empties value "Collect" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler\Performance
old value "Collect=500065007200660043006F006C006C006500630074000000"
* Empties value "Library" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler\Performance
old value "Library=770069006E00730070006F006F006C002E006400720076000000"
* Empties value "Object List" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler\Performance
old value "Object List=31003400350030000000"
* Empties value "Open" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler\Performance
old value "Open=50006500720066004F00700065006E000000"
* Empties value "Collect TimeOut" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler\Performance
old value "Collect TimeOut=000007D0"
* Empties value "Open TimeOut" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler\Performance
old value "Open TimeOut=00000FA0"
* Empties value "Security" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler\Security
old value "Security=010014807800000084000000140000003000000002001C000100000002801400FF010F000101000000000001000000000200480003000000000014008D01020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FD010200010100000000000512000000010100000000000512000000010100000000000512000000"

Changes to filesystem:

* Creates file (hidden) C:\Windows\System32\01.txt
* Creates file (hidden) C:\Windows\System32\12.ini
* Creates file (hidden) C:\Windows\System32\13.htt
* Creates file C:\Windows\System32\loadexe.exe
* Changes file attributes C:\Windows\System32\spoolsv.exe

Network services:

no change

Process/window/string information:

* Gets system default language ID.
* Checks for debuggers.
* Creates an event named "OleDfRootFA59183C9C5DD370".
* Enumerates running processes.
* Creates process "null, , null".
* Contains string "AVGW" (checks for the presence of AVG security software).

Additional Information:

How To Remove RontokBrowC03.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where RontokBrowC03.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to get the results.
5. Then delete the threat from the table.
