Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


INETINFO.EXE PROCESS INFORMATION

Process Name  : Inetinfo.exe

Process Path : <User>\Local Settings\Application Data\windows\csrss.exe [ please note that Windows csrss.exe will load from C:\WINDOWS\system32\inetsrv\inetinfo.exe ]

Malware Name  : W32.Rontokbro.Z@mm

Alias             : I-Worm.Brontok.n, WORM_RONTKBR, W32/Rontokbro, Email-Worm.Win32.Brontok, W32/Rontokbro.gen@MM, W32/Korbo-B, W32/Brontok.C.worm

Process Type    : Mass mailing Internet worm

Threat level : Medium

Process details :

                     Inetinfo.exe is dropped by Brontok aka Rontokbro worm. It is a mass mailing worm, uses e-mail addresses collected from the infected system to distribute infected messages. Brontok worm arrives as an e-mail attachment.

The infected mail subject will be one of the following

Fotoku yg Paling Cantik
My Best Photo

The infected mail Message body will be one of the following

Hi,
Aku lg iseng aja pengen kirim foto ke kamu.
Jangan lupain aku ya !.
Thanks,

Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,

The infected mail Attachment will be

photo.zip

                     When the worm file is executed it copies itself to Windows system folder and other folders as

csrss.exe
inetinfo.exe
lsass.exe
services.exe
smss.exe
norBtok.exe
cvt.exe
IDTemplate.exe
3D Animation.scr
A.kotnorB.com
Empty.pif
KANGEN.EXE
winlogon.exe

in the background. Then it modifies registry run section to load automatically on the next startup.

The registry modification is given below

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus = "%UserProfile%\Application Data\smss.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus = "%Windows%\INF\norBtok.exe"

                    This worm also modifies the following registry entries to disable Windows folder options and Registry editor.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFolderOptions = "dword:00000001"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools = "dword:00000001"

                    Brontok worm tries to terminate security programs in the infected system. When the payload is activated, it displays texts in the command prompt window. Several variants of brontok variants reported in the wild.

                   This worm is also known as I-Worm.Brontok, WORM_RONTKBR, W32/Rontokbro, Email-Worm.Win32.Brontok.

How can I protect my system?

                   Solo has incorporated Brontok infected inetinfo.exe and its variants in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this Worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Worm?

                   If you are already infected with brontok infected inetinfo.exe process, you can remove it from your computer using Solo Antivirus software. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link