My brush with Rontokbro virus
By Murray Bourne, 01 May 2006
We have 2 computers, used mostly by my progeny and me.
Progeny (aka multitasking millennial) called me to say that her computer was slow and she couldn’t do anything on it. Fine, I said, I’ll look at it when I get home.
The PC was clearly sick, with a process (sass.exe) hogging the CPU and causing the computer to thrash away. Every now and then the machine would shut down by itself and reboot.
I noticed an odd thing. The desktop had a folder on it called “Desktop”. Also, the My Documents folder had a folder in it called “My Documents”. In fact, all directories had the same curious addition of a folder with the same name. I found out later that it was not a directory at all - it was an application, 56kB in size.
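The "folder named after its parent, but actually a 56kB program" pattern above is easy to hunt for on disk. The script below is an added example written for this page, not code from the original post or from any antivirus vendor: it walks a tree, flags any file whose name (extension stripped) matches the directory it sits in, and checks whether the file starts with the Windows "MZ" executable header. The sample tree it scans is constructed in a temp directory; the "executables" in it are two-byte stubs, not real malware.

```python
import os
import tempfile
from pathlib import Path

MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def find_parent_name_mimics(root):
    """Walk `root` and return (path, looks_like_pe) for every file whose name,
    with the extension stripped, equals the name of its parent directory.
    Comparison is case-insensitive because Windows file names are."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parent = os.path.basename(dirpath)
        for fname in filenames:
            stem = os.path.splitext(fname)[0]
            if stem.lower() == parent.lower():
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    looks_like_pe = fh.read(2) == MZ_MAGIC
                hits.append((full, looks_like_pe))
    return hits


def build_demo_tree(base):
    """Constructed sample tree (not a real infection): parent-named .exe
    stand-ins carrying only an MZ header, beside ordinary files."""
    docs = Path(base) / "My Documents"
    (docs / "Reports").mkdir(parents=True)
    (docs / "notes.txt").write_text("harmless text")
    (docs / "My Documents.exe").write_bytes(MZ_MAGIC + b"\x00" * 62)
    (docs / "Reports" / "Reports.exe").write_bytes(MZ_MAGIC + b"\x00" * 62)
    (docs / "Reports" / "Reports.txt").write_text("same name, but not a PE")


def demo():
    """Build the sample tree in a temp dir, scan it, return relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        hits = find_parent_name_mimics(tmp)
        return sorted(
            (os.path.relpath(p, tmp).replace(os.sep, "/"), pe) for p, pe in hits
        )


if __name__ == "__main__":
    for path, pe in demo():
        print("PE file" if pe else "not PE ", path)
```

On a real machine you would point `find_parent_name_mimics` at each drive root and treat any hit with `looks_like_pe == True` as worth quarantining and submitting to a scanner, ideally from a clean boot as the post describes later.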
Anyway, I suspected spyware and tried to do a scan with Spybot Search and Destroy. But as I tried to open Spybot, the computer shut itself down and rebooted.
Then I tried to run AntiVir (the freebie antivirus that I was using) scan and yep, the PC shut itself down and rebooted.
By now I was getting mad. I had spent over an hour and the condition of the computer was getting worse on every reboot.
While I was trying to get some application to do a scan, ZoneAlarm would ask if I wanted to allow sass.exe, lsass.exe or inetinfo.exe to access the Internet. I most certainly didn’t. It turns out that these are the names of legitimate Windows system applications that do not access the Internet. But the virus (or whatever it was) had created applications with the same names as the legit files. On each reboot it was getting these applications to run in the background.
So, I tried using msconfig to disable all startup items. But you guessed it, shutdown and reboot.
Waah - this was getting bad. By this stage, the computer had become impossibly slow. I couldn’t even open Explorer to find anything, I couldn’t open any virus- or spyware-killer software and, worse, now I couldn’t even shut down.
Anyway, to cut a very long story short, it turned out to be W32/Rontokbro@mm virus. After it infected my daughter’s computer first and that computer slowed to a crawl, she went to my computer with - yep - the same thumb drive and infected my computer too.
I got hers clean, reloaded her files and finally she was up and running.
Then on to my computer. One of the problems with clearing this virus was that both McAfee and Norton websites give misleading advice. Both of them advised to scan the HDD and then fix the registry and other items changed by the virus - and all should be sweet. But that doesn’t work. If the virus is still anywhere in the HDD, it can be reactivated on the next boot (or at the next scheduled activation time).
Proper solution: The only way I found to rid the computer of the virus is to use another HDD as the master drive and set the infected HDD as a slave drive. Then scan using the master drive. This removes the virus completely, since there is no virus active in the master drive’s memory during the scan.
So I finally managed to scan everything, remove all instances of the virus and reset the cleaned HDD as the master drive.
Why didn’t I have virus protection? But I did - I was using open source antivirus on both computers: AntiVir on one and ClamWin on the other. But both missed picking up this virus.
So now I have Norton antivirus on both computers. That was the one that found the virus and killed it.
I hate viruses.