Question:
How can I remove a worm on my laptop?
anonymous
1970-01-01 00:00:00 UTC
Seven answers:
yamaha
2007-01-12 07:35:31 UTC
W32.Brontok worm is a mass-mailing worm that infects computers and USB/pen drives. Most anti-virus vendors have rated the W32.Brontok worm as LOW in threat assessment, MEDIUM in potential damage associated with the worm and HIGH in distribution of the worm. The W32.Brontok worm was first discovered on 23rd September 2005 (UTC time) and as of yesterday the latest variant is W32.Brontokbro.U@mm.

The worm spreads through email attachments and file sharing over the network. The characteristics of this worm, with regard to file names, folders created and port numbers used, will differ from one variant to another.

Based on assessment of the number of reports received, we believe there is a widespread infection in our constituency, and MyCERT advises users and organizations to update their anti-virus software with the latest signature file, patch their systems and take the prevention actions provided below to prevent current and future worm infections.

System Affected

• Windows 2000
• Windows 95
• Windows 98
• Windows Me
• Windows NT
• Windows Server 2003
• Windows XP

Payload

(Payloads vary from variant to variant.)

• Large-scale e-mailing: sends a mass-mailing of itself.
• Mass-mailing may degrade performance.
• It may lead to machine or system instability.
• Overwrites the c:\autoexec.bat file.
• Restarts the system.
• Disables Registry Editor.

How to Tell if your Computer is Infected

• Presence of worm-related files in your system folder.
• Modifications to file viewing settings.
• Removal of Folder Options from Windows Explorer.
• Unusual instability of your system.

Detection

Scan the infected computer with updated anti-virus software to detect the presence of the worm on the infected machine.

NOTE: Users MUST update their anti-virus software in order to detect/delete the worm.

Removal Steps

Manual removal steps:

1. Disconnect your computer from the network and disable file sharing, if any.

2. Disable System Restore (for Windows XP/Windows Me only).

   For Windows XP:
   a. Click Start.
   b. Right-click My Computer, and then click Properties.
   c. Click the System Restore tab.
   d. Select the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

   For Windows Me:
   a. Click Start, point to Settings, and then click Control Panel.
   b. Double-click the System icon. The System Properties dialog box appears.
   c. Click the Performance tab, and then click File System. The File System Properties dialog box appears.
   d. Click the Troubleshooting tab, and then check Disable System Restore.
   e. Click OK. Click Yes when you are prompted to restart Windows.

3. Start your machine in Safe mode.

   For how to start a computer in Safe mode, please refer to:
   http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

4. Update your anti-virus software with the latest signature files and scan your computer with the anti-virus to detect the worm, and delete any files detected as the worm by clicking the DELETE button.

5. Delete the value from the registry.

   You need to back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only.

   For how to make a backup of the Windows registry, please refer to:
   http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam

   a. Click Start > Run.
   b. Type regedit
   c. Click OK.

   Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. You can use a tool to resolve this problem.

   Download this tool. Once downloaded, right-click the UnHookExec.inf file and click Install. Then continue with the removal steps.
   http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html

   For another way to enable the registry, please refer to:
   http://www.patheticcockroach.com/mpam4/index.php?p=28

   d. Navigate to the subkey that was detected by the anti-virus and delete the value.
   e. Exit the Registry Editor.

   If you are still unable to open your registry, you may try the following steps:

   a. Boot up the infected computer, but do not log in to the server; leave it at the login prompt.
   b. Start up another clean, worm-free computer which has updated anti-virus software running and an active firewall preventing all inbound connections.
   c. From the clean computer, start REGEDIT.EXE and click File -> Connect Network Registry. Connect to the infected computer.
   d. Modify the following values in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\NT\CurrentVersion\Winlogon to the following values:

      "Userinit" = "C:\WINNT\system32\userinit.exe,"
      "Shell" = "Explorer.exe"

      (Make sure that you enter the correct path to where Windows is installed. For example, on NT 4.0 it is WINNT.)

   e. After completing the above steps, reboot the infected computer.
   f. Using the clean computer, map the C$ share and scan it using the up-to-date anti-virus to remove any infected files on the infected computer. Then you should be able to boot the computer and follow Steps 6 - 11.

6. Run a full system scan using an updated version of anti-virus software and delete any files detected as the worm.

7. Download and run a process management tool or process viewer to kill all worm processes running on the infected machine. The process management tool or process viewer is available according to the machine's platform and can be downloaded free from the Internet. For example, users can download and use the following process viewer:
   http://www.sysinternals.com/Utilities/ProcessExplorer.html

8. Delete the scheduled tasks added by the worm. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.) In the Control Panel window, double-click Scheduled Tasks. Right-click the task icon and select Properties from the pop-up menu. The properties of the task are displayed. Delete the task if the contents of the Run text box in the task pane match the worm.

9. Enable System Restore (for Windows XP/Windows Me only).

10. Re-scan your computer with an updated version of the anti-virus to confirm the computer is clean.

11. Re-connect your computer to the network once confirmed clean.

NOTE: As your computer is disconnected from the network, use a clean computer connected to the network to download tools and references.

You may refer to the URL below on protecting/securing your computer:
http://www.mycert.org.my/homepcsecurity.html

Prevention

• Install the latest computer updates/patches.
• Enable and use up-to-date antivirus software.
• Close all ports except your HTTP port; otherwise you need to filter the ports to authorized users only.
• Enable a personal firewall on your computer.
• Practise safe email practices. You may refer to:
  http://www.mycert.org.my/faq-safe_email_practices.htm
• You may refer to the URL below on protecting/securing your computer:
  http://www.mycert.org.my/homepcsecurity.html
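The registry state the advisory above describes (a hijacked Winlogon Userinit or Shell, Registry Editor disabled, Folder Options removed) can be checked before anyone edits the registry by hand. This is an added example, not MyCERT's or Symantec's tooling: check_indicators() is a pure function over a dict of values so it runs on constructed data on any OS, and read_live_values() reads the same values on Windows (Userinit and Shell under the standard Windows NT\CurrentVersion\Winlogon key, the DisableRegistryTools and NoFolderOptions policy values under HKCU); the worm-placeholder.exe path in the sample is made up.

```python
import sys

# Expected Winlogon values on a clean machine (the advisory's registry step), with the
# Windows directory substituted; Userinit keeps its trailing comma in the registry.
EXPECTED_USERINIT = r"{windir}\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"


def check_indicators(values, windir=r"C:\WINDOWS"):
    """Return findings for a dict of registry values (None = value absent)."""
    findings = []
    expected = EXPECTED_USERINIT.format(windir=windir).lower()
    # Userinit is a comma-separated list; anything after userinit.exe also runs at logon.
    entries = [e.strip() for e in (values.get("Userinit") or "").split(",") if e.strip()]
    if not entries or entries[0].lower() != expected:
        findings.append("Userinit does not start with " + expected)
    for extra in entries[1:]:
        findings.append("extra Userinit entry launched at logon: " + extra)
    shell = (values.get("Shell") or "").strip().lower()
    if shell != EXPECTED_SHELL:
        findings.append("Shell is %r, expected Explorer.exe" % (values.get("Shell"),))
    if values.get("DisableRegistryTools"):
        findings.append("Registry Editor disabled by policy (DisableRegistryTools)")
    if values.get("NoFolderOptions"):
        findings.append("Folder Options removed from Explorer (NoFolderOptions)")
    return findings


def read_live_values():
    """Read the same values from the live registry; Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg

    def get(root, path, name):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:  # key or value absent
            return None
    winlogon = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    policies = r"Software\Microsoft\Windows\CurrentVersion\Policies"
    hklm, hkcu = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER
    return {
        "Userinit": get(hklm, winlogon, "Userinit"),
        "Shell": get(hklm, winlogon, "Shell"),
        "DisableRegistryTools": get(hkcu, policies + r"\System", "DisableRegistryTools"),
        "NoFolderOptions": get(hkcu, policies + r"\Explorer", "NoFolderOptions"),
    }


# Constructed sample of the state the advisory describes; worm-placeholder.exe is made up.
SAMPLE_INFECTED = {"Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\worm-placeholder.exe",
                   "Shell": "Explorer.exe", "DisableRegistryTools": 1, "NoFolderOptions": 1}
SAMPLE_CLEAN = {"Userinit": r"C:\WINDOWS\system32\userinit.exe,", "Shell": "Explorer.exe"}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE_INFECTED
    for line in check_indicators(values) or ["no indicators found"]:
        print(line)
```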
adamleon2002
2007-01-12 07:38:13 UTC
Download Spybot

http://www.spybot.info/en/download/index.html
sueinsacheon
2007-01-12 07:40:14 UTC
I'm no expert, but I usually visit Symantec first and look for removal tools/information. You can try:

http://www.symantec.com/security_response/writeup.jsp?docid=2005-101214-5554-99&tabid=1
anonymous
2007-01-12 07:38:27 UTC
It's simple, have a computer engineer at your home and give him the job!!
BlueHorse
2007-01-12 07:36:37 UTC
Try NOD32 and a spyware..it may work
Charles Darwin
2007-01-12 07:34:00 UTC
Geek Squad!
Mario L
2007-01-11 23:46:08 UTC
The best virus removal tool is Trend Micro's PC-cillin. It runs $20 at Walmart. Easy to use and it will get it off. The other option is to go to the Microsoft website. They have a free program, Windows Defender. It works pretty well too. Here is the link. You need to get that off as quick as possible.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Should you be on the technical side, here are the complete step-by-step instructions for Windows XP. Hopefully that is your OS.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.

Carefully look at Windows Add/Remove Programs for suspicious programs

• Many of the spyware threats actually install into your system like a program. Many appear to be utilities that you may think are helpful but in reality aren't. Look for add-on toolbars; while toolbars like those provided by Google, MSN, Yahoo and others are great utils, there are many more that aren't, and if in doubt check it out to see if the ones you have are parasitic. Another common exploit is the search helpers, WinTools, Gator products, IE Helper, Comet Cursor and many others, just to name a very few. Peer-to-Peer (P2P) programs are another common source for these, and even the ones that don't come with spyware themselves are a security risk that may lead to your system being infected or to spreading infections like these. Remove all suspicious programs; if you are wrong, you may always re-install them later.

Run Disk Clean-Up

• This actually comes with Windows and has been installed by default since Windows 98. You can find it by clicking the Start button and then going to Programs / Accessories / System Tools / Disk Clean-up. I recommend selecting all of its options except the ones for Office Setup Files and Compress Old Files if you have them. While you may select those if you wish, they aren't as important. This will clean up all of the temporary files so your testing will go faster, and may also delete any spyware that may be hiding there if the spyware isn't already running. To clear systems that have System Restore, you will need to select the second tab and click the button for clearing this.

Run CWShredder

• This is made for detecting and cleaning the infamous CoolWebSearch exploits. Currently there are about 40 types of these, each with up to 4 variants, and growing. These are some of the toughest ones to get rid of.

Run Ad-Aware Next

• This handles the next-toughest types the best. When it finally presents you with the list of parasites it has found, put a check mark in the box next to the ones you want to get rid of; I suggest checking them all. If you want to select all, just right-click your mouse on the boxes to get the options menu, and left-click Select All. If it says it can't get rid of a problem right now, it will ask if you want to run it again after you restart your computer; answer yes and restart your computer so it may test again.

Run Spybot Next

• When you run it, it will automatically select all the spyware that it finds; if there is something you don't want to get rid of for some reason, deselect it and then let Spybot fix all of the rest of the problems that it finds. This program also will ask to restart your computer so it can test again if it has problems removing something, so let it.

If you have Windows 2000 or Windows XP (not the 64-bit version) you also have this option...

Run AVG AntiSpyware Next

• This is part of a new breed of antispyware utils and probably one of the best I've worked with. The only downside is that only certain versions of Windows can run it at this time. When you run it, it will prompt you to select to remove or keep each item, or you can select to have it remove all that it finds.

Now Run the AVG Program

• All antivirus programs, including AVG, by default have their settings to only scan executable files in an attempt to speed up looking for infections. While most of the time this is just fine, the newest threats that can infect your computer have started getting sneaky about how they hide their files, making it easier for them to reinfect your system if your antivirus program detected and removed their executable file. To help also detect these "backup" files that the infection leaves on your system, you should, in my opinion, change what your AVG scans from just executable files to all files.

• To change AVG's settings, open AVG's Test Center. Click the Tests menu, then in both of the tests labeled Complete Test Settings and Selected Area Test Settings select Scan All Files and click the OK button.

• Now AVG will scan all of the files when you scan your computer. This will take longer to complete, but I feel it is a small price to pay for the added security it provides.

• Have it scan for the remaining parasites that the others may have missed. If you found any parasites, you need to restart your computer so you can test everything again. There are times that after cleaning certain parasites, you will need to test again because something may have been hidden earlier by the infection. So repeat this process of testing and restarting until you find no more parasites.

• Run the scans again in Safe Mode. This will keep many of the parasites from loading and being able to hide from your protection software. To access Safe Mode on most versions of Windows, start tapping the [F8] key after you first start or restart your system; start tapping it before you ever see a Windows splash screen and continue until you get the menu where you may select it from the list. On WinNT this is called VGA mode, and on Win2k you actually start tapping just after the first splash screen shows. For detailed instructions see Restarting Your Computer in Safe Mode.

These procedures should have cleaned most cases of infection that you will find. Yes, I said MOST, because there are some infections that are very hard to detect and remove. Generally, if you have one of these, you will need the assistance of an expert to help you get rid of it.

When you believe you are finished, remember to turn System Restore back on if you had turned it off.

I recommend testing for parasites as often as you can, probably at least once a month if not more. The sooner you catch them, the less damage they can do to your computer, and the less chance of a hacker finding your sensitive information such as checking account info, passwords, etc.

Windows Tip

Windows itself, by default, hides certain files, system folders or file extensions from the user to make it easier to navigate. If you are having to find an infected file, or just one you are looking for, this can cause you to not find it. If you wish, you may change this to show all of the files on your computer.

1. Open your My Computer icon (either from your desktop or the Start Menu).
2. Click the Tools menu and select Folder Options (on older systems it may be in the View menu).
3. Select the View tab and scroll through the Advanced settings.
4. Enable or disable the following (using a check mark to enable):

   enable - Show hidden files and folders
   disable - Hide extensions for known file types
   disable - Hide protected operating system files (WinME and WinXP only)

5. Now click Apply and OK.

How to find an embedded infection

AVG 7 Free now detects infections in areas that it was unable to before. The most notable are ones embedded inside of archives. Since AVG can't determine if you created the archive or if it was a parasite that created it, they leave these alone so you may have a chance to recover uninfected files from the archive, and then you simply delete the archive when done. Infections that are inside of an archive aren't a direct threat to your system unless the file gets extracted to allow it to run. Grisoft has chosen this method because it is safer for your data that the archive may contain.

For someone that is new to looking for these embedded infections, it can be a little confusing with the way that AVG will list the file, because it also must include the archive file name that contains it in the full path/filename. The following is an example that I made up to highlight the info so you will know which filename to look for, so you may either extract files and/or delete the correct file. I will color code these for you, but AVG will not.

AVG will give you a name like...

C:\Windows\Temp\InfectedArchive.cab:\InfectedFile.exe

The location of the file is in C:\Windows\Temp
The archive that contains the infection is InfectedArchive.cab
And the actual infected file inside of the archive is InfectedFile.exe

Note the ":\" that separates the archive from the file it contains.

After you have recovered any files inside of the archive that you may want to keep (other than the infected one, that is), just simply delete the whole archive.. in this example the file to delete would be InfectedArchive.cab

It looks harder than it really is.. just remember the file you want to look for is named just before the last ":\"

Most of the time, you won't have any files to recover inside of the archives. The only time this isn't true is if it is an archive that you had created yourself. If you didn't create it.. just delete and move on.

Best of luck.
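The ":\" rule from the answer above can be turned into a small parser so the right file gets deleted every time. This is an added example, not AVG's or the answer's code; it handles the drive-letter ":\" that also appears at the start of the path, nested archives, and plain (non-archive) detections, and collapses several infected members of one archive into a single archive to delete. All detection strings in it are constructed.

```python
import ntpath
from collections import namedtuple

# AVG joins an archive's on-disk path and the member inside it with ":\" (the answer's
# example). A drive prefix like "C:\" also contains ":\", so the first split piece must
# be glued back on when it is a single letter.
SEP = ":\\"

Finding = namedtuple("Finding", "folder archive infected_file chain delete_target")


def parse_avg_path(detection):
    r"""Split one AVG detection string into its parts.

    C:\Windows\Temp\InfectedArchive.cab:\InfectedFile.exe gives folder C:\Windows\Temp,
    archive InfectedArchive.cab, infected_file InfectedFile.exe and delete_target = the
    archive's full path. A plain (non-archive) detection has archive None and
    delete_target = the file itself. Nested archives (a.zip:\b.cab:\x.exe) keep the
    outermost archive as delete_target, since that is the only one on disk.
    """
    parts = detection.split(SEP)
    if len(parts) > 1 and len(parts[0]) == 1 and parts[0].isalpha():
        parts = [parts[0] + SEP + parts[1]] + parts[2:]   # re-attach the drive letter
    on_disk = parts[0]                                     # the only path that exists on disk
    folder, name = ntpath.split(on_disk)                   # ntpath handles "\" on any OS
    if len(parts) == 1:
        return Finding(folder, None, name, [], on_disk)
    return Finding(folder, name, parts[-1], parts[1:], on_disk)


def delete_targets(detections):
    """Unique on-disk paths to delete for a list of detections, in first-seen order."""
    seen, out = set(), []
    for det in detections:
        target = parse_avg_path(det).delete_target
        if target.lower() not in seen:        # two members of one archive -> delete it once
            seen.add(target.lower())
            out.append(target)
    return out


# Constructed sample detections in AVG's format (not real AVG output).
SAMPLE_DETECTIONS = [
    r"C:\Windows\Temp\InfectedArchive.cab:\InfectedFile.exe",
    r"C:\Windows\Temp\InfectedArchive.cab:\Other.exe",
    r"C:\Docs\backup.zip:\inner.cab:\Bad.exe",      # archive nested inside an archive
    r"C:\Windows\System32\dropped.exe",            # not inside an archive at all
]

if __name__ == "__main__":
    for det in SAMPLE_DETECTIONS:
        f = parse_avg_path(det)
        print("%-55s archive=%s infected=%s" % (det, f.archive, f.infected_file))
    print("delete:", delete_targets(SAMPLE_DETECTIONS))
```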

This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.