Wednesday, March 08, 2006

Brontok e-mail worm

I recently had an encounter with an infected Windows XP Pro SP2 machine which annoyingly restarted whenever a download was initiated, and opened a page about Brontok.A in the default browser. The page that appeared had the following text:

BRONTOK.A [ By: H[REMOVED]Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --

This was my clue, so I searched for the Brontok.A reference and came up with the following aliases for the e-mail worm, which had infected the system when the user opened a certain e-mail attachment.

Email-Worm.Win32.Brontok.a (Kaspersky Lab) is also known as: W32/Rontokbro.gen@MM (McAfee), W32.Rontokbro@mm (Symantec), BackDoor.Generic.1138 (Doctor Web), W32/Korbo-B (Sophos), Worm/Brontok.a (H+BEDV), Win32.Brontok.A@mm (SOFTWIN), Worm.Mytob.GH (ClamAV), W32/Brontok.C.worm (Panda), Win32/Brontok.E (Eset)

An anti-virus was present on the system, but it was not updated (lesson no. 1!!!), and scanning the system did not find anything. Apparently, upon infection the worm creates registry keys that make it run at startup, and sets registry entries that disable the use of regedit, msconfig, folder options, etc. (More info from Sophos.)

On the Sophos website there is a removal tool, but running it did not remove this worm variant. Worse, there was no anti-spyware software on the system, and downloading one was not an option, as the system restarted at every attempt. The anti-virus software was also unable to auto-update. I downloaded Spybot from a different machine and was able to install it on the infected one. It found and reverted the changes the worm had made to the registry. This then allowed the anti-virus software to update itself, and after a restart and a scan it was able to clean the machine.
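As an added example (not code from the original post, and not from any vendor tool), here is a small Python audit that parses a registry export and flags the two kinds of change described above: autorun entries under the Run keys, and the policy values that disable regedit and hide Folder Options, which are what a cleaner like Spybot reverts. It assumes the export was taken from the suspect machine with regedit or `reg export`; the key paths and value names are standard Windows ones, while the sample export and its exe path are constructed placeholders.

```python
# Added example, not from the original post: audit a .reg export for the
# changes described above. Key paths and value names are standard Windows
# ones; the sample export and its exe path are constructed placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SampleAutorun"="C:\\placeholder\\sample_worm.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"""
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
# Policy values that lock the user out of the tools named in the post.
LOCKOUT_POLICIES = {
    (HKCU + r"\Policies\System", "DisableRegistryTools"): "regedit disabled",
    (HKCU + r"\Policies\Explorer", "NoFolderOptions"): "Folder Options hidden",
}
# Per-user and machine-wide autorun keys used for startup persistence.
RUN_KEYS = (HKCU + r"\Run", HKLM + r"\Run")

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value_text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw
    return keys

def dword_set(keys, path, name):
    """True if the REG_DWORD value at path\\name exists and is non-zero."""
    raw = keys.get(path, {}).get(name, "")
    return raw.lower().startswith("dword:") and int(raw[6:], 16) != 0

def audit(keys):
    """Return findings: lockout policies that are set, plus every autorun entry."""
    findings = [f"{why}: {path}\\{name}" for (path, name), why in LOCKOUT_POLICIES.items()
                if dword_set(keys, path, name)]
    for path in RUN_KEYS:
        findings += [f"autorun entry: {path}\\{name} = {raw}"
                     for name, raw in keys.get(path, {}).items()]
    return findings

print("\n".join(audit(parse_reg(SAMPLE_REG))))
```

Every Run entry is listed, not judged, because legitimate software uses the same keys; the point is to see what was added so it can be matched against what the scanner later removes.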


11 comments:

L. Smith said...

purelocke,

I came to your site from a google search for Brontok.A Browser, as I was looking at my wordpress stats (recent operating system) and noticed this entry Brontok.A Browser for my site. Your entry is informative. Was wondering if you would know if this means that someone who viewed my site has this malware on their machine? Or, if Brontok.A is looking for sites to infect? I would like to warn the user if possible, but it sounds like they should know from your description of how an infected machine works.

Thanks in advance for your time and consideration,

L. Smith

l. smith said...

Forgot to leave my e-mail address.

drinkingclub@gmail.com

Anonymous said...

Need avast anti virus software?

If your computer is running stupid avast anti virus will help
Click here to download avast anti virus now!

titular said...

purelocke,

I also had the same experience, although it has a different effect. Mine was a Brontok that will restart the computer every time it reaches my desktop. So, what I did was, I tried to disable Brontok before it restarts my PC. Once it was disabled, I can use the PC normally. Though I can surf and do everything (except running msconfig, regedit and so on), I cannot download anything from the net because once the downloading process starts, the PC automatically restarts. I tried downloading a Spybot program from another computer but it never really cleaned my registry; Spybot will delete a registry file by disabling my folder option. Once it has finished, and I try to scan it again, it will just rewrite the same file in the registry. I'm still in the process of how I can reach the regedit and change it from there. Wishful thinking, I know. Oh, did I mention I don't have an anti-virus program in my PC :) I'll install it once I get a copy. From there, maybe the anti-virus can detect it while running the Spybot program in the PC.

reeti said...

Hi, Reeti here.
I got the same worm on my computer and I've tried installing the OS twice on the partition where the virus is located, but no go... it comes up again and again...

Cute Guys From India said...

I also got this type of virus in my system. When I tried to download or install any anti-virus on my computer it begins to restart. Very big problem. It makes too many files of Brontok.A. Which software removes it?
I am unable to download anything. Even when I write the name of an antivirus in a search engine, it restarts my computer.

Anonymous said...

Avish here,

I too have the same problem. If anyone knows how to remove this virus please help.

purelocke said...

If you have anti-spyware software, run it first; in my case it was Spybot Search & Destroy. After some registry keys have been fixed, run an update on your anti-virus system. Run an AV scan afterwards. Also, this worm can infect removable drives, so be wary in trying to back up your data using USB drives. What I did was boot to a Knoppix CD (just Google for it) instead of Windows. There I was able to see the files that the Brontok worm created, backed up the important files and booted back to Windows to do the scan.

Anonymous said...

Hi,
I have the same problem on my PC: every time I start downloading Spybot it restarts by itself... I don't know what exactly to be done to clear the virus... help me in simple steps what to be done!!!

Suneel

Eurritimia said...

I also had a problem with this worm. It created applications with "this folder name.exe" in every folder of my computer and when I clicked on them, it opened Windows Explorer. Also, I had that strange page in a language I couldn't understand at all. And my WinXP would restart for no reason at all...

But then I used an anti-spyware program (the AVG one, I guess), and after five uses of it the worm disappeared from my computer.

Anonymous said...

Nice website ! Thank you for maintaining it. Keep working that way.