Wednesday, March 08, 2006

Brontok e-mail worm

I recently had an encounter with an infected Windows XP Pro SP2 machine. Annoyingly, it restarted whenever a download was initiated, and it opened a page about Brontok.A in the default browser. The page that appeared had the following text:

BRONTOK.A [ By: H[REMOVED]Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --

This was my clue, so I searched for the brontok.a reference and came up with the following aliases for the e-mail worm that had infected the system when the user opened a certain e-mail attachment.

A.K.A.: Email-Worm.Win32.Brontok.a (Kaspersky Lab) is also known as: W32/Rontokbro.gen@MM (McAfee), W32.Rontokbro@mm (Symantec), BackDoor.Generic.1138 (Doctor Web), W32/Korbo-B (Sophos), Worm/Brontok.a (H+BEDV), Win32.Brontok.A@mm (SOFTWIN), Worm.Mytob.GH (ClamAV), W32/Brontok.C.worm (Panda), Win32/Brontok.E (Eset)

An anti-virus was present on the system but was not updated (lesson no. 1 !!!), and scanning the system did not find anything. Apparently, upon infection the virus creates registry keys that make it run at startup, and sets registry entries that disable the use of regedit, msconfig, folder options, etc. (More info from Sophos.)

On the Sophos website there is a removal tool available, but running it did not remove this worm variant. Worse, there was no anti-spyware software on the system, and downloading one was not an option since the system restarted at every download attempt. The anti-virus software was also unable to auto-update. I downloaded Spybot on a different machine and was able to install it on the infected one. It found and reverted the changes the virus had made to the registry. This allowed the anti-virus software to update itself, and after a restart it was able to clean the machine with a scan.
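As an added, read-only triage script (not from the original post, and not a vendor tool), the PowerShell below checks the three things the post and its comments describe: what is registered to run at logon, whether the policy values that lock out regedit and the Folder Options dialog are set, and whether "FolderName.exe" copies sit beside or inside folders. The post does not name the registry values, so the two policy value names are my assumption about how that symptom is implemented; the audit root path is also an assumption.

```powershell
# Added triage script (not from the original post). Read-only: it reports, it changes nothing.
# Assumptions: PowerShell 2.0 or later on the affected Windows machine; $root is the tree to audit.

# 1. Logon persistence: list every value under the Run/RunOnce keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') {          # skip PowerShell's own PSPath/PSParentPath/... properties
            "RUN ENTRY  {0}\{1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}

# 2. Tool lockout: the policy values that disable regedit and the Folder Options dialog.
#    (Assumption: these are the values behind the symptom the post describes; it does not name them.)
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
foreach ($pol in $policies) {
    $item = Get-ItemProperty -Path $pol.Path -Name $pol.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($pol.Name) -ne 0) {
        "RESTRICTION SET  {0}\{1} = {2}" -f $pol.Path, $pol.Name, $item.($pol.Name)
    }
}

# 3. Folder-name executables: a file "<FolderName>.exe" sitting beside (or inside) a folder
#    of the same name. Legitimate software almost never creates these; each hit needs a look.
$root = 'C:\Documents and Settings'   # assumption: change to the drive or tree you want to audit
Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $exe = $_.Name + '.exe'
        $beside = Join-Path (Split-Path -Path $_.FullName -Parent) $exe
        $inside = Join-Path $_.FullName $exe
        foreach ($candidate in @($beside, $inside)) {
            if (Test-Path -LiteralPath $candidate) { "FOLDER-NAME EXE  $candidate" }
        }
    }
```

Run it from an elevated prompt so the HKLM keys and other users' profiles are readable; a clean machine prints only its known Run entries and no RESTRICTION or FOLDER-NAME lines.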


10 comments:

Anonymous said...

purelocke,

I came to your site from a google search for Brontok.A Browser, as I was looking at my wordpress stats (recent operating system) and noticed this entry Brontok.A Browser for my site. Your entry is informative. Was wondering if you would know if this means that someone who viewed my site has this malware on their machine? Or, if Brontok.A is looking for sites to infect? I would like to warn the user if possible, but it sounds like they should know from your description of how an infected machine works.

Thanks in advance for your time and consideration,

L. Smith

Anonymous said...

Forgot to leave my e-mail address.

drinkingclub@gmail.com

Anonymous said...

Need avast anti virus software?

If your computer is running stupid avast anti virus will help
Click here to download avast anti virus now!

Anonymous said...

hi reeti here
I got the same worm on my computer and I've tried installing the OS twice on the partition where the virus is located, but no go... it comes up again and again....

99% Bachelor said...

I also got this type of virus in my system. When I tried to download or install any anti virus on my computer it begins to restart. Very big problem. It makes too many files of Brontok.A. Which software removes it?
I am unable to download anything. Even when I write the name of the antivirus in a search engine, it restarts my computer.

Anonymous said...

Avish here,

I too have the same problem. If anyone knows how to remove this virus please help.

purelocke said...

If you have anti-spyware software, run it first; in my case it was Spybot Search and Destroy. After some registry keys have been fixed, run an update on your anti-virus system. Run an AV scan afterwards. Also, this worm can infect removable drives, so be wary when trying to back up your data using USB drives. What I did was boot to a Knoppix CD (just google for it) instead of Windows. There I was able to see the files that the Brontok worm created, backed up the important files and booted back to Windows to do the scan.

Anonymous said...

Hi,
I have the same problem on my PC. Every time I start downloading Spybot it restarts by itself... I don't know what exactly to do to clear the virus... help me in simple steps what to do....!!!

Suneel

Anonymous said...

I also had a problem with this worm. It created applications named "this folder name.exe" on every folder of my computer, and when I clicked on them, it opened the Windows Explorer. Also, I had that strange page in a language I couldn't understand at all. And my WinXP would restart with no reason at all...

But then I used an anti-spyware program (the AVG one, I guess), and after five uses of it the worm disappeared from my computer.

Anonymous said...

Nice website! Thank you for maintaining it. Keep working that way.