The W32.Brontok worm is a mass-mailing worm that infects computers and USB flash drives (pen drives). Most anti-virus vendors rated the W32.Brontok worm LOW in threat assessment, MEDIUM in potential damage associated with the worm and HIGH in distribution. The W32.Brontok worm was first discovered on 23 September 2005 (UTC).
The worm spreads through email attachments and file sharing over the network. The characteristics of this worm, such as file names, folders created and port numbers used, differ from one variant to another.
Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Payload (varies between variants):
- Large-scale e-mailing: sends a mass-mailing of itself.
- Mass-mailing may degrade performance.
- May lead to machine or system instability.
- Overwrites the c:\autoexec.bat file.
- Restarts the system.
- Disables the Registry Editor.
How to Tell if your Computer is Infected
- Presence of the worm-related file in your system folder.
- Modifications to file viewing settings.
- Removal of Folder Options from Windows Explorer.
- Unusual instability of your system.
Scan the infected computer with updated anti-virus software to detect the presence of the worm.
NOTE: Users MUST update their anti-virus software in order to detect/delete the worm.
Manual removal steps:
1. Disconnect your computer from the network and disable file sharing, if any.
2. Disable System Restore (Windows XP/Windows Me only).
   For Windows XP:
   - Click Start.
   - Right-click My Computer, and then click Properties.
   - Click the System Restore tab.
   - Select the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
   For Windows Me:
   - Click Start, point to Settings, and then click Control Panel.
   - Double-click the System icon. The System Properties dialog box appears.
   - Click the Performance tab, and then click File System. The File System Properties dialog box appears.
   - Click the Troubleshooting tab, and then check the Disable System Restore check box.
   - Click OK. Click Yes when you are prompted to restart.
3. Start your machine in Safe Mode.
4. Update your anti-virus software with the latest signature files, scan your computer with it to detect the worm, and delete any files detected as the worm.
5. Delete the value from the registry.
   You need to back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only.
   - Click Start > Run.
   - Type regedit
   - Click OK.
   Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to the Registry Editor. You can use a tool to resolve this.
   - Navigate to the subkey that was detected by the anti-virus and delete the value.
   - Exit the Registry Editor.
   If you are still unable to open your registry, you may try the following steps:
   - Boot up the infected computer, but do not log in; leave it at the login prompt.
   - Start up another clean, worm-free computer which has updated anti-virus software running and an active firewall blocking all inbound connections.
   - From the clean computer, start REGEDIT.EXE and click File -> Connect Network Registry. Connect to the infected computer.
   - Change the following values to the values shown (make sure that you enter the correct path to where Windows is installed; for example, on NT 4.0 it is WINNT):
     - "Userinit" = "C:\WINNT\system32\userinit.exe,"
     - "Shell" = "Explorer.exe"
   - After completing the above steps, reboot the infected computer.
   - Using the clean computer, map the C$ share and scan it using the up-to-date anti-virus to remove any infected files on the infected computer. You should then be able to boot the computer; continue from Step 6.
6. Run a full system scan using an updated version of the anti-virus software and delete any files detected as the worm.
7. Download and run a process management tool or process viewer to kill all worm processes running on the infected machine. Such tools are available for the machine's platform and can be downloaded free of charge from the Internet.
8. Delete the scheduled tasks added by the worm. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.) In the Control Panel window, double-click Scheduled Tasks. Right-click the task icon and select Properties from the pop-up menu. The properties of the task are displayed. Delete the task if the contents of the Run text box in the task pane match the worm.
9. Enable System Restore (Windows XP/Windows Me only).
10. Re-scan your computer with an updated version of the anti-virus to confirm the computer is clean.
11. Re-connect your computer to the network once it is confirmed clean.
NOTE: As your computer is disconnected from
the network, use a clean computer connected to the network to
download tools and references.
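As an added example (not part of this advisory), a read-only PowerShell check a responder can run in an elevated session on the affected machine after cleanup, to confirm that the Winlogon "Userinit" and "Shell" values from the removal steps hold their defaults and that the per-user policy values behind two of the listed symptoms (Registry Editor disabled, Folder Options removed) are not set. The Winlogon and Policies key paths and the DisableRegistryTools/NoFolderOptions value names are standard Windows locations that the advisory does not name; nothing is modified.

```powershell
# Added example, not from the advisory: audit the registry values the removal
# steps restore. Read-only; assumes an elevated local PowerShell session.
function Test-WinlogonIntegrity {
    # Standard location of the Userinit and Shell values (assumed, not on the page).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # Expected defaults: userinit.exe under the real system directory, with the
    # trailing comma Windows uses, and explorer.exe as the shell.
    $expected = @{
        Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
        Shell    = 'explorer.exe'
    }
    $current  = Get-ItemProperty -Path $winlogon
    $findings = @()
    foreach ($name in $expected.Keys) {
        $actual = [string]$current.$name
        # -ne on strings is case-insensitive; any extra program appended to
        # Userinit or Shell shows up here as a mismatch.
        if ($actual -ne $expected[$name]) {
            $findings += [pscustomobject]@{
                Check    = "Winlogon\$name"
                Expected = $expected[$name]
                Actual   = $actual
            }
        }
    }
    # Per-user policy values behind two listed symptoms (standard names, assumed).
    # A non-zero DWORD means the restriction is active.
    $policies = @(
        @{ Label = 'Registry Editor disabled'
           Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Name  = 'DisableRegistryTools' },
        @{ Label = 'Folder Options hidden'
           Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Name  = 'NoFolderOptions' }
    )
    foreach ($p in $policies) {
        # Missing key or value is the clean state, so errors are suppressed.
        $v = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ($v) {
            $findings += [pscustomobject]@{ Check = $p.Label; Expected = '0 or absent'; Actual = $v }
        }
    }
    return $findings
}

$result = Test-WinlogonIntegrity
if ($result) { $result | Format-Table -AutoSize } else { 'No deviations from the expected values found.' }
```

Run it again after the reboot in the registry sub-steps: a Userinit or Shell mismatch that reappears indicates the worm process or its scheduled task is still re-writing the values.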