W32.Brontok is a mass-mailing worm that infects Windows computers
and copies itself to USB flash drives (pen drives). Most anti-virus
vendors rated W32.Brontok LOW in threat assessment, MEDIUM in the
potential damage associated with the worm and HIGH in distribution.
W32.Brontok was first discovered on 23 September 2005 (UTC).

The worm spreads through e-mail attachments and through file
sharing over the network. The characteristics of this worm, such as
the file names it uses, the folders it creates and the port numbers
it uses, differ from one variant to another.

System Affected

Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000,
Windows XP, Windows Server 2003

Payload

(The payload varies between variants.)

  1. Large-scale e-mailing: sends copies of itself by e-mail.
  2. The mass-mailing may degrade system and network performance.
  3. It may cause machine or system instability.
  4. Overwrites the C:\autoexec.bat file.
  5. Restarts the system.
  6. Disables Registry Editor.

How to Tell if your Computer is Infected

  1. Presence of worm-related files in your system folder.
  2. Modifications to Windows Explorer's file-viewing settings.
  3. Folder Options removed from Windows Explorer.
  4. Unusual instability of your system.
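An added example, not part of the original article, of checking these indicators on the suspect machine itself with PowerShell. It reads only the standard Windows policy, Explorer and Winlogon registry locations and lists scheduled tasks; the worm's own file names are variant-specific and are deliberately not assumed. Run it from an administrative prompt. The SHOWALL\CheckedValue check is a general hidden-files indicator rather than one the article names.

```powershell
# Read-only triage for Brontok-style indicators. Nothing here is modified.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$findings = New-Object System.Collections.ArrayList

# 1. Registry Editor disabled / Folder Options removed: both are per-user
#    Explorer policies that malware sets to hinder manual clean-up.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
if ((Get-RegValue "$pol\System" 'DisableRegistryTools') -gt 0) {
    [void]$findings.Add('Registry Editor is disabled (Policies\System\DisableRegistryTools)')
}
if ((Get-RegValue "$pol\Explorer" 'NoFolderOptions') -gt 0) {
    [void]$findings.Add('Folder Options is removed from Explorer (Policies\Explorer\NoFolderOptions)')
}

# 2. File-viewing settings: CheckedValue under SHOWALL is what the
#    "Show hidden files and folders" option writes; Windows ships it as 1.
#    Malware that wants to stay hidden sets it to 0 so the option never
#    takes effect. General indicator, not one the article lists by name.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = Get-RegValue $showAll 'CheckedValue'
if ($checked -ne $null -and $checked -ne 1) {
    [void]$findings.Add("SHOWALL\CheckedValue is $checked (expected 1): hidden files cannot be shown")
}

# 3. Winlogon hijack: whatever Userinit names runs at every logon. The
#    default is "<SystemRoot>\system32\userinit.exe," (trailing comma
#    included); a second comma-separated entry means something else was chained.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = Get-RegValue $wl 'Userinit'
if ($userinit -and $userinit.TrimEnd(',') -notmatch '^[a-z]:\\[^,]+\\system32\\userinit\.exe$') {
    [void]$findings.Add("Winlogon\Userinit is '$userinit'")
}
$shell = Get-RegValue $wl 'Shell'
if ($shell -and $shell -ne 'Explorer.exe') {
    [void]$findings.Add("Winlogon\Shell is '$shell' (expected Explorer.exe)")
}

# 4. Scheduled tasks: schtasks.exe ships with XP/2003 and later, so this works
#    where Get-ScheduledTask does not. Some versions repeat the CSV header row
#    per task folder, hence the filter. Every task's command is listed for review.
$tasks = schtasks /query /v /fo csv 2>$null | ConvertFrom-Csv |
         Where-Object { $_.TaskName -ne 'TaskName' }
foreach ($t in $tasks) {
    [void]$findings.Add("Scheduled task $($t.TaskName) runs: $($t.'Task To Run')")
}

if ($findings.Count -eq 0) { 'No Brontok-style indicators found.' } else { $findings }
```

A clean machine prints only its scheduled tasks (for you to eyeball) and no other findings; any Winlogon or policy line is worth following up before the removal steps below.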

Detection

Scan the infected computer with up-to-date anti-virus software to
detect the presence of the worm on the machine.

NOTE: Users MUST update their anti-virus signatures first; an
out-of-date scanner will not detect or delete the worm.

Removal Steps

Manual removal steps:

  1. Disconnect your computer from the network
    and disable any file shares.

  2. Disable System Restore (for Windows
    XP/Windows Me only).

    For Windows XP:

    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Select “Turn off System Restore” or “Turn off System
      Restore on all drives” check box.

    For Windows Me:

    1. Click Start, point to Settings, and then click Control
      Panel.
    2. Double-click the System icon. The System Properties
      dialog box appears.
    3. Click the Performance tab, and then click File System.
      The File System Properties dialog box appears.
    4. Click the Troubleshooting tab, and then check Disable
      System Restore.
    5. Click OK. Click Yes, when you are prompted to restart
      Windows.
  3. Start your machine in Safe Mode.

    Update your anti-virus software with the latest signature
    files and scan your computer with the anti-virus to detect the
    worm; delete any files detected as the worm by clicking the
    DELETE button.

  4. Delete the worm's value from the registry.

    Back up the registry before making any changes to it.
    Incorrect changes to the registry can result in permanent
    data loss or corrupted files. Modify the specified subkeys
    only.

    1. Click Start > Run.
    2. Type regedit
    3. Click OK.

      Note: If the registry editor fails to open,
      the threat may have modified the registry to prevent access
      to the registry editor. You can use a tool to resolve this
      problem.

      Download this tool.

    4. Navigate to the subkey that was detected by the anti-virus
      and delete the value.

    5. Exit the Registry Editor.

    If you are still unable to open your registry, you may try
    the following steps. (Connecting to a remote registry requires
    the Remote Registry service to be running on the infected
    computer and an account with administrator rights on it.)

    1. Boot up the infected computer, but do not
      log in; leave it at the logon prompt.

    2. Start up another clean, worm-free
      computer which has updated anti-virus software running and
      an active firewall preventing all inbound connections.

    3. From the clean computer, start REGEDIT.EXE
      and click File -> Connect Network Registry.
      Connect to the infected computer.

    4. Under the subkey
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      set the following values:

    5. "Userinit" = "C:\WINNT\system32\userinit.exe," and
      "Shell" = "Explorer.exe" (the trailing comma in the Userinit
      value is part of the Windows default; make sure that you enter
      the correct path to where Windows is installed. For example on
      NT 4.0 it is WINNT, on Windows XP it is WINDOWS).
    6. After completing the above steps, reboot
      the infected computer.

    7. Using the clean computer, map the C$ share
      and scan it using the up-to-date anti-virus to remove any
      infected files on the infected computer. You should then be
      able to boot the infected computer and continue with the
      remaining steps below, from Step 5 onward.

  5. Run a full system scan using an updated
    version of the anti-virus software and delete any files detected
    as the worm.

  6. Download and run a process management tool
    or process viewer to kill all worm processes running on the
    infected machine. Process viewers are available for each
    platform and can be downloaded free from the Internet; for
    example, users can download and use the following process
    viewer:


    http://www.sysinternals.com/Utilities/ProcessExplorer.html

  7. Delete the scheduled tasks added by the
    worm. Click Start, and then click Control Panel. (In Windows
    XP, switch to Classic View.) In the Control Panel window,
    double-click Scheduled Tasks. Right-click the task icon and
    select Properties from the pop-up menu. The properties of the
    task are displayed. Delete the task if the contents of the Run
    text box match the worm.

  8. Re-enable System Restore (for Windows
    XP/Windows Me only).

  9. Re-scan your computer with an updated
    version of the anti-virus to confirm the computer is clean.

  10. Reconnect your computer to the network once
    it is confirmed clean.
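The registry part of the procedure above, as an added PowerShell example that is not from the original article: it restores the Winlogon Userinit and Shell values and removes the two Explorer policies that lock users out of Registry Editor and Folder Options. With -ComputerName it does the same over the network from a clean machine, which is the scripted equivalent of regedit's File -> Connect Network Registry step and carries the same requirements (Remote Registry service running on the target, administrator rights on it). The script file name Repair-Brontok.ps1 and the default C:\WINDOWS system root are assumptions; use -WhatIf to see what would change without writing anything.

```powershell
# Repair-Brontok.ps1 (hypothetical name). Restores the Winlogon defaults the
# article lists and deletes DisableRegistryTools / NoFolderOptions for every
# loaded user profile. Run from an administrative PowerShell.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Assumption: Windows is installed here on the target. Use C:\WINNT for
    # NT 4.0 / Windows 2000 installs, as the article notes.
    [string]$TargetSystemRoot = 'C:\WINDOWS'
)

$isLocal = ($ComputerName -eq $env:COMPUTERNAME)
if ($isLocal) {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $hku  = [Microsoft.Win32.Registry]::Users
} else {
    # Same access path regedit uses for "Connect Network Registry".
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
}

# --- Winlogon: the values the worm replaces so its copy runs at logon ---
$winlogon = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', $true)
$defaults = @{
    Userinit = "$TargetSystemRoot\system32\userinit.exe,"   # trailing comma is part of the default
    Shell    = 'Explorer.exe'
}
foreach ($name in @('Userinit', 'Shell')) {
    $current = $winlogon.GetValue($name)
    if ($current -ne $defaults[$name]) {
        Write-Warning "$ComputerName Winlogon\$name is '$current'"
        if ($PSCmdlet.ShouldProcess("\\$ComputerName Winlogon\$name", "set to '$($defaults[$name])'")) {
            $winlogon.SetValue($name, $defaults[$name], [Microsoft.Win32.RegistryValueKind]::String)
        }
    }
}
$winlogon.Close()

# --- Per-user policies that block regedit and Folder Options ---
$policies = @(
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
# HKEY_USERS only holds profiles that are currently loaded, so a machine left
# at the logon prompt exposes no user hives here; run this part again once the
# affected user can log on.
$sids = $hku.GetSubKeyNames() | Where-Object { $_ -match '^S-1-5-21-' -and $_ -notmatch '_Classes$' }
foreach ($sid in $sids) {
    foreach ($p in $policies) {
        $key = $hku.OpenSubKey("$sid\$($p.Sub)", $true)
        if ($key -eq $null) { continue }
        $value = $key.GetValue($p.Name)
        if ($value -ne $null) {
            Write-Warning "$sid has $($p.Name) = $value"
            if ($PSCmdlet.ShouldProcess("\\$ComputerName HKU\$sid\$($p.Sub)", "remove $($p.Name)")) {
                $key.DeleteValue($p.Name, $false)
            }
        }
        $key.Close()
    }
}
```

Typical use from the clean machine is .\Repair-Brontok.ps1 -ComputerName INFECTED -WhatIf to review, then the same command without -WhatIf; reboot the infected machine afterwards, as in Step 6 of the network procedure, and still run the full anti-virus scan, since this only undoes the registry changes and does not remove the worm's files.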

NOTE: While your computer is disconnected from
the network, use a clean computer connected to the network to
download tools and references.



8 Comments to “Steps on how to remove W32.Brontok.”

  1. Rajnish Ranjan | August 24th, 2007 at 8:44 am

    My server LAN network is blocked by the Brontok W32 virus.

  2. Computer Security Tips | October 25th, 2007 at 8:10 am

    Computer Security Tips…

    I couldn’t understand some parts of this article, but it sounds interesting…

  3. mykz | November 24th, 2008 at 8:46 pm

    sounds interesting…. but a little old school…… it’s a really slow process…..

  4. Robin | April 2nd, 2010 at 5:19 pm

    Please tell me the antivirus which itself removes this virus. Many people are not literate enough to understand this method.

    And my system, when it reaches safe mode, restarts.

  5. neil | May 8th, 2010 at 9:36 pm

    Dear Robin, don't listen to that bullshit they're talking about; just format your PC, or if you don't know how to format, call a professional.

  6. Min Jarratt | May 5th, 2011 at 3:56 pm

    You made several intriguing points. I’m not sure if we see eye to eye on everything, but then again, who does? I must look into it further. Fine article at any rate, thanks and ta ta! (Added this to FeedBurner, so enjoy! :))

  7. [Method] Make Money with Virus/Worm/etc Removal Sites + CPA Content Locker | August 6th, 2012 at 8:42 pm

    […] […]

  8. [Method] Make Money with Virus/Worm/etc Removal Sites + CPA Content Locker | February 16th, 2013 at 10:49 pm

    […] of the people will get lost in the reading. Proof? Read the comments of the above article, click here. Everyone wants the fast and easy way. Something that will fix everything by a single push of the […]
