W32.Brontok worm is a mass mailing worm that
infects computers and USBs/Pen Drives. Most anti-virus vendors
had rated the W32.Brontok worm as LOW in threat assessment,
MEDIUM in potential damage associated to the worm and HIGH in
distribution of the worm. The W32.Brontok worm was first
discovered on 23rd September 2005 (UTC Time).

The worm spreads through email attachments and
file sharing over the network. The characteristics of this worm,
with regard to file names, folders created, port numbers used
will differ from one variant to another.

System Affected

Windows 2000,Windows 95 ,Windows 98 ,Windows Me ,Windows
NT,Windows Server 2003 ,Windows XP

Payload

(Payloads varies from different variants)

1. Large scale e-mailing: Sends a mass-mailing of itself.
2. Mass-mailing may degrade performance.
3. It may lead to machine or system instability.
4. Overwrites the c:autoexec.bat file.
5. Restarts the system.
6. Disable Registry Editor.

How to Tell if your Computer is Infected

1. Presence of the worm related file in your system folder.
2. Modifications to file viewing settings.
3. Removal of Folder Option on Windows Explorer.
4. Unusual instability of your system.

Detection

Scan the infected computer with an updated
Anti-virus softwares to detect the presence of the worm on
infected machine.

NOTE: Users MUST update their
Anti-virus softwares in order to detect/delete the worm.

Removal Steps

Manual removal steps:

1. Disconnect your computer from the network
   and disable file sharings, if any.

2. Disable System Restore (for Windows
   XP/Windows Me only).

   For Windows XP:

   1. Click Start.
   2. Right-click My Computer, and then click Properties.
   3. Click the System Restore tab.
   4. Select “Turn off System Restore” or “Turn off System
      Restore on all drives” check box.

   For Windows Me:

   1. Click Start, point to Settings, and then click Control
      Panel.
   2. Double-click the System icon. The System Properties
      dialog box appears.
   3. Click the Performance tab, and then click File System.
      The File System Properties dialog box appears.
   4. Click the Troubleshooting tab, and then check Disable
      System Restore.
   5. Click OK. Click Yes, when you are prompted to restart
      Windows.

3. Start your machine in Safe mode.

   Update your Anti-virus software with the latest signature
   files and scan your computer withthe Anti-virus to detect the
   worm and delete any files detected as the worm by clicking the
   DELETE button.

4. Delete the value from the registry.

   You need to back up the registry before
   making any changes to it. In correct changes to the registry
   can result in permanent data loss or corrupted files. Modify
   the specified subkeys only.

   1. Click Start > Run.
   2. Type regedit
   3. Click OK.

      Note: If the registry editor fails to open
      the threat may have modified the registry to prevent access
      to the registry editor. You can used a tool to resolve this
      problem.

      Download this
      tool.

      Navigate to the subkey that was detected by the anti-virus
      and delete the value.

   4. Exit the Registry Editor.

   If you are still unable to open your registry, you may try
   the following steps.

   1. Boot up the infected computer, but do not
      login to the server, leave it at the login prompt.

   2. Start up another clean computer, worm-free
      computer which has an updated anti-virus software running and
      an active firewall running preventing all inbound
      connections.

   3. From the clean computer, start REGEDIT.EXE
      and click on File -> File -> Connect Network Registry.
      Connect to the infected computer.

   4. Modify the following values in
      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrentVersion
      Winlogon
      to the following values:

   5. “Userinit” = “C:WINNTsystem32userinit.exe,” “Shell” = “Explorer.exe”(make sure that you enter the correct path to where
      Windows is installed. For example on NT4.0 it is WINNT)

   6. After completing the above steps, reboot
      the infected computer.

   7. Using the clean computer, map the C$ share
      and scan it using the up to date anti-virus to remove any
      infected files on the infected computer. Then, you should be
      able to boot to the computer and then follow Steps 6 - Steps
      11.

5. Run a full system scan using an updated
   version of Anti-virus software and delete any files detected as
   worm.

6. Download and run a process management tool
   or process viewer to kill all worm processes running on the
   infected machine. The process management tool or the process
   viewer is available according to the machine’s platform and can
   be downloaded free from the Internet. For example users can
   download and use the following process viewer:

   
   http://www.sysinternals.com/Utilities/ProcessExplorer.html

7. Delete the scheduled tasks added by the
   worm. Click Start, and then click Control Panel. (In Windows
   XP, switch to Classic View.) In the Control Panel window,
   double click Scheduled Tasks. Right click the task icon and
   select Properties from pop-up menu. The properties of the task
   is displayed. Delete the task if the contents of the Run text
   box in the task pane matches the worm.

8. Enable the System Restore (for Windows
   XP/Windows Me only).

9. Re-scan your computer with an updated
   version of Anti-virus to confirm the computer is clean.

10. Re-connect your computer to the network once
    confirmed clean.

NOTE: As your computer is disconnected from
the network, use a clean computer connected to the network to
download tools and references.

Tags: antivirus, manual removal, mass-mailings, Porno website, W32.Brontok