MA-104.032006: MyCERT Special Alert - W32.Brontok Worm

Original Issue Date: 22nd March 2006
Second Revision: 2nd May 2006

Introduction

MyCERT received reports and information from various reliable sources regarding the circulation of a particular worm and its variants, known as the W32.Brontok worm. W32.Brontok worm is a mass mailing worm that infects computers and USBs/Pen Drives. Most anti-virus vendors had rated the W32.Brontok worm as LOW in threat assessment, MEDIUM in potential damage associated to the worm and HIGH in distribution of the worm. The W32.Brontok worm was first discovered on 23rd September 2005 (UTC Time) and until yesterday the latest variant is W32.Brontokbro.U@mm.

The worm spreads through email attachments and file sharing over the network. The characteristics of this worm, with regard to file names, folders created, port numbers used will differ from one variant to another.

Based on assessment of number of reports received, we believe there is a widespread infection in our constituency and MyCERT advises users and organizations to update their anti-virus softwares with latest signature file and patch their systems and take the prevention actions as provided below to prevent against the current and future worm infection.

System Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Payload

(Payloads varies from different variants)

  1. Large scale e-mailing: Sends a mass-mailing of itself.

  2. Mass-mailing may degrade performance.

  3. It may lead to machine or system instability.

  4. Overwrites the c:\autoexec.bat file.

  5. Restarts the system.

  6. Disable Registry Editor.

How to Tell if your Computer is Infected

  1. Presence of the worm related file in your system folder.

  2. Modifications to file viewing settings.

  3. Removal of Folder Option on Windows Explorer.

  4. Unusual instability of your system.

Detection

Scan the infected computer with an updated Anti-virus softwares to detect the presence of the worm on infected machine.

NOTE: Users MUST update their Anti-virus softwares in order to detect/delete the worm.

Removal Steps

Manual removal steps:

  1. Disconnect your computer from the network and disable file sharings, if any.

  2. Disable System Restore (for Windows XP/Windows Me only).

    For Windows XP:

    1. Click Start.

    2. Right-click My Computer, and then click Properties.

    3. Click the System Restore tab.

    4. Select "Turn off System Restore" or "Turn off System Restore on all drives" check box.

    For Windows Me:

    1. Click Start, point to Settings, and then click Control Panel.

    2. Double-click the System icon. The System Properties dialog box appears.

    3. Click the Performance tab, and then click File System. The File System Properties dialog box appears.

    4. Click the Troubleshooting tab, and then check Disable System Restore.

    5. Click OK. Click Yes, when you are prompted to restart Windows.

  3. Start your machine in Safe mode.

    How to start a computer in safe mode, pls refer to:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

  4. Update your Anti-virus software with the latest signature files and scan your computer withthe Anti-virus to detect the worm and delete any files detected as the worm by clicking the DELETE button.

  5. Delete the value from the registry.

    You need to back up the registry before making any changes to it. In correct changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only.

    How to make a backup of the Windows registry, pls refer at:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam

    1. Click Start > Run.
    2. Type regedit
    3. Click OK.

      Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. You can used a tool to resolve this problem.

      Download this tool. Once downloaded, ‘right-click’ the UnHookExec.inf file and click install. Then continue with the removal steps.
      http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html

      Other alternative way to enable registry, please refer to:
      http://www.patheticcockroach.com/mpam4/index.php?p=28

      Navigate to the subkey that was detected by the anti-virus and delete the value.

    4. Exit the Registry Editor.

    6. If you are still unable to open your registry, you may try the following steps.

    1. Boot up the infected computer, but do not login to the server, leave it at the login prompt.

    2. Start up another clean computer, worm-free computer which has an updated anti-virus software running and an active firewall running preventing all inbound connections.

    3. From the clean computer, start REGEDIT.EXE and click on File -> File -> Connect Network Registry. Connect to the infected computer.

    4. Modify the following values in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\NT\CurrentVersion\Winlogon to the following values:

      "Userinit" = "C:\WINNT\system32\userinit.exe,"
      "Shell" = "Explorer.exe"

      (make sure that you enter the correct path to where Windows is installed. For example on NT4.0 it is WINNT)

    5. After completing the above steps, reboot the infected computer.

    6. Using the clean computer, map the C$ share and scan it using the up to date anti-virus to remove any infected files on the infected computer. Then, you should be able to boot to the computer and then follow Steps 6 - Steps 11.

  6. Run a full system scan using an updated version of Anti-virus software and delete any files detected as worm.

  7. Download and run a process management tool or process viewer to kill all worm processes running on the infected machine. The process management tool or the process viewer is available according to the machine's platform and can be downloaded free from the Internet. For example users can download and use the following process viewer:
    http://www.sysinternals.com/Utilities/ProcessExplorer.html

  8. Delete the scheduled tasks added by the worm. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.) In the Control Panel window, double click Scheduled Tasks. Right click the task icon and select Properties from pop-up menu. The properties of the task is displayed. Delete the task if the contents of the Run text box in the task pane matches the worm.

  9. Enable the System Restore (for Windows XP/Windows Me only).

  10. Re-scan your computer with an updated version of Anti-virus to confirm the computer is clean.

  11. Re-connect your computer to the network once confirmed clean.

NOTE: As your computer is disconnected from the network, use a clean computer connected to the network to download tools and references.

You may refer to the below URL on protecting/securing your computer:
http://www.mycert.org.my/homepcsecurity.html

Prevention

  1. Install the latest computer updates/patches.

  2. Enable and use up-to-date antivirus software.

  3. Close all ports except your http port otherwise you need to filter the ports to authorized users only.

  4. Enable a personal firewall on your computer.

  5. Practise safe email practices. You may refer at:
    http://www.mycert.org.my/faq-safe_email_practices.htm

  6. You may refer to the below URL on protecting/securing your computer:
    http://www.mycert.org.my/homepcsecurity.html

References:

  1. Symantec
    http://securityresponse.symantec.com/avcenter/venc/data/w32.rontokbro@mm.html

  2. Trend Micro
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBRONTOK%2EAA&VSect=P

  3. McAfee
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=136318

  4. F-Secure

If you believe that your computer has been infected in any way, we encourage you to report to MyCERT at:

Tel : 03-89961901
Fax : 03-89960827
Email : mycert@mycert.org.my
SMS :019-2813801
Web :https://www.mycert.org.my/report/form_report.html




All Rights Reserved
Copyright© 2005 MyCERT, NISER
Technology Park Malaysia, 57000 Kuala Lumpur, Malaysia.
Last Modified : 2nd May 2006
Developed and maintained by MyCERT WebMaster
Feedback

Disclaimer:

MyCERT page serves as a source of information, extracted from various other sources focusing on computer security issues for the Internet community in Malaysia. Therefore, MyCERT is not responsible for any outcomes resulted in the misuse of the information given on this page. In addition, MyCERT also denies liability for any consequences of applying the technical solutions given here.


MyCERT Copyright