Wednesday, December 26, 2007

Brontok Worm

Brontok is a computer worm which spreads through e-mails and USB drives. There are many variants of Brontok, but they all work in basically the same way.

How do I know if my system is infected?
You can’t start Regedit.exe
When trying to start any other registry editor, the system restarts
The system also restarts when executing certain EXE files
The presence of the following files:
%WINDIR%\eksplorasi.pif
%UserProfile%\Local Settings\Application Data\smss.exe
%UserProfile%\Local Settings\Application Data\services.exe
%UserProfile%\Local Settings\Application Data\lsass.exe
%UserProfile%\Local Settings\Application Data\csrss.exe
%UserProfile%\Local Settings\Application Data\inetinfo.exe
%UserProfile%\Local Settings\Application Data\winlogon.exe
%UserProfile%\Start Menu\Programs\Startup\Empty.pif
%UserProfile%\Templates\WowTumpeh.com
%WINDIR%\%CURRENT_USER%’s Setting.scr
%WINDIR%\ShellNew\bronstab.exe
All these files have the size of the worm’s main executable: 42,028 bytes (about 42 KB).

What does it do?
Disables Folder Options
Disables the Registry Editor
Installs itself in the system startup
While resident in memory, it restarts the system whenever any program that involves the registry is started

How to remove Brontok?

Download and run this Brontok removal tool from Bitdefender. The tool kills the Brontok process, restores Folder Options and the Registry Editor, and fixes the system startup.

Unable To Open Hard Drive On Double Click

In some situations, especially after an anti-virus program has cleaned, healed, disinfected or removed a worm, trojan horse or virus from the computer, an error may appear whenever you try to open a drive by double-clicking its icon in Explorer or the My Computer window. The symptom occurs with hard disk drives, portable hard disks and USB flash drives, and Windows shows a dialog box with the following message:

Windows Script Host

Can not find script file autorun.vbs.


Sometimes you will instead be asked to debug the VBScript, with error code 800A041F - Unexpected ‘Next’.

or

Choose the program you want to use to open this file with:


In this case, the “Always use the selected program to open this kind of file” option is grayed out.

The symptom occurs because autorun.vbs was created by a trojan horse or virus. The virus normally drops an autorun.inf file in the root folder of every hard drive or USB drive, which then executes autorun.bat; that batch file contains a script that merges autorun.reg into the registry, possibly changing the following registry key so that the virus is loaded when the system starts:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit=userinit.exe,autorun.exe

Finally, autorun.bat calls wscript.exe to run autorun.vbs.

When antivirus or security software detects autorun.vbs as infected, the file is deleted, removed or quarantined. However, the other autorun.* files and the registry value still refer to autorun.vbs, which no longer exists, hence the error when users double-click to open a drive.

To correct this error, follow these steps:
1. Run Task Manager (Ctrl-Alt-Del or right-click on the Taskbar).
2. Stop the wscript.exe process, if present, by highlighting the process name and clicking End Process.
3. Then terminate the explorer.exe process.
4. In Task Manager, click on File -> New Task (Run…).
5. Type “cmd” (without quotes) into the Open text box and click OK.
6. Type the following commands one by one, hitting Enter after each:
del c:\autorun.* /f /s /q /a
del d:\autorun.* /f /s /q /a
del e:\autorun.* /f /s /q /a

c, d and e each represent a drive letter on the Windows system. If more drives or partitions exist, repeat the command with the other drive letters. Note that you must also clean the autorun files from any USB flash drive or portable hard disk, as external drives may also be infected.
7. In Task Manager, click on File -> New Task (Run…).
8. Type “regedit” (without quotes) into the Open text box and click OK.
9. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
10. Check that the value name and value data for the key are correct. The value data for userinit.exe includes its path, which may be on a drive other than C: (that is also valid); note the trailing comma, which is also required:
“Userinit”=”C:\WINDOWS\system32\userinit.exe,”

If the value is incorrect, modify it to the valid value data.


autorun.inf In Pen Drive

This virus is activated when you double-click to open the pen drive.
The autorun.inf file on that drive runs a .exe file to activate the virus.
So you must remove both files (autorun.inf and the .exe file) from the pen drive.
Otherwise the virus will undo everything you have done to remove it.
These files may be hidden system files; to show them, follow these steps:

1. Select Run from the Start menu.
2. Type cmd and hit Enter.
3. Type the pen drive letter followed by a colon (for example, J:) and hit Enter.
4. Now type the following and hit Enter:
attrib -h -a -r -s
5. Now, from My Computer, right-click (do not double-click) on the pen drive and select Open.
6. Delete the files autorun.inf and the .exe file from there.
7. Restart the system.
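As an added triage example (not part of the original post and not the Bitdefender tool), the Python below parses an autorun.inf of the kind described in both the hard-drive section above and this pen-drive section, lists what it would launch, and checks a Winlogon Userinit value for extra entries such as autorun.exe. The autorun.inf contents are constructed, and the function names are my own.

```python
import configparser
import ntpath

# Constructed sample of the autorun.inf described in the post: it runs
# autorun.bat when the drive is opened, which in turn starts wscript.exe
# on autorun.vbs. Not a real capture.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=autorun.bat
shellexecute=wscript.exe autorun.vbs
shell\\open\\Command=autorun.bat
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

def autorun_launch_targets(inf_text):
    """Return the commands an autorun.inf would run when the drive is opened.

    The [autorun] section uses INI syntax; 'open', 'shellexecute' and any
    'shell\\...\\command' entry launch something, while 'icon' is cosmetic.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(inf_text)   # keys are lower-cased by configparser
    if not parser.has_section("autorun"):
        return []
    targets = []
    for key, value in parser.items("autorun"):
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value.strip() not in targets:
            targets.append(value.strip())
    return targets

def check_userinit(value):
    """Inspect a Winlogon Userinit value data string.

    The legitimate data is one path to userinit.exe followed by a trailing
    comma; every other comma-separated entry (e.g. autorun.exe) is started
    at each logon and is reported in 'extras'.
    """
    extras = []
    has_userinit = False
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue   # the trailing comma produces an empty entry
        if ntpath.basename(entry).lower() == "userinit.exe":
            has_userinit = True
        else:
            extras.append(entry)
    return {"has_userinit": has_userinit, "extras": extras,
            "trailing_comma": value.rstrip().endswith(",")}

if __name__ == "__main__":
    print(autorun_launch_targets(SAMPLE_AUTORUN_INF))
    print(check_userinit("C:\\WINDOWS\\system32\\userinit.exe,autorun.exe"))
```

Run it against an autorun.inf copied off a suspect drive, or the exported Userinit data, to see what the infection would start before deleting anything.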