How to Prevent and Remove the Email-Worm.Win32.Brontok


1. What is the Email-Worm.Win32.Brontok

Win32.Brontok.q is a computer worm that affects the Windows operating system. The worm is spread through malicious emails and shared folders. Once it infects your computer, Win32.Brontok.q blocks access to various websites, slows your computer, causes your computer to reboot and replicates itself so that it can spread to other computers. Fortunately, Win32.Brontok.q can be removed without the aid of an expensive security program. Note that the free removal steps that follow apply to the Windows Vista and 7 operating systems.

a. Descriptions of Email-Worm.Win32.Brontok:

  • Pop-up blocker unable to block porn, casino and other adult-related bulk pop-ups
  • Unknown Worm.Win32.Brontok processes running in the Windows task list, strange error beeps from the computer tower
  • Infected files re-create and repair themselves; Worm.Win32.Brontok is exceptionally hard to remove
  • Changed Windows shortcuts, background picture and desktop tray icons
  • Abnormal system speed, long startup/shutdown and unexpected system shutdowns
  • Missing or corrupt registry keys, DLLs and system files trigger "Blue Screen of Death" errors
  • Search results and browser start page redirected to strange sites

b. Email-Worm.Win32.Brontok worm behaviors:

  • Sneaks into the computer system through browser security holes and installs multiple third-party programs
  • Bypasses security utilities by disguising itself as a legitimate Windows file; sends passwords, usernames and other confidential information to hackers
  • Creates pop-up advertisements matching browsing habits, collects system activity and changes system logs

Alias: W32/Rontokbro.gen@MM [McAfee]; W32/Scribble-B [Sophos]; Virus:Win32/Virut.BN [Microsoft]

2. Technical Details:

a. The following files were created in the system:


# Filename(s) File Size
1 %CommonDocuments%\Server\admin.txt 2 bytes
2 %CommonDocuments%\Server\hlp.dat 36,221 bytes
3 (35,840 bytes)
  %UserProfile%\aaaaaaaa�.exe
  %UserProfile%\aaaaaaaa�.exe
  %UserProfile%\aaaaaaaa�.exe
  %UserProfile%\aaaaaaaa�.exe
  %System%\aaaaaaaa�.exe
  %System%\aaaaaaaa�.exe
  %System%\aaaaaaaa�.exe
4 (1,256,767 bytes)
  %AppData%\br6657on.exe
  %AppData%\csrss.exe
  %AppData%\inetinfo.exe
  %AppData%\lsass.exe
  %AppData%\services.exe
  %AppData%\smss.exe
  %AppData%\svchost.exe
  %AppData%\winlogon.exe
  %Programs%\Startup\Empty.pif
  %Templates%\11496-NendangBro.com
  %Windir%\sembako-dfzjkli.exe
  %Windir%\ShellNew\bbm-tooklifd.exe
  %System%\cmd-bro-lkx.exe
  %System%\DXBLAL.exe
5 %Templates%\memory.tmp 60,416 bytes
6 %FontsDir%\services.exe 53,760 bytes
7 %System%\7y5h7.log 4,622 bytes
8 %System%\comsats.sys 9 bytes
9 %System%\guyik45hbh.exe 153,088 bytes
10 %System%\guyik45hbh.txt 594 bytes
11 (172,032 bytes)
  %System%\guyik45hbhx.exe
  %Windir%\Temp\04totenny.exe
12 %System%\Install.txt 250 bytes
13 %System%\nwcwks.dll 8,192 bytes
14 %Windir%\Tasks\At1.job 416 bytes
15 %Windir%\Temp\9nsl74436.exe 259,584 bytes
16 %Windir%\Temp\cx65hjlfx.exe 259,584 bytes
17 %Windir%\Temp\ddiaa.log 3,758 bytes
18 %Windir%\Temp\explorer.dat 1,032,192 bytes
19 %Windir%\Temp\sienozv.exe 56,320 bytes
20 %Windir%\Temp\t5nnyrtn.exe 214,016 bytes
21 %Windir%\Temp\uygkr9b.exe 56,320 bytes
22 %Windir%\Temp\winlogon.dat 502,272 bytes
  • Notes:
    • %CommonDocuments% is a variable that refers to the file system directory that contains documents that are common to all users. A typical path is C:\Documents and Settings\All Users\Documents.
    • %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
    • %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
    • %Templates% is a variable that refers to the file system directory that serves as a common repository for document templates. A typical path is C:\Documents and Settings\[UserName]\Templates.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.

b. The following files were modified:

c:\AUTOEXEC.BAT
[pathname with a string SHARE]\msinfo32.exe
[pathname with a string SHARE]\sapisvr.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
%ProgramFiles%\Internet Explorer\iedw.exe
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE
%ProgramFiles%\MSN\MSNIA\msniasvc.exe
%ProgramFiles%\MSN\MSNIA\prestp.exe
%ProgramFiles%\MSN\MsnInstaller\msninst.exe
%ProgramFiles%\NetMeeting\cb32.exe
%ProgramFiles%\NetMeeting\conf.exe
%ProgramFiles%\NetMeeting\wb32.exe
%ProgramFiles%\Outlook Express\msimn.exe
%ProgramFiles%\Outlook Express\oemig50.exe
%ProgramFiles%\Outlook Express\setup50.exe
%ProgramFiles%\Outlook Express\wab.exe
%ProgramFiles%\Outlook Express\wabmig.exe
%ProgramFiles%\Web Publish\WPWIZ.EXE
%ProgramFiles%\Windows Media Player\migrate.exe
%ProgramFiles%\Windows Media Player\mplayer2.exe
%ProgramFiles%\Windows Media Player\setup_wm.exe
%ProgramFiles%\Windows Media Player\wmplayer.exe
%ProgramFiles%\Windows NT\Accessories\wordpad.exe
%ProgramFiles%\Windows NT\dialer.exe
%ProgramFiles%\Windows NT\hypertrm.exe
%ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
%Windir%\Cache\Adobe Reader 6.0.1\ENUBIG\setup.exe
%Windir%\explorer.exe
%Windir%\hh.exe
%Windir%\inf\unregmp2.exe
%Windir%\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
%Windir%\Microsoft.NET\Framework\NETFXSBS10.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\jsc.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
%Windir%\msagent\agentsvr.exe
%Windir%\mui\muisetup.exe
%Windir%\NOTEPAD.EXE
%Windir%\pchealth\helpctr\binaries\HelpCtr.exe
%Windir%\pchealth\helpctr\binaries\HelpHost.exe
%Windir%\pchealth\helpctr\binaries\HelpSvc.exe
%Windir%\pchealth\helpctr\binaries\HscUpd.exe
%Windir%\pchealth\helpctr\binaries\msconfig.exe
%Windir%\pchealth\helpctr\binaries\notiflag.exe
%Windir%\pchealth\UploadLB\Binaries\UploadM.exe
%Windir%\regedit.exe
%System%\accwiz.exe
%System%\actmovie.exe
%System%\ahui.exe
%System%\alg.exe
%System%\arp.exe
%System%\asr_fmt.exe
%System%\asr_ldm.exe
%System%\asr_pfu.exe
%System%\at.exe
%System%\atmadm.exe
%System%\attrib.exe
%System%\auditusr.exe
%System%\blastcln.exe
%System%\bootcfg.exe
%System%\bootok.exe
%System%\bootvrfy.exe
%System%\cacls.exe
%System%\calc.exe
%System%\charmap.exe
%System%\chkdsk.exe
%System%\chkntfs.exe
%System%\cidaemon.exe
%System%\cipher.exe
%System%\cisvc.exe
%System%\ckcnv.exe
%System%\cleanmgr.exe
%System%\clean_all.exe
%System%\cliconfg.exe
%System%\clipbrd.exe
%System%\clipsrv.exe
%System%\cmd.exe
%System%\cmdl32.exe
%System%\cmmon32.exe
%System%\cmstp.exe
%System%\Com\comrepl.exe
%System%\Com\comrereg.exe
%System%\comp.exe
%System%\compact.exe
%System%\conime.exe
%System%\control.exe
%System%\convert.exe

  • Notes:
    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

c. The following directories were created:

c:\System Volume Information\.
c:\System Volume Information\..
%CommonDocuments%\Server
%AppData%\Bron.tok-18-23
%AppData%\Ok-SendMail-Bron-tok
%Windir%\ShellNew

d. Memory Modifications

    • There were new processes created in the system:

    Process Name Process Filename Main Module Size
    winlogon.exe %AppData%\winlogon.exe 1,388,544 bytes
    services.exe %AppData%\services.exe 1,388,544 bytes
    lsass.exe %AppData%\lsass.exe 1,388,544 bytes
    sienozv.exe %Windir%\temp\sienozv.exe 172,032 bytes
    uygkr9b.exe %Windir%\temp\uygkr9b.exe 172,032 bytes
    04totenny.exe %Windir%\temp\04totenny.exe 176,128 bytes
    guyik45hbh.exe %System%\guyik45hbh.exe 442,368 bytes
    guyik45hbhx.exe %System%\guyik45hbhx.exe 176,128 bytes
    updata.exe %System%\updata.exe 81,920 bytes
    csrss.exe %AppData%\csrss.exe 1,388,544 bytes
    inetinfo.exe %AppData%\inetinfo.exe 1,388,544 bytes
    services.exe %FontsDir%\services.exe 167,936 bytes
    [filename of the sample #1] [file and pathname of the sample #1] 1,388,544 bytes
    • There were new memory pages created in the address space of the system process(es):

    Process Name Process Filename Allocated Size
    spoolsv.exe %System%\spoolsv.exe 999,424 bytes
    spoolsv.exe %System%\spoolsv.exe 999,424 bytes
    • The following module was loaded into the address space of other process(es):

    Module Name Module Filename Address Space Details
    nwcwks.dll %System%\nwcwks.dll Process name: svchost.exe
    Process filename: %System%\svchost.exe
    Address space: 0x10000000 - 0x10006000
    • There was a new service created in the system:

    Service Name Display Name Status Service Filename
    NWCWorkstation Client Service for NetWare "Running" %System%\svchost.exe -k netsvcs
    • The following system services were modified:

    Service Name Display Name New Status Service Filename
    ALG Application Layer Gateway Service "Stopped" %System%\alg.exe
    SharedAccess Windows Firewall/Internet Connection Sharing (ICS) "Stopped" %System%\svchost.exe -k netsvcs
    wscsvc Security Center "Stopped" %System%\svchost.exe -k netsvcs

e. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Enum
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Enum
      • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
      • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
        • Use FormSuggest = "yes"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS]
        • CheckedValue = 0x00000000
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
        • uqsyb = "%Windir%\TEMP\sienozv.exe"
        • v5uvf = "%Windir%\TEMP\uygkr9b.exe"
        • apps = "%FontsDir%\services.exe"

        so that sienozv.exe runs every time Windows starts
        so that uygkr9b.exe runs every time Windows starts
        so that services.exe runs every time Windows starts
         
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • Bron-Spizaetus = ""
        • Bron-Spizaetus-dfilkoot = ""%Windir%\ShellNew\bbm-tooklifd.exe""
        • aaaaaaaa� = "%System%\aaaaaaaa�.exe"
        • guyik45hbh = "%System%\guyik45hbh.exe"
        • guyik45hbhx = "%System%\guyik45hbhx.exe"
        • aaaaaaaa� = "%System%\aaaaaaaa�.exe"
        • aaaaaaaa� = "%System%\aaaaaaaa�.exe"
        • aaaaaaaa� = "%System%\aaaaaaaa�.exe"

        so that bbm-tooklifd.exe runs every time Windows starts
        so that aaaaaaaa�.exe runs every time Windows starts
        so that guyik45hbh.exe runs every time Windows starts
        so that guyik45hbhx.exe runs every time Windows starts
         
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute]
        • values = 2A 3D F7 67 64 67 67 67 63 67 67 67 98 98 67 67 DF 67 67 67 67 67 67 67 27 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 66 67 67 69 78 DD 69 67 D3 6E AA 46 DF 66 2B AA 46 33 0F 0E 14 47 1
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control]
        • *NewlyCreated* = 0x00000000
        • ActiveService = "NWCWorkstation"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000]
        • Service = "NWCWorkstation"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "Client Service for NetWare"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Enum]
        • 0 = "Root\LEGACY_NWCWORKSTATION\0000"
        • Count = 0x00000001
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security]
        • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters]
        • ServiceDll = "%System%\nwcwks.dll"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation]
        • Type = 0x00000020
        • Start = 0x00000002
        • ErrorControl = 0x00000001
        • ImagePath = "%System%\svchost.exe -k netsvcs"
        • DisplayName = "Client Service for NetWare"
        • ObjectName = "LocalSystem"
        • Description = "Provides access to file and print resources on NetWare networks."
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control]
        • *NewlyCreated* = 0x00000000
        • ActiveService = "NWCWorkstation"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000]
        • Service = "NWCWorkstation"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "Client Service for NetWare"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Enum]
        • 0 = "Root\LEGACY_NWCWORKSTATION\0000"
        • Count = 0x00000001
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Security]
        • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters]
        • ServiceDll = "%System%\nwcwks.dll"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation]
        • Type = 0x00000020
        • Start = 0x00000002
        • ErrorControl = 0x00000001
        • ImagePath = "%System%\svchost.exe -k netsvcs"
        • DisplayName = "Client Service for NetWare"
        • ObjectName = "LocalSystem"
        • Description = "Provides access to file and print resources on NetWare networks."
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
        • DisableScriptDebuggerIE = "yes"
        • Error Dlg Displayed On Every Error = "no"
        • Play_Animations = "no"
        • Play_Background_Sounds = "no"
        • Display Inline Videos = "no"
        • Use FormSuggest = "yes"
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
        • UpdateHost = 00 50 3C BE DE 8B
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
        • ProxyEnable = 0x00000000
        • WarnOnZoneCrossing = 0x00000000
        • WarnOnPostRedirect = 0x00000000
        • WarnonBadCertRecving = 0x00000000
        • WarnOnHTTPSToHTTPRedirect = 0x00000000
        • WarnOnPost = 00 00 01 00
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        • aaaaaaaa� = "%UserProfile%\aaaaaaaa�.exe"

        so that aaaaaaaa�.exe runs every time Windows starts
         
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        • win = "%FontsDir%\services.exe"
        • init = "%FontsDir%\services.exe"

        so that services.exe runs every time Windows starts
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
        • NoFolderOptions = 0x00000001

        to remove the Folder Options item from all Windows Explorer menus and from Control Panel
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
        • DisableRegistryTools = 0x00000001
        • DisableCMD = 0x00000000

        to disable the Windows registry editors (Regedt32.exe and Regedit.exe)
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        • Tok-Cirrhatus-2817 = ""%AppData%\br6657on.exe""
        • Tok-Cirrhatus = ""
        • aaaaaaaa� = "%UserProfile%\aaaaaaaa�.exe"
        • aaaaaaaa� = "%UserProfile%\aaaaaaaa�.exe"
        • aaaaaaaa� = "%UserProfile%\aaaaaaaa�.exe"

        so that br6657on.exe runs every time Windows starts
        so that aaaaaaaa�.exe runs every time Windows starts
         
    • The following Registry Values were deleted:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
        • InprocServer32 = "IW[F9`$@Q?NcrI3z%N[,>`NTP6lYuf(laaqF-Q9q."
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
        • DisableSR = 0x00000001
    • The following Registry Values were modified:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
        • (Default) =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
        • (Default) =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]
        • (Default) =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
        • (Default) =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock]
        • (Default) =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1]
        • (Default) =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]
        • (Default) =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]
        • (Default) =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]
        • (Default) =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
        • CheckedValue =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
        • Auto =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
        • Shell =
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
        • AlternateShell =
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
        • AlternateShell =
      • [HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
        • (Default) =
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
        • Cookies =
        • Desktop =
        • Personal =
        • Templates =
        • Local AppData =
        • Cache =
        • History =
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
        • 1001 =
        • 1206 =
        • 1406 =
        • 1601 =
        • 1604 =
        • 1605 =
        • 1609 =
        • 1800 =
        • 1804 =
        • 1805 =
        • 1806 =
        • 1A04 =
        • 1A05 =
        • 1C00 =

f. Other details

    • The following ports were open in the system:

    Port Protocol Process
    1093 UDP guyik45hbh.exe (%System%\guyik45hbh.exe)
    1097 UDP updata.exe (%System%\updata.exe)
    1098 TCP updata.exe (%System%\updata.exe)
    1100 TCP updata.exe (%System%\updata.exe)
    1101 TCP updata.exe (%System%\updata.exe)
    1102 TCP updata.exe (%System%\updata.exe)
    1105 TCP updata.exe (%System%\updata.exe)
    1110 TCP inetinfo.exe (%AppData%\inetinfo.exe)
    1116 TCP updata.exe (%System%\updata.exe)
    1117 TCP updata.exe (%System%\updata.exe)
    1122 TCP updata.exe (%System%\updata.exe)
    1123 TCP updata.exe (%System%\updata.exe)
    1126 TCP updata.exe (%System%\updata.exe)
    1127 TCP updata.exe (%System%\updata.exe)
    1128 TCP updata.exe (%System%\updata.exe)
    1129 TCP updata.exe (%System%\updata.exe)
    1134 TCP updata.exe (%System%\updata.exe)
    1135 TCP updata.exe (%System%\updata.exe)
    1137 TCP csrss.exe (%AppData%\csrss.exe)
    1139 TCP uygkr9b.exe (%Windir%\TEMP\uygkr9b.exe)
    1140 TCP updata.exe (%System%\updata.exe)
    1143 TCP updata.exe (%System%\updata.exe)
    1144 TCP updata.exe (%System%\updata.exe)
    1147 TCP updata.exe (%System%\updata.exe)
    • The HOSTS file was updated with the following URL-to-IP mappings:

    64.79.73.154 drghwaweg45j4i6u3q32fg2h.com
    122.224.6.48 3b.iwillhavebigdick.com
    122.224.6.48 sb.iwillhavebigdick.com
    173.192.153.178 zsrdgrki32qw.com

    • There were registered attempts to establish connection with the remote hosts. The connection details are:

    • The data identified by the following URLs was then requested from the remote web server:


    3. How-to's

    a. How to prevent the Email-Worm.Win32.Brontok?

    Please keep the policy knowledge base of Sax2 up to date. Once Ax3soft Sax2 detects the network communication of this worm, it will break the connections and help secure your network and business.

    b. How to Remove the Email-Worm.Win32.Brontok Manually?

    Step 1 : Detect and Delete Other Email-Worm.Win32.Brontok Files

    Restart your computer and press "F8" repeatedly while it boots up. The Advanced Boot Options menu appears.
    Use the arrow keys on your keyboard to highlight "Safe Mode" and then press "Enter." Windows will load in Safe Mode.
    Click on the "Windows Start Menu" and then click on the "Search Programs and Files" box.
    Search for and delete the following files. To delete a file, right-click on it and select "Delete."

    %CommonDocuments%\Server\admin.txt
    %CommonDocuments%\Server\hlp.dat
    %UserProfile%\aaaaaaaa�.exe
    %UserProfile%\aaaaaaaa�.exe
    %UserProfile%\aaaaaaaa�.exe
    %UserProfile%\aaaaaaaa�.exe
    %System%\aaaaaaaa�.exe
    %System%\aaaaaaaa�.exe
    %System%\aaaaaaaa�.exe
    %AppData%\br6657on.exe
    %AppData%\csrss.exe
    %AppData%\inetinfo.exe
    %AppData%\lsass.exe
    %AppData%\services.exe
    %AppData%\smss.exe
    %AppData%\svchost.exe
    %AppData%\winlogon.exe
    %Programs%\Startup\Empty.pif
    %Templates%\11496-NendangBro.com
    %Windir%\sembako-dfzjkli.exe
    %Windir%\ShellNew\bbm-tooklifd.exe
    %System%\cmd-bro-lkx.exe
    %System%\DXBLAL.exe
    %Templates%\memory.tmp
    %FontsDir%\services.exe
    %System%\7y5h7.log
    %System%\comsats.sys
    %System%\guyik45hbh.exe
    %System%\guyik45hbh.txt
    %System%\guyik45hbhx.exe
    %Windir%\Temp\04totenny.exe
    %System%\Install.txt
    %System%\nwcwks.dll
    %Windir%\Tasks\At1.job
    %Windir%\Temp\9nsl74436.exe
    %Windir%\Temp\cx65hjlfx.exe
    %Windir%\Temp\ddiaa.log
    %Windir%\Temp\explorer.dat
    %Windir%\Temp\sienozv.exe
    %Windir%\Temp\t5nnyrtn.exe
    %Windir%\Temp\uygkr9b.exe
    %Windir%\Temp\winlogon.dat

    Step 2 : Use Registry Editor to Remove Email-Worm.Win32.Brontok Registry Values

    Click on the "Windows Start Menu," key in "Regedit" into the "Search Programs and Files" box and press "Enter." The Registry Editor opens.
    Click on "[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]" in the left pane of the Registry Editor. Then right-click on "Bron-Spizaetus-[random symbols]" in the right pane of the Registry Editor and select "Delete."
    Click on "[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]" in the left pane of the Registry Editor, right-click on "Tok-Cirrhatus-[random number]" in the right pane of the Registry Editor and select "Delete."
    Click on "[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]" in the left pane of the Registry Editor, then right-click on "Shell" in the right pane of the Registry Editor and select "Delete."
    Click on "[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]" in the left pane of the Registry Editor. Then right-click on "Explorer.exe" in the right pane of the Registry Editor and select "Delete."
    Click on [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot] in the left pane of the Registry Editor. Next right-click "AlternateShell" in the right pane of the Registry Editor and choose "Delete."
    Step 3: Change Registry Values

    Click on the "Windows Start Menu" and type "Regedit" into the "Search Programs and Files" box and press "Enter." The Registry Editor opens.
    Click on "[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System]" in the left pane of the Registry Editor. Right-click on "DisableRegistryTools" in the right pane of the Registry Editor, select "Modify" and then change the "Value" to "0" and click "OK."
    Click on "[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System]" again in the left pane. Right-click on "NoFolderOptions" in the right pane, select "Modify" and then alter the "Value" to "0." Click "OK."
    Click on "[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]" in the left pane of the Registry Editor. Right-click on "HideFileExt" in the right pane of the Registry Editor, select "Modify" and then change the "Value" to "0." Click "OK."
    Close the Registry Editor and restart your computer in normal mode.
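    As an added check (this script is not from the original page and is not Ax3soft code), the following PowerShell audits the registry locations and dropped-file paths named in Steps 1 to 3 and in section 2e above and reports anything matching the worm's persistence pattern, without deleting or changing it. It assumes an elevated PowerShell prompt on Windows Vista/7 or later; the expected defaults it compares against ('explorer.exe' for the Winlogon Shell value and 'cmd.exe' for SafeBoot AlternateShell) are the standard Windows settings, and the value-name patterns come from the report.

```powershell
# Added audit script; not part of the original page and not Ax3soft code.
# It reads the registry locations and file paths named in Steps 1-3 and in
# section 2e of the report and lists anything matching the worm's persistence
# pattern. It only reads: deleting or changing values stays a manual decision.
# Assumes an elevated PowerShell prompt on Windows Vista/7 or later.

$findings = New-Object System.Collections.Generic.List[string]

# Flag autostart values whose name matches a Brontok pattern from the report,
# or whose data launches a program from a data directory (the report shows the
# worm's copies under %AppData%, %Windir%\Temp and %FontsDir%).
function Test-RunValues {
    param([string]$Path, [string[]]$NamePatterns)
    if (-not (Test-Path $Path)) { return }
    $key = Get-Item $Path
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        $byName = $false
        foreach ($pattern in $NamePatterns) {
            if ($name -like $pattern) { $byName = $true }
        }
        $byData = $data -match '\\Application Data\\|\\AppData\\|\\TEMP\\|\\Fonts\\'
        if ($byName -or $byData) {
            $findings.Add("$Path : '$name' = $data")
        }
    }
}

# Flag a value that is present but not at the expected (benign) setting.
function Test-ExpectedValue {
    param([string]$Path, [string]$Name, $Expected)
    $props = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return }
    $actual = $props.$Name
    if ("$actual".Trim() -ne "$Expected") {
        $findings.Add("$Path : $Name = '$actual' (expected '$Expected')")
    }
}

# Step 2: Run keys (HKLM, HKCU) and the policy Run key from section 2e, where
# any value at all is suspect.
$brontokNames = @('Bron-Spizaetus*', 'Tok-Cirrhatus*', 'aaaaaaaa*')
Test-RunValues 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $brontokNames
Test-RunValues 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' $brontokNames
Test-RunValues 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run' @('*')

# Step 2: the shell Winlogon starts and the shell used in Safe Mode. Windows
# defaults are 'explorer.exe' and 'cmd.exe'; anything else was modified.
Test-ExpectedValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell' 'explorer.exe'
Test-ExpectedValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' 'AlternateShell' 'cmd.exe'

# Step 3: policies the worm sets to lock the user out of Regedit, Folder Options
# and file-extension display. NoFolderOptions is checked under both keys named
# on this page (Step 3 and section 2e).
Test-ExpectedValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools' 0
Test-ExpectedValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'NoFolderOptions' 0
Test-ExpectedValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoFolderOptions' 0
Test-ExpectedValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt' 0

# Section 2e: the NOHIDORSYS key is created by the worm (not a standard Windows
# key), and the NWCWorkstation service is pointed at the dropped nwcwks.dll.
$nohid = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS'
if (Test-Path $nohid) { $findings.Add("$nohid exists (worm-created key)") }
$svcParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters'
$dll = (Get-ItemProperty -Path $svcParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($dll -and $dll -match 'nwcwks\.dll$') { $findings.Add("NWCWorkstation ServiceDll = $dll") }

# Step 1: dropped copies that impersonate system processes outside %System%,
# plus the At1.job scheduled task from the report.
$dropped = @(
    (Join-Path $env:APPDATA 'csrss.exe'), (Join-Path $env:APPDATA 'lsass.exe'),
    (Join-Path $env:APPDATA 'services.exe'), (Join-Path $env:APPDATA 'smss.exe'),
    (Join-Path $env:APPDATA 'svchost.exe'), (Join-Path $env:APPDATA 'winlogon.exe'),
    (Join-Path $env:APPDATA 'inetinfo.exe'), (Join-Path $env:windir 'Fonts\services.exe'),
    (Join-Path $env:windir 'ShellNew\bbm-tooklifd.exe'), (Join-Path $env:windir 'Tasks\At1.job')
)
foreach ($file in $dropped) {
    if (Test-Path $file) { $findings.Add("file present: $file") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Brontok persistence indicators found.'
} else {
    Write-Output ("{0} indicator(s) found:" -f $findings.Count)
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

    Run it before and after the manual steps: an empty result after Step 3 confirms the autostart entries and policy locks listed on this page are gone, while any remaining line tells you exactly which step to repeat.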

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

    4. Appendix

    For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm