Net-Worm:W32/Brontok.B

Name: Net-Worm:W32/Brontok.B
Size: 94208
Category: Malware
Type: Net-Worm
Platform: W32
Date of Discovery: June 14, 2007

Summary

A type of worm that replicates by sending complete, independent copies of itself over a network.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Note

To fix executable file associations after disinfection please download and run the following Registry fix:

Additional Details

Net-Worm:W32/Brontok.B attempts to propagate over removable media such as USB thumb drives. It may also attempt to connect to remote servers. Brontok.B also disables certain operating system features (see Registry Modifications below).


Execution

On execution, the first noticeable characteristic of this malware is the termination of applications such as CMD, regedit, and other EXE files. Processes whose names contain any of the following strings are terminated by this malware:

  • ANT
  • ASM
  • AVAST
  • BUG
  • CONF
  • CONSO
  • DBG
  • DETEC
  • INSTALL
  • KASP
  • MCAFEE
  • NOD
  • NORTON
  • NTVDM
  • OPEN
  • PLAY
  • PROC
  • REG
  • REMOV
  • SCAN
  • SECUR
  • SUPPO
  • TASK
  • UPDAT
  • UPG
  • VIR
  • W32
  • WALK

Furthermore, this malware will not perform any system changes if its filename is any of the following:

  • AutoPro.exe
  • mdefault.exe
  • mcagent.exe
  • mcshield.exe

During execution, the following files are dropped:

  • C:\AUTORUN.INF
  • C:\Documents and Settings\\Local Settings\Temp\~DF1A17.tmp
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif
  • C:\WINDOWS\Autorun.inf
  • C:\WINDOWS\Web\shell.exe
  • C:\WINDOWS\winme.exe
  • C:\winme.exe

Activity

This worm may open a browser window that attempts to connect to the following URLs:

  • http://security.symantec.com
  • http://www.symantec.com

Propagation

Brontok.B will create AUTORUN.INF files and copy itself to available removable media (USB drives) to allow itself to propagate.


Registry Modifications

Sets these values:

  • [HKCR\batfile\shell\open\command] (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
  • [HKCR\comfile\shell\open\command] (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
  • [HKCR\exefile\shell\open\command] (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
  • [HKCR\piffile\shell\open\command] (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] Hidden = 1 HideFileExt = 1 ShowSuperHidden = 1
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] DisableTaskMgr = 1 DisableRegistryTools = 1 DisableCMD = 1
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Nofolderoptions = 1
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] DisableTaskMgr = 1 DisableRegistryTools = 1
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] NoFolderOptions = 1
  • [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer] DisableMSI = 1
  • [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore] DisableConfig = 1 DisableSR = 1
  • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell = Explorer.exe "C:\WINDOWS\winme.exe" Userinit = C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\winme.exe
  • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot] AlternateShell = C:\WINDOWS\winme.exe
  • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot] AlternateShell = C:\WINDOWS\winme.exe

Creates these keys:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] winme = C:\WINDOWS\winme.exe
  • [HKCR\lnkfile\shell\open\command] (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
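The following PowerShell script is an added example, not F-Secure's own tool or the Registry fix referred to above. It audits a host for the dropped files, hijacked file-type handlers, policy values and persistence entries listed in this description, and with -Remediate restores the associations and removes the policy values. Assumptions: Windows PowerShell 5.1 or later run as Administrator, Windows installed on C:, and the usual default values for Winlogon Shell/Userinit and SafeBoot AlternateShell (verify these against a known-good host of the same Windows version before remediating).

```powershell
# Added example, not F-Secure's code: audits a Windows host for the
# Brontok.B indicators listed in this description. Read-only unless
# -Remediate is given. Assumptions: Windows PowerShell 5.1+, run as
# Administrator, Windows installed on C:, and the usual default values
# for Winlogon Shell/Userinit and SafeBoot AlternateShell.
[CmdletBinding()]
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files from the description. The per-user Temp file is skipped
#    because the page shows its path with a username placeholder.
$droppedFiles = @(
    'C:\AUTORUN.INF',
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif',
    'C:\WINDOWS\Autorun.inf',
    'C:\WINDOWS\Web\shell.exe',
    'C:\WINDOWS\winme.exe',
    'C:\winme.exe'
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}

# 2. Hijacked shell\open\command handlers. A clean system has "%1" %* for
#    bat/com/exe/pif and no such key at all for lnkfile (the worm creates it).
foreach ($t in 'batfile', 'comfile', 'exefile', 'piffile', 'lnkfile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$t\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -match 'shell\.exe') {
        $findings.Add("$t handler hijacked: $cmd")
        if ($Remediate) {
            if ($t -eq 'lnkfile') { Remove-Item -Path $key -Force }
            else { Set-ItemProperty -Path $key -Name '(default)' -Value '"%1" %*' }
        }
    }
}

# 3. Policy values the worm sets to 1 (Task Manager, Regedit, CMD, Folder
#    Options, Windows Installer, System Restore). Removing the value restores
#    the default of "not disabled". Registry value names are case-insensitive.
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr', 'DisableRegistryTools', 'DisableCMD' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'NoFolderOptions' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr', 'DisableRegistryTools' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'NoFolderOptions' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';               Names = 'DisableMSI' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Names = 'DisableConfig', 'DisableSR' }
)
foreach ($c in $policyChecks) {
    $props = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
    foreach ($n in $c.Names) {
        if ($props -and $props.$n -eq 1) {
            $findings.Add("policy set: $($c.Key)\$n = 1")
            if ($Remediate) { Remove-ItemProperty -Path $c.Key -Name $n }
        }
    }
}

# 4. Persistence entries pointing at winme.exe, with the clean value to
#    restore ($null means delete the value). The defaults are an assumption;
#    compare with a known-good host of the same Windows version first.
$persistence = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';          Clean = 'Explorer.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';       Clean = 'C:\WINDOWS\System32\userinit.exe,' },
    @{ Key = 'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot';                  Name = 'AlternateShell'; Clean = 'cmd.exe' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';             Name = 'AlternateShell'; Clean = 'cmd.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'winme';          Clean = $null }
)
foreach ($p in $persistence) {
    $v = (Get-ItemProperty -Path $p.Key -ErrorAction SilentlyContinue).($p.Name)
    if ($v -and $v -match 'winme\.exe') {
        $findings.Add("persistence: $($p.Key)\$($p.Name) = $v")
        if ($Remediate) {
            if ($null -eq $p.Clean) { Remove-ItemProperty -Path $p.Key -Name $p.Name }
            else { Set-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Clean }
        }
    }
}

if ($findings.Count -eq 0) { 'No Brontok.B indicators found.' } else { $findings }
```

Run it once without -Remediate to see what it finds; shell.exe and winme.exe should be removed or quarantined by the scanner before the registry is repaired, otherwise the worm can re-set the values on its next launch. The Task Manager, Regedit and CMD policy values are also set per-user under HKCU, so the audit has to run in each affected user's context as well as once elevated for HKLM.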

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]
Version = 2007-06-14_03.