Worm:W32/Brontok.B

Name : Worm:W32/Brontok.B
Detection Names : Worm.Win32.Brontok.b
Category : Malware
Type : Worm
Platform : W32

Summary

A type of worm that replicates by sending complete, independent copies of itself over a network.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Note

To fix executable file associations after disinfection please download and run the following Registry fix:

Details


Registry Modifications
Sets these values:

  •  [HKCR\batfile\shell\open\command]
          (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
  •   [HKCR\comfile\shell\open\command]
          (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
  •   [HKCR\exefile\shell\open\command]
          (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
  •   [HKCR\piffile\shell\open\command]
          (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
  •   [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
          Hidden = 1
          HideFileExt = 1
          ShowSuperHidden = 1
  •   [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
          DisableTaskMgr = 1
          DisableRegistryTools = 1
          DisableCMD = 1
  •   [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
          Nofolderoptions = 1
  •   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
          DisableTaskMgr = 1
          DisableRegistryTools = 1
  •   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
          NoFolderOptions = 1
  •   [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
          DisableMSI = 1
  •   [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
          DisableConfig = 1
          DisableSR = 1
  •   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
          Shell = Explorer.exe "C:\WINDOWS\winme.exe"
          Userinit = C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\winme.exe
  •   [HKLM\SYSTEM\ControlSet001\Control\SafeBoot]
          AlternateShell = C:\WINDOWS\winme.exe
  •   [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
          AlternateShell = C:\WINDOWS\winme.exe


Deletes these keys:

  •  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run\]
          winme = C:\WINDOWS\winme.exe
  •   [HKCR\lnkfile\shell\open\command\]
          (default) = "C:\WINDOWS\web\shell.exe" "%1" %*
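The registry changes listed above can be audited on a host with the script below. It is an added example, not F-Secure's code or the registry fix referred to in the Note; it reads the registry only, unless run with -RestoreAssociations, in which case the four hijacked file-association commands are reset to the Windows default of "%1" %*. The winme.exe pattern and the list of policy values come from this page; note that the lockout policies can also be set legitimately by Group Policy, so a hit is an indicator rather than proof.

```powershell
# Added audit script (not F-Secure's code): checks a Windows host for the
# registry changes this page lists for Worm:W32/Brontok.B. Read-only unless
# -RestoreAssociations is given.
[CmdletBinding()]
param([switch]$RestoreAssociations)

$Findings = [System.Collections.Generic.List[string]]::new()

# Read one registry value; returns $null if the key or value is absent.
# Pass '(default)' as the name to read a key's default value.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. File-association hijack: the worm points .bat/.com/.exe/.pif at shell.exe.
$assocDefault = '"%1" %*'
$assocKeys = 'batfile', 'comfile', 'exefile', 'piffile' |
    ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_\shell\open\command" }
foreach ($key in $assocKeys) {
    $cmd = Get-RegValue -Path $key -Name '(default)'
    if ($null -ne $cmd -and $cmd -ne $assocDefault) {
        $Findings.Add("Hijacked file association: $key = $cmd")
        if ($RestoreAssociations) {
            Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $assocDefault
            $Findings.Add("  -> restored to $assocDefault")
        }
    }
}

# 2. Policy values the worm sets to 1 to lock the user out of admin tools.
#    (A domain GPO can set these too; confirm before treating as infection.)
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr', 'DisableRegistryTools', 'DisableCMD' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'NoFolderOptions' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr', 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'NoFolderOptions' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';               Names = 'DisableMSI' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Names = 'DisableConfig', 'DisableSR' }
)
foreach ($check in $policyChecks) {
    foreach ($name in $check.Names) {
        if ((Get-RegValue -Path $check.Path -Name $name) -eq 1) {
            $Findings.Add("Lockout policy set: $($check.Path)\$name = 1")
        }
    }
}

# 3. Boot persistence: Winlogon Shell/Userinit and the Safe Mode shell
#    should not reference the worm's winme.exe.
$bootChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = 'Shell', 'Userinit' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';            Names = 'AlternateShell' }
)
foreach ($check in $bootChecks) {
    foreach ($name in $check.Names) {
        $v = Get-RegValue -Path $check.Path -Name $name
        if ("$v" -match 'winme\.exe') {
            $Findings.Add("Boot persistence: $($check.Path)\$name = $v")
        }
    }
}

if ($Findings.Count -eq 0) { 'No Brontok.B registry indicators found.' } else { $Findings }
```

Run it from an elevated PowerShell session, since the HKLM and HKCR keys need administrator rights to change and, on a locked-down host, the HKCU policy keys are the ones that explain why regedit and Task Manager refuse to start.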


Additional Details

Net-Worm:W32/Brontok.B attempts to propagate over removable media such as USB thumb drives. It may also attempt to connect to remote servers.

Brontok.B disables certain features of the operating system.

Execution

On execution, the first noticeable behaviour of this malware is the termination of applications such as CMD, regedit and other executables. Processes whose names contain any of the following strings are terminated by this malware:

  •   ANT
  •   ASM
  •   AVAST
  •   BUG
  •   CONF
  •   CONSO
  •   DBG
  •   DETEC
  •   INSTALL
  •   KASP
  •   MCAFEE
  •   NOD
  •   NORTON
  •   NTVDM
  •   OPEN
  •   PLAY
  •   PROC
  •   REG
  •   REMOV
  •   SCAN
  •   SECUR
  •   SUPPO
  •   TASK
  •   UPDAT
  •   UPG
  •   VIR
  •   W32
  •   WALK


Furthermore, this malware will not perform any system changes if its filename is any of the following:

  •   AutoPro.exe
  •   mdefault.exe
  •   mcagent.exe
  •   mcshield.exe

During execution, the following files are dropped:

  •   C:\AUTORUN.INF
  •   C:\Documents and Settings\\Local Settings\Temp\~DF1A17.tmp
  •   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif
  •   C:\WINDOWS\Autorun.inf
  •   C:\WINDOWS\Web\shell.exe
  •   C:\WINDOWS\winme.exe
  •   C:\winme.exe


Activity

This worm may open a browser attempting to connect to the following URLs:

  •   http://security.symantec.com
  •   http://www.symantec.com


Propagation

Brontok.B will create AUTORUN.INF files and copy itself to available removable media (USB drives) to allow itself to propagate.
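The autorun-based propagation described here, and the dropped files listed under Execution, can be checked for with the added script below. It is an example written for this page, not F-Secure's code. It assumes the Windows folder is $env:SystemRoot rather than the hard-coded C:\WINDOWS the page shows, takes the file names (shell.exe, winme.exe, Empty.pif, autorun.inf) from this page, and treats Win32_LogicalDisk DriveType 2 as "removable media". The final check reports whether the NoDriveTypeAutoRun policy is set to 0xFF, which disables AutoRun for every drive type and so removes the mechanism the worm relies on.

```powershell
# Added check (not F-Secure's code): inspects removable drives and the system
# drive for the AUTORUN.INF files Brontok.B plants, looks for the dropped files
# this page lists, and reports whether AutoRun is disabled by policy.

# Parse the [autorun] section of an autorun.inf and return every entry that
# would launch a program (open=, shellexecute=, shell\...\command=).
function Get-AutorunLaunchEntries {
    param([string]$InfPath)
    $entries = @()
    $inAutorun = $false
    foreach ($line in (Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inAutorun -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            $entries += [pscustomobject]@{ Key = $Matches[1]; Command = $Matches[2].Trim() }
        }
    }
    return $entries
}

# Drive roots to inspect: the system drive (the page lists C:\AUTORUN.INF)
# plus every removable disk (Win32_LogicalDisk DriveType 2).
$roots = @("$env:SystemDrive\")
$roots += Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { "$($_.DeviceID)\" }

foreach ($root in $roots) {
    $inf = Join-Path $root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    "autorun.inf present on $root"
    foreach ($e in Get-AutorunLaunchEntries -InfPath $inf) {
        # First token of the command is the launched file (quoted or bare).
        $exe = if ($e.Command -match '^"([^"]+)"') { $Matches[1] } else { ($e.Command -split '\s+')[0] }
        $target = Join-Path $root $exe
        "  $($e.Key) = $($e.Command)  (target exists: $(Test-Path -LiteralPath $target))"
    }
}

# Files the page lists as dropped during execution.
$dropped = @(
    (Join-Path $env:SystemRoot 'Autorun.inf'),
    (Join-Path $env:SystemRoot 'Web\shell.exe'),
    (Join-Path $env:SystemRoot 'winme.exe'),
    (Join-Path $env:SystemDrive 'winme.exe'),
    (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'Empty.pif')
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { "Dropped file present: $f" }
}

# Mitigation check: NoDriveTypeAutoRun = 0xFF disables AutoRun on all drive
# types, so an autorun.inf on a USB stick cannot launch the worm's copy.
$pol = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
if ($null -eq $pol -or $pol.NoDriveTypeAutoRun -ne 0xFF) {
    'AutoRun is not fully disabled (NoDriveTypeAutoRun is not 0xFF).'
} else {
    'AutoRun is disabled for all drive types.'
}
```

The autorun.inf parser reports what the file would launch and whether that target is actually present on the drive; an entry pointing at an executable sitting next to the inf file on removable media is the pattern the Propagation section describes. The temporary file under the user's Local Settings\Temp folder is not checked because its name is per-infection and the page elides the user name in the path.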