Rontokbro aka Brontok Worm

October 19, 2006

A mass-mailing email worm that also spreads via USB and thumb drives, the Rontokbro worm - also known as Brontok - takes a multifaceted approach to defy detection and removal. Rontokbro / Brontok modifies the HOSTS file to prevent access to antivirus vendor sites, thereby blocking signature updates and online scanners. It may also disable antivirus and other security software running on the system, as well as block access to Registry Editor and other system tools needed to attempt manual removal of the worm.

First discovered in late September 2005, as of October 2006 over 20 variants of the Rontokbro / Brontok worm had been discovered. The worm executables often adopt either the Microsoft Word icon or the folder icon. Copies of the worm also often adopt the same name as the folder in which they were dropped. For example, if Rontokbro / Brontok copied itself to a folder named "New Folder", it would do so using the filename "New Folder". Because Windows hides file extensions by default, and the worm may use a folder icon, the infected file can appear to be merely a nested new folder. In addition, the worm typically modifies the Registry to cause the Folder Options menu item to disappear from the Windows Explorer Tools menu.

Some variants of the Rontokbro / Brontok worm cause the system to reboot when certain strings appear in window titles. For example, if "EXE" appears in the title of a window, the worm will cause the system to shut down and restart. On some occasions, the worm will pause the system during bootup and display a message in a fashion similar to much older DOS viruses.

F-Secure includes a screenshot in their Brontok.N write-up.

Rontokbro / Brontok may also launch Ping attacks which, depending on the number of infected systems at any given time, could result in a form of Distributed Denial of Service (DDoS) attack.

Because the worm prevents access to the Registry Editor and other diagnostic tools, and prevents access to antivirus software, removing a Rontokbro / Brontok infection can be tricky. To do so will require access to a second, non-infected PC. Here's how:

  1. From a non-infected PC, follow the first 8 steps outlined in How to Make an F-Prot CD.
  2. Take the F-Prot CD to the infected computer. Boot the infected computer into Safe Mode (see How to Boot into Safe Mode), then follow the 7 remaining steps outlined in the How to Make an F-Prot CD article to scan the system and remove any instances of Rontokbro / Brontok found.
  3. Before rebooting the PC, while still in Safe Mode, disable system restore. You can re-enable the system restore feature later, after you've booted normally, to create a new, clean system restore point.

After cleaning the system, be sure to remove any worm-created entries in the HOSTS file. Then update your antivirus software, test it with the EICAR test file to ensure it's working properly, and rescan your entire system - including any mapped and removable drives.
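Two of the indicators described above (worm-added HOSTS entries that point non-local hostnames at loopback, and executables named after the folder that contains them) are easy to check for from a clean system. The following is an added example, not code from the original article or from any vendor; the HOSTS content and file paths are constructed samples using example domains, not real indicators.

```python
import posixpath
from typing import List, Tuple

# Hostnames that legitimately map to a loopback address in a clean HOSTS file.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}
LOOPBACK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com"}

# Constructed sample HOSTS file (not a real capture); the last two lines
# imitate the pattern Brontok uses to cut off antivirus sites.
SAMPLE_HOSTS = """\
# Constructed sample for the example
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example        # worm-added: blocks updates
127.0.0.1       scanner.security-site.example
"""

# Constructed sample paths; two imitate the "folder-name" worm copies.
SAMPLE_PATHS = [
    r"C:\Documents\New Folder\New Folder.exe",  # worm copy posing as a nested folder
    r"C:\Documents\New Folder\report.doc",
    r"E:\Photos\Photos.exe",                    # copy dropped on a removable drive
    r"C:\Windows\explorer.exe",
]


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs that map a non-local hostname to a loopback
    address. A clean HOSTS file only maps localhost-style names there."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK_ADDRS and name.lower() not in LEGIT_LOOPBACK:
                found.append((ip, name))
    return found


def folder_mimics(paths: List[str]) -> List[str]:
    """Return executables whose base name equals their parent folder's name,
    e.g. 'New Folder\\New Folder.exe', the naming the worm uses to hide."""
    hits = []
    for original in paths:
        parent, fname = posixpath.split(original.replace("\\", "/"))
        stem, ext = posixpath.splitext(fname)
        if ext.lower() in EXECUTABLE_EXTS and stem.lower() == posixpath.basename(parent).lower():
            hits.append(original)
    return hits
```

Run against the real HOSTS file (read from the scanned drive) and a directory listing; anything flagged is a candidate for the manual cleanup step, not proof of infection on its own.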

To prevent reinfection from Rontokbro / Brontok, avoid opening email attachments received unexpectedly - even from someone you know - unless you are certain of the intent. Don't share your USB and thumb drives with others unless you are certain their system is clean and avoid downloading files from anonymous P2P filesharing networks.