Malware name: Brontok Worm
Newest version detection rate: 13/41
Detected by Malwarebytes: Yes
Difficulty of removal once installed: (rating bar; the value is not recoverable from the page)
Introduction:
This has to be the most annoying malware out there right now... But probably not.
This worm places an autorun.inf file on every USB drive plugged into your computer, and the worm is executed every time you plug that infected USB device into a machine.
It also sends mail with the worm attached to all your contacts.
When executed, this worm disables almost everything on your computer.
When you run an executable file (.exe, .com, .scr or .pif), it creates a file in the same folder with the same name but with a space inserted before the extension. This file also contains the worm.
It hides the original file you executed and turns off "Show hidden files and folders", so you can't see the original file. It also disables Folder Options in the Control Panel so you can't turn that setting back on.
When you execute any file, it also executes the worm again (it hijacks the shell open command).
To protect itself and make removal harder, it also disables My Computer (so you can't access it), Task Manager, the Registry Editor, the taskbar, Run, Help, System Restore and most services.
After you restart your computer, it kills almost all processes and services related to anti-virus products.
Symptoms:
Unable to open executable files, or files disappearing after you execute them and being replaced with a file with the icon below:
A "This operation has been disabled by the administrator" error when trying to access My Computer or any drive (C:\, D:\, E:\, etc.).
Task bar hidden.
Services and drivers not working properly.
Computer randomly shuts down when executing a program.
Files created:
c:\Film.exe
c:\Puisi.txt
c:\Desktop.ini
c:\Data Administrator.exe
c:\4K51K4\Folder.htt
C:\Windows\System32\IExplorer.exe
C:\Windows\System32\MrHalloween.scr
C:\WINDOWS\system32\shell.exe
C:\WINDOWS\system32\trz1.tmp
C:\WINDOWS\system32\trz3.tmp
C:\Windows\4k51k4.exe
C:\Windows\trz2.tmp
C:\Windows\SYSTEM.INI
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif (file name and extension can vary)
%Homepath%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\LSASS.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
%Homepath%\Local Settings\Application Data\CSRSS.EXE
%Homepath%\Local Settings\Application Data\LSASS.EXE
%Homepath%\Local Settings\Application Data\SERVICES.EXE
%Homepath%\Local Settings\Application Data\WINLOGON.EXE
(FILE NAME EXECUTED)+(space).exe (for example, if you execute IExplorer.exe, it creates a file called IExplorer .exe in the same folder)
On USB:
Autorun.inf
Data Administrator.exe
Film.exe
\4K51K4\Folder.htt
\4K51K4\New Folder.exe
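The file-level behaviour described above (dropped files, the "name .exe" companion copies, the CSRSS/LSASS/SERVICES/WINLOGON look-alikes under Local Settings\Application Data, and an autorun.inf that launches one of the dropped files) can be checked offline from a clean machine. The Python below is an added example, not code from the original post: scan_tree() walks a directory tree such as a mounted USB drive or an offline copy of C:\ and reports those indicators, and build_sample_tree() creates a constructed tree of empty files laid out like the lists above so the script runs without any real sample. The indicator lists are taken from this page and nothing else.

```python
"""Filesystem triage for the indicators listed above. Added example, not code
from the original post. Point scan_tree() at a mounted USB drive or an offline
copy of C:\\; build_sample_tree() creates a constructed tree of empty files
that mirrors the page's layout so the script can be run offline."""
import os
import re
import tempfile
from pathlib import Path

# File names the page lists as dropped by the worm (compared case-insensitively).
DROPPED_NAMES = {
    "film.exe", "data administrator.exe", "4k51k4.exe", "mrhalloween.scr",
    "shell.exe", "folder.htt", "new folder.exe",
}
# Legitimate names under System32, but the page lists copies under
# Local Settings\Application Data; flag them only at that location.
FAKE_SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
# "<name> .exe": a space before the extension, sitting beside the original.
COMPANION_RE = re.compile(r"^(?P<stem>.+) \.exe$", re.IGNORECASE)
ORIGINAL_EXTS = (".exe", ".com", ".scr", ".pif")


def parse_autorun(text):
    """Return what the [autorun] section of an autorun.inf would launch:
    the values of open=, shellexecute= and shell\\<verb>\\command= keys,
    lower-cased with surrounding quotes removed."""
    launches = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            launches.append(value.strip().strip('"').lower())
    return launches


def scan_tree(root):
    """Walk root and return sorted (indicator, detail) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        present = {f.lower() for f in filenames}
        for name in filenames:
            lower = name.lower()
            rel = str((d / name).relative_to(root))
            if lower in DROPPED_NAMES:
                findings.append(("dropped-file", rel))
            if lower in FAKE_SYSTEM_NAMES and "application data" in str(d).lower():
                findings.append(("fake-system-binary", rel))
            m = COMPANION_RE.match(name)
            if m and any((m.group("stem") + ext).lower() in present
                         for ext in ORIGINAL_EXTS):
                findings.append(("companion-file", rel))
            if lower == "autorun.inf":
                for target in parse_autorun((d / name).read_text(errors="replace")):
                    if any(target.endswith(n) for n in DROPPED_NAMES):
                        findings.append(("autorun-launch", f"{rel} -> {target}"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample tree of empty files (no real malware)
    that mimics the layout the page describes, and return its root."""
    root = Path(tempfile.mkdtemp(prefix="brontok_demo_"))
    files = [
        "USB/Data Administrator.exe",
        "USB/Film.exe",
        "USB/4K51K4/Folder.htt",
        "USB/4K51K4/New Folder.exe",
        "Docs/report.exe",
        "Docs/report .exe",            # companion copy with the space before .exe
        "Docs/notes.txt",              # ordinary file, must not be flagged
        "Documents and Settings/user/Local Settings/Application Data/WINDOWS/CSRSS.EXE",
        "WINDOWS/system32/csrss.exe",  # the real location, must not be flagged
    ]
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    (root / "USB" / "autorun.inf").write_text(
        "[autorun]\nopen=Data Administrator.exe\nshellexecute=Film.exe\nicon=Film.exe\n")
    return root


if __name__ == "__main__":
    for kind, detail in scan_tree(build_sample_tree()):
        print(f"{kind:20s} {detail}")
```

The companion-file check only fires when the trimmed original is present beside the copy, which keeps files that legitimately have a space before the extension from being reported; on a live system the original is hidden, but it is still on disk, so the pairing still holds.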
Processes created:
C:\Windows\4k51k4.exe (when you open an executable)
C:\Windows\System32\IExplorer.exe
%Homepath%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\LSASS.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
Registry keys created:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS
{C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\WINLOGON.EXE}
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdministrator
{C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\SERVICES.EXE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LogonAdministrator
{C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\CSRSS.EXE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Monitoring
{C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\LSASS.EXE}
Registry keys modified:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
{1}
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig
{1}
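The Run entries and policy values listed above can be checked against a text export of the registry (Regedit's File - Export, or reg export on the command line) instead of by clicking through Regedit on the infected machine. The Python below is an added example, not from the original post: it parses the subset of .reg syntax needed (key headers, string and dword values), flags Run entries that point at CSRSS/LSASS/SERVICES/WINLOGON copies under Local Settings\Application Data together with the policy values the page says are set to 1, and builds a .reg fragment that deletes those entries and sets the policies back to 0. SAMPLE_EXPORT is constructed from the page's own list, not captured from a real machine.

```python
"""Offline triage of a Windows registry export (.reg text) for the Run entries
and policy values listed above. Added example; SAMPLE_EXPORT is constructed
from the page's list, not captured from an infected machine."""
import re

RUN_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# (key, value name) pairs the page says are set to 1; DisableTaskMgr is the
# one the first-stage removal steps delete.
POLICY_VALUES = (
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
)
# Names of the real system processes that the worm's copies impersonate.
SUSPECT_BINARIES = {"csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export mirroring the page's list (plus one benign entry).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
"ServiceAdministrator"="C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogonAdministrator"="C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
"System Monitoring"="C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
'''


def parse_reg_export(text):
    """Parse [key] headers plus "name"="string" and "name"=dword:xxxxxxxx
    lines into {key: {name: value}}; strings are unescaped, dwords are ints."""
    data, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            data.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith("dword:"):
            data[current][name] = int(value[6:], 16)
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            data[current][name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            data[current][name] = value  # hex:/expand-string values are kept raw
    return data


def triage(reg):
    """Return sorted (indicator, detail) findings for the page's registry IoCs."""
    by_lower = {k.lower(): v for k, v in reg.items()}  # key names are case-insensitive
    findings = []
    for key in RUN_KEYS:
        for name, target in by_lower.get(key.lower(), {}).items():
            if not isinstance(target, str):
                continue
            t = target.lower().strip('"')
            if t.split("\\")[-1] in SUSPECT_BINARIES and "application data" in t:
                findings.append(("run-entry", f"{key}\\{name} -> {target}"))
    for key, wanted in POLICY_VALUES:
        for name, value in by_lower.get(key.lower(), {}).items():
            if name.lower() == wanted.lower() and value == 1:
                findings.append(("policy-set", f"{key}\\{name} = {value}"))
    return sorted(findings)


def undo_reg(findings):
    """Build a .reg fragment that removes the flagged Run entries ("name"=-
    deletes a value in .reg syntax) and sets the flagged policies back to 0."""
    by_key = {}
    for kind, detail in findings:
        sep = " -> " if kind == "run-entry" else " = "
        key, _, name = detail.split(sep, 1)[0].rpartition("\\")
        line = f'"{name}"=-' if kind == "run-entry" else f'"{name}"=dword:00000000'
        by_key.setdefault(key, []).append(line)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, lines in by_key.items():
        out += [f"[{key}]", *lines, ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(parse_reg_export(SAMPLE_EXPORT))
    for kind, detail in found:
        print(f"{kind:12s} {detail}")
    print(undo_reg(found))
```

The Run-entry check keys on the file's location rather than its name, because csrss.exe and the others are legitimate when they live in System32; only the copies under Local Settings\Application Data are reported. The generated fragment can be merged with Regedit once it is usable again (first stage, or after ComboFix has restored it).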
Removal:
Note: this malware also runs in Safe Mode, so starting in Safe Mode is pointless unless your computer can't boot normally.
The removal is quite hard since it disables a lot of options and files.
The sooner you try to remove this virus, the easier it will be; if you restart your computer after you've been infected, removal will be even harder.
At the "first stage" of this malware, you will still be able to access most of your programs/tools.
(You only have about 10 minutes in this stage; then your computer will restart (it usually restarts randomly when executing a program) and reach the "second stage".)
Manual removal for the first stage:
First click on Start - Run and type "gpedit.msc" without the quotes, then press Enter.
Click on User Configuration - Administrative Templates - System, then click on Ctrl+Alt+Del Options.
On the right side, double-click Remove Task Manager, select Disable, then click OK.
If gpedit.msc doesn't work:
Click on Start - Run and type Regedit.
Find the value named HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr and delete it.
Press Ctrl+Alt+Delete and go to the Processes tab.
Kill all the processes named above. (MAKE SURE THE PROCESS WAS CREATED BY YOUR USERNAME (or Administrator) AND NOT BY SYSTEM. IF YOU END THE WRONG PROCESS YOU WILL GET A BLUE SCREEN OF DEATH.)
Then delete all of the files mentioned above.
After this, click on Start - Run, type Regedit and press Enter.
Find all of the "Registry keys created" mentioned above and delete them (right-click and Delete).
For the "Registry keys modified", do the same as above but double-click the value and change the value data from 1 to 0, then close the box.
Once you're done with this, skip the second and third stages and follow the rest of the removal guide (to remove the rest of the files).
Second stage:
Gpedit.msc and Regedit won't work, and you won't be able to end task on the worm's processes.
For this stage, we will need to download Process Explorer.
First, open your browser (if you can't open it, skip to stage 3; if your browser randomly closes, keep trying to download it).
Download Process Explorer here:
http://technet.microsoft.com/en-us/sysinternals/bb896653
Save it on your desktop.
Extract the zip file on your desktop.
Open the program (note: when you open it, the program may "disappear". If it randomly closes, you will need to extract it again from the zip file and overwrite the copy on your desktop).
Find all the processes mentioned above, right-click each one and end task.
If the program closes too quickly and you can't end task on them, skip to the third stage.
After killing the processes, locate the files mentioned above and delete all of them.
After this, click on Start - Run, type Regedit and press Enter.
Find all of the "Registry keys created" mentioned above and delete them (right-click and Delete).
For the "Registry keys modified", do the same as above but double-click the value and change the value data from 1 to 0, then close the box.
Once you're done with this, skip the third stage and follow the rest of the removal guide (to remove the rest of the files).
Third stage:
You won't be able to access your drives, and services and most drivers won't work. You won't be able to use the Run command or System Restore.
Now we will need to open your browser and download ComboFix here:
http://download.cnet.com/Combofix/3000-8022%5F4-75221073.html
Usually there is a shortcut to your browser on your desktop, Quick Launch bar or Start menu.
If there isn't and you can't access your drive, right-click your desktop and click New - Shortcut.
In the location of the item, put the location of the browser (for example C:\Program Files\Mozilla Firefox\firefox.exe or C:\Program Files\Internet Explorer\iexplore.exe), then double-click the shortcut to open it.
Once you've downloaded ComboFix, close ALL of your programs and disable your anti-virus (Google: how to disable "anti-virus name"). If you have AVG, you will need to uninstall it using Add/Remove Programs in the Control Panel; if you do not wish to uninstall AVG, skip ComboFix.
Open ComboFix; if it asks to download updates, click Yes.
The scan should take 10-20 minutes (it can be more).
Once it's done, it should have killed all the malware's running processes, deleted most of the files and registry keys, and restored most of your settings.
To remove the rest of the files:
There will still be files containing the malware on your computer. To remove them, download Malwarebytes Anti-Malware here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Make sure to do the full scan and not just the quick scan.
If your USB drive was infected, make sure to scan it with an anti-virus or Malwarebytes to remove the infected files.
To fix the "This operation has been disabled by the administrator" error, do the following:
Click on Start - Run, type gpedit.msc and press Enter.
Click on User Configuration - Administrative Templates - Windows Components, and then click Windows Explorer.
In the right pane, right-click Prevent access to drives from My Computer, and then click Properties.
Click Disable, and then click OK.
How to unhide the files that have been hidden:
Click on Start - Run and type "cmd" without the quotes, then press Enter.
In the command prompt, type "attrib -s -h /s /d" without the quotes. (The command only affects the folder the prompt is currently in and its subfolders, so run it from the root of the drive to cover the whole drive.)
Wait a few seconds and it should unhide all your files on the C:\ drive.
Additional information:
When you first execute the program, a Notepad file comes up with the following text:
(Google Translate from Indonesian to English)
(aksika is another malware created by someone else)
Code
thank's to aksika maker
riesha like to thank many of the
v_m aksika which has provided insight
so v_m emerging
one more thing I stress to all ..
VIRUS MAKER not intend anything except to tell you
that the OS (OPERATING SYSTEM) you use has a
many shortcomings, and do not view as a villain VIRUS MAKER
HACKER because just as a security tester, not as criminals
VIRUS MAKER also is testing an OS
so do not view VIRUSMAKER with negative outlook
but look with a positive outlook, a creation of the nation
by: rieysha
It also creates about 10 random Notepad/document files, named (location of the file (e.g. desktop) + random letter).doc/.txt, in random directories with the following content:
Google Translate:
Code
Pls yanx you back?
I've missed ya weight
what's the matter must go away from me
What you return to the heart of old
Will what I feel the Warmth of a first love
by: rieysha
And
Google Translate:
Code
When you yank back to Indonesia?
Are you back with your heart first?
by: rieysha
These files are not malicious, but you can remove them from your computer if you want.