BRONTOK.U Trojan

Let me spell it correctly! BRONTOK.U

One of my NOD32 protected computers came up with this "worm" and it has spread to other computers on my home network. According to the information I have, it is done through e-mail addresses, so that makes sense.

Deep scanning the system, it is indicated that it resides in winlogon.exe. Each reboot seems to result in MORE infections, not less. It hijacks the folder structure, creating folders with an .exe extension that propagate the worm.

What a PAIN. Any advice? I've been running NOD32 scans, but it keeps coming back.

NOD32 Ver. 2.70.32
Database: 2880

==============
UPDATE: NOD32 Seems to have cleared one computer after a reboot--not the 1st infected one.

 

Re: BRONTOK.U Worm

This is driving me crazy!

Not only did it appear without warning, I can't get rid of it. 12 hours of scanning and cleaning, but I can't get the root file without the system rebooting.

winlogon.exe is the file in directory

C:\Documents and Settings\User Name\Application Data\

But if you open a folder, you won't find Application Data

If you try to open the registry -- the computer reboots.

HELP....Please!

 

Hello!

Download this file from here.

Save it in your main C:\ directory , so that it will be C:\scanv2.bat

Boot your infected computer in Safe Mode with Command prompt
Read how here . Use only the so called F8 mode!

Then when you log in the Command prompt will open .
Type:
cd\ and press ENTER
type scanv2.bat and press ENTER


This will scan NOD32's on-demand scanner with correct settings . It will scan all your local disks and will automatically eliminate threats.

After the scan is ready , NOD32 might want you reboot . Otherwise , in order to reboot after the scan has finished , press CTR+ALT+Delete buttons to open Task Manager and from the Options menu choose to Restart

 

Hello HiTech_boy,
there was a problem with Nod32 and this "worm" 3 years ago, https://www.wilderssecurity.com/showthread.php?t=133956 , do you happen to know if Marcos had an answer?

 

Hi!
Most likely they have received the sample but I have no idea what has happened afterwards.

 

Thanx for the reply HiTech_boy.

gearscout why don't you try either Sunbelt's CounterSpy v2 (the 15 day free trial) http://www.sunbelt-software.com/Home-Home-Office/CounterSpy/Download/ or TrenMicro's HouseCall (free online service) http://housecall65.trendmicro.com/ .

Sorry Eset's mods no offence to nod32 but these two seem to remove Brotock.u.

Maybe, gearscout followed HiTech_boy's instructions and has already removed this nasty malware.

 

Thanks to HiTech and all the responders...I have run the scan2.bat route and have not convincingly solved the problem.

Fact in point: The "Applications Data" folder is not back in my user directory.

ESET NOD32 help staff responded by saying I should disable backups in Windows XP SP2 and boot in 'Safe mode' before conducting a scan. I'll try that next.

Apologies for being so late with the "Thanks!" but I'd decided to disconnect the network as I suspected the source of some infection was the home network itself...the shared files and folders.

THANK YOU! I will post the outcome...and hopefully, it will be GOOD! ;-)

 

This is an apparently new variation. I submitted it to ESET for analysis.

Trying to launch the "Sunbelt" anti-virus program results in an instantaneous reboot. Trying to run "Registry Mechanic" gets the same shutdown forced by Brontok.U

Trend Micro is outlooking another 5 1/2 hours to complete its scan of this computer.

The worm is making it tougher on every pass to shut it down. I'm looking at the real possibility of having to reformat. But with hundreds of gigabytes of photo files and all their multiple backups on various hard disks, it isn't going to be easy.

I'm now getting warnings from AMON that Firefox.exe is creating new instances of the worm. Of course, Firefox is running House Call.

Really, it keeps getting WORSE.

 

Hi, install any HIPS with file protection like EQSecure, CFP with Defence Plus and try to contain it.

 

Aigle,

Unfortunately, trying to install EQSecure triggers an immediate reboot of the computer. It's a tough one.

I'm just rescanning this box and thought it might be in the clear, but NOD32 has found another instance of Brontok.U See, however, that it was stored in the /infected directory of ESET...so hoping I'll soon have one machine clear. This one is the server that gives NOD32 updates to all the others on my home network.

Thanks for the suggestion...I'll load it up and keep it handy when I get through this.

 

Disable back-ups ? Perhaps System Restore function ?
Booting in Safe Mode and conductinng a scan will be the same what I told you to do with the bat file . However , the bat file certainly contains correct settings for your scan.

You can continue using scanv2.bat for your scans no matter what mode you use.


Most likely your computer needs further inspection , as you mention it could be new variant NOD32 is prepared to fight. Keep in touch with ESET Support and hopefully they can help you!

 

HiTech...

Thanks.

Yes, System Restore is what is being disabled to carry this out. Though I can't say anything has really worked.

I've got two "cleaned" -- I think. But the third one is a real pain. I re-enable the registry editing only to have the virus return and wreak havoc. I've downloaded a fix for a variation of Brontok from Sophos that seemed to work well, but it's largely manual and obviously missing some files and locations for this variation.

Firefox now won't load.

All the Quicklaunch icons are gone.

Every boot brings up a fresh round of infected files. I've been at it ALL DAY. With more than 700GB of hard disk space/files the scans are taking a long, long time.

The behavior of the worm seems to be changing in terms of file locations.

Usually, it was in /Documents and Settings/UserName/Local Settings/Application Data...
...now its in /UserName/NetworkService/Local Settings/Application Data


sempalong.exe
csrss.exe
lsass.exe
services.exe
inetinfo.exe
empty.pif
explorasi.exe

What every file has in common is the size: 42667

 

Just a suggestion - if you've validated one or more of your home machines as clean - try to slave the drives of the remaining infected machines off of the clean one(s) for treatment.

Some of the cleanup will need to be done with the disk live, but the majority of treatment should be done from a slaved state to save time and provide for the greatest flexibility in approach. Good luck.

Blue

 

I'm not sure I understand anything you just said.

Do you mean disconnect the main C: HDD from the affected computer and install it as a separate drive in one of the machines that is running OK?

My main problem is a 3.2GHz WinXP Pro box. I have an almost identical setup on another machine...and could probably connect it. But wouldn't that just complicate all of the problems with the Registry, the missing access to folders in "Documents and Settings"?

Obviously, I'm not an expert at this...waiting to hear what ESET has to say about the files I sent them.

I have disconnected one of the 300GB drives on this machine...no files were showing up as infected on it and it was almost doubling the scan time...it was a data/backup drive.

I have seen how it has written all kinds of pointers to reload multiple copies of the Brontok.U worm using the registry. I deleted every one I could find and it was right back...with a vengeance, after a re-boot.

Here's an example after going into Safe Mode/Command Prompt and running the scanv2.bat--the User Name is substituted for the actual name listed in the virus alert from NOD32.
;-) I'm just sharing "the pain!"

2/17/2008 16:53:00 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\WINDOWS\ShellNew\sempalong.exe infected with Win32/Brontok.U
worm.~Bluestreak

2/17/2008 16:53:01 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\smss.exe infected with Win32/Brontok.U worm.~Bluestreak

2/17/2008 16:53:02 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\services.exe infected with Win32/Brontok.U worm.~Bluestreak

2/17/2008 16:53:02 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\lsass.exe infected with Win32/Brontok.U worm.~Bluestreak

2/17/2008 16:53:04 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\inetinfo.exe infected with Win32/Brontok.U worm.~Bluestreak

2/17/2008 16:53:04 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\csrss.exe infected with Win32/Brontok.U worm.~Bluestreak

2/17/2008 16:53:45 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\WINDOWS\ShellNew\sempalong.exe infected with Win32/Brontok.U
worm.~Bluestreak

2/17/2008 16:54:00 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\WINDOWS\eksplorasi.exe infected with Win32/Brontok.U
worm.~Bluestreak

2/17/2008 16:54:12 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\smss.exe infected with Win32/Brontok.U worm.~Bluestreak

2/17/2008 16:54:17 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\services.exe infected with Win32/Brontok.U worm.~Bluestreak

2/17/2008 16:54:20 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\lsass.exe infected with Win32/Brontok.U worm.~Bluestreak

2/17/2008 16:54:23 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\inetinfo.exe infected with Win32/Brontok.U worm.~Bluestreak

2/17/2008 16:54:24 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\csrss.exe infected with Win32/Brontok.U worm.~Bluestreak

 

Yes, install it as a slave on that machine. If that machine already has two physical drives, pull one. If you have a spare USB enclosure, use that and connect it externally. However, if you are not comfortable mucking with hardware - do not learn now. There's too much chance of a misstep in the commotion.

Basically, the end result should be a bunch of orphaned start up/registry entries - that's the part which would be addressed bringing the drive back for some live final adjustment.

If it's in their lap, wait for their response.

Exactly - focus attention where the main problem resides - and from descriptions of past variants, it sounds relatively localized. Naturally, that could change with a new variant.

All it takes is one remainder - hence my suggestion to not rely on an OS load from the infected drive. It's simply easier to deal with having it as a "passive subject" that can be examined at will and at your leisure.

Blue

 

Thanks, Blue.

I'll move the hard disk physically tonite.

Should it see the Primary Partition on that IDE drive, without problems? I will jumper it to "Slave." (If I can steal some jumper pins off another drive!)

ESET isn't much help so far. The most advanced "tip" is how to "F8" the system into Safe Mode. Somehow, my queries ended up in Ireland. It's a holiday in the U.S. so my missives in that direction are, as yet, unanswered.

I really appreciate the help each and every poster here has offered. They have been thoughtful and helpful.



Gearscout

 

@gearscout
Did you try my suggestions? Please scan the worm at VT so that other AV vendors can analyse it. Send a sample to samples@superantispyware.com as well. Thank you.

thanatos

 

CS (cable select) is generally used these days as a default, but either way works - just make sure the modes used match (CS/CS with proper cable location or Master/Slave). Again, don't go down this road if it's too unfamiliar. You should see the whole drive when it comes up.

Blue

 

I built both of these computers, so rigging up a slave drive is not foreign.

Still, as I go through my drive, having 'Safe Boot(ed)' my way into this OS and running NOD32, it's not finding anything except the file I deleted and is stored in the ESET\infected directory.

Is the fact that it is in 'Safe Mode' and NOD32 reports that it's Anti-Stealth initialization could not be fully completed an issue here? Should I be booting normally?

Meantime, all the other filenames are showing up in \Windows\prefetch as .pf files, created in the last 3 days.

eksplorasi.exe (plus a number string and the extension .pf) is the only one that shows an exact filesize match.

But Winlogon.exe - xxxxxx .pf and others are there, which I may delete...SAFE TO DO THAT? I think I would like to strip that entire directory of files, so many have been made in the last three days.

Any special suggestions now that I have this disk mounted as F: on my other computer?

Thanks!

 

Malware is not an issue if it cannot execute, and in a slaved drive configuration, that should be the case. Normal boot should be fine.

You can dump everything in the prefetch folder, valid entries will be recreated on reboot.

Empty out you Temporary Internet Folders under Local Settings. Also, use the location observations that you mentioned above to inspect these and related locations and look for generally suspicious and/or date or filesize correlated entries. Do the same in the root and Windows folders. From the various descriptions, prime locations/files are (via simple cut/paste from original sources - obviously, there are variant differences):

Code:

From Bitdefender:

    *  %WINDIR%\eksplorasi.pif
    * %UserProfile%\Local Settings\Application Data\smss.exe
    * %UserProfile%\Local Settings\Application Data\services.exe
    * %UserProfile%\Local Settings\Application Data\lsass.exe
    * %UserProfile%\Local Settings\Application Data\csrss.exe
    * %UserProfile%\Local Settings\Application Data\inetinfo.exe
    * %UserProfile%\Local Settings\Application Data\winlogon.exe
    * %UserProfile%\Start Menu\Programs\Startup\Empty.pif
    * %UserProfile%\Templates\WowTumpeh.com
    * %WINDIR%\%CURRENT_USER%'s Setting.scr
    * %WINDIR%\ShellNew\bronstab.exe

From Sophos:

<User>\Local Settings\Application Data\GavGent.B
<User>\Local Settings\Application Data\IDTemplate.exe
<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<Startup>\Empty.pif
<Windows>\pif\cvt.exe

The following registry entries are created to run IDTemplate.exe and cvt.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
IDTemplates
<User>\Local Settings\Application Data\IDTemplate.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemGent
<Windows>\PIF\CVT.exe

The following registry entry is set, disabling the registry editor (regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0

See also the MS Description. Finally, since key files tend to be homogeneous in size, perform a filesize based search on the slaved drive and deal with found files as appropriate (some are likely to be valid).

Verify your HOSTS file is valid. I'd do a custom scan of the slaved drive with NOD32 before reinstalling it - you can finesse this by focusing on the key folders where material is expected: Docs & Settings and Windows. You could narrow it down from here if D&S is loaded with content (photos/music/etc.) since it's really under Local Settings of each profile as I understand prior variants

When you first boot the "cleaned" drive/machine up, I'd personally do it as a standalone unit not connected to the LAN. I'd verify the state of the network connection and validity of DNS servers listed (or automatically assigned by your ISP) - but that's just me. Have CCleaner or something similar installed to survey start entries, perform a basic registry clean, and manually check registry entries mentioned above and in the MS listing mentioned above (needed executable should have already been removed).

At least that's what occurs to me on a quick review....

Blue

 

It's gone.

I have a laptop that's still "ill" but I'm sure I'll sort that out. The Windows desktop is blank...just the background image, altho you can call up programs. I suspect that's another registry tweak by Brontok.U

The main box, where most of the trouble was, is back up and running. That's the one I swapped out the drive to complete the cleaning process.

Lots of Brontok files were found and deleted in the end. Your list helped, Blue!

Also, the scheduled \Tasks folder contained a tidy bit of information. I found numerous "signature" files for the hare brained loser that wrote this code.

ESET has all kinds of copies of the files.

Firefox is restored...with all the bookmarks. Folder Options is back. I've had to manually restore some from Hidden and System files.

Unanswered is how a fully up-to-date version of NOD32 let Brontok.U go so far into the system. No doubt, I made it worse by clicking on a couple of folders that were actually .exe files. But even then, no red screen alert from NOD32. (The option WAS set to on.)

Again, many, many thanks to everyone on this thread!

Gearscout

 

Glad to hear things are on the mend.

Blue

 

Has this variant already been added to any updates I wonder?

 

Isn't it already detected as Brontok.U ?

 

You're right . Let me rephrase: how did it get past NOD if it is in the def files already?