BRONTOK.U Trojan

Discussion in 'NOD32 version 2 Forum' started by gearscout, Feb 15, 2008.

Thread Status:
Not open for further replies.
  1. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    Let me spell it correctly! BRONTOK.U

    One of my NOD32 protected computers came up with this "worm" and it has spread to other computers on my home network. According to the information I have, it is done through e-mail addresses, so that makes sense.

    Deep scanning the system, it is indicated that it resides in winlogon.exe. Each reboot seems to result in MORE infections, not less. It hijacks the folder structure, creating folders with an .exe extension that propagate the worm.

    What a PAIN. Any advice? I've been running NOD32 scans, but it keeps coming back.

    NOD32 Ver. 2.70.32
    Database: 2880

    ==============
    UPDATE: NOD32 Seems to have cleared one computer after a reboot--not the 1st infected one.
     
    Last edited: Feb 15, 2008
  2. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    Re: BRONTOK.U Worm

    This is driving me crazy!

    Not only did it appear without warning, I can't get rid of it. 12 hours of scanning and cleaning, but I can't get the root file without the system rebooting.

    winlogon.exe is the file in the directory

    C:\Documents and Settings\User Name\Application Data\

    But if you open a folder, you won't find Application Data

    If you try to open the registry -- the computer reboots.

    HELP....Please! :'(
     
  3. ASpace

    ASpace Guest

    Hello!

    Download this file from here.

    Save it in your main C:\ directory, so that it will be C:\scanv2.bat

    Boot your infected computer in Safe Mode with Command Prompt.
    Read how here. Use only the so-called F8 mode!

    Then, when you log in, the Command Prompt will open.
    Type:
    cd\ and press ENTER
    Type scanv2.bat and press ENTER


    This will run NOD32's on-demand scanner with the correct settings. It will scan all your local disks and will automatically eliminate threats.

    After the scan has finished, NOD32 might want you to reboot. Otherwise, in order to reboot after the scan has finished, press Ctrl+Alt+Delete to open Task Manager and from the Options menu choose to Restart.
     
  4. Gas

    Gas Registered Member

    Joined:
    May 23, 2007
    Posts:
    27
  5. ASpace

    ASpace Guest

  6. Gas

    Gas Registered Member

    Joined:
    May 23, 2007
    Posts:
    27
  7. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    Thanks to HiTech and all the responders...I have run the scanv2.bat route and have not convincingly solved the problem.

    Case in point: The "Application Data" folder is not back in my user directory.

    ESET NOD32 help staff responded by saying I should disable backups in Windows XP SP2 and boot in 'Safe mode' before conducting a scan. I'll try that next.

    Apologies for being so late with the "Thanks!" but I'd decided to disconnect the network as I suspected the source of some infection was the home network itself...the shared files and folders.

    THANK YOU! I will post the outcome...and hopefully, it will be GOOD! ;-)
     
  8. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    This is an apparently new variation. I submitted it to ESET for analysis.

    Trying to launch the "Sunbelt" anti-virus program results in an instantaneous reboot. Trying to run "Registry Mechanic" gets the same shutdown forced by Brontok.U

    Trend Micro is projecting another 5 1/2 hours to complete its scan of this computer.

    The worm is making it tougher on every pass to shut it down. I'm looking at the real possibility of having to reformat. But with hundreds of gigabytes of photo files and all their multiple backups on various hard disks, it isn't going to be easy.

    I'm now getting warnings from AMON that Firefox.exe is creating new instances of the worm. Of course, Firefox is running House Call.

    Really, it keeps getting WORSE.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, install any HIPS with file protection, like EQSecure or CFP with Defence Plus, and try to contain it.
     
  10. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    Aigle,

    Unfortunately, trying to install EQSecure triggers an immediate reboot of the computer. It's a tough one.

    I'm just rescanning this box and thought it might be in the clear, but NOD32 has found another instance of Brontok.U. See, however, that it was stored in the /infected directory of ESET...so hoping I'll soon have one machine clear. This one is the server that gives NOD32 updates to all the others on my home network.

    Thanks for the suggestion...I'll load it up and keep it handy when I get through this.
     
  11. ASpace

    ASpace Guest

    o_O


    Disable backups? Perhaps the System Restore function?
    Booting in Safe Mode and conducting a scan will be the same as what I told you to do with the bat file. However, the bat file certainly contains the correct settings for your scan.

    You can continue using scanv2.bat for your scans no matter what mode you use.


    Most likely your computer needs further inspection, as you mention it could be a new variant NOD32 is prepared to fight. Keep in touch with ESET Support and hopefully they can help you!
     
  12. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    HiTech...

    Thanks.

    Yes, System Restore is what is being disabled to carry this out. Though I can't say anything has really worked.

    I've got two "cleaned" -- I think. But the third one is a real pain. I re-enable the registry editing only to have the virus return and wreak havoc. I've downloaded a fix for a variation of Brontok from Sophos that seemed to work well, but it's largely manual and obviously missing some files and locations for this variation.

    Firefox now won't load.

    All the Quicklaunch icons are gone.

    Every boot brings up a fresh round of infected files. I've been at it ALL DAY. With more than 700GB of hard disk space/files the scans are taking a long, long time.

    The behavior of the worm seems to be changing in terms of file locations.

    Usually, it was in /Documents and Settings/UserName/Local Settings/Application Data...
    ...now it's in /UserName/NetworkService/Local Settings/Application Data


    sempalong.exe
    csrss.exe
    lsass.exe
    services.exe
    inetinfo.exe
    empty.pif
    explorasi.exe

    What every file has in common is the size: 42667
     
  13. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Just a suggestion - if you've validated one or more of your home machines as clean - try to slave the drives of the remaining infected machines off of the clean one(s) for treatment.

    Some of the cleanup will need to be done with the disk live, but the majority of treatment should be done from a slaved state to save time and provide for the greatest flexibility in approach. Good luck.

    Blue
     
  14. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    I'm not sure I understand anything you just said. :doubt:

    Do you mean disconnect the main C: HDD from the affected computer and install it as a separate drive in one of the machines that is running OK?

    My main problem is a 3.2GHz WinXP Pro box. I have an almost identical setup on another machine...and could probably connect it. But wouldn't that just complicate all of the problems with the Registry, the missing access to folders in "Documents and Settings"?

    Obviously, I'm not an expert at this...waiting to hear what ESET has to say about the files I sent them.

    I have disconnected one of the 300GB drives on this machine...no files were showing up as infected on it and it was almost doubling the scan time...it was a data/backup drive.

    I have seen how it has written all kinds of pointers to reload multiple copies of the Brontok.U worm using the registry. I deleted every one I could find and it was right back...with a vengeance, after a re-boot.

    Here's an example after going into Safe Mode/Command Prompt and running the scanv2.bat--the User Name is substituted for the actual name listed in the virus alert from NOD32.
    ;-) I'm just sharing "the pain!"

    2/17/2008 16:53:00 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\WINDOWS\ShellNew\sempalong.exe infected with Win32/Brontok.U
    worm.~Bluestreak

    2/17/2008 16:53:01 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
    Data\smss.exe infected with Win32/Brontok.U worm.~Bluestreak

    2/17/2008 16:53:02 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
    Data\services.exe infected with Win32/Brontok.U worm.~Bluestreak

    2/17/2008 16:53:02 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
    Data\lsass.exe infected with Win32/Brontok.U worm.~Bluestreak

    2/17/2008 16:53:04 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
    Data\inetinfo.exe infected with Win32/Brontok.U worm.~Bluestreak

    2/17/2008 16:53:04 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
    Data\csrss.exe infected with Win32/Brontok.U worm.~Bluestreak

    2/17/2008 16:53:45 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\WINDOWS\ShellNew\sempalong.exe infected with Win32/Brontok.U
    worm.~Bluestreak

    2/17/2008 16:54:00 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\WINDOWS\eksplorasi.exe infected with Win32/Brontok.U
    worm.~Bluestreak

    2/17/2008 16:54:12 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
    Data\smss.exe infected with Win32/Brontok.U worm.~Bluestreak

    2/17/2008 16:54:17 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
    Data\services.exe infected with Win32/Brontok.U worm.~Bluestreak

    2/17/2008 16:54:20 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
    Data\lsass.exe infected with Win32/Brontok.U worm.~Bluestreak

    2/17/2008 16:54:23 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
    Data\inetinfo.exe infected with Win32/Brontok.U worm.~Bluestreak

    2/17/2008 16:54:24 PM - AMON - File system monitor Program Virus Alert triggered on
    BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
    Data\csrss.exe infected with Win32/Brontok.U worm.~Bluestreak
     
    Last edited: Feb 17, 2008
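The AMON alerts in the post above are wrapped across lines by the forum. As an added example that is not from the thread, ESET or NOD32, the script below rebuilds each alert into one record, parses it, and measures how quickly each dropped path is re-detected. The log constant is the posted sample verbatim (with the same "User Name" placeholder); the regexes and the handling of the 24-hour clock followed by "PM" are assumptions drawn from that sample, not a documented NOD32 log format.

```python
# Added example, not part of the thread or of NOD32: rebuild the wrapped AMON
# alert records gearscout posted and measure how fast each path is re-detected.
# AMON_LOG is that posted sample verbatim; the record layout is inferred from it.
import re
from datetime import datetime

AMON_LOG = r"""
2/17/2008 16:53:00 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\WINDOWS\ShellNew\sempalong.exe infected with Win32/Brontok.U
worm.~Bluestreak
2/17/2008 16:53:01 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\smss.exe infected with Win32/Brontok.U worm.~Bluestreak
2/17/2008 16:53:02 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\services.exe infected with Win32/Brontok.U worm.~Bluestreak
2/17/2008 16:53:02 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\lsass.exe infected with Win32/Brontok.U worm.~Bluestreak
2/17/2008 16:53:04 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\inetinfo.exe infected with Win32/Brontok.U worm.~Bluestreak
2/17/2008 16:53:04 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\csrss.exe infected with Win32/Brontok.U worm.~Bluestreak
2/17/2008 16:53:45 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\WINDOWS\ShellNew\sempalong.exe infected with Win32/Brontok.U
worm.~Bluestreak
2/17/2008 16:54:00 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\WINDOWS\eksplorasi.exe infected with Win32/Brontok.U
worm.~Bluestreak
2/17/2008 16:54:12 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\smss.exe infected with Win32/Brontok.U worm.~Bluestreak
2/17/2008 16:54:17 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\services.exe infected with Win32/Brontok.U worm.~Bluestreak
2/17/2008 16:54:20 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\lsass.exe infected with Win32/Brontok.U worm.~Bluestreak
2/17/2008 16:54:23 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\inetinfo.exe infected with Win32/Brontok.U worm.~Bluestreak
2/17/2008 16:54:24 PM - AMON - File system monitor Program Virus Alert triggered on
BLUESTREAK: C:\Documents and Settings\User Name\Local Settings\Application
Data\csrss.exe infected with Win32/Brontok.U worm.~Bluestreak
"""

# A record starts with a timestamp; everything up to the next timestamp belongs to it.
HEADER = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M - AMON - ")
RECORD = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}) [AP]M - AMON - "
    r".*?triggered on (?P<host>[^:]+): (?P<path>.+?) infected with "
    r"(?P<threat>.+?)(?:\.~\S+)?$")


def parse_amon(text):
    """Join each wrapped alert back into one line, then parse it into fields."""
    records, chunks = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if HEADER.match(line):
            chunks.append([line])
        elif chunks:
            chunks[-1].append(line)        # continuation of the current record
    for chunk in chunks:
        m = RECORD.match(" ".join(chunk))
        if m:
            rec = m.groupdict()
            # NOD32 v2 logs a 24-hour clock yet appends AM/PM; the suffix is ignored.
            rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
            records.append(rec)
    return records


def reinfection_gaps(records):
    """Seconds between consecutive detections of the same path (repeat hits only)."""
    seen = {}
    for rec in records:
        seen.setdefault(rec["path"], []).append(rec["ts"])
    gaps = {}
    for path, times in seen.items():
        times.sort()
        if len(times) > 1:
            gaps[path] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return gaps


if __name__ == "__main__":
    recs = parse_amon(AMON_LOG)
    for path, gaps in sorted(reinfection_gaps(recs).items()):
        print(f"{path}: re-detected after {gaps} s")
```

Every path except eksplorasi.exe is alerted on again 45 to 80 seconds after its previous alert. That cadence is what a resident dropper re-creating its copies looks like, and it is why file-by-file cleaning on a live boot keeps losing ground.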
  15. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Yes, install it as a slave on that machine. If that machine already has two physical drives, pull one. If you have a spare USB enclosure, use that and connect it externally. However, if you are not comfortable mucking with hardware - do not learn now. There's too much chance of a misstep in the commotion.
    Basically, the end result should be a bunch of orphaned start up/registry entries - that's the part which would be addressed by bringing the drive back for some live final adjustment.
    If it's in their lap, wait for their response.
    Exactly - focus attention where the main problem resides - and from descriptions of past variants, it sounds relatively localized. Naturally, that could change with a new variant.
    All it takes is one remainder - hence my suggestion to not rely on an OS load from the infected drive. It's simply easier to deal with having it as a "passive subject" that can be examined at will and at your leisure.

    Blue
     
  16. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    Thanks, Blue.

    I'll move the hard disk physically tonight.

    Should it see the Primary Partition on that IDE drive, without problems? I will jumper it to "Slave." (If I can steal some jumper pins off another drive!)

    ESET isn't much help so far. The most advanced "tip" is how to "F8" the system into Safe Mode. Somehow, my queries ended up in Ireland. It's a holiday in the U.S. so my missives in that direction are, as yet, unanswered.

    I really appreciate the help each and every poster here has offered. They have been thoughtful and helpful.

    ;)

    Gearscout
     
  17. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    @gearscout
    Did you try my suggestions? Please scan the worm at VT so that other AV vendors can analyse it. Send a sample to samples@superantispyware.com as well. Thank you.

    thanatos
     
  18. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    CS (cable select) is generally used these days as a default, but either way works - just make sure the modes used match (CS/CS with proper cable location or Master/Slave). Again, don't go down this road if it's too unfamiliar. You should see the whole drive when it comes up.

    Blue
     
  19. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    I built both of these computers, so rigging up a slave drive is not foreign.

    Still, as I go through my drive, having 'Safe Boot(ed)' my way into this OS and running NOD32, it's not finding anything except the file I deleted and is stored in the ESET\infected directory.

    Is the fact that it is in 'Safe Mode' and NOD32 reports that its Anti-Stealth initialization could not be fully completed an issue here? Should I be booting normally?

    Meantime, all the other filenames are showing up in \Windows\prefetch as .pf files, created in the last 3 days.

    eksplorasi.exe (plus a number string and the extension .pf) is the only one that shows an exact filesize match.

    But Winlogon.exe - xxxxxx .pf and others are there, which I may delete...SAFE TO DO THAT? I think I would like to strip that entire directory of files, so many have been made in the last three days.

    Any special suggestions now that I have this disk mounted as F: on my other computer?

    Thanks!
     
    Last edited: Feb 18, 2008
  20. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Malware is not an issue if it cannot execute, and in a slaved drive configuration, that should be the case. Normal boot should be fine.
    You can dump everything in the prefetch folder, valid entries will be recreated on reboot.

    Empty out your Temporary Internet Files folder under Local Settings. Also, use the location observations that you mentioned above to inspect these and related locations and look for generally suspicious and/or date or filesize correlated entries. Do the same in the root and Windows folders. From the various descriptions, prime locations/files are (via simple cut/paste from original sources - obviously, there are variant differences):
    Code:
    From Bitdefender:
    
        * %WINDIR%\eksplorasi.pif
        * %UserProfile%\Local Settings\Application Data\smss.exe
        * %UserProfile%\Local Settings\Application Data\services.exe
        * %UserProfile%\Local Settings\Application Data\lsass.exe
        * %UserProfile%\Local Settings\Application Data\csrss.exe
        * %UserProfile%\Local Settings\Application Data\inetinfo.exe
        * %UserProfile%\Local Settings\Application Data\winlogon.exe
        * %UserProfile%\Start Menu\Programs\Startup\Empty.pif
        * %UserProfile%\Templates\WowTumpeh.com
        * %WINDIR%\%CURRENT_USER%'s Setting.scr
        * %WINDIR%\ShellNew\bronstab.exe
    
    From Sophos:
    
    <User>\Local Settings\Application Data\GavGent.B
    <User>\Local Settings\Application Data\IDTemplate.exe
    <User>\Local Settings\Application Data\csrss.exe
    <User>\Local Settings\Application Data\inetinfo.exe
    <User>\Local Settings\Application Data\lsass.exe
    <User>\Local Settings\Application Data\services.exe
    <Startup>\Empty.pif
    <Windows>\pif\cvt.exe
    
    The following registry entries are created to run IDTemplate.exe and cvt.exe on startup:
    
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    IDTemplates
    <User>\Local Settings\Application Data\IDTemplate.exe
    
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemGent
    <Windows>\PIF\CVT.exe
    
    The following registry entry is set, disabling the registry editor (regedit):
    
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools
    1
    
    Registry entries are set as follows:
    
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions
    1
    
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableCMD
    0
    See also the MS Description. Finally, since key files tend to be homogeneous in size, perform a filesize based search on the slaved drive and deal with found files as appropriate (some are likely to be valid).

    Verify your HOSTS file is valid. I'd do a custom scan of the slaved drive with NOD32 before reinstalling it - you can finesse this by focusing on the key folders where material is expected: Docs & Settings and Windows. You could narrow it down from here if D&S is loaded with content (photos/music/etc.) since it's really under Local Settings of each profile, as I understand prior variants.

    When you first boot the "cleaned" drive/machine up, I'd personally do it as a standalone unit not connected to the LAN. I'd verify the state of the network connection and validity of DNS servers listed (or automatically assigned by your ISP) - but that's just me. Have CCleaner or something similar installed to survey start entries, perform a basic registry clean, and manually check registry entries mentioned above and in the MS listing mentioned above (needed executable should have already been removed).

    At least that's what occurs to me on a quick review....

    Blue
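As an added example (not ESET's, Blue's or any vendor's code), the script below does the slaved-drive pass Blue describes, in Python, against the mount point of the pulled disk. It flags files of the 42667-byte size gearscout reported, files carrying the dropped names from the vendor lists, system-process names sitting outside the directories where the genuine binaries live, .exe files named after a sibling folder (the "folder" decoys gearscout double-clicked), .pif files in a Startup folder, and any HOSTS entry beyond the loopback default. The indicator sets, the allow-list of legitimate directories and the constructed sample tree are assumptions; the Run and Policies registry keys live in hives this pass does not parse and are left to the live-boot step.

```python
# Added example (not code from the thread, ESET or any AV vendor): offline triage
# of a slaved Windows XP system drive.  ROOT is assumed to be the mount point of
# the infected disk on the clean machine (F:\ in gearscout's case), so nothing on
# it can execute while it is inspected.  Indicator lists are assumptions built
# from the names, size and locations quoted in this thread.
import os
import sys
import json
import tempfile
from pathlib import Path

DROPPED_NAMES = {"sempalong.exe", "eksplorasi.exe", "eksplorasi.pif", "bronstab.exe",
                 "idtemplate.exe", "wowtumpeh.com", "empty.pif"}
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "inetinfo.exe"}   # real names the worm reuses
DROPPED_SIZE = 42667                               # every copy gearscout found
# Where binaries with SYSTEM_NAMES legitimately live (relative to ROOT, lowercase).
LEGIT_DIRS = ("windows/system32", "windows/servicepackfiles",
              "windows/$ntservicepackuninstall$", "i386")


def _rel(path, root):
    return Path(path).relative_to(root).as_posix()


def hosts_entries(root):
    """Non-comment HOSTS lines other than the loopback default, for the operator to judge."""
    hosts = Path(root, "WINDOWS", "system32", "drivers", "etc", "hosts")
    if not hosts.is_file():
        return []
    out = []
    for line in hosts.read_text(errors="replace").splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields != ["127.0.0.1", "localhost"]:
            out.append(" ".join(fields))
    return out


def scan_drive(root):
    """Walk the mounted drive and return indicator hits grouped by type (paths relative to root)."""
    root = Path(root)
    hits = {"size": [], "dropped_name": [], "system_name_outside_system32": [],
            "folder_decoy": [], "startup_pif": [], "hosts": []}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = _rel(dirpath, root).lower()
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            full = Path(dirpath, name)
            try:
                size = full.stat().st_size
            except OSError:
                continue
            rel, low = _rel(full, root), name.lower()
            stem, ext = os.path.splitext(low)
            if size == DROPPED_SIZE:
                hits["size"].append(rel)
            if low in DROPPED_NAMES:
                hits["dropped_name"].append(rel)
            if low in SYSTEM_NAMES and not rel_dir.startswith(LEGIT_DIRS):
                hits["system_name_outside_system32"].append(rel)
            if ext == ".exe" and stem in sibling_dirs:      # "folder" that is really an .exe
                hits["folder_decoy"].append(rel)
            if ext == ".pif" and rel_dir.endswith("/startup"):
                hits["startup_pif"].append(rel)
    hits["hosts"] = hosts_entries(root)
    return hits


def build_sample_drive():
    """Constructed stand-in for the slaved disk: a few planted files, not real malware."""
    root = Path(tempfile.mkdtemp(prefix="slaved_"))
    profile = root / "Documents and Settings" / "User Name"
    appdata = profile / "Local Settings" / "Application Data"
    startup = profile / "Start Menu" / "Programs" / "Startup"
    shellnew = root / "WINDOWS" / "ShellNew"
    etc = root / "WINDOWS" / "system32" / "drivers" / "etc"
    for d in (appdata, startup, shellnew, etc, profile / "My Documents" / "Photos"):
        d.mkdir(parents=True)
    blob = b"\0" * DROPPED_SIZE
    (appdata / "lsass.exe").write_bytes(blob)                       # rogue copy
    (shellnew / "sempalong.exe").write_bytes(blob)
    (profile / "My Documents" / "Photos.exe").write_bytes(blob)     # folder decoy
    (startup / "Empty.pif").write_bytes(blob)
    (etc.parent.parent / "lsass.exe").write_bytes(b"MZ" + b"\0" * 100)  # the genuine one
    (etc / "hosts").write_text("# constructed sample\n127.0.0.1 localhost\n"
                               "127.0.0.1 www.example-av-vendor.test\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive()
    print(json.dumps(scan_drive(target), indent=2))
```

Run it as `python triage.py F:\` to get a JSON report for the mounted disk; with no argument it builds and scans the constructed sample tree. Every hit still needs a human decision: a 42667-byte file is suspect, not guilty, and the script deletes nothing.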
     
  21. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    It's gone.

    I have a laptop that's still "ill" but I'm sure I'll sort that out. The Windows desktop is blank...just the background image, although you can call up programs. I suspect that's another registry tweak by Brontok.U

    The main box, where most of the trouble was, is back up and running. That's the one I swapped out the drive to complete the cleaning process.

    Lots of Brontok files were found and deleted in the end. Your list helped, Blue!

    Also, the scheduled \Tasks folder contained a tidy bit of information. I found numerous "signature" files for the hare-brained loser that wrote this code.

    ESET has all kinds of copies of the files.

    Firefox is restored...with all the bookmarks. Folder Options is back. I've had to manually restore some from Hidden and System files.

    Unanswered is how a fully up-to-date version of NOD32 let Brontok.U go so far into the system. No doubt, I made it worse by clicking on a couple of folders that were actually .exe files. But even then, no red screen alert from NOD32. (The option WAS set to on.)

    Again, many, many thanks to everyone on this thread!

    Gearscout
     
  22. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Glad to hear things are on the mend.

    Blue
     
  23. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Has this variant already been added to any updates I wonder?
     
  24. ASpace

    ASpace Guest


    Isn't it already detected as Brontok.U ?
     
  25. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    You're right :D . Let me rephrase: how did it get past NOD if it is in the def files already?
     