BRONTOK.U Trojan

Discussion in 'NOD32 version 2 Forum' started by gearscout, Feb 15, 2008.

Thread Status:
Not open for further replies.
  1. ASpace

    ASpace Guest


    There are many possible reasons but I think we can never know
     
  2. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
    Maybe the answer to all this could be: leave the machine as it is for a few days, send all infected files that u can to ESET support and make a good deep scan when they come up with the correct signature?

    My other way of acting would be to transfer all precious data through a Linux OS and then wipe out the entire HD... after such an infection I'm not so sure if it's possible to report everything back to normal; maybe a low-level format is necessary after all.
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    One off topic post removed.

    regards,

    paul
     
  4. ag393

    ag393 Registered Member

    Joined:
    Feb 21, 2008
    Posts:
    4
    I agree with you, dr pan. Best is to copy all data to a safe place and then format and reinstall Windows. I recommend making 2 partitions: one with 32 GB with FAT32, which is accessible with a DOS floppy disk, and the second partition with NTFS that would be storage.
    In these cases I use a Bart PE Windows XP live CD boot with multiple AV and other applications that can be updated. If someone is interested in this, PM me and I will send the links from Rapidshare.

    best wishes
     
  5. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    It would be great -- if ESET had ever responded -- but the only real response I got was to send my questions somewhere else (I had somehow ended up with the Ireland office instead of U.S.) The U.S. side never responded.

    I sent multiple samples to ESET, but got no word back...I was told by the Ireland support folks that such missives were stacked in a queue and it could be some time.

    Of course, wiping the drive is best. But we buy AV software so we don't HAVE to do that. We could do that with every virus or piece of malware, but it would get pretty frustrating, wouldn't it?

    In the end, I'm cleaned up on all my computers.
     
  6. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
    @gearscout

    I'm very sorry to hear that ESET didn't manage to give u the proper assistance, because the way I see things, what u pay for in AV software is the assistance in moments like these...
     
  7. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    If only it were true. I re-attached an external SATA drive used for backup storage on my main XP desktop and found every photo directory and every music directory had been infected with Brontok. 369 of them.

    Here's the important part...perhaps. While the manual scanner found all the files, I had it configured to ask for directions...whether to delete, skip etc. Nightmare. Yes, I could have aborted and gone out and changed the settings (I had already done so with 'Deep Scan') but managed to accidentally skip one file delete.

    When I opposite clicked on the Brontok WORM file, hidden as a directory, I then submitted that SINGLE file for another scan using the context menu. NOD32 DIDN'T DETECT THE WORM! I'm enough of an expert now to know it when I see it, unfortunately.


    Here's the log:

    Scan performed at: 3/5/2008 16:46:03 PM
    Date: 5.3.2008 Time: 17:00:31
    Anti-Stealth technology is enabled.
    Scanned disks, folders and files: F:\DigImage\Digital Images\Mei - May 2007 - Piano\Mei - May 2007 - Piano.exe
    Number of scanned files: 1
    Number of threats found: 0
    Time of completion: 17:00:31 Total scanning time: 0 sec (00:00:00)


    After the full disks scan completed, I changed the settings, went back out and tried again and NOD32 did see the file as a Brontok worm and deleted it.

    New log:

    Date: 5.3.2008 Time: 17:04:37
    Anti-Stealth technology is enabled.
    Scanned disks, folders and files: F:\DigImage\Digital Images\Mei - May 2007 - Piano\Mei - May 2007 - Piano.exe
    F:\DigImage\Digital Images\Mei - May 2007 - Piano\Mei - May 2007 - Piano.exe - Win32/Brontok.U worm - unable to clean - quarantined - deleted
    Number of scanned files: 1
    Number of threats found: 1
    Number of files cleaned: 1
    Time of completion: 17:04:38 Total scanning time: 1 sec (00:00:01)

    Is that normal? That if you're running a scan, you can't scan a single file successfully? If it is, it ought to be changed.

    Also ESET, why not allow the user to have the option to invoke "Delete All" instead of just "Delete" for a single file? It could be a checkbox.
     
    Last edited: Mar 4, 2008
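    A defender-side check for the pattern visible in the log above: an executable whose file name repeats the name of the directory that contains it. This is an added example, not code from the thread or from ESET; the suffix list and the sample directory tree are constructed assumptions.

```python
"""Detect Brontok-style folder-mimic executables (added example, not from the thread).

The scan log above shows the worm dropped as  <folder>\\<folder>.exe,
an executable named after its parent directory so that, with extensions
hidden, it passes for the folder itself. This walks a tree and flags
that pattern; it reads names only and never runs anything.
"""
import os
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".scr", ".pif", ".com"}  # assumption: typical dropper suffixes


def is_folder_mimic(path):
    """True when an executable's stem equals its parent directory's name (case-insensitive)."""
    p = Path(path)
    if p.suffix.lower() not in EXEC_SUFFIXES:
        return False
    return p.stem.casefold() == p.parent.name.casefold()


def find_folder_mimics(root):
    """Walk root and return sorted paths (relative to root) of suspicious executables."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_folder_mimic(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree mirroring the post's layout; contents are dummy bytes."""
    root = tempfile.mkdtemp(prefix="brontok_demo_")
    layout = {
        "Digital Images/Mei - May 2007 - Piano/Mei - May 2007 - Piano.exe": b"MZ-stub",
        "Digital Images/Mei - May 2007 - Piano/IMG_0001.jpg": b"jpeg",
        "Music/Jazz/Jazz.EXE": b"MZ-stub",      # same pattern, different case
        "Music/Jazz/track01.mp3": b"mp3",
        "Tools/setup.exe": b"MZ-stub",          # benign: name differs from folder
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for hit in find_folder_mimics(build_sample_tree()):
        print("suspicious:", hit)
```

    The name-based heuristic is only a triage aid; a hit still needs the file submitted to the scanner or a sandbox before it is treated as the worm.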
  8. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
    I'm not the person to answer your question, ESET staff should, though they seem very legitimate to me...

    I'm using v3.0.642 now and the option to scan a single file during a deep scan is available. Maybe u should migrate to the new version.

    Anyway, hope everything has ended now; your story is a true nightmare.
     
  9. gearscout

    gearscout Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    26
    Dr. Pan...

    I use the ver. 2 software because my home network is set up with the Remote Administration. 15-year-old is a Trojan magnet! I don't think the RA software has migrated to v.3x -- or maybe it just retains the older numbers.
     