It is the most STICKY virus.
Other names for this worm include:-
- W32/Rontokbro.gen@MM
- W32.Rontokbro@mm
- BackDoor.Generic.1138
- W32/Korbo-B
- Worm/Brontok.a
- Win32.Brontok.A@mm
- Worm.Mytob.GH
- W32/Brontok.C.worm
- Win32/Brontok.E
- W32.Rontokbro.D@mm.
- I-Worm.VB.DV,opopopopo
Brontok originated in Indonesia. The name refers to Elang brontok, a bird species native to South & Southeast Asia. It arrives as an attachment of e-mail named kangen.exe ("kangen" word itself means "miss with someone/thing"). When Brontok is first run, it copies itself to the user's application data directory. It then sets itself to start up with Windows, by creating a registry entry in the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key. It disables the Windows Registry Editor (regedit.exe)and modifies Windows Explorer settings. It removes the option of "Folder Options" in the Tools menu so that the hidden files, where it is concealed, are not easily accessible to the user. It also turns off Windows firewall. In some variants, when a window is found containing certain strings (such as "application data") in the window title, the computer reboots. User frustration also occurs when an address typed into Windows Explorer is blanked out before completion. Using its own mailing engine, it sends itself to email addresses it finds on the computer, even faking the own user's email address as the sender. The computer also restarts when trying to open the Command Prompt in Windows and prevents the user from downloading files. It also pop ups the default Web browser and loads a web page (HTML) which is located in the "My Pictures" (or on Windows Vista, "Pictures") folder. It creates .exe files in folders usually named as the folder itself (..\documents\documents.exe) this also includes all mapped network drives.REMOVAL
Start your computer in safe mode with command prompt and type the following command to enable registry editor:-
reg delete HKCU\software\microsoft\windows\currentversion\policies\system /v "DisableRegistryTools"
and run HKLM\software\microsoft\windows\currentversion\policies\system /v "DisableRegistryTools"
After this your registry editor is enable
Type "explorer"
Go to run and type "regedit"
Then follow the following path :-
HKLM\Software\Microsoft\Windows\Currentversion\Run
On the right side delete the entries which contain 'Brontok' and 'Tok-' words.
After that restart your system
Open registry editor and follow the path to enable folder option in tools menu
HKCU\Software\Microsoft\Windows\Currentversion\Policies\Explorer\ 'NoFolderOption'
Delete this entry and restart your computer
And search *.exe files in all drives (search in hidden files also)
Remove all files which are display likes as folder icon.
Your computer is completely free from virus brontok
No comments:
Post a Comment