Remove Brontok Worm

October 30th, 2007

Brontok is a computer worm that spreads through e-mail and USB drives. There are many variants of Brontok, but they all behave in essentially the same way. Variants of the Brontok worm include: Brontok.A, Brontok.B, Brontok.C, Brontok.D, Brontok.F, Brontok.G, Brontok.H, Brontok.I, Brontok.K and Brontok.Q. Other names for this worm include: W32/[email protected], [email protected], BackDoor.Generic.1138, W32/Korbo-B, Worm/Brontok.a, [email protected], Worm.Mytob.GH, W32/Brontok.C.worm, Win32/Brontok.E, [email protected] and I-Worm.VB.DV.

The Brontok worm originated in Indonesia. It arrives as an e-mail attachment named kangen.exe ("kangen" is Indonesian for missing or longing for someone). When Brontok is first run, it copies itself to the user's application data directory and sets itself to start with Windows by creating an entry under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key. It disables the Windows Registry Editor (regedit.exe) and modifies Windows Explorer settings: it removes "Folder Options" from the Tools menu so that the hidden files in which it conceals itself are not easily reachable by the user. It also turns off the Windows Firewall. In some variants, when a window is found whose title contains certain strings (such as "application data"), the computer reboots; the computer also restarts when a command prompt (DOS window) is opened, and the worm prevents the user from downloading files. An address typed into the Windows Explorer address bar is blanked out before it can be completed.

Using its own mailing engine, the worm sends itself to e-mail addresses it finds on the computer, spoofing the user's own address as the sender. It also pops up the default web browser on an HTML page it drops in the "My Pictures" folder ("Pictures" on Windows Vista). On every drive it can reach, including all mapped network drives, it creates .exe files named after the folder that contains them (for example ..\documents\documents.exe), so that they are easily mistaken for the folder itself.

Is My System Infected?
  • You can't start regedit.exe
  • When you try to start any other registry editor, the system restarts
  • The system also restarts when certain EXE files are executed
  • The presence of the following files:
      %WINDIR%\eksplorasi.pif
      %UserProfile%\Local Settings\Application Data\smss.exe
      %UserProfile%\Local Settings\Application Data\services.exe
      %UserProfile%\Local Settings\Application Data\lsass.exe
      %UserProfile%\Local Settings\Application Data\csrss.exe
      %UserProfile%\Local Settings\Application Data\inetinfo.exe
      %UserProfile%\Local Settings\Application Data\winlogon.exe
      %UserProfile%\Start Menu\Programs\Startup\Empty.pif
      %UserProfile%\Templates\WowTumpeh.com
      %WINDIR%\%CURRENT_USER%'s Setting.scr
      %WINDIR%\ShellNew\bronstab.exe
      All of these files have the size of the worm's main executable: 42,028 bytes (about 42 KB). Note that smss.exe, services.exe, lsass.exe, csrss.exe and winlogon.exe are also the names of legitimate Windows processes; the worm's copies are the ones under Local Settings\Application Data, not the ones in %WINDIR%\system32.
  • Folder Options is missing from the Explorer Tools menu
  • The Registry Editor is disabled
  • The worm installs itself in the Startup folder (Empty.pif above) and the Run registry key
  • While in memory, it restarts the system whenever a program that touches the registry is started
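
The indicator list above can be checked mechanically. The script below is an added example for this page, not a tool from the article or from any anti-virus vendor. It scans an in-memory snapshot of a host (file paths with sizes, registry values and environment variables, a snapshot format chosen here) for the dropped files, other 42,028-byte executables, the folder-named .exe disguises, Run-key entries that either match the 'Brontok'/'Tok-' names mentioned in the comments or point at a flagged file, and the DisableRegistryTools/NoFolderOptions policy values. On a live Windows host the snapshot would be filled from os.walk() and the winreg module; the sample snapshot in the block, including the 'Tok-Cirrhatus' value name, is constructed for illustration.

```python
"""Check a host snapshot for the Brontok indicators listed above (added example)."""
import ntpath
import re

WORM_SIZE = 42028  # size of the worm's main executable, per the indicator list

# Drop locations from the indicator list, keeping the article's %VAR% placeholders.
KNOWN_PATHS = [
    r"%WINDIR%\eksplorasi.pif",
    r"%USERPROFILE%\Local Settings\Application Data\smss.exe",
    r"%USERPROFILE%\Local Settings\Application Data\services.exe",
    r"%USERPROFILE%\Local Settings\Application Data\lsass.exe",
    r"%USERPROFILE%\Local Settings\Application Data\csrss.exe",
    r"%USERPROFILE%\Local Settings\Application Data\inetinfo.exe",
    r"%USERPROFILE%\Local Settings\Application Data\winlogon.exe",
    r"%USERPROFILE%\Start Menu\Programs\Startup\Empty.pif",
    r"%USERPROFILE%\Templates\WowTumpeh.com",
    r"%WINDIR%\ShellNew\bronstab.exe",
]
RUN_KEYS = {  # lower-case: the registry namespace is case-insensitive
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}
# Policy values the worm sets to lock the user out of regedit and Folder Options.
POLICY_VALUES = {
    r"hkcu\software\microsoft\windows\currentversion\policies\system\disableregistrytools",
    r"hklm\software\microsoft\windows\currentversion\policies\system\disableregistrytools",
    r"hkcu\software\microsoft\windows\currentversion\policies\explorer\nofolderoptions",
}
RUN_NAME_MARKERS = ("brontok", "tok-")  # substrings the comments below say to look for
EXECUTABLE_EXTS = {".exe", ".pif", ".com", ".scr"}


def expand(path, env):
    """Expand %VAR% placeholders from the snapshot's environment table."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def is_folder_mimic(path):
    """True for ...\\<name>\\<name>.exe, the worm's disguise on every drive it reaches."""
    parent, leaf = ntpath.split(path)
    stem, ext = ntpath.splitext(leaf)
    return ext.lower() == ".exe" and stem.lower() == ntpath.basename(parent).lower()


def scan(snapshot):
    """Return (category, detail) findings; an empty list means no indicator was seen.

    snapshot = {"env": {VAR: value}, "files": {path: size}, "registry": {hive\\key\\value: data}}
    """
    env = {k.upper(): v for k, v in snapshot["env"].items()}
    files = {p.lower(): size for p, size in snapshot["files"].items()}
    findings, flagged = [], set()

    for known in KNOWN_PATHS:                       # 1. files at the documented drop paths
        p = expand(known, env).lower()
        if p in files:
            findings.append(("known_path", p))
            flagged.add(p)

    for p, size in files.items():                   # 2. disguised copies anywhere else
        if p in flagged:
            continue
        if is_folder_mimic(p):
            findings.append(("folder_mimic", p))
            flagged.add(p)
        elif ntpath.splitext(p)[1] in EXECUTABLE_EXTS and size == WORM_SIZE:
            findings.append(("worm_size", p))       # size alone: weaker, reported separately
            flagged.add(p)

    for key, data in snapshot["registry"].items():  # 3. persistence and lock-out values
        key = key.lower()
        parent, name = ntpath.split(key)            # "...\run\valuename" -> key, value name
        if parent in RUN_KEYS:
            target = expand(str(data), env).strip('"').lower()
            if any(m in name for m in RUN_NAME_MARKERS) or target in flagged:
                findings.append(("run_entry", key))
        elif key in POLICY_VALUES and data == 1:
            findings.append(("policy", key))
    return findings


# Constructed snapshot for illustration; not data from a real infected host.
SAMPLE = {
    "env": {"WINDIR": r"C:\WINDOWS", "USERPROFILE": r"C:\Documents and Settings\alice"},
    "files": {
        r"C:\WINDOWS\eksplorasi.pif": 42028,
        r"C:\Documents and Settings\alice\Local Settings\Application Data\smss.exe": 42028,
        r"C:\Documents and Settings\alice\My Documents\My Documents.exe": 42028,
        r"C:\WINDOWS\system32\smss.exe": 50688,  # the genuine Session Manager, left alone
        r"C:\Documents and Settings\alice\My Documents\report.doc": 31744,
    },
    "registry": {
        # value name chosen to match the 'Tok-' pattern from the comments (assumed, not
        # from the article); its data also points at a dropped file, so either rule fires
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus":
            r"%USERPROFILE%\Local Settings\Application Data\smss.exe",
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe":
            r"C:\WINDOWS\system32\ctfmon.exe",  # an ordinary Run entry, must not be flagged
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions": 1,
    },
}

if __name__ == "__main__":
    for category, detail in scan(SAMPLE):
        print(f"{category:13} {detail}")
```

Running the file prints six findings for the constructed snapshot: the two documented drop files, the folder-mimic My Documents.exe, the Tok-Cirrhatus Run entry and the two policy values; the genuine system32\smss.exe and the ctfmon entry are not reported. A clean host returns an empty list. The `%CURRENT_USER%'s Setting.scr` file from the list is left out of KNOWN_PATHS because its name depends on the logged-on user; the size and extension rule still catches it.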
Brontok Worm Removal

Download the tools from the following sources and run them. They will kill the Brontok process, restore Folder Options and the Registry Editor, and fix the system startup entries.

Brontok Removal Tool – 1 (from BitDefender)
Brontok Removal Tool – 2 (from Sophos)

Antivirus protection for any PC has become a growing need. Some people recommend a cheap antivirus software solution, and some suggest free virus protection or virus removal software. Internet security suites are different from plain antivirus products, and alongside standard scanning software you sometimes also need anti-spam software. Explore TechMynd Recommendations for your PC security needs.



3 Reviews

  1. maroq says:

    ArcaVir is usually a good friend to this worm; it does absolutely nothing to stop it. In my country many schools use ArcaVir and they also use Windows XP and cry… Why is this computer working so slowly? Why?
    Thanks for this post. I will fight with this worm on Monday.
    Why do people write this kind of stuff?

  2. Hiroshi says:

    @Manny: Try these tools and methods:

    Quick Cleaner for Brontok.A
    http://www.softpedia.com/get/A.....ok-A.shtml

    The latest Avast Antivirus, NOD32 Antivirus, Kaspersky Internet Security or the free BitDefender Brontok removal tools are good.

    Correct Method to remove Brontok.A Worm/Spyware

    Download the removal tools from BitDefender on any other PC.
    Copy them to your flash drive or floppy.
    Copy the tools to your PC and restart in Safe Mode.
    Then run the removal tools.

    Manual Removal Method 1

    Start your computer in Safe Mode with Command Prompt and type the following commands to enable the registry editor:
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools
    and
    reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools
    After this your registry editor will be enabled.
    Now type explorer
    Go to Run and type regedit
    Then follow this path:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    On the right side delete the entries which contain the words 'Brontok' and 'Tok-'.
    After that restart your system.
    Now open the registry editor and follow this path to enable Folder Options in the Tools menu:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, value 'NoFolderOptions'
    Delete this entry and restart your computer.
    Now search for *.exe files in all drives (search hidden files too)
    and remove all files which are displayed with a folder icon.
    Now your computer will be completely free from the Brontok virus.

    Manual Removal Method 2

    If you are still unable to remove the worm or access normal Windows, enter Safe Mode.
    Turn off System Restore.
    Download this tool to remove the Brontok worm.
    Double-click the removal tool.
    Let the tool scan your computer for the worm and delete it.
    Download Lavasoft Ad-Aware AE Anniversary Edition.
    It is an anti-malware/trojan/spyware program that is capable of protecting your PC.
    Once installed, update Ad-Aware: just click on Web Update and it will download the latest update file (containing the newest malware definitions) automatically.
    Use the tool to scan your computer again to make sure that the Brontok worm is really deleted.

  3. Manny says:

    The Brontok virus/worm showed up when I played a downloaded MP3 file. It seems like the virus was encapsulated within the MP3 file and decapsulated itself when the music file was played using Windows Media Player. It then retriggered itself about every 3 minutes, showing the trademark HTML page file named about.Brontok.A in Windows Explorer.
    I ran these programs: AntiBrontokA-en.exe, brontgui.com, brontsfx.exe, and the Brontok.A virus still pops up the Explorer window. Only the popup frequency has decreased, from about every 3 minutes to once on every shutdown or restart of the W2000-based machine.

    Is there a freeware program which removes Brontok.A by just running it, without all the additional manual manipulations?

    Thank you in advance,

    Manny