Win32.Brontok

Heather

Got the following from a friend.......and she is not a novice. From
what I see on Google, this is either a rogue spyware or a real
virus.....can someone tell me which one??

She has 2 or 3 computers and I suggested she download MBAM and give it a
go.

Thoughts, anyone?? I haven't seen it mentioned on here.

Thanks...Heather
------------------------

Been having virus problems - got a pop up re: Win32.Brontok being
blocked by the firewall. Have run all the virus software, done a
clean, etc, and can't get the firewall popup about disabling this to
go away and stay away.

Any thoughts? Is the "firewall" popup actually the virus?
 
1PW

Heather said:
Got the following from a friend.......and she is not a novice. From
what I see on Google, this is either a rogue spyware or a real
virus.....can someone tell me which one??

She has 2 or 3 computers and I suggested she download MBAM and give it a
go.

Thoughts, anyone?? I haven't seen it mentioned on here.

Thanks...Heather
------------------------

Been having virus problems - got a pop up re: Win32.Brontok being
blocked by the firewall. Have run all the virus software, done a
clean, etc, and can't get the firewall popup about disabling this to
go away and stay away.

Any thoughts? Is the "firewall" popup actually the virus?

Hello Heather:

Using MBAM /would/ be one of the first suggested actions. In addition
to MBAM, you may also wish to use SAS in the safe mode.

<http://www.superantispyware.com/index.html>

What is the complete version of the OS, and how was the malware
originally identified?

Please update this thread with your progress.

HTH

Pete
 
Heather

David H. Lipman said:
From: "Heather" <[email protected]>

| Got the following from a friend.......and she is not a novice. From
| what I see on Google, this is either a rogue spyware or a real
| virus.....can someone tell me which one??

| She has 2 or 3 computers and I suggested she download MBAM and give it a
| go.

| Thoughts, anyone?? I haven't seen it mentioned on here.

| Thanks...Heather
| ------------------------

| Been having virus problems - got a pop up re: Win32.Brontok being
| blocked by the firewall. Have run all the virus software, done a
| clean, etc, and can't get the firewall popup about disabling this to
| go away and stay away.

| Any thoughts? Is the "firewall" popup actually the virus?


Hi Figgs:

This is a worm that propagates through email and net shares and can
perform a DoS on hard-coded targets.

As a worm it is targeted by anti virus software. I can't speak of
MBAM and SAS working on it as they tend to target trojans and not
viruses and worms. Albeit they may target some worms.

You said your friend "Have run all the virus software..."
Please have her/him define WHAT anti virus software had been used.

Note that the McAfee and Sophos modules of my Multi AV should do well
to remove this threat.

Thanks David. I heard from her early this morning and they have run a
couple more a-v programs, but she didn't name them. Both she and her
husband are IT professionals (how embarrassing) and she alone has 2
servers that she downloads her mail from. Unfortunately, because the
servers have virus and malware protection, she is not running an active
antivirus proggie.

She sent a pic of the warning and it is the "Security Centre Alert" box
naming the subject worm and asking her if she wants to block it and/or
download and run protection.

She is away for the day, but I will hear from her this evening. I sent
her your explanation and she will see that. I told her to d/l and run
MBAM and Superantispyware last night, so not sure if those are the
programs that her husband ran, along with antivirus ones.

I will get back to you once I know, but it was late last night when she
wrote me and I couldn't see what I considered "valid information" on
Google other than what I said. I assumed it was the rogue
program....wrong. But I hadn't noticed any mention of it on here or the
MS group.

Don't know if it is the worm or just server things I am not aware of,
but often our emails are held up for hours. Perhaps it is the latter.
I only proofread a couple of websites for her......she does the hard
stuff. (G)

Cheers....Figgs
 
Heather

1PW said:
Hello Heather:

Using MBAM /would/ be one of the first suggested actions. In addition
to MBAM, you may also wish to use SAS in the safe mode.

<http://www.superantispyware.com/index.html>

What is the complete version of the OS, and how was the malware
originally identified?

Hi Pete.......heard from her this morning but she is now away for the
day. I would assume XP and I also assume that she and her husband have
at least 4 computers which have their own servers and both of them are
IT people. (aka geeks, according to her, grin)

They ran a couple of a-v programs after I posted this and found some
other things, but not this one. See my reply to David for the warning
from the Firewall. And the fact that she doesn't run an active
antivirus because of the alleged protection from her servers.

Thanks.......Heather (Figgs)
 
Heather

Hi Figgs:

This is a worm that propagates through email and net shares and can
perform a DoS on hard-coded targets.

As a worm it is targeted by anti virus software. I can't speak of
MBAM and SAS working on it as they tend to target trojans and not
viruses and worms. Albeit they may target some worms.

You said your friend "Have run all the virus software..."
Please have her/him define WHAT anti virus software had been used.

Note that the McAfee and Sophos modules of my Multi AV should do well
to remove this threat.

Hi Dave.....heard from her and they used F-Prot.....twice. But it keeps
coming back from the sound of it. The firewall keeps popping up. I
have done enough reading on this to realize it has put something in the
registry, I assume.

It is one old worm!! She is torn between "is it a worm, or is it some
rogue spyware imitating the Firewall".......but I can't say on that one.

I sent her the page from Sophos to remove worms. But I didn't have your
Multi-AV instructions and I would have a problem figuring out the German
site too. I checked in my OE folders and for some dumb reason, I didn't
save it. Can you either send it to me via private email or post it
here??

Thanks in advance.......and thanks for the help.

Figgs
 
