Help!

Win32.Brontok

 
  

Heather
External


Since: Mar 02, 2009
Posts: 13



Posted: Sun Jun 21, 2009 1:26 am    Post subject: Win32.Brontok
Archived from groups: alt>comp>anti-virus

Got the following from a friend.......and she is not a novice. From
what I see on Google, this is either a rogue spyware or a real
virus.....can someone tell me which one??

She has 2 or 3 computers and I suggested she download MBAM and give it a
go.

Thoughts, anyone?? I haven't seen it mentioned on here.

Thanks...Heather
------------------------

Been having virus problems - got a pop up re: Win32.Brontok being
blocked by the firewall. Have run all the virus software, done a
clean, etc, and can't get the firewall popup about disabling this to
go away and stay away.

Any thoughts? Is the "firewall" popup actually the virus?
1PW
External


Since: May 15, 2009
Posts: 4



Posted: Sun Jun 21, 2009 3:05 am    Post subject: Re: Win32.Brontok
Archived from groups: per prev. post

Heather wrote:
> Got the following from a friend.......and she is not a novice. From
> what I see on Google, this is either a rogue spyware or a real
> virus.....can someone tell me which one??
>
> She has 2 or 3 computers and I suggested she download MBAM and give it a
> go.
>
> Thoughts, anyone?? I haven't seen it mentioned on here.
>
> Thanks...Heather
> ------------------------
>
> Been having virus problems - got a pop up re: Win32.Brontok being
> blocked by the firewall. Have run all the virus software, done a
> clean, etc, and can't get the firewall popup about disabling this to
> go away and stay away.
>
> Any thoughts? Is the "firewall" popup actually the virus?

Hello Heather:

Using MBAM /would/ be one of the first suggested actions. In addition
to MBAM, you may also wish to use SAS in the safe mode.

<http://www.superantispyware.com/index.html>

What is the complete version of the OS, and how was the malware
originally identified?

Please update this thread with your progress.

HTH

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
David H. Lipman
External


Since: Jul 04, 2003
Posts: 2116



Posted: Sun Jun 21, 2009 8:38 am    Post subject: Re: Win32.Brontok
Archived from groups: per prev. post

From: "Heather" <no.one DeleteThis @home.invalid>

| Got the following from a friend.......and she is not a novice. From
| what I see on Google, this is either a rogue spyware or a real
| virus.....can someone tell me which one??

| She has 2 or 3 computers and I suggested she download MBAM and give it a
| go.

| Thoughts, anyone?? I haven't seen it mentioned on here.

| Thanks...Heather
| ------------------------

| Been having virus problems - got a pop up re: Win32.Brontok being
| blocked by the firewall. Have run all the virus software, done a
| clean, etc, and can't get the firewall popup about disabling this to
| go away and stay away.

| Any thoughts? Is the "firewall" popup actually the virus?


Hi Figgs:

This is a worm that propagates through email and net shares and can perform a DoS on hard
coded targets.

As a worm it is targeted by anti virus software. I can't speak of MBAM and SAS working on
it as they tend to target trojans and not viruses and worms. Albeit they may target some
worms.

You said your friend "Have run all the virus software..."
Please have her/him define WHAT anti virus software had been used.

Note that the McAfee and Sophos modules of my Multi AV should do well to remove this
threat.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Heather
External


Since: Mar 02, 2009
Posts: 13



Posted: Sun Jun 21, 2009 1:53 pm    Post subject: Re: Win32.Brontok
Archived from groups: per prev. post

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:D72dnVdL0IhYtKPXnZ2dnUVZ_gqdnZ2d@giganews.com...
> From: "Heather" <no.one RemoveThis @home.invalid>
>
> | Got the following from a friend.......and she is not a novice. From
> | what I see on Google, this is either a rogue spyware or a real
> | virus.....can someone tell me which one??
>
> | She has 2 or 3 computers and I suggested she download MBAM and give it a
> | go.
>
> | Thoughts, anyone?? I haven't seen it mentioned on here.
>
> | Thanks...Heather
> | ------------------------
>
> | Been having virus problems - got a pop up re: Win32.Brontok being
> | blocked by the firewall. Have run all the virus software, done a
> | clean, etc, and can't get the firewall popup about disabling this to
> | go away and stay away.
>
> | Any thoughts? Is the "firewall" popup actually the virus?
>
>
> Hi Figgs:
>
> This is a worm that propagates through email and net shares and can
> perform a DoS on hard coded targets.
>
> As a worm it is targeted by anti virus software. I can't speak of
> MBAM and SAS working on it as they tend to target trojans and not
> viruses and worms. Albeit they may target some worms.
>
> You said your friend "Have run all the virus software..."
> Please have her/him define WHAT anti virus software had been used.
>
> Note that the McAfee and Sophos modules of my Multi AV should do well
> to remove this threat.

Thanks David. I heard from her early this morning and they have run a
couple more a-v programs, but she didn't name them. Both she and her
husband are IT professionals (how embarrassing) and she alone has 2
servers that she downloads her mail from. Unfortunately, because the
servers have virus and malware protection, she is not running an active
antivirus proggie.

She sent a pic of the warning and it is the "Security Centre Alert" box
naming the subject worm and asking her if she wants to block it and/or
download and run protection.

She is away for the day, but I will hear from her this evening. I sent
her your explanation and she will see that. I told her to d/l and run
MBAM and Superantispyware last night, so not sure if those are the
programs that her husband ran, along with antivirus ones.

I will get back to you once I know, but it was late last night when she
wrote me and I couldn't see what I considered "valid information" on
Google other than what I said. I assumed it was the rogue
program....wrong. But I hadn't noticed any mention of it on here or the
MS group.

Don't know if it is the worm or just server things I am not aware of,
but often our emails are held up for hours. Perhaps it is the latter.
I only proofread a couple of websites for her......she does the hard
stuff. (G)

Cheers....Figgs
Heather
External


Since: Mar 02, 2009
Posts: 13



Posted: Sun Jun 21, 2009 2:04 pm    Post subject: Re: Win32.Brontok
Archived from groups: per prev. post

"1PW" <barcrnahgjuvfgy.DeleteThis@nby.pbz> wrote in message
news:h1l0l7$fr0$1@news.eternal-september.org...
> Heather wrote:
>> Got the following from a friend.......and she is not a novice. From
>> what I see on Google, this is either a rogue spyware or a real
>> virus.....can someone tell me which one??
>>
>> She has 2 or 3 computers and I suggested she download MBAM and give
>> it a go.
>>
>> Thoughts, anyone?? I haven't seen it mentioned on here.
>>
>> Thanks...Heather
>> ------------------------
>>
>> Been having virus problems - got a pop up re: Win32.Brontok being
>> blocked by the firewall. Have run all the virus software, done a
>> clean, etc, and can't get the firewall popup about disabling this to
>> go away and stay away.
>>
>> Any thoughts? Is the "firewall" popup actually the virus?
>
> Hello Heather:
>
> Using MBAM /would/ be one of the first suggested actions. In addition
> to MBAM, you may also wish to use SAS in the safe mode.
>
> <http://www.superantispyware.com/index.html>
>
> What is the complete version of the OS, and how was the malware
> originally identified?

Hi Pete.......heard from her this morning but she is now away for the
day. I would assume XP and I also assume that she and her husband have
at least 4 computers which have their own servers and both of them are
IT people. (aka geeks, according to her, grin)

They ran a couple of a-v programs after I posted this and found some
other things, but not this one. See my reply to David for the warning
from the Firewall. And the fact that she doesn't run an active
antivirus because of the alleged protection from her servers.

Thanks.......Heather (Figgs)
FromTheRafters
External


Since: Feb 16, 2009
Posts: 26



Posted: Sun Jun 21, 2009 7:39 pm    Post subject: Re: Win32.Brontok
Archived from groups: per prev. post

It's a worm.

"Heather" <no.one.DeleteThis@home.invalid> wrote in message
news:h1kgaq$9ea$1@news.eternal-september.org...
> Got the following from a friend.......and she is not a novice. From
> what I see on Google, this is either a rogue spyware or a real
> virus.....can someone tell me which one??
>
> She has 2 or 3 computers and I suggested she download MBAM and give it
> a go.
>
> Thoughts, anyone?? I haven't seen it mentioned on here.
>
> Thanks...Heather
> ------------------------
>
> Been having virus problems - got a pop up re: Win32.Brontok being
> blocked by the firewall. Have run all the virus software, done a
> clean, etc, and can't get the firewall popup about disabling this to
> go away and stay away.
>
> Any thoughts? Is the "firewall" popup actually the virus?
>
>
Heather
External


Since: Mar 02, 2009
Posts: 13



Posted: Mon Jun 22, 2009 2:13 am    Post subject: Re: Win32.Brontok
Archived from groups: per prev. post

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:D72dnVdL0IhYtKPXnZ2dnUVZ_gqdnZ2d@giganews.com...

>
> Hi Figgs:
>
> This is a worm that propagates through email and net shares and can
> perform a DoS on hard coded targets.
>
> As a worm it is targeted by anti virus software. I can't speak of
> MBAM and SAS working on it as they tend to target trojans and not
> viruses and worms. Albeit they may target some worms.
>
> You said your friend "Have run all the virus software..."
> Please have her/him define WHAT anti virus software had been used.
>
> Note that the McAfee and Sophos modules of my Multi AV should do well
> to remove this threat.

Hi Dave.....heard from her and they used F-Prot.....twice. But it keeps
coming back from the sound of it. The firewall keeps popping up. I
have done enough reading on this to realize it has put something in the
registry, I assume.

It is one old worm!! She is torn between "is it a worm, or is it some
rogue spyware imitating the Firewall".......but I can't say on that one.

I sent her the page from Sophos to remove worms. But I didn't have your
Multi-AV instructions and I would have a problem figuring out the German
site too. I checked in my OE folders and for some dumb reason, I didn't
save it. Can you either send it to me via private email or post it
here??

Thanks in advance.......and thanks for the help.

Figgs
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>