Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 7 November 2007 23:18:10 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Brontok-DP is a worm for the Windows platform.
W32/Brontok-DP attempts to copy itself to network and removable drives, using filenames including Music.exe and Default.pif, and creates an autorun.inf file in the root of each drive so that the copy is run automatically when the drive is accessed. The worm also spreads to other network computers.
When first run, W32/Brontok-DP copies itself to:
<User>\Documents\Music.exe
<Startup>\Default.pif
<Root>\Windowxp\explorer.exe
<Windows>\Fonts\smss.exe
<Windows>\System32.exe
<System>\dllcache\services.exe
<System>\oobe\isperror\csrss.exe
and creates the following files:
<Root>\autorun.inf
<Windows>\SoftWareProtector\smss_out.pr
<Windows>\winxp.inf
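The autorun.inf dropped in the drive root is what turns a copied file such as Music.exe into one that launches when the drive is opened. The following parser is an added example, not part of Sophos's analysis or the worm's own code: it reads an autorun.inf and reports the directives that cause code to run, so the file can be judged without opening the drive in Explorer. The sample autorun.inf is constructed for illustration and is not a capture of the worm's file.

```python
"""Triage an autorun.inf taken from a removable or network drive.

Added example (not Sophos's code). The worm above drops an autorun.inf in
the drive root so that its copy, e.g. Music.exe, runs when the drive is
opened. This parser extracts the [autorun] directives that cause code to
execute so the file can be judged without opening the drive in Explorer.
SAMPLE_AUTORUN is constructed for illustration, not captured from the worm.
"""
import re

# File types Windows will execute when named by a launch directive.
EXECUTABLE_EXTS = (".exe", ".pif", ".com", ".bat", ".cmd", ".scr")

SAMPLE_AUTORUN = r"""[autorun]
open=Music.exe
shellexecute="Music.exe" /quiet
shell\Open\command=Music.exe
shell=Open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return the [autorun] section as {key (lower-cased): value}.

    Lines outside [autorun] are ignored, as the shell ignores them, and a
    repeated key keeps the last value, as the Windows INI reader does.
    """
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def program_path(command):
    """First token of a command line, honouring a leading double quote."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(values):
    """(directive, program) pairs that make the shell run something.

    open= and shellexecute= fire when the drive is opened or autoplayed;
    shell\\<verb>\\command adds a context-menu verb, and shell=<verb> makes
    that verb the default double-click action.
    """
    targets = []
    for key, value in values.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            targets.append((key, program_path(value)))
    return targets


def is_suspicious(values):
    """True when any launch directive points at an executable file type."""
    return any(p.lower().endswith(EXECUTABLE_EXTS) for _, p in launch_targets(values))


if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE_AUTORUN)
    for directive, program in launch_targets(parsed):
        print(f"{directive} -> {program}")
    print("suspicious" if is_suspicious(parsed) else "clean")
```

Run it against a copy of the drive's autorun.inf taken from a system that has AutoPlay disabled; a result of `suspicious` means the file names a program to run, and the named file (here Music.exe) is the one to submit or hash, not the .inf itself.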
The following registry entry is changed so that W32/Brontok-DP runs at every logon (the worm's copy <Windows>\fonts\smss.exe is appended to the Userinit list, which Winlogon executes after a user logs on):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\fonts\smss.exe
The following registry entries are set or modified so that the worm's copy csrss.exe (in <System>\oobe\isperror, not the genuine Windows csrss.exe in <System>) is run in place of the normal handler whenever a file with the extension LNK, BAT, COM, EXE or PIF is opened or launched:
HKCR\lnkfile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*
HKCR\exefile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*
The following Explorer, System, System Restore and Windows Installer policy entries are set (these policies control access to Folder Options, the Control Panel, Run, Search, the command prompt, Task Manager, the Registry Editor, System Restore and Windows Installer):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HideClock
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoShellSearchButton
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSimpleStartMenu
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
kbao
AUTO.TXT
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
000
The AeDebug Debugger value names the program Windows launches as the postmortem debugger when an application crashes; pointing it at the worm's copy of services.exe gives the worm a further way to be started:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\dllcache\services.exe
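The Userinit, shell\open\command and AeDebug entries above are the ones that keep the worm running and are easy to check from a registry export. The script below is an added example, not Sophos's code or the page's removal procedure: it parses the text of a .reg file (as written by `reg export`) and flags a Userinit list containing anything other than the genuine userinit.exe, a file-type handler whose command runs something other than the opened file itself ("%1"), and an AeDebug debugger that is not a known debugger. The sample export is constructed to mirror the values on this page with C:\WINDOWS standing in for <Windows>; the debugger allowlist is an assumption to adjust for the environment.

```python
"""Check a registry export for the persistence entries listed on this page.

Added example (not Sophos's code). It parses the text of a .reg file, as
written by `reg export <key> out.reg`, and applies three checks drawn from
the entries above: Winlogon\\Userinit must list only the genuine
userinit.exe, the shell\\open\\command handlers for exe/com/bat/pif/lnk
files must start with the opened file itself ("%1"), and AeDebug\\Debugger
must name a known debugger. SAMPLE_EXPORT is constructed to mirror the
values above with C:\\WINDOWS standing in for <Windows>; the list of known
debuggers is an assumption to adjust for the environment.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AEDEBUG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
HANDLER_TYPES = ("exefile", "comfile", "batfile", "piffile", "lnkfile")
# Assumed allowlist: Dr Watson (the XP default) and the Visual Studio JIT debugger.
KNOWN_DEBUGGERS = {"drwtsn32", "drwtsn32.exe", "vsjitdebugger.exe"}

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\fonts\\smss.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\oobe\\isperror\\csrss.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="C:\\WINDOWS\\system32\\dllcache\\services.exe"
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}} for string values.

    "@" is the key's default value, reported here as "(default)". REG_SZ
    data is quoted, with backslash and double quote each escaped by a
    backslash; those escapes are undone. Non-string data (hex:, dword:)
    is skipped because these checks only need strings.
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            result[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return result


def program_of(command):
    """First token of a command line, honouring a leading double quote."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_userinit(reg):
    """Flag every Userinit entry that is not <System>\\userinit.exe."""
    findings = []
    for entry in reg.get(WINLOGON, {}).get("Userinit", "").split(","):
        entry = entry.strip()
        if not entry:
            continue  # the trailing comma Windows writes is normal
        parts = entry.lower().split("\\")
        if parts[-1] != "userinit.exe" or len(parts) < 2 or parts[-2] != "system32":
            findings.append(f"Userinit runs extra program: {entry}")
    return findings


def check_handlers(reg):
    """Flag file-type handlers that run something other than the file itself."""
    findings = []
    for ftype in HANDLER_TYPES:
        key = "HKEY_CLASSES_ROOT\\" + ftype + "\\shell\\open\\command"
        cmd = reg.get(key, {}).get("(default)")
        if cmd is not None and program_of(cmd) != "%1":
            findings.append(f"{ftype} open handler hijacked: {cmd}")
    return findings


def check_aedebug(reg):
    """Flag a postmortem debugger that is not on the allowlist."""
    dbg = reg.get(AEDEBUG, {}).get("Debugger", "")
    if dbg and program_of(dbg).lower().rsplit("\\", 1)[-1] not in KNOWN_DEBUGGERS:
        return [f"AeDebug Debugger set to: {dbg}"]
    return []


def triage(text):
    """All findings for one .reg export."""
    reg = parse_reg_export(text)
    return check_userinit(reg) + check_handlers(reg) + check_aedebug(reg)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

Against the constructed export the script reports the extra smss.exe in Userinit, the hijacked exefile handler and the AeDebug debugger, and passes the stock batfile handler. When the exefile handler really has been redirected, run the export and any cleanup tool from a known-good copy of the shell or from a rescue environment, since every .exe launched through the hijacked handler will first start the worm's csrss.exe.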
