Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published Apr 30, 2010 | Updated Sep 15, 2017

Worm:Win32/Brontok.FFV

Detected by Microsoft Defender Antivirus

Aliases: Win32/Detnat.E (AhnLab) W32/Backdoor.BVDW (Command) Worm.Win32.Detnat.e (Kaspersky) Detnat.gen1 (Norman) Worm.VB.FMU (VirusBuster) Trojan horse Downloader.Generic2.OEH.dropper (AVG) TR/VB.BG (Avira) Trojan.FakeFolder.A (BitDefender) Win32/Bacalid (CA) Win32.HLLW.Blank (Dr.Web) Win32/Bacalid.A (ESET) Worm.Win32.Brontok (Ikarus) W32/Bacalid.gen (McAfee) W32/Bacalid.A (Panda) Worm.Win32.Detnat.g (Rising AV) W32/Bacalid-A (Sophos) Trojan.Win32.Generic.pak!cobra (Sunbelt Software) W32.SillyFDC (Symantec) PE_VBAC.A (Trend Micro)

Summary

Worm:Win32/Brontok.FFV is detection for a variant of the Win32/Brontok worm family. This variant of the Brontok family spreads by copying itself to removable drives. It can disable antivirus and security software and modify Windows settings.
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
 
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
 
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
322756 How to back up and restore the registry in Windows
 
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
 
To remove/modify the changes that Worm:Win32/Brotok.FFV has made to your computer, follow these steps:
 
1) Click Start and then click Run.
2) In the Open box, type regedit and then click OK.
3) Locate and then click on the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
4) On the right panel, right-click on the following registry entry:
Userinit
5) Select Modify and then click OK.
6) In the "Value data:" entry box, edit the data such that it only contains the following:
%windir%\system32\userinit.exe
7) Click OK, locate and then click on the following registry key:
HKLM\SYSTEM\CurrentControlSet\Control
8) On the right panel, right-click on the following registry entry:
AlternateShell
9) Select Modify and then click OK.
10) In the "Value data:" entry box, edit the data such that it only contains the following:
cmd.exe
11) Click OK, locate and then click on the following registry key:
HKLM\Software\Classes\txtfile\shell\open\command
12) On the right panel, right-click on the following registry entry:
(default)
13) Select Modify and then click OK.
14) In the "Value data:" entry box, edit the data such that it only contains the following:
%SystemRoot%\system32\NOTEPAD.EXE %1
15) Locate and then click on the following registry key:
HKLM\Software\Classes\comfile\shell\open\command
16) On the right panel, right-click on the following registry entry:
(default)
17) Select Modify and then click OK.
18) In the "Value data:" entry box, edit the data such that it only contains the following:
"%1" %*
19) Click OK and close Registry Editor.
Follow us