Analysis of Brontok.B and how to clean

Brontok is the name of a worm that infects Windows-based machines. I often get a notification that this worm is trying to create files on my laptop. My antivirus software is NOD32 Standard Edition by Eset. NOD32 is my favorite antivirus because of its power and small memory footprint. I have never gotten a false alarm. The machine runs as fast as it does without an antivirus. So I don't think that notification is a false alarm, or that NOD32 cannot clean the worm completely. However, I still get the same notification very often. Below is my analysis.

  1. I have never gotten that notification when I am at home.
  2. I often get that notification at my university, Kasetsart University.
  3. Once the notification has started to appear, it occurs more and more often.
  4. NOD32 just informs me and leaves only a "Close" button to press to continue.
  5. The notification informs me that Brontok.B tried to create a file in C:\Documents and Settings\All Users\Documents.
  6. In NOD32's Threat Log, I found the entry below.
    Time 10/2/2549 13:11:21
    Module AMON
    Object file C:\Documents and Settings\All Users\Documents\My Videos\My Videos.exe 
    Name Win32/Brontok.B
    Threat worm
    Action quarantined - deleted
    User NT AUTHORITY\SYSTEM
    Information Event occurred on a newly created file. The file was moved to quarantine. You
    may close this window.
  7. As a result, NOD32 concluded it was a worm run by SYSTEM and deleted it by default.
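As an added example (not code from the original post), here is a small Python script that parses entries in the Threat Log layout quoted above and summarises repeated detections by threat name and user. The sample log is constructed, with the first entry mirroring the quoted one; the folder-mimic check only captures the pattern visible in that entry's path (an .exe named after the folder it sits in), not a general claim about the worm.

```python
# Added example, not code from the original post: parse entries in the
# key/value layout of NOD32's Threat Log quoted above and summarise them.
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: entry one mirrors the quoted log, entry two is invented.
SAMPLE_LOG = r"""
Time 10/2/2549 13:11:21
Module AMON
Object file C:\Documents and Settings\All Users\Documents\My Videos\My Videos.exe
Name Win32/Brontok.B
Threat worm
Action quarantined - deleted
User NT AUTHORITY\SYSTEM
Information Event occurred on a newly created file. The file was moved to quarantine.

Time 10/2/2549 13:20:40
Object file C:\Downloads\setup.exe
Name Win32/Brontok.B
User LAPTOP\Somebody
"""

FIELDS = {"Time", "Module", "Object", "Name", "Threat", "Action", "User"}

def parse_entries(text):
    """Blank lines separate entries; lines not starting with a known key are skipped."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        key, _, value = line.strip().partition(" ")
        if not key and current:
            entries.append(current)
            current = {}
        elif key in FIELDS:
            # NOD32 prefixes the path with its object type, e.g. "file C:\..."
            current[key] = value.strip().removeprefix("file ")  # Python 3.9+
    return entries

def mimics_folder(path):
    # True for an .exe named after its parent folder, as in the quoted entry.
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".exe" and p.stem.lower() == p.parent.name.lower()

def summarize(text):
    """Detections per threat name, per user, and the folder-mimicking object paths."""
    entries = parse_entries(text)
    return {"by_name": Counter(e.get("Name") for e in entries),
            "by_user": Counter(e.get("User") for e in entries),
            "folder_mimics": [e["Object"] for e in entries
                              if mimics_folder(e.get("Object", ""))]}
```

Running `summarize` over a real exported log shows whether the repeated notifications are the same file path created again and again (a spreading storm on the network) or different paths, which is the distinction the analysis above is trying to make.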

Okay. It is not a big problem to close the notification window. However, I just want to make sure that my laptop has no Brontok.B running in memory. I forced NOD32 to scan memory and found nothing. Sophos's analysis of Brontok names it W32/Brontok-B and says it spreads by e-mail attachments. Seriously, my default e-mail client is Thunderbird and my browser is Firefox. I have never known of a big bug in Thunderbird relating to running code attached to e-mail. Actually, it cannot run VBScript, and JavaScript execution is disabled by default.

Some users reported that NOD32 always deletes this worm, so it deleted all the games and programs on their computers. However, other users reported that NOD32 cannot clean this worm. I am so confused by these minority reports. As a result, it turned out that many users recommended using Avast Home Edition. They claimed that Avast can clean this worm forever. Some people suggested following the instructions proposed by Symantec. I tried to follow those instructions without success. I didn't see the files or registry entries indicated in those instructions. Another suggestion is to use HijackThis.

To end this long analysis, I conclude as follows.

  1. Brontok.B may infect my computer not only via e-mail attachments but also by other, unknown methods.
  2. NOD32 can detect the creation of files containing Brontok.B. That's enough.

It is very easy to clean Brontok.B using NOD32. Actually, I should say that Brontok.B is deleted immediately after it is saved to the hard disk. All you have to do is close the notification window. Yes, I know this is annoying. You can turn off the notification window in two ways. First, you can specify a period of time during which the notification window is suppressed, e.g., 120 minutes. 120 minutes are usually enough to ride out a spreading storm. The other option is to turn off the notification window until the next reboot. This option is suitable for those who are going to shut down the machine soon. I never use this option because I like to hibernate.
