Brontok Removal Tool is a useful application that was designed in order to help you get rid of the worm infection.

The worm comes as an attachment in an infected email, that looks like this:

Subject: (empty)
Message:

BRONTOK.A [ By: HVM31-Jowobot #VM Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[
By: HVM31-Jowobot #VM Community--

Attachment: Kangen.exe

The attached file has an icon that imitates an usual Windows folder. If executed, an Explorer window with My Documents folder is open. The worm installs itself in the locations specified in the Symptoms section.

The worm starts scanning files having the following extensions in order to gather email addresses to havest:
.asp
.cfm
.csv
.doc
.eml
.html
.php
.txt
.wab

It will not consider the adresses mathing the following strings:

ADMIN AHNLAB ALADDIN ALERT ALWIL ANTIGEN
ASSOCIATE AVAST AVIRA BILLING@ BUILDER
CILLIN CONTOH CRACK DATABASE DEVELOP
ESAFE ESAVE ESCAN EXAMPLE GRISOFT HAURI
INFO@ LINUX MASTER MICROSOFT NETWORK
NOD32 NORMAN NORTON PANDA PROGRAM
PROLAND PROTECT ROBOT SECURITY SOURCE
SYBARI SYMANTEC TRUST UPDATE VAKSIN
VAKSIN VIRUS

The email addresses are gathered into the following folder:
%UserProfile%\Local Settings\Application Data\Loc.Mail.Bron.Tok

This folder will contain as many files as the email addresses the worm found. Those files are named by the following pattern: found@email.address.ini

In the same folder as the one specified above, the worm creates the following ones, that it will use at the mass-mailing process:

Ok-SendMail-Bron-tok
Bron.tok-[x]-[y] (where x and y are two random numbers)
The worm also creates a task in C:\%WINDIR%\Tasks, that will execute a copy of it (WowTumpeth.com) every day, at 5:08PM.

In order to assure it is executed at every system startup, it creates the following registry entries:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

"Bron-Spizaetus" = "%Windir%\ShellNew\bronstab.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus" = "%UserProfile%\Local Settings\Application Data\smss.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="Explorer.exe %Windir%\eksplorasi.pif"

It will disable Folder Options in Windows Explorer, by setting the following Registry value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoFolderOptions"="1"

And will also disable Regedit:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableRegistryTools"="1"

The following entries will be set at the specified values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]

"Hidden"="0"

"ShowSuperHidden"="0"

"HideFileExt"="1"

When the worm is in memory, if it finds any window that contains "Registry" or ".EXE", it will restart the computer.