Saturday, April 14, 2007

BrO_AcT Facts That You Need To Know

Lately, many of my friends' computers have been infected by the BrO_AcT worm/virus, and it has caused them a lot of trouble to get rid of it. Moreover, information on the Net is still very limited since it is a new virus. Recently, I found some facts about this virus on the Net and want to share them with you so that you will know whether you've been a victim or not.

1) What is BrO_AcT?

Symantec AV -> identifies it as W32.sillyDC
DrWeb CureIT -> identifies it as Win32.HLLW.Broact
Trend Micro -> identifies it as WORM_VB.BHE
Panda AV -> identifies it as W32/SexyGirl.A.worm
Avira -> identifies it as Worm/VB.DH.1

2) How It Spreads?

Normally it spreads via removable storage devices (USB drives). An infected thumb drive will show these files: "MySexy.exe", "User.exe" and "Sexy.Dat".

3) Symptoms

- A popup box appears after logging in to Windows, with the title "BrO_AcT.exe". It contains a message, but I don't remember what is written in it.
- Look at your title bar. An infected hard disk will show the folder name + [:Restricted by BrO_Act:]
- When you try to open the C:\Windows\System32 folder, Explorer closes itself.
- Right-click My Computer, select Properties, select Computer, and click the Change button; you will find that your computer name has been changed to "ReAct_User".
- Your antivirus has been deactivated.
- You can't access Task Manager, Regedit, Msconfig, Folder Options, or the Command Prompt.

4) How Do I Confirm that I'm Infected?

Run HijackThis. These are the entries added:
C:\WINDOWS\system32\BrO_AcT.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\default__.pif"
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM32\BrO_AcT.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe


5) What Will This Virus Do or Create in Your Computer?

It will create and add the following files:-

-C:\Windows\system32\BrO_AcT.exe
-C:\WINDOWS\default__.pif
-C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe
-C:\WINDOWS\SYSTEM32\ReAct_User\winlogon.exe
-C:\ReActLog (Something with this name)
-NTDETCH.com (on all your drive, root folder)
-Autorun.inf (on all your drive, root folder)
-Hundreds of files in C:\System Volume Information\_restore{7C0D0734-E9F5-4A30-ABD4-977206CFACB2}\RP411 (with names like A0062080.com, A0062083.pif, A0062092.exe, etc.)
-C:\WINDOWS\system32\MySexy.exe
-C:\WINDOWS\system32\regedit.com
-C:\WINDOWS\system32\msconfig.com

It will also copy itself to any portable USB drive connected to the infected system, creating:-
->Autorun.inf
->BrO_AcT.exe
->My_SeXy.exe

and the USB drive will autorun any time you connect it to a system. "THIS IS HOW THE VIRUS SPREADS".
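
As an added example (not from the original post or from any antivirus vendor), the Python below checks a saved HijackThis log for the entries listed in section 4 and a drive's root folder for the file names reported in sections 2 and 5. The function names and the sample log are constructed for illustration.

```python
import os
import re

# HijackThis entries listed in section 4 of this page, as case-insensitive patterns.
HJT_INDICATORS = {
    "process": r"^[A-Z]:\\.*\\BrO_AcT\.exe$",
    "shell_hijack": r"^F2 - REG:system\.ini: Shell=.*\\default__\.pif",
    "hklm_run": r"^O4 - HKLM\\\.\.\\Run: .*\\BrO_AcT\.exe",
    "hkcu_run": r"^O4 - HKCU\\\.\.\\Run: .*\\ReAct_User\\svchost\.exe",
}
# File names this page reports in the root of an infected USB drive (sections 2 and 5).
WORM_FILES = ("bro_act.exe", "my_sexy.exe", "mysexy.exe", "user.exe", "sexy.dat")

# Constructed sample log: two benign lines plus the four entries from section 4.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\BrO_AcT.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\default__.pif"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM32\BrO_AcT.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe
"""

def scan_hijackthis(log_text):
    """Return {indicator_name: [matching log lines]} for a HijackThis log."""
    hits = {}
    for line in log_text.splitlines():
        line = line.strip()
        for name, pattern in HJT_INDICATORS.items():
            if re.search(pattern, line, re.IGNORECASE):
                hits.setdefault(name, []).append(line)
    return hits

def scan_drive_root(root):
    """Return the worm-related file names found directly in a drive's root."""
    present = {n.lower(): n for n in os.listdir(root)}
    found = [present[n] for n in WORM_FILES if n in present]
    # Autorun.inf alone is common on legitimate media, so it is only
    # reported when one of the worm's own files sits next to it.
    if found and "autorun.inf" in present:
        found.append(present["autorun.inf"])
    return sorted(found, key=str.lower)

if __name__ == "__main__":
    for name, lines in scan_hijackthis(SAMPLE_LOG).items():
        print(name, "->", lines[0])
```
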


6) How Do I Get Rid of BrO_Act.exe?


Update your anti-virus with the latest virus definitions. As far as I know:-

Nod32 AV - not detected, system infected
BitDefender 10 - not detected, system infected
McAfee - not detected, system infected

Avira - detected as Worm/VB.DH.1
AVG 7.5 Pro - detected as W32/VB
Kaspersky - detected as Win32.VB.DH


I hope this little info will help you to eliminate this annoying virus.

