BrO_AcT Facts That You Need To Know
BrO_AcT Facts That You Need To Know
Lately, a lot of my friend's computer have been infected by BrO_AcT worm/virus. And it cause them a lot of trouble to get rid of this new virus. Moreover, the information on the Net is still very limited since it is a new virus. Recently, I've found the facts about this virus on the Net and want to share with you so that you will know if you've been a victim or not.
1)What is BrO_AcT ?
Symantec AV -> identify it as W32.sillyDC.
DrWeb CureIT -> identify it as Win32.HLLW.Broact
TrenMicro -> identify it as WORM_VB.BHE
Panda AV -> identify it as W32/SexyGirl.A.worm
Avira -> identify it as Worm/VB.DH.1
2)How it Spreads ?
Normally it spread via removable storage devices(USB drive) . Infected thumb drive will show these files: "MySexy.exe", "User.exe" and "Sexy.Dat".
3)Symptomps
-Popup box appears after login into the Windows, with the title "BrO_AcT.exe". It contains a message but I don't remember what it is written.
-Look at your title bar. An infected hardisk will show the folder name + [:Restricted by BrO_Act:]
- When you try to open C:\Windows\System32 folder, explorer close itself.
- Right click My Computer, select Properties, select Computer, click Change button, you find that your computer name has been changed to "ReAct_User"
-Your antivirus has been deactivated.
-You can't access Task Manager, Regedit, Msconfig, Folder option, and Command prompt.
4)How Do I Confirm that I'm Infected ?
Run Hijackthis. These are the entries added:
C:\WINDOWS\system32\BrO_AcT.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\default__.pif"
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM32\BrO_AcT.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe
5)What Will This Virus Do or Create in Your Computer ?
It will create and add the following files :-
-C:\Windows\system32\BrO_AcT.exe-C:\WINDOWS\default__.pif
-C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe
-C:\WINDOWS\SYSTEM32\ReAct_User\winlogon.exe
-C:\ReActLog (Something with this name)
-NTDETCH.com (on all your drive, root folder)
-Autorun.inf (on all your drive, root folder)
-Hundreds of files in C:\System Volume -Information\_restore{7C0D0734-E9F5-4A30-ABD4-977206CFACB2}\RP411 (With name like -A0062080.com, A0062083.pif, A0062092.exe and etc)
-C:\WINDOWS\system32\MySexy.exe
-C:\WINDOWS\system32\regedit.com
-C:\WINDOWS\system32\msconfig.com
It also will copy itself to any portable USB drive connected to the infected system and creating:-
->Autorun.innf
->BrO_AcT.exe
->My_SeXy.exe
and the USB drive will autorun anytime you connect it to the system. "THIS IS THE WAY HOW THE VIRUS SPREAD".
6) How Do I Get Rid of BrO_Act.exe ?
Update your anti-virus with latest virus definition. As far as I know :-
Nod32 AV - not detect, system infected
BitDefender 10 - not detect, system infected
McAfee - not detect, system infected
Avira - detected as Worm/VB.DH.1
AVG 7.5 Pro - detected as W32/VB
Kapersky - detected as Win32.VB.DH
I hope this little info will help you to eliminate this annoying virus.
0 comments:
Post a Comment