Removal Virus

What is the difference between viruses, worms, and Trojans?

2007-06-04T21:16:00.000-07:00

As a user of the computer, Virus is the one of the killer in our program. So, every user of the computer should know what is the virus and others types of it.

A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:

It must execute itself. It often places its own code in the path of execution of another program.
It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike.

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

Five recognized types of viruses

File infector viruses

File infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe files. The can infect other files when an infected program is run from floppy, hard drive, or from the network. Many of these viruses are memory resident. After memory becomes infected, any noninfected executable that runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.

Boot sector viruses

Boot sector viruses infect the system area of a disk; that is, the boot record on floppy disks and hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. These viruses are always memory resident in nature. Most were written for DOS, but, all PCs, regardless of the operating system, are potential targets of this type of virus. All that is required to become infected is to attempt to start up your computer with an infected floppy disk Thereafter, while the virus remains in memory, all floppy disks that are not write protected will become infected when the floppy disk is accessed. Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned.

Master boot record viruses

Master boot record viruses are memory-resident viruses that infect disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located. Master boot record infectors normally save a legitimate copy of the master boot record in an different location. Windows NT computers that become infected by either boot sector viruses or master boot sector viruses will not boot. This is due to the difference in how the operating system accesses its boot information, as compared to Windows 98/Me. If your Windows NT systems is formatted with FAT partitions you can usually remove the virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be recovered by using the three Windows NT Setup disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.

Multipartite viruses

Multipartite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair. If the boot area is cleaned, but the files are not, the boot area will be reinfected. The same holds true for cleaning infected files. If the virus is not removed from the boot area, any files that you have cleaned will be reinfected. Examples of multipartite viruses include One_Half, Emperor, Anthrax and Tequilla.

Macro viruses

These types of viruses infect data files. They are the most common and have cost corporations the most money and time trying to repair. With the advent of Visual Basic in Microsoft's Office 97, a macro virus can be written that not only infects data files, but also can infect other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Newer strains are now turning up in other programs as well. All of these viruses use another program's internal programming language, which was created to allow users to automate certain tasks within that program. Because of the ease with which these viruses can be created, there are now thousands of them in circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay and W97M.Groov.

What is a Trojan horse?

Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that when triggered cause loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet. Trojan.Vundo is a Trojan horse.

What is a worm?

Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which requires the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document.W32.Mydoom.AX@mm is an example of a worm

What is a virus hoax?

Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Following are some of the common phrases that are used in these hoaxes:

If you receive an email titled [email virus hoax name here], do not open it!
Delete it immediately!
It contains the [hoax name] virus.
It will delete everything on your hard drive and [extreme and improbable danger specified here].
This virus was announced today by [reputable organization name here].
Forward this warning to everyone you know!

Most virus hoax warnings do not deviate far from this pattern

W32/Almanahe.c

2007-06-04T02:54:00.001-07:00

Overview -

W32/Almanahe.a is a parasitic worm that infects Win32 executable files (*.exe) that can also download and execute additional malware.

Aliases

pe_corelink.a (TrendMicro)

w32.almanahe.b!inf (Symantec)

w32/alman-a (Sophos)

Characteristics

It also attempts to access network shares using the following passwords as "Administrator" user:

zxcv
qazwsx
qaz
qwer
!@#$%^&*()
!@#$%^&*(
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
654321
123456
12345
1234
123
1111
admin

The virus contains a list of hardcoded of filename(s) that are excluded from infection:

wooolcfg.exe
woool.exe
ztconfig.exe
patchupdate.exe
trojankiller.exe
xy2player.exe
flyff.exe
xy2.exe
.exe
au_unins_web.exe
cabal.exe
cabalmain9x.exe
cabalmain.exe
meteor.exe
patcher.exe
mjonline.exe
config.exe
zuonline.exe
userpic.exe
main.exe
dk2.exe
autoupdate.exe
dbfsupdate.exe
asktao.exe
sealspeed.exe
xlqy2.exe
game.exe
wb-service.exe
nbt-dragonraja2006.exe
dragonraja.exe
mhclient-connect.exe
hs.exe
mts.exe
gc.exe
zfs.exe
neuz.exe
maplestory.exe
nsstarter.exe
nmcosrv.exe
ca.exe
nmservice.exe
kartrider.exe
audition.exe
zhengtu.exe

Symptoms

Symptoms -

Presence of the files and registry keys mentioned.
Increase in file size in existing executable files.
Unexpected network connections to the mentioned site(s).
Unexpected access to network shared folders.

Method of Infection

Method of Infection -

W32/Almanahe.a is a parasitic worm that propagates by infecting Win32 executable files (*.exe) on local drives and network shares.

"Hacked by Pokemon" virus

2007-05-30T23:46:00.001-07:00

Removing "Hacked by Pokemon" virus

Did your Internet Explorer title bar shown this "Hacked by Pokemon"?Don't worry this is not a high risk virus.Just some visual basic program.The file that run this visual basic is BHA.VBS.DLL. I will show you how to remove this bug manually.

What will This Virus Do ?

-Infected every of your partition including removable drive.This is because the script was written to generate bha.vbs.dll and autorun.inf.

-Spread via removable drive such as pendrive or other storage device because of its capability to generate dll file using vbs script.

-Will generate new registry value in your windows registry that is:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL - winpath&"\Bha.dll.vbs

HKCR\vbsfile\DefaultIcon - shell32.dll

And also modify this registry value:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Hacked by pokemon"

-All your partition cannot open normally if your PC infected because the authority was given to the 'autoplay' option not 'open' option if normal condition.To ensure this,just right click one of your drives and see the first bolt option,is it open or autoplay.

How to Show Autorun.inf & bha.vbs.dll in Your Computer?

-Go to Tools>Folder Option

-Uncheck Hide protected operating system files (Recommended) and Use simple file sharing(Recommended)

-Click Apply and Close the window.

WARNING: When you open your drive partition, MAKE SURE you open by right clicking it and choose Open, IF NOT,the thread will RUNNING again.

How to Delete/Remove *vbs File ?

1) CTRL + ALT + DEL and find wscript.exe if exist to make sure its running or not. If exist, click End Process.

2)You may delete 2 files that i mention above manually in every partition.

3) or, Start -> Search. Search for *vbs files . Delete the file if it is found.

How To Clean The Registry ?

-After clean and delete the file, now you must clean the windows registry because this thread generate new registry value after they were activated.

-Run registry editor:START--->Run (type regedit)

-Open this location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL

Delete registry named MS32DLL

-And open this location:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

-Choose Window title and edit the string.

-You may put any names or delete the string value (Window title)

-Then reboot your PC

I hope this GUIDE will help you to eliminate this annoying virus . Good Luck !!!

Step-By-Step

2007-05-30T23:25:00.000-07:00

To Get Rid Of Spylocked or Iesmin.exe

Yesterday, my laptop has been infected by Spylocked spyware. I believe that it is due to my brother has installed a fake anti-spyware.

Windows keeps giving me a warning that I have spyware and that i should get rid of it.Spylock kept coming up, and even though I've uninstalled it, the icon keeps flashing in system tray...

If you open the Task Manager, you will see iesmn.exe, iesmin.exe, imsmain, imsmn in the process. That's the spyware. Iesmin.exe is actually Trojan-Downloader.Zlob.Media-Codec.

After searching some info about the virus, I am able to remove the spyware. So, what you have to do to get rid of this spyware?

First, kill the process of those I've stated above one by one in the Task Manager.

Then run Hijack This or Startup Manager to remove iesmin.exe and the gang from Windows startup.

Final step, after making sure that iesmin.exe and the gang are not running in the process( open Task Manager and look at the process whether they still running or not ), go to

C:\Program Files\Video ActiveX Access\ and find iesbpl.dll and delete that file.

DONE !!! Now you will be able to remove the spyware manually.

Information W32/Netsky-P Worm

2007-05-29T18:10:00.000-07:00

This section helps you to understand how it behaves

NOTE: The information contained in this analysis may be considered offensive by some customers.

W32/Netsky-P is a mass-mailing worm which spreads by emailing itself to addresses harvested from files on the local drives.

The worm will also copy itself to various peer-to-peer shared folders as the following files:

1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
ACDSee 10.exe
Adobe Photoshop 10 crack.exe
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Ahead Nero 8.exe
Altkins Diet.doc.exe
American Idol.doc.exe
Arnold Schwarzenegger.jpg.exe
Best Matrix Screensaver new.scr
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears fuck.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears porn.jpg.exe
Britney Spears Sexy archive.doc.exe
Britney Spears Song text archive.doc.exe
Britney Spears.jpg.exe
Britney Spears.mp3.exe
Clone DVD 6.exe
Cloning.doc.exe
Cracks & Warez Archiv.exe
Dark Angels new.pif
Dictionary English 2004 - France.doc.exe
DivX 8.0 final.exe
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
Eminem blowjob.jpg.exe
Eminem full album.mp3.exe
Eminem Poster.jpg.exe
Eminem sex xxx.jpg.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Eminem Spears porn.jpg.exe
Eminem.mp3.exe
Full album all.mp3.pif
Gimp 1.8 Full with Key.exe
Harry Potter 1-6 book.txt.exe
Harry Potter 5.mpg.exe
Harry Potter all e.book.doc.exe
Harry Potter e book.doc.exe
Harry Potter game.exe
Harry Potter.doc.exe
How to hack new.doc.exe
Internet Explorer 9 setup.exe
Kazaa Lite 4.0 new.exe
Kazaa new.exe
Keygen 4 all new.exe
Learn Programming 2004.doc.exe
Lightwave 9 Update.exe
Magix Video Deluxe 5 beta.exe
Matrix.mpg.exe
Microsoft Office 2003 Crack best.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
netsky source code.scr
Norton Antivirus 2005 beta.exe
Opera 11.exe
Partitionsmagic 10 beta.exe
Porno Screensaver britney.scr
RFC compilation.doc.exe
Ringtones.doc.exe
Ringtones.mp3.exe
Saddam Hussein.jpg.exe
Screensaver2.scr
Serials edition.txt.exe
Smashing the stack full.rtf.exe
Star Office 9.exe
Teen Porn 15.jpg.pif
The Sims 4 beta.exe
Ulead Keygen 2004.exe
Visual Studio Net Crack all.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
Windows 2003 crack.exe
Windows XP crack.exe
WinXP eBook newest.doc.exe
XXX hardcore pics.jpg.exe

W32/Netsky-P harvests email addresses from files with the following extensions:
PL, HTM, HTML, EML, TXT, PHP, ASP, VBS, RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, SHT, OFT, MSG, JSP, WSH, XML.

The worm has a trigger date of 24 March 2004, at which time it will attempt to mass mail.

Emails have the following characteristics (note that not all variations listed):

Subject lines: constructed from the following groups of strings -

Re: Re:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification

Message texts: chosen from -

Please confirm my request.
ESMTP [Secure Mail System #334]: Secure message is attached.
Partial message is available.
Waiting for a Response. Please read the attachment.
First part of the secure mail is available.
For more details see the attachment.
For further details see the attachment.
Your requested mail has been attached.
Protected Mail System Test.
Secure Mail System Beta Test.
Forwarded message is available.
Delivered message is attached.
Encrypted message is available.
Please read the attachment to get the message.
Follow the instructions to read the message.
Please authenticate the secure message.
Protected message is attached.
Waiting for authentification.
Protected message is available.
Bad Gateway: The message has been attached.
SMTP: Please confirm the attached message.
You got a new message.
Now a new message is available.
New message is available.
You have received an extended message. Please read the instructions.

Attachment description: chosen from -

Your details.
Your document.
I have received your document. The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file!
Please see the attached file for details.

followed by -

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de

Attached file:

_ .

chosen from:

document_all
message
excel document
word document
screensaver
application
website
product
letter
information
details
document

chosen from:

EXE
SCR
PIF
ZIP

W32/Netsky-P attempts to delete registry entries which may be set by variants of the W32/Mydoom and W32/Bagle worms.

W32/Netsky-P also creates a number of the TMP files in the Windows folder: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp.

Virus Description - W32.Blackmal.E@mm

2007-05-20T20:04:00.000-07:00

Created: 27/01/06

CME-24,
Win32.Blackmal.F [Computer Associates],
Email-Worm.Win32.Nyxem.e [F-Secure],
Email-Worm.Win32.Nyxem.e [Kaspersky],
W32/MyWife.d@MM [McAfee],
W32/MyWife.d@MM!M24 [McAfee],
W32/Small.KI@mm [Norman],
Tearec.A [Panda Software],
W32/Nyxem-D [Sophos]
WORM_GREW.{A, B} [Trend Micro]

Description

W32.Blackmal.E@mm is a mass-mailing worm that tries to spread on networks using open network shares and on the third of each month this virus deletes data files such as Word documents and Excel spreadsheets.
The 'From' line of the email is spoofed (faked), and its Subject line and message body of the email vary, but tend to be of a 'sexual' nature. The attachment varies but often appears to be a 'zip' file.

Damage

Spreads, clogs email servers, generates False Alarms, attacks anti-virus programs and deletes Word documents, Excel files, Powerpoint presentations, Access Databases, Zips, RARs and Photoshop files on the third of the month. The virus also attacks anti-virus and security software installed on your computer (which is a common feature of modern viruses).
On the 3rd of each month, 30 minutes after the victim
computer is rebooted, the worm will overwrite (destroy) files
with the following extensions:

Files corrupted by the worm contain the following text:
DATA Error [47 0F 94 93 F4 F5]
It is capable of disabling the mouse and keyboard of an affected system.
May reduce security on your PC.

Occurrence

Blackmal.E has been seen several times on campus - Symantec AntiVirus is recognising it and is stopping it (providing your 'virus definitions' are dated later than 17/01/06 .

Advice

Do not read suspicious email. Do not open the attachments with the above names or any unknown attachments. Keep Windows (& Outlook) up-to-date - see Updating Windows. And do not forward warnings to the apparent sender because the apparent sender is NOT the real sender.

Detecting Blackmal.E

An up-to-date copy of Symantec/Norton AntiVirus should detect and prevent infection from Blackmal.E. If you do not have Symantec/Norton AntiVirus and you are worried that you may have infected computer, you could run an online virus check or contact the Student Help Desk in the Library.

Cleaning Blackmal.E

Use the tool from Symantec: Blackmal Removal Tool.
Further Information
For further info about Blackmal.E:

Symantec on W32.Blackmal.E@mm
Trend on 'WORM_GREW.A' (w32.Blackmal.E@mm)

Combating Viruses, Worms and Trojan Horses

2007-05-18T21:45:00.000-07:00

The first steps to protecting your computer are to ensure your Operating System (OS) is up-to-date. This is essential if you are running a Microsoft Windows OS. Secondly, you should have anti-virus software installed on your system and ensure you download updates frequently to ensure your software has the latest fixes for new viruses, worms, and Trojan horses. Additionally, you want to make sure your anti-virus program has the capability to scan e-mail and files as they are downloaded from the Internet. This will help prevent malicious programs from even reaching your computer. You should also install a firewall as well.

A firewall is a system that prevents unauthorized use and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or in broadband routers. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it could possibly ignore embedded worms in out going e-mails and see this as regular network traffic. For individual home users, the most popular firewall choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms. The downside to software firewalls is that they will only protect the computer they are installed on, not a network.

It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and a good anti-virus scanning software, it will add some extra security and protection for your computer or network.

New Worm Name : W32.Fubalca.E-

2007-05-15T20:46:00.000-07:00

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the worm executes, it copies itself to the following location:

%System%\servet.exe

The worm then enables the autorun facitility on all drives by modifying the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0"

Next, the worm scans all drives from A through Z and creates the following file:[DRIVE LETTER]:

\AutoRun.inf

The worm then sets the system date to January 12th 1981, if the following file exists:

%System%\drivers\klick.sys

It then creates a service with the following characteristics:

Servicename:WindowsDownService

description: Windows

The worm creates the following registry subkey for the above service: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown

The worm uses advanced techniques to hide itself on the computer as the following file: %System%\svchost.exe

Once the worm has completed its installation, it deletes itself.

The worm then attempts to download and execute the following malicious files every sixty seconds:

[http://]www.18dmm.com/arp/[REMOVED]
[http://]www.18dmm.com/arp/[REMOVED]
[http://]www.18dmm.com/arp/[REMOVED]
[http://]www.18dmm.com/arp/[REMOVED]
[http://]www.18dmm.com/arp/[REMOVED]
[http://]www.18dmm.com/arp/[REMOVED]
[http://]www.18dmm.com/arp/[REMOVED]
[http://]www.18dmm.com/arp/[REMOVED]
[http://]www.18dmm.com/arp/[REMOVED]
[http://]www.18dmm.com/arp/10.[REMOVED]
[http://]www.18dmm.com/arp/11.[REMOVED]
[http://]www.18dmm.com/arp/12.[REMOVED]
[http://]www.18dmm.com/arp/13.[REMOVED]
[http://]www.18dmm.com/arp/14.[REMOVED]
[http://]www.18dd.net/new/system[REMOVED]

The above files are saved to the following location:

%System%\1.exe
%System%\2.exe
%System%\3.exe
%System%\4.exe
%System%\5.exe
%System%\6.exe
%System%\7.exe
%System%\8.exe
%System%\9.exe
%System%\10.exe
%System%\11.exe
%System%\12.exe
%System%\13.exe
%System%\14.exe
%System%\system22.exe

BrO_AcT (That You Need To Know)

2007-04-30T01:15:00.000-07:00

BrO_AcT Facts That You Need To KnowLately, a lot of my friend's computer have been infected by BrO_AcT worm/virus. And it cause them a lot of trouble to get rid of this new virus. Moreover, the information on the Net is still very limited since it is a new virus. Recently, I've found the facts about this virus on the Net and want to share with you so that you will know if you've been a victim or not.1)What is BrO_AcT ?Symantec AV -> identify it as W32.sillyDC.DrWeb CureIT -> identify it as Win32.HLLW.BroactTrenMicro -> identify it as WORM_VB.BHEPanda AV -> identify it as W32/SexyGirl.A.wormAvira -> identify it as Worm/VB.DH.12)How it Spreads ?Normally it spread via removable storage devices(USB drive) . Infected thumb drive will show these files: "MySexy.exe", "User.exe" and "Sexy.Dat".3)Symptomps -Popup box appears after login into the Windows, with the title "BrO_AcT.exe". It contains a message but I don't remember what it is written.-Look at your title bar. An infected hardi...

Tips

BrO_AcT Facts That You Need To Know

Lately, a lot of my friend's computer have been infected by BrO_AcT worm/virus. And it cause them a lot of trouble to get rid of this new virus. Moreover, the information on the Net is still very limited since it is a new virus. Recently, I've found the facts about this virus on the Net and want to share with you so that you will know if you've been a victim or not.

1)What is BrO_AcT ?

Symantec AV -> identify it as W32.sillyDC.
DrWeb CureIT -> identify it as Win32.HLLW.Broact
TrenMicro -> identify it as WORM_VB.BHE
Panda AV -> identify it as W32/SexyGirl.A.worm
Avira -> identify it as Worm/VB.DH.1

2)How it Spreads ?

Normally it spread via removable storage devices(USB drive) . Infected thumb drive will show these files: "MySexy.exe", "User.exe" and "Sexy.Dat".

3)Symptomps

-Popup box appears after login into the Windows, with the title "BrO_AcT.exe". It contains a message but I don't remember what it is written.
-Look at your title bar. An infected hardisk will show the folder name + [:Restricted by BrO_Act:]
- When you try to open C:\Windows\System32 folder, explorer close itself.
- Right click My Computer, select Properties, select Computer, click Change button, you find that your computer name has been changed to "ReAct_User"
-Your antivirus has been deactivated.
-You can't access Task Manager, Regedit, Msconfig, Folder option, and Command prompt.

4)How Do I Confirm that I'm Infected ?

Run Hijackthis. These are the entries added:
C:\WINDOWS\system32\BrO_AcT.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\default__.pif"
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM32\BrO_AcT.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe

5)What Will This Virus Do or Create in Your Computer ?

It will create and add the following files :-

-C:\Windows\system32\BrO_AcT.exe-C:\WINDOWS\default__.pif
-C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe
-C:\WINDOWS\SYSTEM32\ReAct_User\winlogon.exe
-C:\ReActLog (Something with this name)
-NTDETCH.com (on all your drive, root folder)
-Autorun.inf (on all your drive, root folder)
-Hundreds of files in C:\System Volume -Information\_restore{7C0D0734-E9F5-4A30-ABD4-977206CFACB2}\RP411 (With name like -A0062080.com, A0062083.pif, A0062092.exe and etc)
-C:\WINDOWS\system32\MySexy.exe
-C:\WINDOWS\system32\regedit.com
-C:\WINDOWS\system32\msconfig.com

It also will copy itself to any portable USB drive connected to the infected system and creating:-
->Autorun.innf
->BrO_AcT.exe
->My_SeXy.exe

and the USB drive will autorun anytime you connect it to the system. "THIS IS THE WAY HOW THE VIRUS SPREAD".

6) How Do I Get Rid of BrO_Act.exe ?

Update your anti-virus with latest virus definition. As far as I know :-

Nod32 AV - not detect, system infected
BitDefender 10 - not detect, system infected
McAfee - not detect, system infected

Avira - detected as Worm/VB.DH.1
AVG 7.5 Pro - detected as W32/VB
Kapersky - detected as Win32.VB.DH

I hope this little info will help you to eliminate this annoying virus.

All The Best....

killerWorm

2007-04-25T23:20:00.000-07:00

For u guys in the Lab, it might be a tiny problem for u guys in there. but there is a virus named bro_act associated with my sexy.exe, ntdetech.com, autorun.inf, winlogon and it stamped the folder title with "restrict by bro act". so far the only method to romove it is by manually editing the registry and deleting those files and others. and some how it misses ur scanning capability. i hope u guys can fixed that for us out here, soon, cause it's really like hell

autorun.inf [Open with note and delete text]
[save the files]
[Hidden files]