
All about Bro_Act, My experience dealing with this virus.

TSnetcrusader
post Mar 18 2007, 07:22 PM, updated 18y ago




Here is the story. I was helping my cousin to clean this virus, and thus the details written below are truly based on my experience.

From what I searched on Yahoo, there is still very limited information on this virus. In fact, it is spreading like wildfire nowadays, as you can see from the number of users posting about it in this forum. I am writing this so that I can help those who are infected by this virus as well.

1. What is Bro_Act virus?

This is a virus whose origin is believed to be IDO.

p/s: Symantec AV identifies it as W32.sillyDC.
DrWeb CureIT identifies it as Win32.HLLW.Broact.



2. How does it spread?

It spreads through USB drives. An infected thumb drive will show these files: "MySexy.exe", "User.exe" and "Sexy.Dat".

3. Any symptoms?

- When opening a folder, you see this sentence: "Restrict By Bro_Act".
- When you right-click on your local drive, you see "Autorun" as the first option, in bold.
- When you try to open the C:\Windows\System32 folder, Explorer closes itself.
- Right-click My Computer, select Properties, select Computer Name, click the Change button, and you find that your computer name has been changed to "ReAct_User".
- Task Manager, Regedit and Msconfig are disabled.
- Antivirus might be disabled.
- System Restore gives an error message when you try to turn it off.
- If you manage to open Task Manager, go to Processes. You will see that the "User Name" column is blank for all processes. (One of the svchost.exe and winlogon.exe processes is launched from the ReAct_User folder in System32.)
- If you manage to open Task Manager, go to Applications. You will see two applications named "[Program Manager] Restrict By Bro_act" and "Restrict By Bro_act".

4. How do I confirm that I am infected?

Run HijackThis. These are the entries added:
C:\WINDOWS\system32\BrO_AcT.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\default__.pif"
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM32\BrO_AcT.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe


5. What are the files added?

C:\WINDOWS\system32\BrO_AcT.exe
C:\WINDOWS\default__.pif
C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe
C:\WINDOWS\SYSTEM32\ReAct_User\winlogon.exe
C:\ReActLog (something with this name)
NTDETCH.com (in the root folder of all your drives)
Autorun.inf (in the root folder of all your drives)
Hundreds of files in C:\System Volume Information\_restore{7C0D0734-E9F5-4A30-ABD4-977206CFACB2}\RP411 (with names like A0062080.com, A0062083.pif, A0062092.exe, etc.)
C:\WINDOWS\system32\MySexy.exe
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\msconfig.com

p/s: All these files are flagged as the Win32.HLLW.Broact virus and deleted by the Dr.Web CureIt antivirus software.

6. How do I remove this virus?

In my case, since the AVG Free 7.5 on the system was disabled, I used the Doctor Web CureIt free antivirus scanner. Dr.Web CureIt is able to detect the Bro_Act virus as Win32.HLLW.Broact.

Steps (these steps are from the SpywareInfo forum):

- Download Dr.Web CureIt to the desktop:
  ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Double-click the drweb-cureit.exe file and allow it to run the express scan.
- This will scan the files currently running in memory, and when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
- Once the short scan has finished, click Options > Change settings.
- Choose the "Scan" tab and remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click "Yes to all" if it asks whether you want to cure/move the file.
- When the scan has finished, look whether you can click the icon next to the files found.
- If so, click it, then click the icon right below and select "Move incurable", as shown in the next image.
  This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
- After selecting, in the Dr.Web CureIt menu at the top, click File and choose "Save report list".
- Save the report to your desktop. The report will be called DrWeb.csv.
- Close Dr.Web CureIt.
- Reboot your computer!! Files that are in use may only be moved/deleted during the reboot.

For USB drive, I recommend you to format it.

Remember to turn off your System Restore and turn it on again to flush away all the files inside.

--------------------------------------------------------------------------------------------

This part shows roughly how this virus works:

7. Why can't I access Regedit from Start>Run?

The virus added one file named "Regedit.com" into C:\WINDOWS\system32\, which is the same folder as the file "Regedit.exe". Any .com file will run before the .exe file. So, when you type "Regedit" in Start > Run, the file you actually run is "Regedit.com". It will close Explorer.

8. Why can't I access Msconfig from Start>Run?

Same concept as above. A file named "Msconfig.com" is added into C:\WINDOWS\system32\, which is the same folder as the file "Msconfig.exe".

9. Why do I keep getting this virus even after I deleted the file Bro_Act.exe?

p/s: This is my belief on how the virus reinfects your computer, but it is not guaranteed 100% correct because I didn't look into the code.

To understand this, we need to look at the HijackThis entry:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\default__.pif"

We use Explorer.exe to navigate the contents of a folder. Every time you open a folder, explorer.exe will run. The problem is that explorer.exe is now linked to C:\WINDOWS\default__.pif. I don't know exactly what this file does, but I believe that it checks whether "Bro_Act.exe", "ReAct_User\svchost.exe", "msconfig.com", "regedit.com", "NTDETCH.com", etc. are still in place. If they are not, a copy will be fetched/restored from the C:\System Volume Information\_restore folder, as you can see there are hundreds of files in that folder. (Now you see why it does not allow you to turn off System Restore?)

When you access your local drive, "Autorun.inf" will link to another file named "NTDETCH.com", as you can see from the screenshot below. I don't know exactly what it does, but I believe that this is the culprit that closes Explorer when you try to access the C:\Windows\System32 folder.



----------------------------------------------------------------------------------------------

p/s: This is definitely not a copy-and-paste job. All of it is based on my personal experience dealing with this virus. Some of the info was obtained from uncle Google.

That's all for now. If I get more info, I will update it accordingly.

Regards,
netcrusader.
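The two mechanisms the post describes, the .com companion file winning over regedit.exe in Start > Run and the HijackThis F2/O4 entries, can be checked with a small triage script. The following is an added example and not the poster's code or anything from Dr.Web or HijackThis. It models Start > Run resolution using the default PATHEXT order (on Windows, .COM is listed before .EXE, which is why a bare "regedit" hits regedit.com once that file exists) and flags the entries quoted in section 4. The System32 listing and the log text are constructed from the file names in the post, the "ExampleApp" entry is an invented benign line, and the script assumes Windows is installed at C:\WINDOWS as in the post.

```python
"""Added triage helpers for the Bro_Act indicators described in the post.

Not the poster's code. It models two things the post describes:
  1. how a bare name typed into Start > Run resolves to a .com before a .exe
     (Windows tries the PATHEXT extensions in order, and .COM precedes .EXE
     by default), which is why "regedit" ran regedit.com once that file existed;
  2. how the HijackThis entries the post lists can be flagged by a log triage.
Paths assume a Windows install at C:\\WINDOWS, as in the post.
"""
import re
from pathlib import PureWindowsPath

# Assumption: an unmodified default PATHEXT prefix. .COM is tried before .EXE.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]


def resolve_run_command(command, dir_listing, pathext=DEFAULT_PATHEXT):
    """Return the file a bare command name resolves to within one directory,
    or None. Lookups are case-insensitive, like NTFS name matching."""
    names = {n.lower(): n for n in dir_listing}
    if "." in command:                      # an explicit extension is taken as-is
        return names.get(command.lower())
    for ext in pathext:                     # otherwise try extensions in PATHEXT order
        hit = names.get((command + ext).lower())
        if hit is not None:
            return hit
    return None


# Constructed System32 listing containing the companion .com files the post names.
INFECTED_SYSTEM32 = ["regedit.exe", "regedit.com", "msconfig.exe", "msconfig.com", "taskmgr.exe"]

# Case-insensitive substrings of the paths the post attributes to the virus.
SUSPICIOUS_PATH_MARKERS = ("bro_act", "react_user", "default__.pif")

# svchost.exe and winlogon.exe belong directly in System32; the post saw copies
# running from a ReAct_User subfolder instead.
PROTECTED_NAMES = {"svchost.exe", "winlogon.exe"}
SYSTEM32_DIR = r"c:\windows\system32"


def is_misplaced_system_binary(path):
    """True when a file named like a core system binary lives outside System32 itself."""
    p = PureWindowsPath(path)
    if p.name.lower() not in PROTECTED_NAMES:
        return False
    return str(p.parent).lower() != SYSTEM32_DIR


HJT_LINE = re.compile(r"^(?P<code>F2|O4)\s*-\s*(?P<body>.*)$")
O4_TARGET = re.compile(r"\[[^\]]*\]\s*(?P<path>\"[^\"]+\"|\S+)")


def triage_hijackthis(log_text):
    """Return (code, reason, line) for each F2/O4 entry matching the post's indicators."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        lowered = body.lower()
        reasons = []
        if code == "F2" and "shell=" in lowered:
            # The system.ini Shell value on a clean system is exactly Explorer.exe;
            # anything appended is launched alongside the shell on every logon.
            value = lowered.split("shell=", 1)[1].strip()
            if value != "explorer.exe":
                reasons.append("Shell value extended beyond Explorer.exe")
        elif code == "O4":
            if any(marker in lowered for marker in SUSPICIOUS_PATH_MARKERS):
                reasons.append("Run entry points at a path the post attributes to Bro_Act")
            t = O4_TARGET.search(body)
            if t and is_misplaced_system_binary(t.group("path").strip('"')):
                reasons.append("system binary name launched from outside System32")
        if reasons:
            findings.append((code, "; ".join(reasons), line))
    return findings


# Constructed log: the entries quoted in the post plus one invented benign entry.
SAMPLE_HJT_LOG = r"""
C:\WINDOWS\system32\BrO_AcT.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\default__.pif"
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM32\BrO_AcT.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
"""

if __name__ == "__main__":
    print("Start > Run 'regedit' resolves to:", resolve_run_command("regedit", INFECTED_SYSTEM32))
    for code, reason, line in triage_hijackthis(SAMPLE_HJT_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Running the script shows "regedit" resolving to regedit.com, and the triage flags the F2 Shell line and both O4 entries while leaving the benign entry alone; the ReAct_User svchost.exe entry is flagged twice, once for the path marker and once because a file named svchost.exe is being started from a subfolder rather than from System32 itself, which is the check that still works when the folder name changes.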
