As mentioned in the topic title, this worm has hit UUM; it was detected yesterday on an Acer laptop. Currently only the Sophos database has a detailed technical description of the worm.
http://www.sophos.com/security/analyses/w32sillyfdcd.html
As usual, the affected operating system is Microsoft Windows. It spreads via Autorun from portable USB drives.
This worm creates:
C:\Windows\System\BrO_AcT.exe
C:\Windows\System\"Your Computer Name"\svchost.exe
(Note the path: the legitimate svchost.exe lives in C:\Windows\System32, so an svchost.exe under C:\Windows\System\ is the worm's lookalike, not the real Service Host.)
Registry:
An entry that runs BrO_AcT.exe and svchost.exe when Windows starts.
Symptoms
1. A pop-up box titled BrO_AcT.exe, rambling about how the author is trying to make your OS better.
2. Task Manager (taskmgr.exe), Command Prompt (cmd.exe) and the Microsoft System Configuration Utility (msconfig.exe) are closed automatically.
Threats
The worm copies itself to any portable USB drive connected to the system, creating on the drive:
- Autorun.inf
- BrO_AcT.exe
- My SeXy.exe
The Autorun.inf launches the worm every time the infected USB drive is connected to another system.
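As an added example (not code from the original post), the Python script below checks the two indicator classes described above: a Run-key entry that starts the dropped files at boot, and an autorun.inf that launches them from a USB drive. The autorun.inf contents, the Run value names and the computer name LAB-PC are constructed for illustration; the file names and paths are the ones reported in the post. The svchost.exe check flags any copy outside C:\Windows\System32, which is more general than the single path the post names.

```python
import configparser
import ntpath

# Indicators taken from the post: files the worm drops on the host and on USB drives.
WORM_FILES = {"bro_act.exe", "my sexy.exe"}

# The genuine Service Host binary lives in System32. The post reports the worm's copy at
# C:\Windows\System\<computer name>\svchost.exe, i.e. a lookalike outside that directory.
LEGIT_SVCHOST_DIR = r"c:\windows\system32"

# Constructed sample autorun.inf; the page does not reproduce the real file's contents,
# so the exact directives below are an assumption.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=BrO_AcT.exe
shellexecute=My SeXy.exe
shell\\open\\command=BrO_AcT.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed sample of Run-key values as (key path, value name, command line).
# The value names and the computer name LAB-PC are invented; only the paths come from the post.
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "BrO_AcT",
     r"C:\Windows\System\BrO_AcT.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"C:\Windows\System\LAB-PC\svchost.exe"),
]


def _program_of(command_line):
    """Return the program path of a command line, honouring a quoted first token."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: treat the whole line as the program. Real values can carry arguments,
    # but splitting on spaces would break names such as "My SeXy.exe".
    return cmd


def autorun_targets(inf_text):
    """Executables an autorun.inf would launch via open=, shellexecute= or shell\\<verb>\\command=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":      # [autorun] / [AutoRun] are both valid
            continue
        for key, value in cp.items(section):  # option names are lowercased by ConfigParser
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launches:
                targets.append(_program_of(value))
    return targets


def is_worm_binary(path):
    """True for the dropped files named in the post, or an svchost.exe outside System32."""
    name = ntpath.basename(path).lower()
    if name in WORM_FILES:
        return True
    if name == "svchost.exe":
        return ntpath.dirname(path).lower() != LEGIT_SVCHOST_DIR
    return False


def scan_autorun(inf_text):
    """Launch targets in an autorun.inf that match the worm's indicators."""
    return [t for t in autorun_targets(inf_text) if is_worm_binary(t)]


def scan_run_entries(entries):
    """(key, name, command) triples whose program matches the worm's indicators."""
    return [e for e in entries if is_worm_binary(_program_of(e[2]))]


if __name__ == "__main__":
    for hit in scan_autorun(SAMPLE_AUTORUN_INF):
        print("autorun.inf launches:", hit)
    for key, name, cmd in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run value {name} under {key}: {cmd}")
```

On a live system you would feed `autorun_targets` the autorun.inf read from the root of each removable drive, and `scan_run_entries` the values enumerated from the HKLM and HKCU Run keys; the matching logic stays the same.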
I've tested the worm against six antivirus products with the latest updates (19/11/06).
1. NOD32 2.5 = not detected as malware, worm executed, system infected
2. Symantec Corporate Edition 10.1 = not detected as malware, worm executed, system infected
3. BitDefender 10 = not detected as malware, worm executed, system infected
4. McAfee VirusScan Enterprise 8.0i = not detected as malware, worm executed, system infected
5. AVG 7.5 Pro = detected as W32/VB
6. Kaspersky KIS 6 = detected as Win32.VB.DH
7. ClamAV = detected as Worm.Torb (tested by razif)
For those using McAfee VirusScan Enterprise, you can block or remove this worm by manually adding the names of the files it creates as user-defined items in the "Unwanted Programs" policy.
If you want to test the worm, you can download the sample from
http://faizi.myictnetwork.org/bro_act.zip
bro_act.zip
|_ BrO_AcT1.zip
|_ BrO_AcT.exe
|_ BrO_AcT1.exe
|_ svchost.zip
|_ svchost.exe
Archive password: edubase
* Please be advised that the author and the fakap community cannot be held responsible for any mishaps that happen to your system from testing and executing the worm from these files.
* In other words, if your system gets fakaped by this worm, you're on your own.
* Nor will we be held responsible for any wrongdoing resulting from the worm downloaded here.
Update your AV protection before your system gets fakaped.
Comments
Ooh.. I think this is the mystery virus my friend was telling me about... you can't even get into the command prompt... regedit disabled.. antivirus disabled too.. nasty.. even Symantec AV, which can usually be relied on, surrendered... hopefully there's an antigen for it...
Using AVG 7.5 works, man.. but you have to keep it constantly updated.. hehe.. I've already done it.. sorted, man.. no need to format.
No need for all that..
You guys won't believe it..
Just restart the computer and hit F8 until the Advanced Boot Options appear.
Then select Last Known Good Configuration and press Enter.
Done.. all those viruses completely gone.. don't worry about the files you've edited or updated, like Word documents, pictures, etc... it won't affect them.. it only affects the registry and other settings in the system... this bloody virus does create values in the registry too..
Proved and tested.. by me.. because I just got hit earlier.. updated AVG.. still the same.. in the end I remembered this basic method.. =D
Bye..
wassalam.