Thursday, February 19, 2015

How to remove VBS_WORM (33)

Removal instructions for VBS_WORM (33)


Virustotal scan

Related tutorials with screenshots:

How to Remove a VBS Worm
Ultimate Guide in Removing VBS Worms


Analysis:


Type of file: VBSFile
Description:
Location: C:\Users\WinXPert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Size: 59510 b
MD5: 1B6F482F076F767D8E9D6A5123B80B5B

Keys added:
HKCU\Software\Classes\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}
HKCU\Software\Classes\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32
HKCU\Software\Classes\DynamicWrapperX
HKCU\Software\Classes\DynamicWrapperX\CLSID

Values added:
HKCU\di: "!"
HKCU\Environment\SEE_MASK_NOZONECHECKS: "1"
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{D9845EAB-A870-43A4-87C1-63B8738825D5}: "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe|Name=MSBUILD.EXE|"
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{8E2DEC74-E4A0-4DE1-8088-E2AC6FE58AE5}: "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe|Name=MSBUILD.EXE|"
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{D9845EAB-A870-43A4-87C1-63B8738825D5}: "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe|Name=MSBUILD.EXE|"
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{8E2DEC74-E4A0-4DE1-8088-E2AC6FE58AE5}: "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe|Name=MSBUILD.EXE|"
HKCU\Software\Classes\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\: "C:\Users\WinXPert\AppData\Local\Temp\HOUDINI.BIN"
HKCU\Software\Classes\DynamicWrapperX\CLSID\: "{89565275-A714-4a43-912E-978B935EDCCC}"
HKCU\Software\6101e9ff9e3b0ece7cc23757d642f8f6\[kl]: ""


Files added:
%Temp%\VBS_WORM (33).vbs

%Temp%\HOUDINI.BIN


Manual Removal Instructions for VBS_WORM (33):


If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Use Task Manager to terminate the malicious process MSBuild.exe

2.  Delete HOUDINI.BIN and VBS_WORM (33).VBS from this location:

    %Temp%

3.  Repair the registry using this reg script.  Note that the registry key VBS_WORM (32) is random and takes the filename of the .vbs file.

Windows Registry Editor Version 5.00

;1B6F482F076F767D8E9D6A5123B80B5B
[-HKEY_CURRENT_USER\Software\Classes\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32]
[-HKEY_CURRENT_USER\Software\Classes\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}]
[-HKEY_CURRENT_USER\Software\Classes\DynamicWrapperX\CLSID]
[-HKEY_CURRENT_USER\Software\Classes\DynamicWrapperX]
[HKEY_CURRENT_USER]
"di"=-
[HKEY_CURRENT_USER\Environment]
"SEE_MASK_NOZONECHECKS"=-


4.  Remove MSBuild.exe from your firewall exceptions using this command at the CMD prompt:

netsh firewall delete allowedprogram MSBuild.exe

5.  Update your antivirus program and perform a full scan of the computer.
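As an added example (not the author's own script), here is a PowerShell audit that checks every indicator listed in the analysis above and, when run with -Remove, carries out steps 2 to 4 in one pass. The -Remove switch and the match on the App= field of the firewall rule strings are my assumptions; the rule GUIDs differ from host to host, so the script does not rely on them.

```powershell
# Added example (not from the original post): audit the indicators listed above
# on a host and optionally remove them. Run as the affected user (HKCU entries)
# from an elevated prompt (HKLM firewall rules). -Remove is an assumption here.
param([switch]$Remove)
$clsid = '{89565275-A714-4a43-912E-978B935EDCCC}'
$files = @(
    (Join-Path $env:TEMP 'HOUDINI.BIN'),
    (Join-Path $env:TEMP 'VBS_WORM (33).vbs')
)
$keys = @(
    "HKCU:\Software\Classes\CLSID\$clsid",
    'HKCU:\Software\Classes\DynamicWrapperX'
)
$values = @(
    @{ Path = 'HKCU:\';            Name = 'di' },
    @{ Path = 'HKCU:\Environment'; Name = 'SEE_MASK_NOZONECHECKS' }
)
$fwPath = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

$found = 0
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $found++; Write-Output "FILE   $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $found++; Write-Output "KEY    $k"
        if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}
foreach ($v in $values) {
    $item = Get-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($item) {
        $found++; Write-Output "VALUE  $($v.Path)\$($v.Name)"
        if ($Remove) { Remove-ItemProperty -LiteralPath $v.Path -Name $v.Name }
    }
}
# Each firewall rule is one string value; match the App= field (MSBuild.exe)
# rather than the rule GUIDs, which are not stable across infected hosts.
$rules = Get-ItemProperty -LiteralPath $fwPath -ErrorAction SilentlyContinue
foreach ($p in $rules.PSObject.Properties) {
    if ($p.Value -is [string] -and $p.Value -match 'App=.*\\MSBuild\.exe\|') {
        $found++; Write-Output "FWRULE $($p.Name): $($p.Value)"
        if ($Remove) { Remove-ItemProperty -LiteralPath $fwPath -Name $p.Name }
    }
}
Write-Output "$found indicator(s) found$(if ($Remove) { ' and removed' })"
```

Run it once without -Remove to confirm the findings match this report before deleting anything; the hash-named key under HKCU\Software (random per infection) still has to be removed by hand.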



All my tutorials are based on my own research.  If you find this tutorial useful, please comment or share.  You can also help fund my continued work by making a donation.  Thank you and GOD bless!

To GOD be the glory!

All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2015 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.
