Sunday, December 23, 2007

How to remove the "Sujin.com.np" browser hijack worm

"Sujin.com.np" seems to be a recent headache for many users within the country (Nepal) and in some other parts of the world. Instead of calling it a virus, I would rather call it a "browser hijack worm". It couldn't infect my Vista machine, and when I checked the code of the "Sujin.com.np" browser hijack worm, it wasn't a serious threat. Instead, it was coded to remove a couple of known malwares (ravmon, sxs, winfile, run).
Look at the code below:
' Fragment of the worm's VBScript (quoted as received): it deletes the files of
' four known malwares from the root of each drive it visits.
If Fso.FileExists(Drives.Path & "\ravmon.exe") Then
    Fso.DeleteFile(Drives.Path & "\ravmon.exe")
End If
If Fso.FileExists(Drives.Path & "\sxs.exe") Then
    Fso.DeleteFile(Drives.Path & "\sxs.exe")
End If
If Fso.FileExists(Drives.Path & "\winfile.exe") Then
    Fso.DeleteFile(Drives.Path & "\winfile.exe")
End If
If Fso.FileExists(Drives.Path & "\run.wsh") Then
    Fso.DeleteFile(Drives.Path & "\run.wsh")
End If

A couple of things it did to intimidate people are:
1. It changed the browser's homepage to www.sujin.com.np (once, my friend Thups and I did the registry hack and taskbar lock to make our site appear as the browser's homepage every time someone launched the browser. I didn't know that the same idea would today have proliferated into something called a "browser hijack"). It is hard to revert back to the default.
2. Every 10 seconds, it scans the host for removable drives and writes an "Autorun.inf" to any new removable drive it finds, set up to run the code that injects the same browser hijack script, on and on. That's why I called it a WORM instead of a VIRUS: it tries to propagate itself every 10 seconds, without harmful intention.
' Propagation loop fragment: unless Count is 1, sleep 10 seconds (10000 ms)
' and go round again, rescanning the drives on every pass.
if Count <> 1 then
    Wscript.sleep 10000
end if
loop while Count<>1

3. And it tried to write its VBS code to the root of every drive on the system, which is of course suspicious, and it changed the registry in doing so. That caused it to load many times as a process, eating a bit of physical RAM.
' Drop fragment: if its own copy is missing, write the full script text (AllFile)
' to SystemDir\VirusRemoval.vbs, then set every file attribute (-1), which marks
' the file hidden and system so it does not show up in Explorer by default.
Do
If Not Fso.FileExists(SystemDir & "\VirusRemoval.vbs") then
    set WriteAll = Fso.CreateTextFile(SystemDir & "\VirusRemoval.vbs",2,true)
    WriteAll.Write AllFile
    WriteAll.close
    set WriteAll = Fso.GetFile(SystemDir & "\VirusRemoval.vbs")
    WriteAll.Attributes = -1
End If
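The behaviour listed above gives a defender three concrete things to look for on a suspect machine. The PowerShell below is an added example written for this post, not the worm's code or anyone's removal tool: it is a read-only check for the indicators the post describes (the hijacked IE start page, an autorun.inf at each drive root, the dropped VirusRemoval.vbs with its hidden/system attributes, and a running script host executing it). The IE "Start Page" value is the standard location where Internet Explorer stores the homepage; treating SystemDir as %SystemRoot%\System32 is an assumption, since the quoted fragment does not define it.

```powershell
# Added example (not the worm's code or the author's tool): read-only check for the
# indicators described in the post. Run from an elevated prompt; it changes nothing.

$findings = @()

# 1. Homepage: the post says the worm sets IE's start page to www.sujin.com.np.
#    "Start Page" under HKCU\...\Internet Explorer\Main is where IE keeps the homepage.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -match 'sujin\.com\.np') {
    $findings += "IE Start Page points at the hijack domain: $startPage"
}

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    # 2. autorun.inf at the drive root (the worm writes one to each removable drive it
    #    finds). Report the lines that launch something: open=, shellexecute=, shell\...\command=.
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $body = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue
        $launch = $body | Select-String -Pattern '^\s*(open|shellexecute|shell\\.*\\command)\s*='
        $lines = ($launch | ForEach-Object { $_.Line }) -join '; '
        $findings += "autorun.inf present on $($drive.Root): $lines"
    }
    # 3. The dropped script. Attributes = -1 in the quoted code sets every attribute,
    #    so the file is hidden and system; Get-Item needs -Force to see it.
    $vbs = Join-Path $drive.Root 'VirusRemoval.vbs'
    if (Test-Path -LiteralPath $vbs) {
        $attr = (Get-Item -LiteralPath $vbs -Force).Attributes
        $findings += "VirusRemoval.vbs at $($drive.Root) (attributes: $attr)"
    }
}

# The fragment also drops the script into SystemDir; assumed here to be System32.
$sysVbs = Join-Path $env:SystemRoot 'System32\VirusRemoval.vbs'
if (Test-Path -LiteralPath $sysVbs) { $findings += "VirusRemoval.vbs in $sysVbs" }

# 4. A resident copy: a Windows Script Host process whose command line names the script.
Get-CimInstance -ClassName Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
    Where-Object { $_.CommandLine -match 'VirusRemoval\.vbs' } |
    ForEach-Object { $findings += "Running script host PID $($_.ProcessId): $($_.CommandLine)" }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

It only reports. Removing the files, the autorun.inf and the homepage value is a deliberate second step, and the autorun.inf must go together with the script it points to, otherwise the next insertion of the drive re-triggers the same chain.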


My Verdict:

This Sujin.com.np is just a mere browser hijack annoyance: it sets the user's homepage to "www.sujin.com.np" and tries to hijack other people's browsers by injecting itself onto removable drives every ten seconds. So whoever popped in a pen drive or floppy disk got the hijack script injected onto it by the infected host. They then went to another computer with the infected pen drive, it infected that computer too, and that is how it seems to have exploded all over the region.

However, there is no malicious code inside it. Its only motive is to set the user's browser homepage to 'Sujin.com.np'.

Solutions:

1. My first advice would be to disable the autorun feature of your operating system, because the autorun feature of your system is what triggered the worm. Here are the steps (for XP):

a. Start ---> Run --> type "gpedit.msc" without the quotes and press Enter.

b. You'll see the Group Policy console. There, under Local Computer Policy, there are a) Computer Configuration and b) User Configuration.

c. Since we are tweaking the computer configuration, go to Computer Configuration --> "Administrative Templates" --> "System" ---> "Turn off Autoplay".

d. Double-click that "Turn off Autoplay" option and select "disabled" on the next screen.

(This will disable all kinds of autorun.)
** Prevention is better than cure.
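The Group Policy setting above is stored in the registry, and reading the stored value is the quickest way to confirm on a machine you are cleaning that the change actually took effect. The PowerShell below is an added example, not part of the original post: it reads NoDriveTypeAutoRun under the Policies\Explorer key, which is where the computer-level "Turn off Autoplay" policy writes, and decodes it bit by bit (each bit corresponds to one drive type, in GetDriveType order). The Disable-AutorunAllDrives function writes the all-drives value 0xFF directly, for machines where gpedit.msc is not available (the Home editions of XP do not ship it).

```powershell
# Added example (not from the post or its author): what the gpedit steps do under the hood.
# "Turn off Autoplay" for all drives stores NoDriveTypeAutoRun = 0xFF under Policies\Explorer;
# each set bit switches autorun off for one drive type.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$driveTypeBits = [ordered]@{
    0x01 = 'unknown';  0x02 = 'no root directory'; 0x04 = 'removable'; 0x08 = 'fixed';
    0x10 = 'network';  0x20 = 'CD-ROM';            0x40 = 'RAM disk';  0x80 = 'reserved'
}

function Show-AutorunPolicy {
    # Prints the current policy value and, per drive type, whether autorun is still allowed.
    $current = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $current) {
        'NoDriveTypeAutoRun is not set under the policy key (Windows default applies).'
        return
    }
    'NoDriveTypeAutoRun = 0x{0:X2}' -f $current
    foreach ($bit in $driveTypeBits.Keys) {
        $state = if ($current -band $bit) { 'autorun OFF' } else { 'autorun allowed' }
        '  {0,-18} {1}' -f $driveTypeBits[$bit], $state
    }
}

function Disable-AutorunAllDrives {
    # Writes the same value the all-drives policy produces. Needs an elevated prompt.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

Show-AutorunPolicy
# Disable-AutorunAllDrives   # uncomment to apply, then run Show-AutorunPolicy again
```

Whatever was chosen in the console, the effective state is what this value shows: 0xFF means every bit is set and autorun is off for every drive type, while a value with the 0x04 bit clear means removable drives, the ones this worm rides on, would still autorun. The per-user copy of the policy (User Configuration) lives under HKCU at the same key path.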


2. But if Sujin.com.np is already resident in memory, download the SCANNER here.

Note: Thanks for your note, यो मन त मेरो नेपाली हो!!!

Thanks to MangalMan for providing me the "worm code" to study and analyze.


Related links: http://www.meroguff.com/2007/05/autoruninf-worm-infecting-removable-usb.html

9 comments:

MangalMan said...

Hi Navin, should I stick with this new-found pseudo name of mine?? What do you think? Identity crisis!!!!!

आकार said...

Yes, it's not a virus (?), but it has given trouble... Anyway, I've removed it..
Nabin bro! Can we share our blog links??.....
And also Sulabh has remembered you, but you may not recognize him exactly...

Navin said...

Mangalman!!! Sounds good. Typical Nepalese name and I really liked it, bro!!!
I won't call it I-crisis; everyone has a pseudo name. :)

Aakar, sure bro, we can add our links. I'll add your blog to mine within 2 minutes :)

यो मन त मेरो नेपाली हो said...

I appreciate your effort in analyzing the sujin.com.np worm problem and the solution you suggested. The worm just makes a few tweaks in the registry, and the problem can be resolved by making some changes in the registry. But if I have to remove the worm from several computers, then I'd definitely require a script.

I have tried using both the tools/scripts 'scanner.exe' and 'AntiSujin'. 'scanner.exe' works flawlessly, but although 'AntiSujin' removes the worm, it still changes the IE homepage to http://back2mangalman.blogspot.com/.

Mangalman is also trying to get popular by spreading a script which removes the worm but does something the users don't want (changes their homepage).

So I cannot agree with your second solution. I'd recommend 'scanner.exe'.

"2. But, if Sujin.com.np is already resident in the memory, I strongly recommend you to download AntiSujin 2.0 by Mangalman.
Password to extract: www.meroguff.com
Note: And, I don't recommend the use of scanner.exe to remove the worm. Because, it's the remedy tool created by the same guy who created this worm."


Microsoft has bundled IE with Windows, so people cannot think of any browser other than IE. Firefox is a much better option than any version of IE.

Navin said...

यो मन त मेरो नेपाली हो, I edited the part you suggested regarding AntiSujin, because Mangalman is my friend and I blindly put up his removal tool without ever looking at the code. You're right, the browser title is still directed to his blog address.

And about what you wrote on Microsoft, I totally disagree. I know Firefox is good, but Microsoft is not evil for bundling IE and Windows together. I wish Microsoft would put all the necessary codecs/drivers/browsers/tools/players etc. in their OS, but MS would then have to face hundreds of lawsuits. I'm with Microsoft all the time. Their virtuous intentions are being morphed into something evil.

यो मन त मेरो नेपाली हो said...

Thanks. As I said earlier, your information about the worm is the most comprehensive and informative as well. Now it has become even better.

And about the Microsoft thing, I didn't mean that Microsoft is evil for bundling IE with Windows. In fact, MS has done a good thing by bundling the software. If they hadn't bundled IE, the internet would not have been as popular as it is now, and many people would not have had such easy access to the internet. I just meant to say that Firefox is a lot better than IE. IE is just a basic browser and has many security loopholes.

Only if Microsoft had bundled Firefox it would have been even better. Just like सुनमा सुगन्ध (fragrance on gold).

Navin said...

Hahaha, I agree with you, यो मन त मेरो नेपाली हो.
Firefox is better than Microsoft IE, and just like you wished.. wow. At least we can wish.. what else can we do??

Leer said...

I was wondering... Does RavMon delete your Group Policies? 'Cause the system tells me "gpedit.msc" doesn't exist. Plus, I no longer have any control over Folder Options.

I've already deleted RavMon.exe and its goons: autorun in each HD partition. What should I do now to fix Folder Options?

Navin said...

Hi Leer,
No, the Group Policy must have been disabled.

Please check the links below for solutions.

For autorun stuff:
http://www.meroguff.com/2007/05/autoruninf-worm-infecting-removable-usb.html

For the disabled Folder Options issue:
http://www.meroguff.com/2007/07/remove-restrictions-tool-v20.html

Hope that helps you. :)
