How to remove "Sujin.com.np" browser Hi-Jack Worm

"Sujin.com.np" seems to be a recent headache for many users within the country (Nepal) and in some other parts of the world. Instead of calling it a virus, I would rather call it a "browser hijack worm". It couldn't infect my Vista, and when I checked the code of the "Sujin.com.np" browser hijack worm, it wasn't a serious threat. Instead, it was coded to remove a couple of known malware files (ravmon, sxs, winfile, run).
Look at the code below:
If Fso.FileExists(Drives.Path & "\ravmon.exe") Then
    Fso.DeleteFile(Drives.Path & "\ravmon.exe")
End If
If Fso.FileExists(Drives.Path & "\sxs.exe") Then
    Fso.DeleteFile(Drives.Path & "\sxs.exe")
End If
If Fso.FileExists(Drives.Path & "\winfile.exe") Then
    Fso.DeleteFile(Drives.Path & "\winfile.exe")
End If
If Fso.FileExists(Drives.Path & "\run.wsh") Then
    Fso.DeleteFile(Drives.Path & "\run.wsh")
End If
A couple of things it did to intimidate people are:
1. It changed the browser's homepage to www.sujin.com.np. (Once, my friend thups and I did a registry hack and taskbar lock to make our site appear as the browser's homepage every time someone launched the browser. I didn't know that the same idea has today proliferated into something called "browser hijack".) It is hard to revert it back to the default.
2. Every 10 seconds, it looks for removable drives on the host and writes "Autorun.inf" to any new removable drive it finds, which is set to run the code that injects the same browser hijack script, on and on. That's why I called it a worm instead of a virus, since it tries to propagate itself every 10 seconds without harmful intention.
if Count <> 1 then
loop while Count<>1
3. It also tried to copy its VBS code to all the root drives of the system, which is of course suspicious, and it changed the registry in doing so. That caused it to load many times as a process, eating a bit of physical RAM.
If Not Fso.FileExists(SystemDir & "\VirusRemoval.vbs") then
set WriteAll = Fso.CreateTextFile(SystemDir & "\VirusRemoval.vbs",2,true)
set WriteAll = Fso.GetFile(SystemDir & "\VirusRemoval.vbs")
WriteAll.Attributes = -1
This Sujin.com.np is a mere browser hijack annoyance that sets the user's homepage to "www.sujin.com.np" and tries to hijack other people's browsers by injecting itself onto removable drives every ten seconds. So, whenever someone popped in a pen drive or floppy disk, the infected host injected the hijack script onto it. They went to another computer with the infected pen drive and it infected that computer, and that's how it seems to have exploded all over the region.
However, there is no malicious code inside it. The only motive is to set the user's browser to 'Sujin.com.np'.
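A defender-side check for the propagation path described above, added here as an example (it is not code from the worm or from the original post): it parses a drive root's Autorun.inf for entries that launch a script or executable and looks for the VirusRemoval.vbs name quoted above. The sample Autorun.inf content is constructed, and the script keeping the same file name on removable drives is an assumption.

```python
import os
import re
import sys

# [autorun] keys that make Windows launch a program when the drive is opened.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# File types a data-only removable drive has no reason to auto-launch.
RISKY_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|bat|cmd|exe|scr|com|pif)\b", re.I)

def parse_autorun(text):
    """Return (key, command) pairs from [autorun] that launch a script or binary."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key) and RISKY_EXT.search(value):
                hits.append((key.lower(), value))
    return hits

def scan_root(root, known_names=("VirusRemoval.vbs",)):
    """List autorun launch entries and known dropped scripts in one drive root."""
    findings = []
    names = {n.lower(): n for n in os.listdir(root)}  # case-insensitive lookup
    if "autorun.inf" in names:
        path = os.path.join(root, names["autorun.inf"])
        with open(path, "r", errors="replace") as fh:
            for key, cmd in parse_autorun(fh.read()):
                findings.append(f"{path}: {key} -> {cmd}")
    for wanted in known_names:  # assumption: same file name on every drive root
        if wanted.lower() in names:
            findings.append(f"{os.path.join(root, names[wanted.lower()])}: known script name")
    return findings

# Constructed sample: the page does not show the worm's Autorun.inf contents.
SAMPLE = """[autorun]
open=wscript.exe VirusRemoval.vbs
shell\\open\\command=wscript.exe VirusRemoval.vbs
icon=setup.ico
"""

if __name__ == "__main__":
    for root in sys.argv[1:]:  # pass one or more drive roots as arguments
        print("\n".join(scan_root(root)) or f"{root}: nothing flagged")
```

Run it against each removable drive root before opening the drive in Explorer; an entry in the output means the drive carries an auto-launch instruction and should be cleaned first.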
1. My first advice would be to disable the autorun feature of your operating system, because the autorun feature of your system triggered the worm. Here's how:
Here are the steps (for XP):
a. Start --> Run --> type "gpedit.msc" without the quotes and press Enter.
b. You will see the Group Policy console. There, under Local Computer Policy, there are a) Computer Configuration and b) User Configuration.
c. Since we are tweaking the computer configuration, under Computer Configuration --> select "Administrative Templates" --> select "System" --> Turn off Autoplay.
d. Double-click the "Turn off Autoplay" option and select "disabled" on the next screen.
(This will disable all kinds of autorun.)
** Prevention is better than cure.
2. But if Sujin.com.np is already resident in memory, download SCANNER here
Note: Thanks for your note, this heart of mine is Nepali!!!
Related links: http://www.meroguff.com/2007/05/autoruninf-worm-infecting-removable-usb.html