
How to remove " Sujin.com.np " browser Hi-Jack Worm

"Sujin.com.np" seems to be a recent headache for many users within the country (Nepal) and in some other parts of the world. Instead of calling it a virus, I would rather call it a "browser hijack worm". It couldn't infect my Vista machine, and when I checked the code of the Sujin.com.np browser hijack worm, it wasn't a serious threat. Instead, part of it was coded to remove a couple of known malware files (ravmon.exe, sxs.exe, winfile.exe, run.wsh).
Look at the code below:

```vbscript
' Clean-up routine found in the worm: on each drive it visits, delete the
' files dropped by other well-known USB worms if they are present.
If Fso.FileExists(Drives.Path & "\ravmon.exe") Then
    Fso.DeleteFile(Drives.Path & "\ravmon.exe")
End If
If Fso.FileExists(Drives.Path & "\sxs.exe") Then
    Fso.DeleteFile(Drives.Path & "\sxs.exe")
End If
If Fso.FileExists(Drives.Path & "\winfile.exe") Then
    Fso.DeleteFile(Drives.Path & "\winfile.exe")
End If
If Fso.FileExists(Drives.Path & "\run.wsh") Then
    Fso.DeleteFile(Drives.Path & "\run.wsh")
End If
```

A couple of things it does to intimidate people:
1. It changes the browser's homepage to www.sujin.com.np. (Once, my friend Thups and I did the registry hack and taskbar lock to make our site appear as the browser's homepage every time someone launched the browser. I didn't know that the same idea has today proliferated into something called a "browser hijack".) It is hard to revert back to the default.
2. Every 10 seconds, it looks for removable drives on the host and, if it finds a new one, writes an "Autorun.inf" to it that is set to run the code that injects the same browser hijack script, on and on. That's why I call it a WORM instead of a VIRUS: it tries to propagate itself every 10 seconds, without harmful intention.

```vbscript
' Propagation loop: unless the script has been told to stop (Count = 1),
' wait 10 seconds (10000 ms) and go round again looking for new drives.
If Count <> 1 Then
    WScript.Sleep 10000
End If
Loop While Count <> 1
```

3. And it tries to keep its VBS code on the root of every drive on the system, which is of course suspicious, and it changes the registry in doing so. That causes it to be loaded many times as a process, eating a bit of physical RAM.

```vbscript
' Self-copy: if its own file is not yet in the system directory, write the
' whole script text (AllFile) there as VirusRemoval.vbs and set every file
' attribute bit on it (-1 = read-only, hidden, system, archive, ...) so it
' stays out of sight in Explorer.
Do
    If Not Fso.FileExists(SystemDir & "\VirusRemoval.vbs") Then
        Set WriteAll = Fso.CreateTextFile(SystemDir & "\VirusRemoval.vbs", 2, True)
        WriteAll.Write AllFile
        WriteAll.Close
        Set WriteAll = Fso.GetFile(SystemDir & "\VirusRemoval.vbs")
        WriteAll.Attributes = -1
    End If
```
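As an added example, not the worm's code or any tool mentioned on this page, here is a small Python triage script a defender can run against a suspect removable drive after reading points 2 and 3: it parses autorun.inf, flags launch entries that invoke a script host or a script file, and checks whether the script the entry names (VirusRemoval.vbs in the sample) is really sitting at the drive root. The constants and function names are this example's own choices, and the drive root it builds in a temp directory is constructed, not a real capture.

```python
"""Triage for autorun.inf worms like the one above (added example, not the worm's code or
any tool on the page): flag script-launching autorun entries, find the referenced script."""
import configparser
import os
import tempfile
from typing import Dict, List

LAUNCH_KEYS = ("open", "shellexecute")  # icon= and label= are cosmetic only
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "cmd")  # heuristic list, this example's own
SCRIPT_EXTS = (".vbs", ".vbe", ".wsf", ".js", ".jse", ".bat", ".cmd", ".hta")

def launch_entries(text: str) -> Dict[str, str]:
    """Map key -> command for every [autorun] entry that executes something."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    sec = next((s for s in cfg.sections() if s.lower() == "autorun"), None)
    return {} if sec is None else {
        k: v.strip() for k, v in cfg.items(sec)
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}

def autorun_findings(text: str) -> List[str]:
    """Launch entries whose command names a script host or a script extension."""
    findings = []
    for key, cmd in launch_entries(text).items():
        parts = [os.path.splitext(os.path.basename(t.strip('"').lower())) for t in cmd.split()]
        if any(n in SCRIPT_HOSTS for n, _ in parts) or any(e in SCRIPT_EXTS for _, e in parts):
            findings.append(f"{key}={cmd}")
    return findings

def referenced_scripts_present(root: str) -> List[str]:
    """Scripts named in <root>/autorun.inf that actually exist at that root."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="utf-8", errors="replace") as f:
        cmds = launch_entries(f.read()).values()
    names = {t for cmd in cmds for t in (x.strip('"') for x in cmd.split())
             if os.path.splitext(t)[1].lower() in SCRIPT_EXTS}
    return sorted(n for n in names if os.path.isfile(os.path.join(root, n)))

def demo_scan() -> Dict[str, List[str]]:
    """Build a constructed drive root in a temp dir (not a real sample) and triage it."""
    root = tempfile.mkdtemp()
    inf = ("[autorun]\nopen=wscript.exe //e:vbs VirusRemoval.vbs\n"
           "shell\\open\\Command=wscript.exe VirusRemoval.vbs\nicon=shell32.dll,4\n")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write(inf)
    open(os.path.join(root, "VirusRemoval.vbs"), "w").close()  # empty stand-in for the script
    return {"findings": autorun_findings(inf), "present": referenced_scripts_present(root)}
```

A clean driver CD whose autorun.inf only carries open=setup.exe plus icon= and label= produces no findings, which is the point of keying on script hosts and extensions rather than on the mere presence of the file.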


My Verdict:

This Sujin.com.np is just a mere browser hijack annoyance that sets the user's homepage to www.sujin.com.np and tries to hijack other people's browsers by injecting itself onto removable drives every ten seconds. So whoever popped a pen drive or floppy into an infected host got the hijack script injected onto it; they took the infected pen drive to another computer, it infected that one too, and that's how it seems to have exploded all over the region.

However, there is no malicious code inside it. The only motive is to set the user's browser homepage to Sujin.com.np.

Solutions:

1. My first advice would be to disable the autorun feature of your operating system, because the autorun feature of your system is what triggered the worm. Here are the steps (for XP):

a. Start ---> Run --> type "gpedit.msc" without the quotes and press Enter.

b. The Group Policy console appears. Under Local Computer Policy there are a) Computer Configuration and b) User Configuration.

c. Since we are tweaking the computer configuration: under Computer Configuration --> select "Administrative Templates" --> select "System" ---> Turn off Autoplay.

d. Double-click the "Turn off Autoplay" option and select "disabled" on the next screen.

(This will disable all kinds of autorun.)
** Prevention is better than cure.


2. But if Sujin.com.np is already resident in memory, download SCANNER here.

Note: Thanks for your note, यो मन त मेरो नेपाली हो!!!

Thanks to MangalMan for providing me the "Worm code" to study and analyze.


Related links: http://www.meroguff.com/2007/05/autoruninf-worm-infecting-removable-usb.html

Comments

Anonymous said…
Hi Navin, should I stick with this new-found pseudonym of mine?? What do you think? Identity crisis!!!!!
Aakar said…
Yes, it's not a virus(?) But it has given trouble... Anyway, I've removed it..
Nabin bro! Can we share our blog links??.....
And also, Sulabh has remembered you, but you may not recognize him exactly...
Navin said…
Mangalman!!! Sounds good, a typical Nepalese name, and I really liked it, bro!!!
I won't call it I-crisis; everyone has a pseudonym. :)

Aakar, sure bro, we can add our links. I'll add your blog to mine within 2 minutes :)
Anonymous said…
I appreciate your effort in analyzing the sujin.com.np worm problem and the solution you suggested. The worm just makes a few tweaks in the registry, and the problem can be resolved by making some changes in the registry. But if I have to remove the worm from several computers, then I'd definitely require a script.

I have tried using both the tools/scripts 'scanner.exe' and 'AntiSujin'. 'scanner.exe' works flawlessly, but although 'AntiSujin' removes the worm, it still changes the IE homepage to http://back2mangalman.blogspot.com/.

Mangalman is also trying to get popular by spreading a script which removes the worm but does something the users don't want (changes their homepage).

So I cannot agree with your second solution. I'd recommend 'scanner.exe'.

"2. But, if Sujin.com.np is already resident in memory, I strongly recommend you download AntiSujin 2.0 by Mangalman.
Password to extract: www.meroguff.com
Note: And I don't recommend the use of scanner.exe to remove the worm, because it's the remedy tool created by the same guy who created this worm."


Microsoft has bundled IE with Windows so people cannot think of any browser other than IE. Firefox is a much better option than any version of IE.
Navin said…
यो मन त मेरो नेपाली हो, I edited the part you suggested regarding AntiSujin, because Mangalman is my friend and I blindly put up his removal tool without ever looking at the code. You're right, the browser title is still directed to his blog address.

And about what you wrote on Microsoft, I totally disagree. I know Firefox is good, but Microsoft is not evil for bundling IE and Windows together. I wish Microsoft would put all the necessary codecs/drivers/browsers/tools/players etc. in their OS, but then MS would have to face hundreds of lawsuits. I'm with Microsoft all the time. Their virtuous intentions are being morphed into something evil.
Anonymous said…
Thanks. As I said earlier, your information about the worm is the most comprehensive and informative as well. Now it has become even better.

And about the Microsoft thing, I didn't mean that Microsoft is evil to bundle IE with Windows. In fact, MS has done a good thing by bundling the software. If they hadn't bundled IE, the internet would not have been as popular as it is now, and many people would not have had such easy access to the internet. I just meant to say that Firefox is a lot better than IE. IE is just a basic browser and has many security loopholes.

If only Microsoft had bundled Firefox, it would have been even better. Just like सुनमा सुगन्ध (fragrance added to gold).
Navin said…
Hahaha, I agree with you, यो मन त मेरो नेपाली हो.
Firefox is better than Microsoft IE, and just like you wished.. wow. At least we can wish.. what else can we do??
Anonymous said…
I was wondering... Does RavMon delete your Group Policies? 'Cause the system tells me "gpedit.msc" doesn't exist. Plus, I no longer have any control over Folder Options.

I've already deleted RavMon.exe and its goons: the autorun in each HD partition. What should I do now to fix Folder Options?
Navin said…
Hi Leer,
No, Group Policy must have been disabled.

Please check the links below for solutions.

For autorun stuff:
http://www.meroguff.com/2007/05/autoruninf-worm-infecting-removable-usb.html

For the disabled Folder Options issue:
http://www.meroguff.com/2007/07/remove-restrictions-tool-v20.html

Hope that helps you. :)
