Look at the code below. Fso is a Scripting.FileSystemObject created earlier in the script, and Drives is the drive currently being examined (the loop head is not shown); for each drive it deletes four files from the root, if they exist, before dropping its own copy there:
' Remove these four files, if present, from the root of the drive being examined.
If Fso.FileExists(Drives.Path & "\ravmon.exe") Then
    Fso.DeleteFile(Drives.Path & "\ravmon.exe")
End If
If Fso.FileExists(Drives.Path & "\sxs.exe") Then
    Fso.DeleteFile(Drives.Path & "\sxs.exe")
End If
If Fso.FileExists(Drives.Path & "\winfile.exe") Then
    Fso.DeleteFile(Drives.Path & "\winfile.exe")
End If
If Fso.FileExists(Drives.Path & "\run.wsh") Then
    Fso.DeleteFile(Drives.Path & "\run.wsh")
End If
A couple of things it does to intimidate people:
1. It changes the browser's home page to www.sujin.com.np (once, my friend thups and I did the registry hack and taskbar lock to make our site appear as the browser's home page every time someone launched the browser; I didn't know that the same idea would one day proliferate into something called a "browser hijack"). It is hard to revert to the default.
2. Every 10 seconds it enumerates the removable drives on the host, and whenever it finds a new one it writes an Autorun.inf there that launches the same browser-hijack script, so the infection is passed on and on. That is why I call it a WORM instead of a VIRUS: it tries to propagate itself every 10 seconds, without a harmful intention.
' Tail of the main loop (the loop head is not shown). Count is set earlier in
' the script; unless it is 1, sleep 10 000 ms and go round again. This is the
' ten-second cycle described in point 2.
If Count <> 1 Then
    WScript.Sleep 10000
End If
Loop While Count <> 1
3. It also copies its VBS code to the root of every drive on the system, which is of course suspicious, and it changes the registry while doing so. As a result it gets loaded several times as separate processes, each eating a bit of physical RAM.
' Start of the loop body (the closing Loop is not shown). AllFile presumably
' holds the script's own source text. If no copy exists yet in the system
' directory, write one and then set every attribute bit (read-only, hidden,
' system, archive, ...) on it so Explorer's default view does not show it.
Do
    If Not Fso.FileExists(SystemDir & "\VirusRemoval.vbs") Then
        Set WriteAll = Fso.CreateTextFile(SystemDir & "\VirusRemoval.vbs", 2, True)
        WriteAll.Write AllFile
        WriteAll.Close
        Set WriteAll = Fso.GetFile(SystemDir & "\VirusRemoval.vbs")
        WriteAll.Attributes = -1
    End If
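To see what an Autorun.inf like the one this worm drops actually tells Explorer to do, here is an added example (it is neither the worm's code nor the author's scanner) that parses an autorun.inf and flags every entry that makes Explorer run something, rating script-host launches highest. Both sample files are constructed for this example: the worm-like one uses the VirusRemoval.vbs name from the fragment above but is otherwise assumed, since the page does not reproduce the real Autorun.inf; the driver-CD one is a typical benign file for comparison.

```python
import re
from typing import List, Tuple

# Keys under [autorun] that make Explorer execute a command.
DIRECT_LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# A pen drive has no business launching a script host from autorun.
SCRIPT_MARKERS = ("wscript", "cscript", ".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf")

# Constructed sample resembling what a script-dropping USB worm writes
# (only the file name VirusRemoval.vbs comes from the post; the rest is assumed).
SAMPLE_WORM_INF = """\
[AutoRun]
; masquerades as the normal 'open' action
open=wscript.exe VirusRemoval.vbs
shellexecute=wscript.exe VirusRemoval.vbs
shell\\open\\command=wscript.exe VirusRemoval.vbs
shell\\explore\\command=wscript.exe VirusRemoval.vbs
shell=open
"""

# Constructed benign sample: a vendor driver CD.
SAMPLE_DRIVER_CD = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Driver CD
"""


def parse_autorun(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs from the [autorun] section in file order.

    Hand-rolled rather than configparser: autorun.inf keys contain backslashes,
    section and key names are case-insensitive, duplicate keys are legal, and a
    BOM or ';' comment must not abort the scan.
    """
    pairs: List[Tuple[str, str]] = []
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Classify each executing entry as (severity, key, value).

    'high'   : the command invokes a script host or a script file
    'medium' : the entry launches something else, or re-points the default
               double-click verb with shell=<verb>
    """
    findings: List[Tuple[str, str, str]] = []
    for key, value in parse_autorun(text):
        if key == "shell":
            findings.append(("medium", key, value))
            continue
        if key not in DIRECT_LAUNCH_KEYS and not VERB_COMMAND_RE.match(key):
            continue
        low = value.lower()
        severity = "high" if any(m in low for m in SCRIPT_MARKERS) else "medium"
        findings.append((severity, key, value))
    return findings


def looks_like_script_worm(text: str) -> bool:
    """True when any entry would hand control to a script host."""
    return any(sev == "high" for sev, _, _ in triage(text))


if __name__ == "__main__":
    for name, inf in (("worm-like", SAMPLE_WORM_INF), ("driver CD", SAMPLE_DRIVER_CD)):
        print(f"{name}: worm-like={looks_like_script_worm(inf)}")
        for sev, key, value in triage(inf):
            print(f"  [{sev}] {key} = {value}")
```

To check a suspect pen drive, open its autorun.inf as a text file (do not double-click the drive icon in My Computer, because that is exactly what executes the shell\open\command entry) and pass the contents to triage().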
My Verdict:
Sujin.com.np is a mere browser-hijack annoyance: it sets the user's home page to www.sujin.com.np and tries to hijack other people's browsers by copying itself to removable drives every ten seconds. Whoever plugged a pen drive or floppy into an infected host got the hijack script written onto it; they then carried the infected pen drive to another computer, infected that one too, and that is how it seems to have exploded all over the region.
However, there is no malicious code inside it. The only motive is to set users' browsers to 'Sujin.com.np'.
Solutions:
1. My first advice is to disable the autorun feature of your operating system, because autorun is what triggers the worm when an infected drive is inserted. Here is how, on XP:
a. Start --> Run --> type "gpedit.msc" without the quotes and press Enter.
b. The Group Policy console opens. Under Local Computer Policy there are (a) Computer Configuration and (b) User Configuration.
c. We need to tweak Computer Configuration: Computer Configuration --> Administrative Templates --> System --> Turn off Autoplay.
d. Double-click "Turn off Autoplay", select "Enabled" on the next screen, and choose "All drives" in the drop-down. (Selecting "Disabled" on a policy named "Turn off Autoplay" re-enables Autoplay, which is the opposite of what we want.)
(This policy writes NoDriveTypeAutoRun = 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. One caveat on XP: it stops the automatic launch when a drive is inserted, but double-clicking the drive icon in My Computer can still run the command from Autorun.inf unless Microsoft's update KB967715 is installed, so never open a suspect drive that way.)
** Prevention is better than cure.
2. But, if Sujin.com.np is already resident in the memory, Download SCANNER here
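The gpedit steps above come down to one registry value. The following added example (not the author's tool) decodes that value so you can verify the policy actually covers removable drives, and writes the "All drives" setting directly when run from an administrative prompt on Windows. The key path and bit meanings are the documented ones for NoDriveTypeAutoRun; the three masks used (0xFF for "All drives", 0xB5 for "CD-ROM drives only", and 0x91 as the usual XP workstation default) are assumptions stated here, since the page does not list them.

```python
import sys
from typing import Dict, List, Optional

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# One bit per GetDriveType() class; a set bit means "no autorun on this type".
DRIVE_TYPE_BITS: Dict[int, str] = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",        # USB pen drives and floppies: what this worm rides on
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown (reserved)",
}
ALL_DRIVES = 0xFF   # what "Turn off Autoplay: All drives" writes
CDROM_ONLY = 0xB5   # what "Turn off Autoplay: CD-ROM drives" writes
XP_DEFAULT = 0x91   # assumed XP workstation default: unknown + network + reserved only


def autorun_still_allowed(mask: int) -> List[str]:
    """Drive types on which autorun remains enabled under this mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def blocks_removable(mask: int) -> bool:
    """The check that matters for this worm: is bit 0x04 set?"""
    return bool(mask & 0x04)


def read_policy() -> Optional[int]:
    """Effective mask, machine policy (HKLM) first, then the user's; None if unset."""
    if sys.platform != "win32":
        return None
    import winreg
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _ = winreg.QueryValueEx(key, VALUE_NAME)
                return int(value)
        except OSError:
            continue
    return None


def set_all_drives() -> None:
    """Same effect as steps a-d above: 0xFF under the machine policy key."""
    if sys.platform != "win32":
        raise RuntimeError("NoDriveTypeAutoRun only exists on Windows")
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, ALL_DRIVES)


if __name__ == "__main__":
    current = read_policy()
    mask = XP_DEFAULT if current is None else current   # assume the default when unset
    print(f"{VALUE_NAME} = 0x{mask:02X}")
    print("autorun still allowed on:", autorun_still_allowed(mask) or "nothing")
    print("removable drives covered:", blocks_removable(mask))
```

From an administrative cmd prompt the same write is `reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f`; Explorer picks the new mask up after a log-off. Run the decoder again afterwards and expect "removable drives covered: True".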
Note: Thanks for your note, "यो मन त मेरो नेपाली हो" (this heart of mine is Nepali)!!!
Related links: http://www.meroguff.com/2007/05/autoruninf-worm-infecting-removable-usb.html
Comments
Nabin bro! Can we share our blog links?
And also, Sulabh remembers you, but you may not recognize him exactly...
I won't call it I-crisis; everyone has a pseudonym. :)
Aakar, sure bro, we can add our links. I'll add your blog to mine within 2 minutes :)
I have tried using both the tools/scripts, 'scanner.exe' and 'AntiSujin'. 'scanner.exe' works flawlessly, but although 'AntiSujin' removes the worm it still changes the IE home page to http://back2mangalman.blogspot.com/.
Mangalman is also trying to get popular by spreading a script which removes the worm but does something the users don't want (changes their home page).
So I cannot agree with your second solution. I'd recommend 'scanner.exe'.
"2. But, if Sujin.com.np is already resident in memory, I strongly recommend you download AntiSujin 2.0 by Mangalman.
Password to extract: www.meroguff.com
Note: And I don't recommend the use of scanner.exe to remove the worm, because it is the remedy tool created by the same guy who created this worm."
Microsoft has bundled IE with Windows so people cannot think of any browser other than IE. Firefox is a lot better an option than any version of IE.
And about what you wrote on Microsoft, I totally disagree. I know Firefox is good, but Microsoft is not evil for bundling IE and Windows together. I wish Microsoft would put all the necessary codecs/drivers/browser/tools/players etc. in their OS, but MS would then have to face hundreds of lawsuits. I'm with Microsoft all the time. Their virtuous intentions are being morphed into something evil.
And about the Microsoft thing, I didn't mean that Microsoft is evil to bundle IE with Windows. In fact, MS has done a good thing by bundling the software. If they hadn't bundled IE, the internet would not have been as popular as it is now, and many people would not have had such easy access to the internet. I just meant to say that Firefox is a lot better than IE. IE is just a basic browser and has many security loopholes.
If only Microsoft had bundled Firefox, it would have been even better. Just like सुनमा सुगन्ध (fragrance on gold).
Firefox is better than Microsoft IE, and just like you wished... wow. At least we can wish... what else can we do?
I've already deleted RavMon.exe and its goons: the autorun in each HD partition. What should I do now to fix Folder Options?
No, group policy must have been disabled.
Please check the links below for solutions.
For the autorun stuff:
http://www.meroguff.com/2007/05/autoruninf-worm-infecting-removable-usb.html
For the disabled Folder Options issue:
http://www.meroguff.com/2007/07/remove-restrictions-tool-v20.html
Hope that helps you. :)