I have developed a small tool that will aid you to remove VBS malware (and unhide your files) from a machine, external drive (USB eg.) or in a network. I created the tool some months ago when I saw quite a lot of these doing the rounds.
The tool is simple and pretty much self-explanatory:
|Remediate VBS Worm 8.0.0|
Instructions on using Rem-VBSworm
You should run the script in the following sequence, at least on a normal machine:
Plug in your infected USB (if any) and choose A (wait), then B (wait) and afterwards C.
After these steps, perform a full scan with your installed antivirus product or perform an online scan.
Instructions in other languages are also available, namely Dutch, French, German and Polish:
Security Tool Spotlight: Rem-VBSworm (Deutsch)
Remediate VBS Worm (français)
VBS malware verwijderen (Nederlands)
Infekcje z mediów przenośnych (Polski)
Some tips and tricks:
- Using option A, the tool will attempt to clean the infection. It will also fix any registry changes made by the malware. (for example it will re-enable Task Manager should it be disabled).
- ! When you use option B, be sure to type only the letter of your USB drive!
So if you have a USB drive named G:\, you should only type G
This option will eradicate any related malware on the USB drive, as well as unhide your files (make them visible again).
- With option C you can download Panda USB Vaccine to prevent any other autorun malware entering your computer.
- With option D you have the possibility to disable or re-enable the Windows Script Host (WSH), to prevent any malware abusing it.
- I advise to end the script with Q as to ensure proper logfile closing. A logfile will open automatically, but is also created by default on the C:\ drive. (C:\Rem-VBS.log)
- When the tool is running, do not use the machine for anything else.
(it takes about 30 seconds to run)
- If VBS malware is found, it will be automatically removed and a copy will be placed at C:\Rem-VBSqt.
- Accidentally used an option and want to exit the script? Use CTRL + C to stop it.
You can use this to remedy the following malware:
- Autorun worms
- Any other VBS (VBScript) or VBE malware
- Any other malware that abuses the WSH (Windows Script Host)
Download on BleepingComputer:
File integrity check:
Rem-VBSworm (ZIP file)
07/06/2016 - version 8.0.0:
FIXED: issue when executing from drive other than system drive (option A)
IMPROVED: detection of malicious scheduled tasks (option A)
IMPROVED: detection of certain autorun/VBS worms
11/03/2016 - version 7.0.0:
ADDED: detection of malicious scheduled tasks (option A)
ADDED: malware detected on USB now copied to quarantine (option B)
ADDED: usage information on top of the tool
FIXED: issue launching download of Panda USB Vaccine (option C)
IMPROVED: autorun.inf vaccination on NTFS formatted drives (option B)
IMPROVED: error handling
IMPROVED: log output (should be final now)
23/12/2015 - version 6.0.0:
ADDED: logging of USB device ID
CHANGED: Panda USB vaccine download (now on BleepingComputer)
IMPROVED: log output is now completely streamlined and cleaned
IMPROVED: disabling of WSH on Windows XP (option D)
IMPROVED: scanning time (option A)
IMPROVED: detection of certain autorun/VBS worms
21/10/2015 - version 5.0.0:
ADDED: logging of installed antivirus
ADDED: detection of malicious shortcut links in startup folders
ADDED: malicious VBS files now automatically copied to quarantine for research purposes (on C:\Rem-VBSqt)
IMPROVED: handling of files, resulting in a false positive rate of almost zero
IMPROVED: detection of certain malware variants using autorun to spread or hide files
(Fanny worm, Andromeda/Gamarue malware)
IMPROVED: minor code cleanup, minor log output cleanup - greater visibility
21/04/2015 - version 4.0.0.:
ADDED: removal of AutoIT autorun worms
ADDED: version number (in main window and log)
ADDED: option D will now allow you to disable or re-enable the WSH
FIXED: false negative
IMPROVED: option B will now detect if you try to execute on system drive
IMPROVED: log output is cleaned and more streamlined
03/03/2015 - versio 3.0.0.:
ADDED: more information about attached drives & system
ADDED: root contents of removable drive will now be listed
FIXED: false positive
IMPROVED: general improvements
23/04/2014 - version 2.0.0:
First public version
ADDED: detections & disinfections will now be logged
ADDED: all attached drives are now listed
FIXED: False positive on unrelated files
FIXED: Issue with Read-Only files
IMPROVED: Registry fixes
IMPROVED: Scanning time
IMPROVED: Disinfection mechanism for USB-drives
10/12/2013 - version 1.0.0:
Private use only
In regards to autorun worms, you should follow these precautions:
- Install all your Windows Updates.
- Disable autorun. This should already be done by Windows Update, but if not you can use:
- Don't simply insert a USB-drive in your machine without knowing who it is from. Found a USB-drive at your parking lot? Yeah, don't even think about it. You might want to read:
Criminals push malware by 'losing' USB sticks in parking lots
- You can install and run Script Defender along your antivirus/antimalware product:
Script Defender by AnalogX
This will effectively block the execution of malicious scripts like VBS, VBE, HTA, ...
- If you aren't planning on ever using VBscripts at all, or you are not working on a company laptop (which may use scripts!), you can also simply disable the Windows Script Host. You can use option D in my tool.
- For companies, take a look at this as well:
Command line process auditing
- Last but not least, install an Antivirus and update it regularly.