Wednesday, February 5, 2014

Remediate VBS malware

I have developed a small tool that will help you remove VBS malware (and unhide your files) from a machine, an external drive (a USB drive, for example) or a network. I created the tool some months ago when I saw quite a lot of these doing the rounds.

The tool is simple and pretty much self-explanatory:


Remediate VBS Worm 8.0.0

Instructions on using Rem-VBSworm

You should run the script in the following sequence, at least on a normal machine:
Plug in your infected USB (if any) and choose A (wait), then B (wait) and afterwards C.
After these steps, perform a full scan with your installed antivirus product or perform an online scan.


Some tips and tricks:


  • Using option A, the tool will attempt to clean the infection. It will also fix any registry changes made by the malware (for example, it will re-enable Task Manager should it be disabled).
  • ! When you use option B, be sure to type only the letter of your USB drive!
    So if you have a USB drive named G:\, you should only type G
    This option will eradicate any related malware on the USB drive, as well as unhide your files (make them visible again).
  • With option C you can download Panda USB Vaccine to prevent any other autorun malware entering your computer.
  • With option D you have the possibility to disable or re-enable the Windows Script Host (WSH), to prevent any malware abusing it.
  • I advise ending the script with Q to ensure the logfile is closed properly. A logfile will open automatically, but is also created by default on the C:\ drive (C:\Rem-VBS.log).
  • When the tool is running, do not use the machine for anything else.
    (it takes about 30 seconds to run)
  • If VBS malware is found, it will be automatically removed and a copy will be placed at C:\Rem-VBSqt.
  • Accidentally used an option and want to exit the script? Use CTRL + C to stop it.
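The kind of fixes options A, B and D perform, as an added PowerShell example written for this post (it is not the tool's own code; the drive letter G, the choice of the machine-wide HKLM key for WSH, and the function names are my assumptions):

```powershell
# Added example, not the Rem-VBSworm tool's own code: PowerShell equivalents of the
# registry and attribute fixes the post attributes to options A, B and D.
# Run from an elevated prompt. The registry paths are the documented Windows ones.

# Option A: undo a common policy change made by VBS worms (Task Manager disabled).
function Restore-TaskManager {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($val -and $val.DisableTaskMgr -ne 0) {
        Remove-ItemProperty -Path $key -Name DisableTaskMgr
        Write-Output 'Task Manager re-enabled (DisableTaskMgr removed)'
    }
}

# Option D: disable or re-enable the Windows Script Host machine-wide. WSH reads the
# Enabled value under its Settings key; 0 makes wscript.exe/cscript.exe refuse to run
# scripts. The same value under HKCU applies the setting per user instead.
function Set-WindowsScriptHost {
    param([Parameter(Mandatory)][bool]$Enabled)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    Write-Output ("Windows Script Host " + $(if ($Enabled) { 'enabled' } else { 'disabled' }))
}

# Option B: unhide files on a removable drive. Takes a single drive letter, as the post
# instructs, and refuses the system drive (the check the 4.0.0 changelog entry mentions).
function Restore-HiddenFiles {
    param([Parameter(Mandatory)][string]$DriveLetter)
    $letter = $DriveLetter.TrimEnd(':', '\').ToUpper()
    if ($letter.Length -ne 1) { throw 'Type only the drive letter, e.g. G' }
    if ($letter -eq $env:SystemDrive.TrimEnd(':')) { throw 'Refusing to run on the system drive' }
    $root = "${letter}:\"
    if (-not (Test-Path $root)) { throw "Drive $root not found" }
    # Autorun/VBS worms set Hidden+System on the real files and leave .lnk or .vbs decoys.
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        try   { $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot $mask) }
        catch { Write-Warning "Could not change attributes on $($item.FullName)" }
    }
    Write-Output "Hidden/System attributes cleared under $root"
}

# Constructed usage: G is a placeholder for the infected USB drive's letter.
Restore-TaskManager
Set-WindowsScriptHost -Enabled $false
Restore-HiddenFiles -DriveLetter 'G'
```

Unhiding makes the worm's own dropped files visible too; removing them and the decoy shortcuts is still the cleanup step the tool performs separately.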


You can use this to remedy the following malware:

  • Bladabindi
  • Excedow
  • Jenxcus
  • Houdini/Dinihu
  • Autorun worms
  • Any other VBS (VBScript) or VBE malware
  • Any other malware that abuses the WSH (Windows Script Host)


Download

Download on BleepingComputer:
Rem-VBSworm 8.0.0 Download
File integrity check:

MD5: 4c37021f17e02fb9fdb7db3287906bd5
SHA1: 7fef4a43f70262710127051778e0a50ec7a94e64

Mirror:
Rem-VBSworm (ZIP file)
Instructions in other languages are also available, namely Dutch, French, German and Polish:
Security Tool Spotlight: Rem-VBSworm (Deutsch)
Remediate VBS Worm (français)
VBS malware verwijderen (Nederlands)
Infekcje z mediów przenośnych (Polski)
Changelog:

07/06/2016 - version 8.0.0:
FIXED: issue when executing from drive other than system drive (option A)
IMPROVED: detection of malicious scheduled tasks (option A)
IMPROVED: detection of certain autorun/VBS worms


11/03/2016 - version 7.0.0:
ADDED: detection of malicious scheduled tasks (option A)
ADDED: malware detected on USB now copied to quarantine (option B)
ADDED: usage information on top of the tool
FIXED: issue launching download of Panda USB Vaccine (option C)
IMPROVED: autorun.inf vaccination on NTFS formatted drives (option B)
IMPROVED: error handling
IMPROVED: log output (should be final now)

23/12/2015 - version 6.0.0:
ADDED: logging of USB device ID
CHANGED: Panda USB vaccine download (now on BleepingComputer)
IMPROVED: log output is now completely streamlined and cleaned
IMPROVED: disabling of WSH on Windows XP (option D)
IMPROVED: scanning time (option A)
IMPROVED: detection of certain autorun/VBS worms

21/10/2015 - version 5.0.0:
ADDED: logging of installed antivirus
ADDED: detection of malicious shortcut links in startup folders
ADDED: malicious VBS files now automatically copied to quarantine for research purposes (on C:\Rem-VBSqt)
IMPROVED: handling of files, resulting in a false positive rate of almost zero
IMPROVED: detection of certain malware variants using autorun to spread or hide files
(Fanny worm, Andromeda/Gamarue malware)
IMPROVED: minor code cleanup, minor log output cleanup - greater visibility

21/04/2015 - version 4.0.0:
ADDED: removal of AutoIT autorun worms
ADDED: version number (in main window and log)
ADDED: option D will now allow you to disable or re-enable the WSH
FIXED: false negative
IMPROVED: option B will now detect if you try to execute on system drive
IMPROVED: log output is cleaned and more streamlined

03/03/2015 - version 3.0.0:
ADDED: more information about attached drives & system
ADDED: root contents of removable drive will now be listed
FIXED: false positive
IMPROVED: general improvements

23/04/2014 - version 2.0.0:
First public version
ADDED: detections & disinfections will now be logged
ADDED: all attached drives are now listed
FIXED: False positive on unrelated files
FIXED: Issue with Read-Only files
IMPROVED: Registry fixes
IMPROVED: Scanning time
IMPROVED: Disinfection mechanism for USB-drives

10/12/2013 - version 1.0.0:
Private use only
CREATION
Conclusion

With regard to autorun worms, you should follow these precautions:

  • Install all your Windows Updates.
  • Disable autorun. This should already be done by Windows Update, but if not you can use:
    • Panda USB Vaccine, download from CNET
    • Follow the steps in this Microsoft article (also for companies)
  • Don't simply insert a USB-drive in your machine without knowing who it is from. Found a USB-drive at your parking lot? Yeah, don't even think about it. You might want to read:
    Criminals push malware by 'losing' USB sticks in parking lots
  • You can install and run Script Defender along your antivirus/antimalware product:
    Script Defender by AnalogX
    This will effectively block the execution of malicious scripts like VBS, VBE, HTA, ...
  • If you aren't planning on ever using VBScripts at all, or you are not working on a company laptop (which may use scripts!), you can also simply disable the Windows Script Host. You can use option D in my tool.
  • For companies, take a look at this as well:
    Command line process auditing
  • Last but not least, install an Antivirus and update it regularly.

24 comments:

  1. Hello :)

    Do you know Usb-Set, a prevention tool to help to configure windows against USB Worms ?

    You can read presentation in english on Geeks to Go forum or SpywareInfo Forum :
    - http://www.geekstogo.com/forum/topic/272903-usb-set-15/
    - http://www.spywareinfoforum.com/topic/128367-usb-set-14/

    Regards,

    1. Hi Gof,

      I did not know about the existence of this tool, thank you for mentioning!

      I'll give it a go one of these days. Any idea if it's still in development?

      Cheers.

    2. Hi :)

      Yes, I think it is still in development.

      Cheers,

  2. Hi my friend,
    tool works perfectly in my tests. Keep up the good work!

    1. Glad to hear that, thanks for your comment! :)

      Cheers.

  3. I wonder what will happen if I accidentally use B command on window partition.
    And if it cause a problem what should I do (didn't find any problem occur yet using Windows 8.1)

    1. Hi Anonymous,

      Good point! As a matter of fact, this is NOT possible using the tool. So no worries there :)

      Thanks for your feedback and let me know should you have any other questions!

      Cheers.

  4. What effects does the software have on a usb drive? Sometimes I use my usb on other computers and they kinda freeze...

    1. Hi Anonymous,

      You can use option B to clean your USB drive of any malware that my tool cleans, as well as unhide files. It is not meant to repair a USB drive - you may try chkdsk for that.

      Having said that, if your USB freezes on other machines, it's possible they don't have autorun/autoplay disabled, or they are infected or... It's a Windows issue.

      Let me know should you have other questions. Cheers :)

    2. I thought so. Thanks.

    3. Would option D help stop the spread of worms?

    4. Hi Anonymous,

      Yes, option D - thus disabling Windows Script Host (WSH) will stop the spreading of certain malware. (not all, but it's certainly another layer of protection)

      Should you ever need WSH, you can enable it again using the same option, then disable it afterwards when you are done.

      Cheers!

  5. What is meant by "adding image hijacks" in the log file after cleaning the system of infections?

    1. Hi Anonymous!

      An image hijack allows you to load program B when opening program A for example. Many years ago, this was a tactic used by cybercriminals, but it's quite rare now.

      The pro here is that we can use the same tactic to stop malware from running. My tool adds some image hijacks for known malware executables used in autorun worms. You may find some additional information about image hijacks here: http://geekswithblogs.net/ssimakov/archive/2005/03/22/26930.aspx

      Let me know if you have other questions!

      Cheers.

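The image hijack mechanism the author describes in this reply, as an added PowerShell example of my own (not code from Rem-VBSworm; the blocked executable name is a placeholder, and the tool's actual list of names is not given on this page). It also lists existing Debugger entries, since the same key is used by malware as well as by cleanup tools:

```powershell
# Added example, not the tool's own code: defensive use of the Image File Execution
# Options (IFEO) "Debugger" value, plus an audit of every image that currently has one.
# Run from an elevated prompt.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Lists every executable name that has a Debugger value, whoever added it. Entries that
# point at unexpected programs deserve a look: malware uses this key for persistence too.
function Get-ImageHijack {
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

# Blocks an executable name by pointing its Debugger at a program that does not exist:
# Windows tries to start the "debugger" with the image as its argument, and that fails,
# so the listed image never runs. Only ever apply this to known-malicious file names,
# never to a legitimate system binary, because the block is by file name alone.
function Add-BlockingImageHijack {
    param([Parameter(Mandatory)][string]$ExeName)
    if ($ExeName -notmatch '^[\w.-]+\.exe$') { throw 'Give a bare file name such as name.exe' }
    $key = Join-Path $IfeoRoot $ExeName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Debugger -PropertyType String -Value 'blocked-by-cleanup-tool.exe' -Force | Out-Null
}

# Reverses Add-BlockingImageHijack for one executable name.
function Remove-BlockingImageHijack {
    param([Parameter(Mandatory)][string]$ExeName)
    $key = Join-Path $IfeoRoot $ExeName
    if (Test-Path $key) { Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue }
}

# Constructed usage: the name below is a placeholder, not one Rem-VBSworm targets.
Add-BlockingImageHijack -ExeName 'example-worm-placeholder.exe'
Get-ImageHijack | Format-Table -AutoSize
Remove-BlockingImageHijack -ExeName 'example-worm-placeholder.exe'
```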
  6. My last question is, how does this program keep my network safe from malware? I think I read some where that it can clean my network. I'm only asking these questions because I am amazed at how well this program works.

    1. Hi Anonymous,

      Not sure where you've read that, but what my tool can do is clean your network drives of autorun worms and other related (VBS/VBE/...) malware.

      It does not protect you from network attacks. You'll need a firewall for that.

      Hope that answers your question! Regards.

  7. WARNING !!! This software delete the entire contents of my SSD!
    You should not hide this information to your visitors!

    1. Hey Anonymous,

      Apologies for the delay, but both your comments (I'm guessing your earlier one was yours) ended up in spam, which I don't check too often.

      I have never heard or encountered this issue with my tool before. Can you give me some more information to see how this could have happened?

      a) Where did you download my tool from?
      b) Where did you execute the tool from? (Desktop, Downloads, ...)
      c) Can you give me the specs of your SSD? (size, Drive Letter, type/make/brand/model)
      d) Please send me the log, found on C:\Rem-VBSworm.log

      As in regards to your files, sorry to hear this has happened to you. Try a data recovery tool (such as Recuva) to get your files back. This should pose no issue.

      Regards

    2. Hi!

      I downloaded here:
      http://www.fosshub.com/Rem-VBSworm.html

      I executed on SSD
      (I use this SSD as a temporary folder for download, upload, conversion, ...)

      This is a Samsung SSD 850 Pro 256GB (F:\)

      I had doubts about an infection. I downloaded it and chose option A. After that, there was only the tool and a current download file, on the SSD!

      Sorry, I deleted the log. I tried to use Wise data recovery and a tool called "Restoration" but I did not insist...

    3. Hi,

      That's indeed a valid mirror, albeit I need to update the version there (current is 7.0.0).

      I will try next week to reproduce the behaviour you reported and implement a fix if necessary.

      Thanks again for the report and apologies for any inconvenience caused,

      Regards
      Bart

    4. Hi Anonymous,

      Yesterday evening I was able to reproduce the issue. It seems to happen when executing the tool from a removable drive and in some rare cases it fails to properly change directory.

      I have solved this in the next version (8.0), which will be released on Monday.

      Thanks for your help.

      Regards
      Bart

    5. Hi Steffen,

      As said earlier, this issue is fixed in the latest version (8.0), which is also on Fosshub:
      http://www.fosshub.com/Rem-VBSworm.html

      Cheers!
      Bart

  8. Hi Bart,

    I downloaded your tool here to my hdd (D:\Downloads) and after selecting option "A" all content of D:\Downloads was deleted :-(
    So it was not executed on a removable disk...
    And sorry, I have no log (any more).
    But thanks for rescuing my usb-stick nevertheless!

    Best regards
    Steffen

    1. Hi Steffen!

      This issue was fixed in the new version, which is coming out on Monday.

      However, if you want to try already, you can download it here: http://www.filedropper.com/rem-vbsworm

      Is the issue also solved for you?

      My pleasure and thank you.

      Regards
      Bart
