Wednesday, December 06, 2006

New virus/worm/whatever!

Last night (or in the early hours of this morning), someone asked me to take a look at his WinXP computer. He said it was giving some weird text on right click. Sure enough, when I right-clicked his C: drive, the first two items were in some gibberish, the kind you only see when you don't have Asian fonts installed. However, those first two menu items (&Open and E&xplore) still had their access keys underlined, like normal.

I first started checking the registry to see if there was any custom autorun handler. There didn't seem to be. Then the autorun.inf trick came to mind, so I checked, and there were a number of files named autorun* (that is, files with the name autorun-something). Apparently the worm spreads via removable drives and executes itself using Windows Scripting Host. I'm not sure exactly what the payload is (the actual damage it causes, other than being annoying).

At any rate, disabling Windows Script Host is very easy if you have the right tools, or if you don't mind running around in the registry. I can't tell you exactly what registry key to modify other than HKLM\Software\Microsoft\Windows Script Host\Settings\ (set both the Enabled and Remote values to 0). Use Task Manager or any other process manager to kill any instances of Windows Script Host (wscript.exe) that are running; otherwise, cleaning the worm will be really difficult. Next, make sure that the worm doesn't start up with the system by searching for and deleting all instances of "autorun.bat" in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini key. Finally, at the console, run attrib -h -s -r autorun* and delete the files that appear (with the default setting, which is to hide system and hidden files, they won't show up until you clear those attributes).

If this doesn't make sense, post a comment. I'm falling asleep at my computer and I don't want it to drop off my lap. Later then!

Oh, yeah - tools you can easily use to disable Windows Scripting include the excellent Xpy and AVG Antispyware. With Xpy, simply download, unzip and run the application. You'll see it under the 'General' settings. For AVG Antispyware, go to the Tools tab and expand Other services (or something like that; I don't have it installed, for a number of reasons).
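The checks above (WSH settings, running script hosts, autorun.bat references under IniFileMapping, hidden autorun* files), as an added PowerShell audit script that is not from the original post. It assumes an elevated PowerShell on the affected machine, only reports by default, and applies the post's Enabled=0/Remote=0 change only when run with -DisableWsh.

```powershell
# Added audit script (not from the original post). Reports the indicators the
# post describes; pass -DisableWsh to apply the registry change it recommends.
param([switch]$DisableWsh)

$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$iniKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini'

# 1. Is Windows Script Host enabled? (Enabled/Remote = "0" turns it off.)
if (Test-Path $wshKey) {
    $s = Get-ItemProperty -Path $wshKey
    "WSH Enabled = '$($s.Enabled)'  Remote = '$($s.Remote)'  (blank means default: on)"
} else {
    "WSH settings key missing: WSH is enabled by default"
}

# 2. Any running script host processes (wscript.exe / cscript.exe)?
Get-Process -Name wscript, cscript -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path

# 3. Any values under IniFileMapping\system.ini that mention autorun?
$keys = @(Get-Item -Path $iniKey -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path $iniKey -Recurse -ErrorAction SilentlyContinue)
foreach ($k in $keys) {
    foreach ($name in $k.GetValueNames()) {
        $v = [string]$k.GetValue($name)
        if ($v -match 'autorun') { "$($k.Name)\$name = $v" }
    }
}

# 4. Hidden/system autorun* files on the root of every mounted drive
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path "$($_.Root)autorun*" -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Attributes
}

# 5. Optionally apply the post's fix: Enabled=0 and Remote=0 under WSH settings
if ($DisableWsh) {
    if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
    Set-ItemProperty -Path $wshKey -Name Enabled -Value '0'
    Set-ItemProperty -Path $wshKey -Name Remote  -Value '0'
    "Windows Script Host disabled (Enabled=0, Remote=0)"
}
```

Anything step 4 lists with the Hidden or System attribute set is what the post's attrib -h -s -r autorun* command exposes before deletion.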
