Wednesday, November 26, 2008

removing aikelyu virus

i would like to start this blog up again with something useful. :)

my brother's laptop got infected by a virus called aikelyu, which is basically a vbs-based script that is executed, and spreads itself, through autorun when the infected usb memory stick is plugged into the computer. once the laptop gets infected, the script infects all writable drives, including removable ones, and creates an autorun.inf file on each drive that points to the copy of the vbs script placed there, so it is auto-executed. i was able to get a copy of that script and created the removal script below.

how to use:

  1. create an empty text file.
  2. paste the code below and save it as remscript.vbs
  3. if you have an infected usb memory stick, plug it into your computer
  4. run or double-click the created script file

you can also get the file here if you don't like creating one.
please find the removal vbscript code listing below. if you have any questions or suggestions, feel free to leave a comment.

'Aikelyu removal script starts here:
'jo.gel.santiago[at]gmail.com

Option Explicit
' Image name of the Windows Script Host executable the worm runs under;
' it is also the process that KillTask terminates.
Const tN = "wscript.exe"
Dim oShl
Set oShl = CreateObject("WScript.Shell")
' Bootstrap: when this script was launched by wscript.exe, re-launch it
' under cscript.exe and exit, so the later "taskkill wscript.exe" step
' cannot terminate the removal script itself.
If IsWSEnv Then
    RunInCS
    WScript.Quit 0
End If

'core code starts here
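' Core configuration: the worm's dropper file name and the registry
' locations it persists through.
Const xN = "\DEADLY-c.vbs"
Const xE = "Explorer.exe"
' Run key the worm registers itself under; removed by DeleteReg.
Const pA = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Aikelyu"
' Winlogon Shell value; ChangeReg writes Explorer.exe back into it.
Const pS = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
Dim oFso, oLog, oL, x
' The log is written next to the script itself.
oL = WScript.ScriptFullName & ".log"
' Paths, relative to the Windows folder, that CleanSystem deletes.
' NOTE: the two GroupPolicy scripts.ini entries delete the whole file,
' not just the worm's line, so any legitimate startup-script policy
' configured there is lost as well.
x = Array( xN, _
"\system32\kernel.dll.vbs", _
"\system32\GroupPolicy\Machine\Scripts\Startup" & xN, _
"\system32\tonton.html", _
"\system32\GroupPolicy\Machine\Scripts\scripts.ini" , _
"\system32\GroupPolicy\User\Scripts\scripts.ini" , _
"\Debug" & xN)

Set oFso = CreateObject("Scripting.FileSystemObject")
' CreateTextFile(path, overwrite, unicode): replace any previous log,
' write it as Unicode.
Set oLog = oFso.CreateTextFile(oL, 2, True)

'call the main process
CleanSystem
' Separator line. The original string literal here was split across two
' lines in the published listing, which VBScript cannot parse; its text
' is unknown, so an empty line stands in for it.
WriteLog ""
oLog.Close
OpenLog oL

'cleanup
Set oLog = Nothing
Set oShl = Nothing
Set oFso = Nothing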

Sub CleanSystem
    ' Orchestrates the removal: stop the worm's host process, delete its
    ' files under the Windows folder, undo its registry persistence, then
    ' sweep the fixed and removable drives. An error escaping any helper
    ' resumes at the next statement of this sub, so one failing step does
    ' not stop the steps after it.
    On Error Resume Next
    Dim entry, winDir
    KillTask tN
    ' GetSpecialFolder(0) is the Windows folder.
    Set winDir = oFso.GetSpecialFolder(0)
    For Each entry In x
        DeleteFile winDir & entry
    Next
    DeleteReg pA
    ChangeReg pS, xE
    CleanDrives
End Sub

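Sub CleanDrives
    ' Removes the worm's dropper and autorun.inf from the root of every
    ' removable (DriveType 1) and fixed (DriveType 2) drive except the
    ' floppy A:. Network and other drive types are not touched.
    ' Errors are handled locally: without this, an error escaping
    ' DeleteFile propagates to CleanSystem's Resume Next, which continues
    ' AFTER the CleanDrives call and so silently skips every remaining
    ' drive in this loop.
    On Error Resume Next
    Dim d
    For Each d In oFso.Drives
        If (d.DriveType = 1 Or d.DriveType = 2) And d.Path <> "A:" Then
            ' Skip removable drives with no media inserted.
            If d.IsReady Then
                ' Separator line; the original literal was garbled in the
                ' published listing, so an empty line stands in for it.
                WriteLog ""
                DeleteFile d.Path & xN
                DeleteFile d.Path & "\autorun.inf"
            End If
        End If
    Next
End Sub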

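Sub DeleteFile(path)
    ' Deletes the file at path if it exists and logs the outcome.
    ' Attributes = 32 (Archive only) clears the read-only, hidden and
    ' system bits the worm sets on its copies before the delete.
    ' Errors are handled here so a failed delete is recorded in the log
    ' instead of silently aborting the rest of this sub.
    On Error Resume Next
    ' Separator line; the original literal was garbled in the published
    ' listing, so an empty line stands in for it.
    WriteLog ""
    If Not oFso.FileExists(path) Then
        WriteLog "FileNotFound: " & path
        Exit Sub
    End If
    Dim f
    Set f = oFso.GetFile(path)
    Err.Clear
    f.Attributes = 32
    f.Delete True
    If Err.Number = 0 Then
        WriteLog "FileDeleted: " & path
    Else
        WriteLog "FileNotDeleted: " & path & " (" & Err.Description & ")"
        Err.Clear
    End If
End Sub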

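Sub DeleteReg(path)
    ' Removes the registry entry at path (the worm's Run value) and logs
    ' the outcome. RegDelete raises when the entry is already gone; that
    ' is caught here and logged rather than propagated to the caller.
    On Error Resume Next
    ' Separator line; the original literal was garbled in the published
    ' listing, so an empty line stands in for it.
    WriteLog ""
    WriteLog "Path: " & path
    Err.Clear
    oShl.RegDelete path
    If Err.Number = 0 Then
        WriteLog "RegDeleted: " & path
    Else
        WriteLog "RegNotDeleted: " & path & " (" & Err.Description & ")"
        Err.Clear
    End If
End Sub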

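Sub ChangeReg(path, value)
    ' Writes value to the registry entry at path and logs the contents
    ' before and after. Errors are handled locally: RegRead raises when
    ' the entry does not exist, and without this handler that error would
    ' escape to the caller and skip the RegWrite that restores the value.
    On Error Resume Next
    ' Separator line; the original literal was garbled in the published
    ' listing, so an empty line stands in for it.
    WriteLog ""
    WriteLog "Path: " & path
    Dim before
    Err.Clear
    before = oShl.RegRead(path)
    If Err.Number <> 0 Then
        before = "(not present)"
        Err.Clear
    End If
    WriteLog "Before: " & before
    oShl.RegWrite path, value
    If Err.Number <> 0 Then
        WriteLog "RegWriteFailed: " & path & " (" & Err.Description & ")"
        Err.Clear
    End If
    WriteLog "After: " & oShl.RegRead(path)
End Sub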

Sub WriteLog(str)
    ' Appends one line to the open log file (oLog).
    Call oLog.WriteLine(str)
End Sub

Sub RunCmd(cmd, bWait)
    ' Runs cmd via WshShell.Run with window style 0 (hidden). bWait
    ' selects whether to block until the process exits. Any error from
    ' Run (e.g. the command cannot be started) is ignored.
    On Error Resume Next
    Call oShl.Run(cmd, 0, bWait)
End Sub

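Sub KillTask(exName)
    ' Forcibly terminates every process whose image name is exName, plus
    ' its child processes (/t), via taskkill, waits for it to finish, then
    ' logs the command. It is called with wscript.exe to stop the running
    ' worm; that is why this script first re-hosts itself under cscript.exe
    ' (see RunInCS), otherwise it would kill itself here.
    ' Separator line; the original literal was garbled in the published
    ' listing, so an empty line stands in for it.
    WriteLog ""
    Dim c
    c = "taskkill /f /im " & exName & " /t"
    RunCmd c, True
    WriteLog "Cmd: " & c
End Sub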

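Sub OpenLog(path)
    ' Opens the finished log in Notepad without waiting, if the file
    ' exists. The path is quoted because ScriptFullName usually contains
    ' spaces (e.g. a Desktop under "Documents and Settings"); unquoted,
    ' the shell splits it and Notepad is handed the wrong file name.
    If Not oFso.FileExists(path) Then Exit Sub
    RunCmd "%comspec% /c notepad " & """" & path & """", False
End Sub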

Sub RunInCS
    ' Re-launches this script under cscript.exe (console host) without
    ' waiting for it. The script path is quoted so spaces in it survive.
    Dim quoted
    quoted = """" & WScript.ScriptFullName & """"
    RunCmd "%comspec% /c cscript.exe //nologo " & quoted, False
End Sub

Function IsWSEnv
    ' True when the current host executable (WScript.FullName) is
    ' wscript.exe, matched case-insensitively anywhere in the path.
    Dim pos
    pos = InStr(1, WScript.FullName, tN, vbTextCompare)
    IsWSEnv = (pos > 1)
End Function
