Remediate VBS malware

Remediate VBS malware




I have developed a small tool that will aid you to remove VBS malware (and unhide your files) from a machine, external drive (USB eg.) or in a network. I created the tool some months ago when I saw quite a lot of these doing the rounds.

The tool is simple and pretty much self-explanatory:


Remediate VBS Worm 8.0.0
















Instructions on using Rem-VBSworm

You should run the script in the following sequence, at least on a normal machine:
Plug in your infected USB (if any) and choose A (wait), then B (wait) and afterwards C.
After these steps, perform a full scan with your installed antivirus product or perform an online scan.

Instructions in other languages are also available, namely Dutch, French, German and Polish:
Security Tool Spotlight: Rem-VBSworm (Deutsch)
Remediate VBS Worm (fran�ais)
VBS malware verwijderen (Nederlands)
Infekcje z medi�w przeno?nych (Polski)

Some tips and tricks:


  • Using option A, the tool will attempt to clean the infection. It will also fix any registry changes made by the malware. (for example it will re-enable Task Manager should it be disabled).
  • ! When you use option B, be sure to type only the letter of your USB drive!
    So if you have a USB drive named G:, you should only type G
    This option will eradicate any related malware on the USB drive, as well as unhide your files (make them visible again).
  • With option C you can download Panda USB Vaccine to prevent any other autorun malware entering your computer.
  • With option D you have the possibility to disable or re-enable the Windows Script Host (WSH), to prevent any malware abusing it. 
  • I advise to end the script with Q as to ensure proper logfile closing. A logfile will open automatically, but is also created by default on the C: drive. (C:Rem-VBS.log)
  • When the tool is running, do not use the machine for anything else.
    (it takes about 30 seconds to run)
  • If VBS malware is found, it will be automatically removed and a copy will be placed at C:Rem-VBSqt.
  • Accidentally used an option and want to exit the script? Use CTRL + C to stop it.


You can use this to remedy the following malware:

  • Bladabindi?
  • Excedow
  • Jenxcus
  • Houdini/Dinihu
  • Autorun worms
  • Any other VBS (VBScript) or VBE malware
  • Any other malware that abuses the WSH (Windows Script Host)


Download

Download on BleepingComputer:
Rem-VBSworm 8.0.0 Download






File integrity check:

MD5: 4c37021f17e02fb9fdb7db3287906bd5
SHA1: 7fef4a43f70262710127051778e0a50ec7a94e64

Mirror:
Rem-VBSworm (ZIP file)



Changelog:

07/06/2016 - version 8.0.0:
FIXED: issue when executing from drive other than system drive (option A)
IMPROVED: detection of malicious scheduled tasks (option A)
IMPROVED: detection of certain autorun/VBS worms


11/03/2016 - version 7.0.0:
ADDED: detection of malicious scheduled tasks (option A)
ADDED: malware detected on USB now copied to quarantine (option B)
ADDED: usage information on top of the tool
FIXED: issue launching download of Panda USB Vaccine (option C)
IMPROVED: autorun.inf vaccination on NTFS formatted drives (option B)
IMPROVED: error handling
IMPROVED: log output (should be final now)

23/12/2015 - version 6.0.0:
ADDED: logging of USB device ID
CHANGED: Panda USB vaccine download (now on BleepingComputer)
IMPROVED: log output is now completely streamlined and cleaned
IMPROVED: disabling of WSH on Windows XP (option D)
IMPROVED: scanning time (option A)
IMPROVED: detection of certain autorun/VBS worms

21/10/2015 - version 5.0.0:
ADDED: logging of installed antivirus
ADDED: detection of malicious shortcut links in startup folders
ADDED: malicious VBS files now automatically copied to quarantine for research purposes (on C:Rem-VBSqt)
IMPROVED: handling of files, resulting in a false positive rate of almost zero
IMPROVED: detection of certain malware variants using autorun to spread or hide files
(Fanny worm, Andromeda/Gamarue malware)
IMPROVED: minor code cleanup, minor log output cleanup - greater visibility

21/04/2015 - version 4.0.0.:
ADDED: removal of AutoIT autorun worms
ADDED: version number (in main window and log)
ADDED: option D will now allow you to disable or re-enable the WSH
FIXED: false negative
IMPROVED: option B will now detect if you try to execute on system drive
IMPROVED: log output is cleaned and more streamlined

03/03/2015  - versio 3.0.0.:
ADDED: more information about attached drives & system
ADDED: root contents of removable drive will now be listed
FIXED: false positive
IMPROVED: general improvements

23/04/2014 - version 2.0.0:
First public version
ADDED: detections & disinfections will now be logged
ADDED: all attached drives are now listed
FIXED: False positive on unrelated files
FIXED: Issue with Read-Only files
IMPROVED: Registry fixes
IMPROVED: Scanning time
IMPROVED: Disinfection mechanism for USB-drives

10/12/2013 - version 1.0.0:
Private use only
CREATION



Conclusion

In regards to autorun worms, you should follow these precautions:

  • Install all your Windows Updates.
  • Disable autorun. This should already be done by Windows Update, but if not you can use:
    • Panda USB Vaccine, download from CNET
    • Follow the steps in this Microsoft article (also for companies)
  • Dont simply insert a USB-drive in your machine without knowing who it is from. Found a USB-drive at your parking lot? Yeah, dont even think about it. You might want to read:
    Criminals push malware by losing USB sticks in parking lots
  • You can install and run Script Defender along your antivirus/antimalware product:
    Script Defender by AnalogX
    This will effectively block the execution of malicious scripts like VBS, VBE, HTA, ...
  • If you arent planning on ever using VBscripts at all, or you are not working on a company laptop (which may use scripts!), you can also simply disable the Windows Script Host. You can use option D in my tool.
  • For companies, take a look at this as well:
    Command line process auditing
  • Last but not least, install an Antivirus and update it regularly.


download file now

Comments

Post a Comment

Popular posts from this blog

Top 3 Custom Contact Us Form Widgets for Blogger

Image
Top 3 Custom Contact Us Form Widgets for Blogger Adding Contact Form 1. Log in to Blogger dashboard than go to "Layout" > "Add Widget". 2. Click on "More Widget" below "Basic" Tab on left Side. 3. Add "Contact Form" Widget Hiding Contact Form from Slidebar 1. Go to "Theme" click on "Edit HTML". 2. Click Anywhere & Press "CTRL + F" from "Keyboard" and a Search Box Will be Opened. 3. Paste the Below Code to Find it 4. Paste the Below Code Just Above the Tag (You Search in Last Step) #ContactForm1{display: none !important;} 5. Then Click on "Save Template" Adding Custom Contact Form 1. Go to "Pages" create a new page by click "New Page" 2. Give it any Title you like i.e "Contact Us" or "Contact" etc 3. Click on the "Options" from Right Sidebar & click on "Dont Allow" and "Done" 4. Now, Below there are 3 Custom ...
Read more

Que Whatsapp Descargar Para Ipad

Image
que whatsapp descargar para ipad Aunque esta app no cuenta con una versión para tabletas te contamos cómo instalar whatsapp en ipad si has practicado jailbreaking a la tablet de apple. Descargar whatsapp para apple, descargar whatsapp para ipad, descargar whatsapp para tablet, descargar whatsapp para ipod, descargar whatsapp para iphone, descargar. Whatsapp para ipad - tendrá que abrir cualquiera de los navegadores desde su dispositivo y luego visitar el sitio oficial de whatsapp.. Hay un enlace a “descargar whatsapp” pero enlaza con una web en la que informan de las (ios para ipad, en este caso, ya que soluciona algunos problemas. Facebook compra whatsapp por 16 bilhões de dólares | blog do iphone Gmail”, dependiendo de la aplicación de correo electrónico que ...
Read more

TONELADAS DE FONTES NÃO TESTEI

TONELADAS DE FONTES NÃO TESTEI   recebido por e-mail, desconhe�o a origem.         V�rios links de fontes... 007 Fonts 1001 Fonts 1001 Free Fonts Unrender CGI 4YEO Absolute Fonts Abstract Fonts Acid Fonts AENIGMA Anke-Art Apostrophic Lab Artsy Lady Atomic Media Benfonters Font Page Billy Bears Playground Blambot! Comic Fonts Blue Jay Font Studio Blue Vinyl BTgraphics Chank Cool Archive Cool Fonts Core Corons Homepage Create 8 Cumberland Fontworks Czcionki DaFONT Dennis Palumbo Desperados Font Gallery Dinc Type Dingbat Pages Divide By Zero Dust Bust Elks Font Archive Fairs Fonts Famous Fonts Flat Earth Foam Train Foundry Fontage Font-A-Licious Font-A-Sea Fontasy.de Font Diner Font Emporium Fontes Gratis Font Face Font Fairy Font Flood Font Foundry Font Freak Font Funk Factory Font Guy Font Island Font Mania Font Paradise Font Pool Font Salon Fonts & Things Fonts By Anastacia Fon...
Read more