May 01

Hi all,

I’m back with yet another pesky little malicious program, which none of the antiviruses seem to pick up. Some antivirus programs detect this virus as a version of the infamous Autoit worm. But this one seems like a very primitive attempt at a virus - and I’m still not sure what negative things it does, other than making your computer slow.

Symptoms

  • Cannot directly double click and enter any drive (especially USB drives)
  • Computer slows down
  • An unknown "wscript.exe" or "monit.exe" or "scvhost.exe" in your Task Manager processes
  • A hidden MSwin32.dll.vbs and autorun.inf files in every drive
  • "We want Avnish sir back" in the Internet Explorer title space

If you have experienced any of the above problems, you have this little jerk on board your system.

What does it do?

  • Makes it impossible to access the drives directly, i.e. you cannot enter a drive by double clicking on its icon in My Computer. If it does open, it opens in a new window.
  • Makes your system slow.

Files involved

  1. MSwin32.dll.vbs and autorun.inf in every drive
  2. wscript.exe and monit.exe (and sometimes, scvhost.exe) in C:\Windows
  3. 4 registry keys

Removal

The removal of this virus is simple. However, please note that this virus most often appears in tandem with another virus which creates .exe files inside a folder, with the same name as the folder. To remove that virus, check out the And Back Up blog after you’re done with this removal.

  1. Fire up your Task Manager (Alt+Ctrl+Del) and end the processes wscript.exe and monit.exe.
  2. Open Folder Options (My Computer>Tools>Folder Options>View) and -
    > Enable Show hidden files and folders
    > Uncheck Hide extensions for known file types
    > Uncheck Hide protected operating system files
    Click OK.
  3. Go to each drive (C, D, E etc.) and delete (Shift+Delete and OK) the hidden files MSwin32.dll.vbs and autorun.inf. DO NOT insert your USB drive now. Finish the entire Removal procedure, do the Immunisation (given below) and THEN do this step (i.e. Step 3) for your USB drive (also Digicam, Mobile Phones, iPods, Music Players etc.).
  4. Open Registry Editor (Start>Run>regedit>OK) and delete the following keys -
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\monit

    Then, browse to the key
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    and double click on the key Window Title. Change the value of that key to "Microsoft Internet Explorer" (without the quotes :P).

Yup, that’s it :)
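
A read-only check for the indicators listed above, useful before removal and again afterwards to confirm nothing was missed. This is an added example, not part of the original post: the script and its helper name Add-Finding are hypothetical, while the file, process and registry names are the ones the post gives.

```powershell
# Added example: read-only audit for the indicators listed in this post.
# It reports findings only; nothing is deleted or modified.
function Add-Finding($Check, $Item, $Detail) {   # hypothetical helper name
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail }
}

$findings = @(
    # Hidden MSwin32.dll.vbs / autorun.inf in the root of every drive.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($name in 'MSwin32.dll.vbs', 'autorun.inf') {
            $path = Join-Path $drive.Root $name
            # -Force makes hidden and system files visible to Get-Item.
            $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if ($file) {
                # A 0-byte, read-only autorun.inf matches the Immunisation step.
                Add-Finding 'Drive root file' $file.FullName "$($file.Attributes); $($file.Length) bytes"
            }
        }
    }
    # Executables the post places directly in the Windows directory.
    foreach ($name in 'wscript.exe', 'monit.exe', 'scvhost.exe') {
        $path = Join-Path $env:windir $name
        if (Test-Path -LiteralPath $path) { Add-Finding 'File in Windows directory' $path '' }
    }
    # Run entries named in the post.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in 'wscript', 'monit') {
        if ($run -and $run.PSObject.Properties[$name]) {
            Add-Finding 'Run entry' "$runKey\$name" ($run.$name)
        }
    }
    # Internet Explorer title that differs from the value the post restores.
    $ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $title = (Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue).'Window Title'
    if ($title -and $title -ne 'Microsoft Internet Explorer') {
        Add-Finding 'IE window title' "$ieKey\Window Title" $title
    }
    # Running processes with the names from the Symptoms list.
    foreach ($proc in Get-Process -Name wscript, monit, scvhost -ErrorAction SilentlyContinue) {
        Add-Finding 'Running process' "$($proc.Name) (PID $($proc.Id))" $proc.Path
    }
)

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No indicators from this post were found.' }
```

A wscript.exe process can be the legitimate Windows Script Host, and an autorun.inf on an installer disc is normal, so treat each row as something to inspect rather than as proof of infection.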

 

Immunisation

Since this is a stupid little virus, it’s pretty easy to immunise yourself from it. And it’s pretty simple. Make a blank text file named autorun and change its file extension to .inf. (If you can’t see the file extension, repeat Step 2 given above.) Now right click the autorun.inf file and check the option which says Read Only, and click OK.

You might also download and run the Symantec NoScript plugin - it disables all VBScripts on your system - making you less susceptible to viruses.

 

I still haven’t found out what great damage this virus does. Hopefully, the antiviruses will start picking up this creeper! Oh by the way, thanks to And Back Up blog for helping me out with removing the virus from my system - but many of his instructions do not work / are not foolproof / are not necessary. His removal program also does not work :(. And he provided the Symantec NoScript tip :)
