May 01

Hi all,

I’m back with yet another pesky little malicious program, which none of the antiviruses seem to pick up. Some antivirus programs detect this virus as a version of the infamous Autoit worm. But this one seems like a very primitive attempt at a virus - and I’m still not sure what negative things it does, other than making your computer slow.

Symptoms

  • Cannot directly double click and enter any drive (especially USB drives)
  • Computer slows down
  • An unknown "wscript.exe", "monit.exe" or "scvhost.exe" in your Task Manager processes
  • A hidden MSwin32.dll.vbs and autorun.inf files in every drive
  • "We want Avnish sir back" in the Internet Explorer title space

If you have experienced any of the above problems, you have this little jerk on board your system.

What does it do?

  • Makes it impossible to access the drives directly, i.e. you cannot enter a drive by double clicking its icon in My Computer. If it does open, it opens in a new window.
  • Makes your system slow.

Files involved

  1. MSwin32.dll.vbs and autorun.inf in every drive
  2. wscript.exe and monit.exe (and sometimes, scvhost.exe) in C:\Windows
  3. 4 registry keys

Removal

The removal of this virus is simple. However, please note that this virus most often appears in tandem with another virus which creates .exe files inside a folder, with the same name as the folder. To remove that virus, check out the And Back Up blog after you’re done with this removal.

  1. Fire up your Task Manager (Alt+Ctrl+Del) and end the processes wscript.exe and monit.exe.
  2. Open Folder Options (My Computer>Tools>Folder Options>View) and -
    • Enable Show hidden files and folders
    • Uncheck Hide extensions for known file types
    • Uncheck Hide protected operating system files
    Click OK.
  3. Go to each drive (C, D, E etc.) and delete (Shift+Delete and OK) the hidden files MSwin32.dll.vbs and autorun.inf. DO NOT insert your USB drive now. Finish the entire Removal procedure, do the Immunisation (given below) and THEN do this step (i.e. Step 3) for your USB drive (also Digicam, Mobile Phones, iPods, Music Players etc.).
  4. Open Registry Editor (Start>Run>regedit>OK) and delete the following Run entries -
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\monit

    Then browse to the key
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    and double click on the value Window Title. Change its data to "Microsoft Internet Explorer" (without the quotes :P).

Yup, that's it :)

 

Immunisation

Since this is a stupid little virus, it's pretty easy to immunise yourself from it. Make a blank text file named autorun and change its file extension to .inf (if you can’t see the file extension, repeat Step 2 given above). Now right click the autorun.inf file, check the option which says Read Only, and click OK.

You might also download and run the Symantec NoScript plugin, which disables all VBScripts on your system, making you less susceptible to viruses of this kind.
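As an added example (not part of the original post), here is a small Python triage routine for the autorun.inf mechanism this worm abuses: it parses an autorun.inf body, flags the directives that make Windows run something when a drive is opened, and separately flags those that hand control to the Windows Script Host or a script file like MSwin32.dll.vbs. The sample autorun.inf bodies are constructed from the symptoms described above, not captured from the worm.

```python
import re
from typing import List

# Directives that make Windows run something when a drive is opened or double-clicked,
# which is exactly how the hidden autorun.inf hands control to MSwin32.dll.vbs.
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}

# A script host or script file in an autorun directive is the tell: vendor discs
# launch setup programs, not wscript/cscript or .vbs files.
SCRIPT_HINTS = re.compile(r"\b[wc]script(\.exe)?\b|\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)

# Constructed sample modelled on the behaviour described in the post (not a capture).
SAMPLE_AUTORUN = """[autorun]
open=wscript.exe MSwin32.dll.vbs
shell\\open\\Command=wscript.exe MSwin32.dll.vbs
shell\\explore\\Command=wscript.exe MSwin32.dll.vbs
"""

# Constructed benign sample: a vendor disc that only sets an icon and a label.
BENIGN_AUTORUN = "[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Disc\r\n"


def triage_autorun(text: str) -> List[str]:
    """Return findings for one autorun.inf body; an empty list means nothing executes."""
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("["):                      # section header
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in EXEC_KEYS:
            continue                                  # icon=, label= etc. are harmless
        if SCRIPT_HINTS.search(value):
            findings.append(f"{key} runs a script: {value}")
        else:
            findings.append(f"{key} launches: {value}")
    return findings


if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN):
        print("SUSPICIOUS:", finding)
    print("benign findings:", triage_autorun(BENIGN_AUTORUN))
```

Run it against the autorun.inf you find in a drive root before deleting it; an empty result for the blank immunisation file confirms there is nothing left for the worm to hook.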

 

I still haven’t found out what great damage this virus does. Hopefully, the antiviruses will start picking up this creeper! Oh by the way, thanks to And Back Up blog for helping me out with removing the virus from my system - but many of his instructions do not work / are not foolproof / are not necessary. His removal program also does not work :(. And he provided the Symantec NoScript tip :)


Jan 18

Hi all,
There has been a mail circulating with the title “must see slideshow ….world is ending” and the mail body goes like this -

As per Nostradamus world will end in 2012 and the start of the end is march 2008, look at the slide show to unreveal the future events. click on the link below and login with your gmail.
http://www.freewebs.com/venkateshshenoi/index.html
regards

    Do not click on the link
    Do not provide your email id or password in the fields on the site, if at all you open the site

This is a phishing attempt against your Google account. It looks like the popular Google owned social networking website Orkut and asks for your Google account id and password to log in. Even the mail says “login with your gmail”. Once you enter your email and password, you are redirected to a page which looks like the Orkut-About Us page. And the information you provide (email and password) is sent to this guy’s email address.

Since I whole heartedly disagree with such stupid, hopeless and desperate phishing attempts, I hereby declare this phisher’s email address for public abuse :) :D

The email id of this phisher is kart_willshire@yahoo.com

This can be obtained by viewing the page source code.

Feel free to hurl abuses at him :) Also hoping that a few thousand spam bots will gather his email address from here.

Anyway, I’ve already reported this site to a few anti-phishing directories, and Google. Hopefully, his site will be removed in a couple of days. But until then, please spread this message. Stumble and Digg :)


Jan 09

Files missing?
My Computer not opening?
Programs not opening?
Installations not occurring?
Task Manager not opening?
System deadly slow?

If your case matches the conditions given above, in all probability you’ve got the Autoit.BD worm, better known by a file it deposits in your C:\ drive, Funny UST Scandal.avi.exe. Pretty annoying. Almost nothing you can do. Only NOD32 v3 with updates can detect this troublemaker worm. Kaspersky can detect it, but cannot remove it. AVG, Norton and Avast! don’t even detect the virus.

Wait! Don’t format your system yet! It's a pretty simple virus to remove, and won’t take more than 10 minutes. It is recommended that you start up in Safe Mode before you do the following steps to remove the virus -

[scroll down for a file which automates all this]

    1. Download and install TaskKiller (326 KB freeware). We’re doing this because we need to remove a few tasks running, and Windows Task Manager (Alt + Ctrl + Del) gets killed by the virus
    2. Run Task Killer, and a red skull icon will appear on the system tray
    3. Left click it, and click Processes
    4. Select to kill these processes -
      • killer.exe
      • lsass.exe
      • smss.exe
    5. Now open up Command Prompt (Start>Run>command). Type each command and press Enter to run it -
      • cd\
      • attrib -h -s smss.exe
      • attrib -h -s autorun.inf
        [NOTE : Type each command exactly as its given here]
    6. Open My Computer and go to C:\ or whichever partition in which you’ve installed Windows.
    7. Delete the following files -
      • smss.exe
      • autorun.inf
      • Funny UST Scandal.avi.exe
    8. Go to Command Prompt again. Run this command -
      • attrib -h -s smss.exe
    9. Go to C:\Windows or wherever else you’ve installed Windows, and delete the file smss.exe.
    10. Now, go to C:\Documents and Settings\All Users\Start Menu\Programs\Startup and delete the file lsass.exe.
    11. Open Registry Editor (Start>Run>regedit)
    12. In the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, delete the shell entry that points to killer.exe
    13. In the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, delete the runonce entry that points to c:\windows\smss.exe
    14. You’re done!

 

OR, you can just download a remover file : Download Autoit.BD remover

  • After downloading, unzip, and run the exe file.
  • Then, do the steps 11, 12 and 13 as mentioned above.
  • You’re done :)
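As an added example (not part of the original post or the remover file), the following Python routine checks the autostart locations steps 10 to 13 walk through: it flags a Winlogon Shell that is no longer explorer.exe, and flags real Windows process names such as smss.exe or lsass.exe when they start from anywhere other than System32. The registry entries and Startup-folder listing are constructed to mirror the post, not read from a live machine.

```python
from pathlib import PureWindowsPath
from typing import List, Sequence, Tuple

# Constructed autostart entries (key, value name, data) shaped like the ones the post
# removes, plus a normal vendor entry for contrast. Not read from a real registry.
SAMPLE_ENTRIES: Sequence[Tuple[str, str, str]] = [
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "killer.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "runonce", r"c:\windows\smss.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", r'"C:\Program Files\Vendor\upd.exe" /quiet'),
]
# Constructed Startup-folder listing, the other autostart location the post uses.
SAMPLE_STARTUP = [r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe"]

# Real Windows component names that the worm reuses; the genuine copies live under
# System32 (or SysWOW64), so the same name anywhere else deserves a look.
SYSTEM_NAMES = {"smss.exe", "lsass.exe", "csrss.exe", "services.exe", "svchost.exe", "wscript.exe"}
SYSTEM_DIRS = {"system32", "syswow64"}


def executable_of(data: str) -> PureWindowsPath:
    """Pull the program path out of a command line, honouring a quoted path with spaces."""
    data = data.strip()
    if data.startswith('"') and '"' in data[1:]:
        return PureWindowsPath(data[1:data.index('"', 1)])
    return PureWindowsPath(data.split()[0]) if data else PureWindowsPath("")


def in_system_dir(path: PureWindowsPath) -> bool:
    return any(part.lower() in SYSTEM_DIRS for part in path.parts)


def triage_autostarts(entries, startup_files) -> List[str]:
    """Flag a replaced Winlogon shell and system-process names running from odd places."""
    findings = []
    for key, name, data in entries:
        exe = executable_of(data)
        if key.lower().endswith("\\winlogon") and name.lower() == "shell":
            if exe.name.lower() != "explorer.exe":    # the only legitimate shell here
                findings.append(f"Winlogon Shell replaced by {data}")
        elif exe.name.lower() in SYSTEM_NAMES and not in_system_dir(exe):
            findings.append(f"{key}\\{name} starts {exe.name} outside System32: {data}")
    for path in startup_files:
        if PureWindowsPath(path).name.lower() in SYSTEM_NAMES:
            findings.append(f"system process name in Startup folder: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage_autostarts(SAMPLE_ENTRIES, SAMPLE_STARTUP):
        print("SUSPICIOUS:", finding)
```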

Thanks to fs6519 for recommending these steps, and making the remover file.

I hope that this post was useful. Cheers :)
