Wilders Security Forums  

Posted December 8th, 2002, 12:29 PM by Technodrome (Global Moderator)

JS_VEREN.A

TrendMicro

Description:

This JavaScript malware behaves like a worm and executes on all Windows platforms. It uses Mail Application Program Interface applications to propagate via email and network shared drives. It sends email messages to all email addresses listed in the nearest active server of the network where the infected system is connected. The details of the email it sends are as follows:

Subject: (this could be any of the following)
Hello "+EmailUsers+"!
Hey "+EmailUsers+"!
Fwd: Hey You!
Fwd: Check this!
Fwd: Just Look
Fwd: Take a look!
EmailUsers+"!
Fwd: Loop at this!
Fwd: Check this out!
Fwd: It's Free!
Fwd: Look!
Fwd: Free Mp3s!
Fwd: Here you go!
Fwd: Have a look!
Look "+EmailUsers+"!"
Fwd: Read This!

Message Body: Hello!

Check out this great list of mp3 sites that I included in the attachments!
I can get any Mp3 file that I want from these sites, and its free! And please don't be greedy! forward this email to all the people that you consider friends, and Let them benefit from these Mp3 sites aswell!

Enjoy!

Attachments: (It could use any of these file names)
Free_Mp3s.js
Fwd_Mp3s.js
Mp3_Sites.js
Mp3_Web.js
Mp3_List.js
Mp3_Pages.js
Web_Mp3s.js
Mp3-Sites.js
Fwd-Mp3s.js
Mp3-Fwd.js
Fwd-Sites.js

"+EmailUsers+" is an email address from the Address Book on the infected system.
In the network to which the infected system is connected, it searches for shared drives. It copies itself to a TEMPORARY.JS file in every shared drive it finds.

Solution:
Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as JS_VEREN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup. In this procedure, you will need the name(s) of the file(s) detected earlier.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then hit the Enter key.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
In the right panel, locate and delete this registry entry, if it exists:
JSCmd32= "Wscript.exe %SYSTEM%\CmdWsh32.js %1"
If you do not find the above entry, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
and in the right panel, locate and delete this registry entry instead:
JSCmd32= "Wscript.exe %SYSTEM%\CmdWsh32.js %1"

In the left panel, proceed to the registry below:
HKEY_CLASSES_ROOT>txtfile>shell>open>command
Replace this value:
"Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
with this value:
"C:\WINDOWS\NOTEPAD.EXE %1"

In the left panel, double-click the following:
HKEY_CLASSES_ROOT>JSFile>Shell>Open>Command
Replace this value:
"Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
with this value:
"C:\WINDOWS\WScript.exe "%1" %*"

In the left panel, double-click the following:
HKEY_CLASSES_ROOT>scrfile>shell>open>command
Replace this value:
"Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
with this value:
""%1" /S"

In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>CLASSES>txtfile>shell>open>command
Replace this value:
"Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
with this value:
"C:\WINDOWS\NOTEPAD.EXE %1"

In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>CLASSES>JSFile>Shell>Open>Command
Replace this value:
"Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
with this value:
"C:\WINDOWS\WScript.exe "%1" %*"

In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>CLASSES>scrfile>shell>open>command
Replace this value:
"Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
with this value:
""%1" /S"

In the left panel, double-click the following:
HKEY_CURRENT_USER>Software
Locate and delete this entry:
Never "@" = "Never by Zed/[rRlf]"
In the left panel, double-click the following:
HKEY_USERS>.DEFAULT>Software
Locate and delete this entry:
Never "@" = "Never by Zed/[rRlf]"
Close Registry Editor.

http://www.trendmicro.com


Technodrome
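As an added check that is not part of the TrendMicro writeup or this post: the script below parses a constructed .reg-style export and flags the entries the removal procedure above names (the JSCmd32 autostart value, txtfile/JSFile/scrfile open handlers pointing at CmdWsh32.js, and the Never key), reporting the restore action for each. The sample export and its layout of Never as a subkey under Software are assumptions made for the example.

```python
# Constructed sample (not a real capture): a .reg-style export of the keys the
# advisory lists, with the values it describes. scrfile is left clean on purpose.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"JSCmd32"="Wscript.exe C:\\WINDOWS\\SYSTEM\\CmdWsh32.js %1"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="Wscript.exe C:\\WINDOWS\\SYSTEM\\CmdWsh32.js %1"
[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="Wscript.exe C:\\WINDOWS\\SYSTEM\\CmdWsh32.js %1"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
[HKEY_CURRENT_USER\Software\Never]
@="Never by Zed/[rRlf]"
'''
# Clean handlers the advisory says to restore, keyed by file class (lowercased).
RESTORE = {
    "txtfile": 'C:\\WINDOWS\\NOTEPAD.EXE %1',
    "jsfile": 'C:\\WINDOWS\\WScript.exe "%1" %*',
    "scrfile": '"%1" /S',
}

def parse_reg(text):
    """Return {key path (lowercased): {value name: data}} from .reg-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            # Undo .reg escaping: surrounding quotes, then \" and \\ inside.
            data = data.strip().strip('"').replace('\\"', '"').replace('\\\\', '\\')
            keys[current][name.strip('"')] = data
    return keys

def find_indicators(keys):
    """Return (key, value name, data, action) for every entry the advisory names."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            action = None
            if name.lower() == "jscmd32" and key.endswith(("\\run", "\\runservices")):
                action = "delete value"  # autostart entry
            elif "cmdwsh32.js" in data.lower() and key.endswith("\\open\\command"):
                cls = key.split("\\")[-4]  # ...\<class>\shell\open\command
                action = "restore to " + RESTORE.get(cls, "<default handler>")
            elif key.endswith("\\software\\never"):
                action = "delete key"  # marker key described in the advisory
            if action:
                findings.append((key, name, data, action))
    return findings
```

Run it against a real export (REGEDIT's export function) to get a checklist of what the procedure above still needs to touch; the clean scrfile handler in the sample shows that an already-restored key is not reported.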