JS_VEREN.A

Discussion in 'malware problems & news' started by Technodrome, Dec 8, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    TrendMicro

    Description:

    This Java Script malware behaves like a worm and executes on all Windows platforms. It uses Mail Application Program Interface applications to propagate via email and network shared drives. It sends email messages to all email addresses listed in the nearest active server of the network where the infected system is connected. The details of the email it sends are as follows:

    Subject: (this could be any of the following)
    Hello "+EmailUsers+"!
    Hey "+EmailUsers+"!
    Fwd: Hey You!
    Fwd: Check this!
    Fwd: Just Look
    Fwd: Take a look!
    EmailUsers+"!
    Fwd: Loop at this!
    Fwd: Check this out!
    Fwd: It's Free!
    Fwd: Look!
    Fwd: Free Mp3s!
    Fwd: Here you go!
    Fwd: Have a look!
    Look "+EmailUsers+"!"
    Fwd: Read This!

    Message Body: Hello!

    Check out this great list of mp3 sites that I included in the attachments!
    I can get any Mp3 file that I want from these sites, and its free! And please don't be greedy! forward this email to all the people that you consider friends, and Let them benefit from these Mp3 sites aswell!

    Enjoy!

    Attachments: (It could use any of these file names)
    Free_Mp3s.js
    Fwd_Mp3s.js
    Mp3_Sites.js
    Mp3_Web.js
    Mp3_List.js
    Mp3_Pages.js
    Web_Mp3s.js
    Mp3-Sites.js
    Fwd-Mp3s.js
    Mp3-Fwd.js
    Fwd-Sites.js

    "+EmailUsers+” is an email address from the Address Book on the infected system.
    In the network where the infected system is connected to, it searches for shared drives. It copies itself to a TEMPORARY.JS file in every shared drive it finds.

    Solution:



    Identifying the Malware Program

    Before proceeding to remove this malware, first identify the malware program.

    Scan your system with Trend Micro antivirus and NOTE all files detected as JS_REVEN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    Removing Autostart Entries from the Registry

    Removing autostart entries from registry prevents the malware from executing during startup. In this procedure, you will need the name(s) of the file(s) detected earlier.

    Open Registry Editor. To do this, click Start>Run, type REGEDIT, then hit the Enter key.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
    In the right panel, locate and delete this registry entry, if it exists:
    JSCmd32= "Wscript.exe %SYSTEM%\CmdWsh32.js %1"
    If you do not find the above entry, double click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run

    and in the right panel, locate and delete this registry entry instead:
    JSCmd32= "Wscript.exe %SYSTEM%\CmdWsh32.js %1"

    In the left panel, proceed to the registry below:
    HKEY_CLASSES_ROOT>txtfile>shell>open>command
    Replace this value:
    "Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
    with this value:
    "C:\WINDOWS\NOTEPAD.EXE %1"

    In the left panel, double click the following:
    HKEY_CLASSES_ROOT>JSFile>Shell>Open>Command
    Replace this value:
    "Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
    with this value :
    "C:\WINDOWS\WScript.exe "%1" %*"

    In the left panel, double click the following:
    HKEY_CLASSES_ROOT>scrfile>shell>open>command
    Replace this value:
    "Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
    with this value:
    ""%1" /S"

    In the left panel, double click the followin g:
    HKEY_LOCAL_MACHINE>SOFTWARE>CLASSES>
    txtfile>shell>open>command
    Replace this value:
    "Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
    with this value :
    "C:\WINDOWS\NOTEPAD.EXE %1"

    In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>CLASSES>JSFile>
    Shell>Open>Command
    Replace this value:
    "Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
    with this value:
    "C:\WINDOWS\WScript.exe "%1" %*"

    In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>CLASSES>scrfile>
    shell>open>command
    Replace this value:
    "Wscript.exe C:\WINDOWS\SYSTEM\CmdWsh32.js %1"
    with this value:
    ""%1" /S"

    In the left panel, double click the following:
    HKEY_CURRENT_USER>Software>
    Locate and delete this entry:
    Never “@” = "Never by Zed/[rRlf]"
    In the left panel, double click the following:
    HKEY_USERS>.DEFAULT>Software
    Locate and delete this entry:
    Never
    “@” = "Never by Zed/[rRlf]"
    Close Registry Editor.

    http://www.trendmicro.com


    Technodrome
     
    Technodrome, Dec 8, 2002
    #1
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...