New Autorun.bat Virus goes undetected by Avast!!!

I have found this Virus recently, apparently widespread by USB Flash memories and diskettes.

There are several files located on the hard drive root like

c:\autorun.bat
c:\autorun.ini
c:\autorun.ini
c:\autorun.ico
c:\autorun.inf
c:\autorun.vbs
c:\autorun.reg

And it loads a process called wscript.exe on the resident memory of the PC.

The thing is, Avast won’t detect it as a virus, but the computer starts acting slow and the right click on the hard drive in My PC gives you something like $%"·$% instead of the common “Open” and “Explore” options.

I had to clean it manually thanks to several reports on spyware websites and forums, but I still think it should be detected by Avast, given that it hides files on the PC and tries to copy itself to any media used for storage.

I tried other antivirus programs to try and clean it, and AVG found it but couldn’t clean it.
Could someone from Avast please say something about this virus?

Can you send the samples to virus@avast.com ?
You can zip and password the files… Inform a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

Are you trying to use two antivirus programs at the same time, or are you talking about AVG Anti-Spyware?

Well, first of all, thanks for the fast answer.

About the sample, the thing is I don’t have it anymore, but I think a friend of mine must have it so I’m going to go hunting for the virus on his PC.

I was talking about AVG AntiVirus. I only use Avast, but given it wasn’t detecting the virus I got curious if any other do.

Then I uninstalled Avast and installed a few other programs. Of these, the only one that detected a virus in the .EXE file was AVG. But since the virus reinfects again if you don’t clean the other files, AVG didn’t succeed in cleaning it.

So I went back to Avast, and had to manually clean it, going into “Safe Mode” on XP and then stopping the wscript process first.

Then checking the option for showing system files in the My PC folders, and then erasing the virus files in the root and in the Windows/System32/ folder.

As soon as I have a sample I will post here :wink:

If a virus is replicant (coming and coming again), you should:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).

  4. Use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

Sending to the Chest is safer than deleting. Take care.

Windows Script Host is a valid process using a file named wscript.exe, but it can be utilized by vbs malware. It runs from C:\windows\system32\

If that’s the location of the file AVG alerts on and no other security program detects anything it could be a false positive on that particular file.

There is a backup of wscript.exe in the dll cache, so Windows would probably replace the file if it’s deleted. This, of course, would look just like a recurring infection if it really was an infection, so be a little careful about what you delete. If you kill both copies you’re out of luck.

EDIT: You can disable Windows Script Host with NoScript

http://www.symantec.com/avcenter/noscript.exe

Thanks for all the advice :wink:

So far, the virus hasn’t come back.

The wscript.exe process in memory is the one that keeps hiding files and reinfecting the disk root.

Like you said, I had to disable System Restore on Win XP and then proceed to search for those same files hiding in at least two other folders on the disk.

The file detected is not wscript.exe but the autorun.exe file of the virus. But if the script keeps running, deleting it or sending it to the virus chest won’t work at all.

I can’t just disable Windows script host because a program I use needs it, I already tried it.

I’m going to send the sample you asked Tech. Password: run

Please, inform it in the email body and not only here.
Maybe a link to this thread will help them too.

Did you follow the other steps of cleaning recurring infections that I’ve posted before?

I used AVG Antispyware and it shows only a few cookies for cleaning.

For now I think everything is clean, thanks for your help :wink:

You’re welcome. Feel free to come back and ask for help or just to share knowledge and experience 8)

I uploaded the virus sample to virustotal and these are the results:

Complete scanning result of “sample.zip”, processed in VirusTotal at 05/09/2007 07:10:33 (CET).

[ file data ]

  • name: sample.zip
  • size: 30409
  • md5.: 8a663b8b83d1b60ed9e342599750ffe9
  • sha1: f43a8aea7cb70d0999488cacb5ddd93de647e10d

[ scan result ]
AhnLab-V3 2007.5.9.0/20070509 found nothing
AntiVir 7.4.0.15/20070508 found nothing
Authentium 4.93.8/20070508 found nothing
Avast 4.7.997.0/20070507 found nothing
AVG 7.5.0.467/20070508 found nothing
BitDefender 7.2/20070509 found nothing
CAT-QuickHeal 9.00/20070508 found nothing
ClamAV devel-20070416/20070509 found nothing
DrWeb 4.33/20070508 found nothing
eSafe 7.0.15.0/20070508 found nothing
eTrust-Vet 30.7.3618/20070508 found [REG/Aurun.A]
Ewido 4.0/20070508 found nothing
F-Prot 4.3.2.48/20070508 found nothing
F-Secure 6.70.13030.0/20070509 found [BAT/Smallworm.NZ]
FileAdvisor 1/20070509 found nothing
Fortinet 2.85.0.0/20070508 found nothing
Ikarus T3.1.1.7/20070509 found [Trojan-PWS.Legmir]
Kaspersky 4.0.2.24/20070509 found nothing
McAfee 5026/20070508 found nothing
Microsoft 1.2503/20070509 found nothing
NOD32v2 2250/20070508 found nothing
Norman 5.80.02/20070508 found [BAT/Smallworm.NZ]
Panda 9.0.0.4/20070508 found nothing
Prevx1 V2/20070509 found nothing
Sophos 4.17.0/20070508 found nothing
Sunbelt 2.2.907.0/20070505 found nothing
Symantec 10/20070509 found nothing
TheHacker 6.1.6.110/20070508 found [Trojan/Small.autorun]
VBA32 3.12.0/20070508 found [Trojan.PWS.Legmir]
VirusBuster 4.3.7:9/20070508 found nothing
Webwasher-Gateway 6.0.1/20070508 found nothing

It all makes sense why this autorun.*** lies undetected by most AVs. There’s only a command to execute wscript.exe or ms32dll.dll.vbs inside it. So this thing is not the real virus. You have to find ms32dll.dll.vbs to get rid of this virus. Delete it or send it to the Chest right after you’ve found it, because within a few seconds it would disappear…

If you’re talking about this: http://www.newsfactor.com/story.xhtml?story_id=020000OTOJHW
then avast detects it starting from April 30th as Win32:VB-DVC

Of course, not the autorun.inf file (which is per se completely benign) but only the body of the worm.

Thanks
Vlk

I understand that the autorun.inf is not really the virus, but if you clean the virus file and let the autorun.inf stay on your hard drive, then you may not be able to access the drive by double-click, because every time you do it there will be a message saying the files are missing; that means the files for the infection aren’t there anymore, so the drive won’t open that way. You have to write the letter (c:) manually in the address bar of My PC to open it.

I’m still having to check every USB memory my friends bring twice before opening, once with Avast and then manually in this virus’s case, because Avast won’t detect any file from the virus, not the .exe or the .vbs files.

By the way, has someone had problems with the “virus of the Wizard”?

It seems that Avast cleans the virus files but the damage in the boot remains. I had to correct it manually for a friend.
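Added example (not code from this thread or from Avast): a small triage script that reads an autorun.inf and reports what Windows would execute or show for it, which is exactly what the previous posts describe: the autorun.inf itself only contains the command that launches wscript.exe with the .vbs, and it can also rewrite the right-click “Open”/“Explore” labels into garbage. The sample autorun.inf below is constructed from the symptoms in this thread, not a captured file; the heuristics (script hosts, script extensions, odd menu labels) are my own assumptions about what a worm of this kind looks like.

```python
import configparser
import re
from pathlib import PureWindowsPath

# Extensions that mean "a script interpreter runs this", not a setup program (assumption)
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}

# Constructed sample modelled on the thread's description (not a real capture)
SAMPLE_AUTORUN_INF = """[autorun]
open=wscript.exe autorun.vbs
shell\\open=$%"·$%
shell\\open\\command=wscript.exe autorun.vbs
shell\\explore=Explore
shell\\explore\\command=wscript.exe autorun.vbs
icon=autorun.ico
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict (keys lowercased), or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp[section])
    return None


def launch_commands(entries):
    """Directives that make Explorer run something: open=, shellexecute=, shell\\<verb>\\command=."""
    cmds = {}
    for key, value in entries.items():
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            cmds[k] = value
    return cmds


def shell_labels(entries):
    """shell\\<verb>= lines replace the text of the right-click menu entries."""
    return {k.lower(): v for k, v in entries.items()
            if k.lower().startswith("shell\\") and not k.lower().endswith("\\command")}


def classify_command(command):
    """Heuristic: flag commands that start a script host or name a script file."""
    tokens = command.strip().split()
    if not tokens:
        return "empty"
    exe = PureWindowsPath(tokens[0]).name.lower()
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"launches script host {exe}")
    for tok in tokens:
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTENSIONS:
            reasons.append(f"references script file {tok}")
    return "; ".join(reasons) if reasons else "ordinary executable"


def triage(text):
    """Summarise an autorun.inf: every launch directive that looks script-driven,
    plus every menu label that is not plain words (the $%"·$% symptom)."""
    entries = parse_autorun(text)
    if entries is None:
        return {"has_autorun": False, "findings": []}
    findings = []
    for key, cmd in launch_commands(entries).items():
        verdict = classify_command(cmd)
        if verdict != "ordinary executable":
            findings.append((key, cmd, verdict))
    for key, label in shell_labels(entries).items():
        if not re.fullmatch(r"[\w &/]+", label):
            findings.append((key, label, "suspicious menu label"))
    return {"has_autorun": True, "findings": findings}


if __name__ == "__main__":
    for key, value, why in triage(SAMPLE_AUTORUN_INF)["findings"]:
        print(f"{key:<22} {value:<26} {why}")
```

Run it against the autorun.inf on a suspect USB stick (copy the file off with hidden/system attributes visible first); a clean vendor autorun.inf normally has an `open=` pointing at a setup .exe and no `shell\` label rewrites.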

The solution to this problem:

Create a bat file and then run it:

@echo off
cls
echo POWERED BY EDUARD BUKAKE and K@SPER. ALL RIGHTS RESERVED 2007 year.
pause

REM Stop the script host first, otherwise the worm restores its files while we delete them
TASKKILL /F /IM wscript.exe

REM Build a .reg file that resets the Winlogon Userinit value the worm hijacks.
REM REGEDIT4 format needs the key on its own line and the value on the next line,
REM with straight ASCII quotes. The redirection goes first on the header line so
REM that "4>" is not read as a file-handle redirection.
>regdel.reg ECHO REGEDIT4
ECHO.>>regdel.reg
ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>regdel.reg
REM Userinit value as the poster gave it (no full path)
ECHO "Userinit"="userinit.exe">>regdel.reg

REM Import silently; running regdel.reg on its own only opens a confirmation prompt
regedit /s regdel.reg

REM Remove the ShowSuperHidden override so "Show hidden files" works again
REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /f

REM Delete the autorun.* droppers from every drive root (/A also matches hidden and system files)
DEL /F /Q /A C:\autorun.*
DEL /F /Q /A D:\autorun.*
DEL /F /Q /A E:\autorun.*
DEL /F /Q /A F:\autorun.*
DEL /F /Q /A G:\autorun.*
DEL /F /Q /A H:\autorun.*
DEL /F /Q /A I:\autorun.*
DEL /F /Q /A J:\autorun.*

DEL /F /Q /A %SYSTEMROOT%\system32\autorun.*

DEL /F /Q /A regdel.reg

pause
exit

Kasper,

Should you specify the path to userinit.exe in this line?

ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit"="userinit.exe"

I think if Windows is unable to find the file it will not get past the welcome screen. Since the path differs for each version of Windows would a unique reg file be needed for each OS?

I am not an expert on reg files at all but I would refrain from using this for now.
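Added example (not code from this thread): the concern in the previous reply is that a wrong Userinit value stops Windows from getting past the welcome screen, while a worm of this kind hijacks the same value to start itself at logon. The script below checks a Userinit string the way an admin would after exporting it with `reg query`, and builds a correctly escaped REGEDIT4 file for restoring it. It assumes the stock value on XP is `<SystemRoot>\system32\userinit.exe,` (full path, trailing comma); it does not touch the registry itself, so it runs anywhere.

```python
from pathlib import PureWindowsPath

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def expected_userinit(system_root=r"C:\WINDOWS"):
    """Stock Userinit value (assumption: full path to userinit.exe plus a trailing comma)."""
    return system_root.rstrip("\\") + r"\system32\userinit.exe,"


def check_userinit(value, system_root=r"C:\WINDOWS"):
    """Split the comma-separated Userinit value and report every entry that is not
    userinit.exe from the expected system32 directory. Returns (ok, issues)."""
    issues = []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return False, ["Userinit is empty: logon would fail"]
    stock = PureWindowsPath(system_root) / "system32" / "userinit.exe"
    for entry in entries:
        exe = entry.split()[0].strip('"')
        path = PureWindowsPath(exe)
        if path.name.lower() != "userinit.exe":
            # Anything else listed here runs at every logon: classic persistence spot
            issues.append(f"extra program in Userinit: {entry}")
        elif not path.is_absolute():
            issues.append(f"userinit.exe given without full path: {entry}")
        elif str(path).lower() != str(stock).lower():
            issues.append(f"userinit.exe from unexpected location: {entry}")
    return (not issues), issues


def reg_file_for_userinit(value):
    """Render a REGEDIT4 file that sets Userinit to `value`.
    Backslashes inside .reg string data must be doubled."""
    escaped = value.replace("\\", "\\\\")
    return (
        "REGEDIT4\r\n\r\n"
        f"[{WINLOGON_KEY}]\r\n"
        f'"Userinit"="{escaped}"\r\n'
    )


if __name__ == "__main__":
    # Constructed values: the stock one, and one with a script host appended by a worm
    for sample in (expected_userinit(),
                   expected_userinit() + r"C:\WINDOWS\system32\wscript.exe C:\autorun.vbs"):
        ok, issues = check_userinit(sample)
        print("OK " if ok else "BAD", sample, issues)
    print(reg_file_for_userinit(expected_userinit()))
```

On a live machine, get the current value with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit`, paste it into `check_userinit`, and only import a restore file whose path matches the `userinit.exe` actually present under `%SystemRoot%\system32`.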