Possible new virus for Windows (cool.vbs)

Has anyone seen this new virus (cool.vbs)?

Avast can't detect this. AVG, MS Defender and other free antivirus products can't detect it either.

The major symptom is that on every infected removable drive (HD or pendrive) the original file is hidden and a link (*.lnk) with the same filename is created. These links point to "wbscript /b cool.vbs & originalfile.ext"... it appears that when the user clicks on the link, they execute the cool.vbs script.

The script itself adds a few keys to the Windows registry to autostart on OS startup. It also copies itself to C:\Users\<username>\AppData\Roaming for every user on the computer.

*** Internal Information ***
This virus appears to build a single long string with a modified base64 encoding. After decoding it, I can see the script sends some information to an HTTP server named "bog5151.zapto.org" on port 991.
The information is collected using WMI services (like "set colitems = objwmiservice.execquery("select * from win32_operatingsystem",48)").

*** Objective ***
I spent a few hours getting rid of this worm. Please include it in the next VPS.

I'm providing a copy of the virus script in txt format.

**** PLEASE, DO NOT RUN THIS. ****
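An added example, not code from the thread or from any of the tools mentioned in it: a PowerShell triage script that looks for the symptoms the first post describes (same-named .lnk files on removable drives that launch cool.vbs, originals with the Hidden attribute set, and the HKCU Run value and Startup copy) and, only with -Remediate, removes the links, clears the Hidden/System attributes and deletes the autostart entries. The script name, the Run key path and the Startup folder are assumptions from the post and the FRST logs below; adjust $VbsName if the sample on your machine uses a different name.

```powershell
# Added example (not from the thread). Run as the affected user; -Remediate
# is required before anything is changed. Assumes the worm behaves as the
# first post describes; $VbsName is a placeholder you may need to adjust.
param(
    [string]$VbsName = 'cool.vbs',
    [switch]$Remediate
)

$shell = New-Object -ComObject WScript.Shell
$hideBits = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# Removable (2) and fixed (3) drives other than the system drive; external
# HDDs commonly report DriveType 3, so both types are checked.
$drives = Get-CimInstance Win32_LogicalDisk |
    Where-Object { $_.DriveType -in 2, 3 -and $_.DeviceID -ne $env:SystemDrive }

foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    # Shortcuts whose target/arguments reference the worm script
    Get-ChildItem -Path $root -Filter *.lnk -File -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match [regex]::Escape($VbsName)) {
            Write-Output "[!] $($_.FullName) -> $cmd"
            if ($Remediate) { Remove-Item -LiteralPath $_.FullName -Force }
        }
    }
    # The worm hides the originals; report them and optionally unhide them
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $hideBits) -and $_.Name -ne $VbsName } |
        ForEach-Object {
            Write-Output "[i] hidden item: $($_.FullName)"
            if ($Remediate) { $_.Attributes = $_.Attributes -band (-bnot $hideBits) }
        }
    if ($Remediate) {
        Remove-Item -LiteralPath (Join-Path $root $VbsName) -Force -ErrorAction SilentlyContinue
    }
}

# Persistence seen in the FRST logs in this thread: HKCU Run value and Startup copy
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ("$($p.Value)" -match [regex]::Escape($VbsName)) {
            Write-Output "[!] Run value '$($p.Name)' = $($p.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $p.Name }
        }
    }
}
$startupCopy = Join-Path ([Environment]::GetFolderPath('Startup')) $VbsName
if (Test-Path -LiteralPath $startupCopy) {
    Write-Output "[!] Startup copy: $startupCopy"
    if ($Remediate) { Remove-Item -LiteralPath $startupCopy -Force }
}
```

Run it once without -Remediate to review what it found, then again with -Remediate; the HKLM Run value shown in the second FRST log requires an elevated prompt and is not handled here.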

NEVER put a link/code to (possible) malware on this webboard.
Submit it to AVAST

https://www.virustotal.com/ru/file/1dc3e72d90ae4047745a485ff4bc4cde57166e7f12f3491eb4ef154d81762735/analysis/1380957560/

Install MCShield. http://www.mcshield.net

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Dear all,

I have this problem too…
I partially fixed it with this tool: http://www.4shared.com/file/3z2l8mtv/PW_Clean_-_106_-_Atalhos.html
It removes the links from the USB and says that it fixes the PC... but after a reboot it looks like the virus is still there...

It would be very nice if Avast could detect it, because this virus is very annoying...
Attached are the files argus asked for!

Thank you!
Regards,

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
HKCU\...\Run: [COOL] - C:\Users\barbieri\AppData\Roaming\COOL.vbs [167773 2013-08-21] ()
MountPoints2: {1591de38-1c3d-11e2-9fe1-0023148d0d5c} - G:\AutoRun.exe
MountPoints2: {1591de46-1c3d-11e2-9fe1-d8d38530e9a4} - G:\AutoRun.exe
MountPoints2: {472ef9ca-e166-11e1-9c41-d8d38530e9a4} - G:\application\Setup.exe
MountPoints2: {59e17892-c9bf-11e0-ba2c-0023148d0d5c} - G:\AutoRun.exe
MountPoints2: {cfd1e96f-c997-11e0-bdae-0023148d0d5c} - G:\AutoRun.exe
MountPoints2: {cfd1e9a5-c997-11e0-bdae-0023148d0d5c} - G:\AutoRun.exe
MountPoints2: {ee258c3d-e18a-11e1-bcda-881d9a1a874a} - G:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {ee258c4c-e18a-11e1-bcda-881d9a1a874a} - G:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {ee258c4e-e18a-11e1-bcda-881d9a1a874a} - G:\setup_vmc_lite.exe /checkApplicationPresence
Startup: C:\Users\barbieri\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs ()
URLSearchHook: (No Name) - {e0301295-ab3e-4af3-979f-3d453c5f9f48} -  No File
Toolbar: HKCU -  No Name - {E0301295-AB3E-4AF3-979F-3D453C5F9F48} -  No File
Toolbar: HKCU -  No Name - {30F9B915-B755-4826-820B-08FBA6BD249D} -  No File
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

- Double-click MCShield-Setup to install the application.
- Wait a few seconds for MCShield to finish its initial scan.
  It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
- Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Dear argus,

Attached the txt files.

MCShield detected the malware and said that it was removed, but the files were still there as links...
Every time I plug in the USB, MCShield detects it again.

After running the "PW Clean - 1.0.6 - [Atalhos]" tool I posted before, MCShield doesn't warn about the malware anymore.

Regards,

Rerun FRST.

Argus,

Looks like it is free now!
Below my perceptions about the tools I used:

1 - FRST and fixlist.txt: Using the correct fixlist.txt file, it finally cleaned up the PC!

2 - MCShield: cleans the USB malware and prevents an infected USB from infecting the PC when connected, but it doesn't recover the USB files (doesn't remove the links).

3 - "PW Clean - 1.0.6 - [Atalhos]": Cleans the USB and recovers the files (also removing the links) but doesn't totally remove the problem from the PC. After a system boot it is still there.

Thank you very much!

Best regards,

An interesting fact: the "decoded/uncompressed" version has been detected by 28 antivirus engines.
However, if you send the original vbs (without decoding), only 6 detect it (and Avast is not one of them):
https://www.virustotal.com/ru/file/735909ae8d14fe6298f3bb56362ce99a0cb89a6f7a24a6d2a48273c932948ddf/analysis/

Please rerun FRST again.

Yes, there are; in the decoded form a few anti-virus engines do flag this sample.

Personally, I sent a sample to 2 virus labs (DrWeb and Avast); at the moment DrWeb has added the sample (Trojan.Hworm.1) and Avast detects this sample as VBS:Malware-gen.

Hey guys, I'm having the same problem, can I get some assistance?

I already scanned with FRST and MCShield and have attached their logs

MCShield says it detects the virus and deletes it, but nothing seems to change :frowning:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
HKLM\...\Run: [COOL] - C:\Documents and Settings\user\Application Data\COOL.vbs [98222 2013-09-24] ()
HKCU\...\Run: [COOL] - C:\Documents and Settings\user\Application Data\COOL.vbs [98222 2013-09-24] ()
MountPoints2: {0aae1543-0ac9-11e0-b3d7-806d6172696f} - E:\Autorun.exe
MountPoints2: {3ce9458f-aa96-11e1-9bab-001e9082cb6f} - H:\AutoRun.exe
Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\COOL.vbs ()
Toolbar: HKCU - No Name - {32099AAC-C132-4136-9E9A-4E364A424E17} -  No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Documents and Settings\user\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Hi,

Please help me too. I’ve attached the two FRST and the other one.

When asking for help you should start your own topic and attach your logs there.
Helping multiple users in the same topic will create chaos...

Done, the fixlist didn’t help :frowning: