Monday, April 02, 2007

Hacked By GNUlihd???

One day I was analyzing the code of a simple worm, “VBS/Solow-A”, for educational purposes. I had explained to my friends how it exploited the VB script host to spread itself from removable drives. I was surprised to be informed that the same thing had been modified to include my email address; I noticed it only when my brother’s friend told me about it.


I told them not to worry, as it simply modifies some common registry keys and nothing more. I am not so stupid as to put my email address in that way anyway. Who wants to help spammers? ;-)

What it does:

1) Copies itself (MFC32DLL.dll.vbs) to the Windows directory and to the root of every drive.

2) Modifies the registry value “Window Title” at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ to “Hacked by GNUl..@...”

3) Adds the registry entry “MS32DLL” at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ with value “\MFC32DLL.dll.vbs”, an autorun entry that executes the script each time Windows starts.

Here is how to remove it. If you find the following instructions difficult to understand, you can read this one (http://www.icimod.org.np/icimodwiki/images/8/87/Mfc32dll.pdf). Thanks Anjesh. I thought about writing a removal tool, but the instructions are more educational.

1) Open Task Manager and end the process “wscript.exe”. “wscript.exe” is the Microsoft VB script host application that is running the script in the background. Mark’s Process Explorer is a much better replacement for the simple Task Manager.

2) Delete the “autorun.inf” and “MFC32DLL.dll.vbs” files from the following directories. (You may need to check “Show hidden files and folders” and uncheck “Hide protected operating system files” at Folder Options -> View; you can restore these settings after removal.)

a. The root of every drive, i.e. C:\autorun.inf; C:\MFC32DLL.dll.vbs; D:\autorun.inf; D:\MFC32DLL.dll.vbs etc.

b. Only “MFC32DLL.dll.vbs” from the Windows directory, e.g. C:\Windows

3) Delete the registry value “MS32DLL” from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. (For those who don’t know: type “regedit.exe” at Run and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run to find the entry “MS32DLL” and delete it. There may be other entries there too; they are the autorun entries run at each Windows start.)

4) This one is interesting if you don’t already know it. Navigate in regedit.exe to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and find the “Window Title” value in the right-hand pane. Double-click to edit its value to anything you like (from “My IE” to “IE Sucks”). Re-open Internet Explorer and enjoy. (Nothing to do with Firefox fans like me.)
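The four manual steps above can be checked and carried out from PowerShell. The script below is an added example, not part of the original post or of any tool it mentions: it audits a host for the artefacts the post lists (the running script host, the dropped files on drive roots and in the Windows directory, the MS32DLL Run value and the defaced IE title) and only deletes anything when the -Remove switch is given. The indicator names come from the post; the function names, the -Remove switch and the replacement title are my own choices, and it assumes Windows PowerShell 3 or later run from an elevated prompt. Because the dropped files carry the Hidden and System attributes, it uses -Force so that they are found without changing Folder Options.

```powershell
# Added example (not from the original post): audit a Windows host for the
# VBS/Solow-A artefacts listed above and, only when -Remove is given, clean them
# up in the same order as the manual steps. Indicator names (MFC32DLL.dll.vbs,
# MS32DLL, "Window Title") are taken from the post; the function names, the
# -Remove switch and the replacement title are assumptions of this example.
param([switch]$Remove)   # report-only by default

$RunKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$IeMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$DropName = 'MFC32DLL.dll.vbs'
$NewTitle = 'My IE'      # any title you like, as step 4 says

function Get-SolowIndicators {
    # Returns one object per artefact found; an empty result means the host looks clean.
    $found = @()

    # Step 1: a wscript.exe instance whose command line names the dropped script.
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'") {
        if ($p.CommandLine -like "*$DropName*") {
            $found += [pscustomobject]@{ Type = 'Process'; Location = $p.ProcessId; Detail = $p.CommandLine }
        }
    }

    # Step 2: autorun.inf and the .vbs dropper on every drive root, plus the copy in
    # the Windows directory. -Force makes Get-Item return files carrying the Hidden
    # and System attributes, which Explorer hides until Folder Options are changed.
    $candidates = foreach ($root in (Get-PSDrive -PSProvider FileSystem).Root) {
        Join-Path $root 'autorun.inf'
        Join-Path $root $DropName
    }
    $candidates += Join-Path $env:windir $DropName
    foreach ($path in $candidates) {
        $f = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($f) {
            $found += [pscustomobject]@{ Type = 'File'; Location = $f.FullName; Detail = $f.Attributes }
        }
    }

    # Step 3: the MS32DLL autorun value under the machine-wide Run key.
    $run = Get-ItemProperty -Path $RunKey -Name 'MS32DLL' -ErrorAction SilentlyContinue
    if ($run) {
        $found += [pscustomobject]@{ Type = 'RunValue'; Location = "$RunKey\MS32DLL"; Detail = $run.MS32DLL }
    }

    # Step 4: the defaced Internet Explorer title bar.
    $ie = Get-ItemProperty -Path $IeMain -Name 'Window Title' -ErrorAction SilentlyContinue
    if ($ie -and $ie.'Window Title' -like 'Hacked by*') {
        $found += [pscustomobject]@{ Type = 'IeTitle'; Location = "$IeMain\Window Title"; Detail = $ie.'Window Title' }
    }
    return $found
}

function Remove-SolowIndicators {
    param([Parameter(Mandatory = $true)]$Indicators)
    # Stop the script host first so it cannot re-create the files being deleted.
    foreach ($i in $Indicators | Where-Object Type -eq 'Process') {
        Stop-Process -Id $i.Location -Force
    }
    # -Force lets Remove-Item delete hidden and system files.
    foreach ($i in $Indicators | Where-Object Type -eq 'File') {
        Remove-Item -LiteralPath $i.Location -Force
    }
    if ($Indicators | Where-Object Type -eq 'RunValue') {
        Remove-ItemProperty -Path $RunKey -Name 'MS32DLL'
    }
    if ($Indicators | Where-Object Type -eq 'IeTitle') {
        Set-ItemProperty -Path $IeMain -Name 'Window Title' -Value $NewTitle
    }
}

$hits = Get-SolowIndicators
if (-not $hits) { Write-Output 'No VBS/Solow-A indicators found.'; return }
$hits | Format-Table -AutoSize
if ($Remove) { Remove-SolowIndicators -Indicators $hits }
```

Run it once without arguments to see what it would touch, then again with -Remove. Ending the script host before deleting the files matters: wscript.exe is what keeps re-copying the dropper, so deleting files while it runs can leave you with the half-cleaned state described in the comments below, where Explorer no longer shows the files but autorun.inf still points at them.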

posted by GNUlihd @ 4:28 AM

3 Comments:

At 8:26 AM, Anonymous Anonymous said...

Hi, I need to know where I can delete autorun.inf. Hope this thing is not harmful! Can you give information on how to get rid of this for amateurs please! I have been trying for hours but still cannot find any clue.

P.S

I'm not an IT expert

greets

George

 
At 11:45 AM, Blogger skrollan said...

I've deleted everything from my drives and process and autorun also.

The only thing that sucks is that my pendrive always says "MFC32.dll.vbs cannot be found"

What can I do against that?

BTW: I also don't have the autorun file on the drive...

 
At 4:02 PM, Blogger Unknown said...

The instructions worked very well for me.
If your pendrive still says "MFC32.dll.vbs cannot be found", then autorun.inf is still present on the pendrive with the hidden as well as the system tag set. You just don't see it in the standard Explorer view because system files and hidden files are not visible there.
Suggestion: Connect the pen-drive to a Linux PC, and you will see the MFC32.dll.vbs and corresponding autorun.inf immediately.
