
"sujin.com" Removal with Ultimate Flash Drive Protection Tool v1.0 (UPDATED LINK)

Wednesday, December 5, 2007

So I made a JavaScript that is designed to run and use local desktop resources to remove the "sujin.com" worm, after reading a comment from a blog reader asking for suggestions on how to remove the worm. Hey dude, here's one for you. ^_^

Be sure that you're logged in as Administrator before running this tool.

Download "sujin.com" Removal with Ultimate Flash Drive Protection Tool v1.0

http://www.2shared.com/file/2584042/d9cac703/ATool.html

(Look for "Save file to your PC" and click the link on its right)

Feel free to distribute and please report any bugs found. 


Related article here.


UPDATE: Fixed 

Posted by boyutal at 6:29 AM

"sujin.com.np" - rough analysis and solution

Tuesday, December 4, 2007

I always safeguard my flash drive from malware that can be picked up from using public computers. Whenever I insert it into my own computer, I always make sure that the autorun.inf of my flash drive is "clean". Yep, I always set my autorun.inf file to look like this

[autorun]
open=cmd.exe
shell\open=Open
shell\open\Command=cmd.exe

So when I insert my flash drive into a computer with autorun on, if the MS-DOS console comes up I'm sure that my flash drive is clean: a worm that hijacks autorun.inf has to overwrite those lines, and the console window disappears with them. The catch is that by the time the console fails to appear, autorun has already run whatever replaced it, so on an untrusted machine it is safer to open the file in a text editor (or from a console) before autorun gets a chance to fire.
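Here is the canary check done mechanically, as an added example that is not part of the original post. It parses a drive's autorun.inf the way the post reads it by eye, reports every deviation from the known-good file, and flags any handler that launches a script host (wscript.exe, cscript.exe, a .vbs file and so on), which is exactly the change the post finds further down. The function names, the SCRIPT_HOST pattern and the sample strings CLEAN and HIJACKED are mine; the two samples are constructed from the two autorun.inf files shown on this page.

```python
import re
from pathlib import Path
from typing import Dict, List

# Known-good "canary" autorun.inf from the post: every handler launches
# cmd.exe, so a console window on insert means the file is untouched.
CANARY = {
    "open": "cmd.exe",
    "shell\\open": "Open",
    "shell\\open\\command": "cmd.exe",
}

# Handlers that hand the drive to a script host instead of cmd.exe (assumed list).
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)\b|\.(vbs|vbe|js|jse|wsf|wsh)\b", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)$", re.I)

# Constructed samples: the canary and the hijacked file as shown on the post.
CLEAN = "[autorun]\nopen=cmd.exe\nshell\\open=Open\nshell\\open\\Command=cmd.exe\n"
HIJACKED = ("[autorun]\nopen=wscript.exe VirusRemoval.vbs\nshell\\open=Open\n"
            "shell\\open\\Command=wscript.exe VirusRemoval.vbs\n")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {key: value} from the [autorun] section with keys lower-cased.
    A hand parser rather than configparser: worm-written files often pad the
    file with junk lines or odd casing, and anything without '=' is ignored."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text: str, canary: Dict[str, str] = CANARY) -> List[str]:
    """Report every deviation from the canary plus any handler that launches a
    script host. An empty list means the drive's autorun.inf is still yours."""
    entries = parse_autorun(text)
    if not entries:
        return ["no [autorun] section: file missing, emptied or not parseable"]
    findings: List[str] = []
    for key, expected in canary.items():
        actual = entries.get(key)
        if actual is None:
            findings.append(f"missing canary key {key!r}")
        elif actual.lower() != expected.lower():
            findings.append(f"{key!r} changed: {expected!r} -> {actual!r}")
    for key in sorted(set(entries) - set(canary)):
        findings.append(f"unexpected key {key!r} = {entries[key]!r}")
    for key, value in entries.items():
        if SCRIPT_HOST.search(value):
            findings.append(f"{key!r} runs a script host: {value!r}")
    return findings


def referenced_scripts(entries: Dict[str, str]) -> List[str]:
    """Script files the handlers launch, i.e. what to look for (and delete) in
    the drive root. For the post's hijacked file this is ['VirusRemoval.vbs']."""
    names: List[str] = []
    for value in entries.values():
        for tok in value.split():
            if SCRIPT_EXT.search(tok) and tok not in names:
                names.append(tok)
    return names


def check_drive(root: Path) -> List[str]:
    """Audit the autorun.inf at a drive root (e.g. Path('E:/')) before letting
    autorun near it; hidden/system files are still readable this way."""
    inf = root / "autorun.inf"
    if not inf.exists():
        return ["autorun.inf missing: canary was deleted"]
    return audit_autorun(inf.read_text(errors="replace"))


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, audit_autorun(sample) or "OK")
```

Run `check_drive(Path("E:/"))` right after plugging the stick in on a machine where autorun is disabled; a non-empty list is the same signal as the missing console window, without having executed anything from the drive first.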

And today, I noticed something weird happening on our e-portfolio computers. Whenever Internet Explorer came up, it redirected to a blank "sujin.com.np". I smelled something fishy going on and thought maybe someone had done some fishy thing. I just thought that maybe the IT department or the lab technicians would soon fix the start page or whatever. I'm too paranoid when it comes to PC stuff. I don't want some malware to get onto my workstation and do some unscrupulous things. When I got home and checked my flash drive for any signs of "crap", I noticed immediately that the autorun.inf of my flash drive had been modified to this.

[autorun]
open=wscript.exe VirusRemoval.vbs
shell\open=Open
shell\open\Command=wscript.exe VirusRemoval.vbs

Honeypot active!

So I checked the root directory of my flash drive and found VirusRemoval.vbs. I examined the file and this is what I saw

[screenshot of VirusRemoval.vbs not included]

So some guy programmed a Visual Basic script that was stealthily installed on my flash drive. I don't know, maybe it really does "virus removal" as its name says, but if it's installed on my stuff without letting me know, it will surely piss me off. The file is marked hidden and system, so it doesn't show up in a normal directory listing; with a couple of DOS commands (dir /a to list it and attrib -s -h to clear those attributes), I was able to load VirusRemoval.vbs into Notepad and examine it.

I found out that the VBScript:

1.) Modifies registry settings: it disables access to the taskbar, sets the Internet Explorer start page to "sujin.com.np", and changes the Winlogon Userinit value so that VirusRemoval.vbs is executed at every logon (this is how it survives a reboot).

2.) Copies itself to the root directory of every drive.

3.) Deletes all .vbs files in the Windows directory and in the root directory, and all .inf files in the root directories of all drives.

4.) Deletes ravmon.exe, sxs.exe, winfile.exe and run.wsh (probably files of some other malware that its author wanted to remove).

5.) Writes VirusRemoval.vbs to the root together with an autorun.inf, to make sure it auto-executes when it lands on a removable disk (i.e. a flash drive).

6.) And it's done.
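The cleanup that follows from that list, as an added example and not the author's tool: the Userinit hook is what makes the script run at every logon, so removing the files alone leaves a logon entry pointing at a file that no longer exists, and the start page has to be put back as well. The registry paths are the standard Winlogon Userinit value and Internet Explorer's Start Page value; the post does not quote the hijacked data, so the values in demo() are constructed to match its description, and the default Userinit string is the XP-era one. The taskbar policy key is not named on the page, so it is not covered. Restoring to "about:blank" is my choice, and all function names are mine.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple

# Registry values the post says the script changes (standard locations).
USERINIT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
START_PAGE = r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"  # XP-era default, trailing comma included
DEFAULT_START_PAGE = "about:blank"                       # restore target (my choice)
DROPPER = "virusremoval.vbs"


class Finding(NamedTuple):
    where: str    # registry value path
    current: str  # data found
    fixed: str    # data to write back
    reason: str


def audit_registry(values: Dict[str, str]) -> List[Finding]:
    """values maps 'HIVE\\key\\value name' -> data (from a .reg export or winreg).
    Userinit is a comma-separated list; anything besides userinit.exe is extra
    code Winlogon runs at every logon, which is the persistence the post
    describes. Returns the fixes to apply; an empty list means clean."""
    findings: List[Finding] = []
    data = values.get(USERINIT, "")
    parts = [p.strip() for p in data.split(",") if p.strip()]
    extra = [p for p in parts if not p.lower().endswith("userinit.exe")]
    if not parts:
        findings.append(Finding(USERINIT, data, DEFAULT_USERINIT, "userinit.exe entry missing"))
    elif extra:
        keep = [p for p in parts if p not in extra] or [DEFAULT_USERINIT.rstrip(",")]
        findings.append(Finding(USERINIT, data, ",".join(keep) + ",",
                                "extra logon command(s): " + "; ".join(extra)))
    page = values.get(START_PAGE, DEFAULT_START_PAGE)
    if "sujin.com.np" in page.lower():
        findings.append(Finding(START_PAGE, page, DEFAULT_START_PAGE,
                                "start page redirected by the script"))
    return findings


def plan_drive_cleanup(roots: List[Path]) -> List[Path]:
    """For each drive root, list the dropper and any autorun.inf that launches
    it. Nothing is deleted here; remove_files() does that."""
    targets: List[Path] = []
    for root in roots:
        for p in root.iterdir():
            name = p.name.lower()
            if name == DROPPER:
                targets.append(p)
            elif name == "autorun.inf":
                try:
                    text = p.read_text(errors="replace").lower()
                except OSError:
                    continue
                if DROPPER in text:
                    targets.append(p)
    return targets


def remove_files(targets: List[Path]) -> int:
    """Clear the system/hidden/read-only attributes the script relies on
    (Windows only, via attrib, as the post does by hand) and delete.
    Returns the number of files removed."""
    removed = 0
    for p in targets:
        if os.name == "nt":
            subprocess.run(["attrib", "-s", "-h", "-r", str(p)], check=False)
        p.unlink()
        removed += 1
    return removed


def demo() -> dict:
    """Constructed scenario: a fake drive root carrying a stand-in dropper and
    the hijacked autorun.inf from the post, plus registry data as described."""
    root = Path(tempfile.mkdtemp())
    (root / "VirusRemoval.vbs").write_text("' constructed stand-in, not the real script\n")
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=wscript.exe VirusRemoval.vbs\nshell\\open=Open\n"
        "shell\\open\\Command=wscript.exe VirusRemoval.vbs\n")
    (root / "photos.jpg").write_bytes(b"")  # unrelated file that must survive
    registry = {  # constructed to match the post's description
        USERINIT: r"C:\WINDOWS\system32\userinit.exe,wscript.exe C:\VirusRemoval.vbs",
        START_PAGE: "http://sujin.com.np",
    }
    findings = audit_registry(registry)
    removed = remove_files(plan_drive_cleanup([root]))
    result = {
        "registry_fixes": [(f.where, f.fixed) for f in findings],
        "removed": removed,
        "remaining": sorted(p.name for p in root.iterdir()),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

On a real machine, feed audit_registry() the values read with winreg (or pasted from a reg export), write the "fixed" data back, run plan_drive_cleanup() over every drive root, and only then rewrite the canary autorun.inf on the flash drive. Note that the post calls the script harmless, but a Userinit hook and the wholesale deletion of .vbs and .inf files are not, which is why the registry side of this cleanup matters as much as the files.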

Well, it's basically a harmless VBScript file. But the thing is that it WAS installed on my flash drive without my permission. And for those who are not so aware of computers and stuff, you know, misconceptions and fear can arise when one day their browsers redirect to some "http://sujin.com.np".

Annoying..

Update!!

Solution :

http://boyutal.i.ph/blogs/boyutal/2007/12/05/sujincomnp-removal-with-ultimate-flash-drive-protection-tool-v10/



Posted by boyutal at 10:42 AM