Friday, December 14, 2012

Find and remove W32/VBNA-X worm

This is how we found and removed the W32/VBNA-X worm (also known, from the files it drops, as the sexy / x.mpeg / porn worm)


    Info on the Worm
    http://www.net-security.org/malware_news.php?id=2340
   
    Clean up
    step 1
        change GPO to disable autorun on all drives
       
        find the local DNS servers, or wherever GPO policies are pushed out from on the network
        log in to the DNS server
        (gpedit.msc only edits the Local Computer Policy of the machine you run it on; to push the setting to every domain computer, edit a domain GPO with the Group Policy Management Console on a domain controller instead)
       
        start up the Group Policy Editor
        Start
        Run (command line)
        type gpedit.msc and press Enter
       
        Change GPO
           Local Computer Policy
           Computer Configuration
           Administrative Templates
           Windows Components
           AutoPlay Policies
           Turn off Autoplay       
        Double click on Turn off Autoplay
           enable GPO
           and turn off for All drives
           Click Apply
           Click OK

    Next we need to download a virus scanner that will help us out; we used the Emsisoft Emergency Kit.

    Once you have the zip file and have unzipped it, you can copy the directory to each server you want to scan so you do not have to download it each time.
   
    go to http://www.emsisoft.com/en/software/eek/ and download the Emsisoft Emergency Kit (free)
    once you have the zip file
    unzip the zip file
    open the EmsisoftEmergencyKit directory
    double click start.exe
    click on Emergency Kit Scanner
      sometimes it takes a little while to open; that is ok, just wait
     click on Update now to get the latest signatures
     once everything is updated
     click on Scan PC on the left hand side of the screen
     click on Deep Scan
     click on Scan
     this will take a while, so let it run on the server
       
    the .exe worm/malware/virus variant we found drops these files:
        ..exe
        tskoe.exe
        autorun.inf
        x.mpeg
        porn.exe
        sexy.exe
        secret.exe
        and it replaces every file and directory on the share with a [name].exe copy, hiding the original
       
        The original files are not gone, don't worry; they are just hidden.

        Log on to the servers where the network shares are located
        (this will need to be done on every server)
       
        start up a command window
        the following command displays all hidden files and directories in the current directory
        type
        dir /ah
       
        if anything appears other than, for example, the normal system folders, then you are still infected
        The following command will unhide all files and directories
        this sometimes takes a while, so let it run
        you might also get errors that it cannot change system files; that is ok
        The command clears the system attribute (-s) and the hidden attribute (-h),
        includes all sub-directories (/s), and applies to directories as well (/d)
       
        type
        attrib *.* -h -s /s /d
       
        Now what we did was move the .exe files to another directory, just in case
        there were actual .exe files that people wanted.
        The following command creates a directory called exe
       
        type
        mkdir exe
       
        the following command moves all .exe files in the current directory to the new exe directory
        move *.exe .\exe
       
        this hides the exe directory so only you (the admins) can see it and pull back what is needed
        attrib +h exe

        If you know that all these files are corrupt, then delete them.
       
        this will take some time
        on each server do a search for autorun.inf
        you can open an .inf file in Notepad
        open each autorun.inf and check whether it is a real autorun.inf;
        if the contents do not look correct, close Notepad and delete the autorun.inf file
       
        also on each server do a search for x.mpeg
        we found these and just deleted them

        also on each server do a search for secret.exe
        we found these and just deleted them

        also on each server do a search for porn.exe
        we found these and just deleted them

        also on each server do a search for sexy.exe
        we found these and just deleted them
       
        also don't forget to make a log somewhere that you have shut off autorun on all drives, for later, because someone might complain that their CD, DVD or USB drive just does not start up anymore; they have to go and click on the files manually
       
        If possible, try to find computer 0 (the first infected machine)
        so you can ask them for their USB drive and also check their home computer
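As an added example (not from the original post), here is the same audit done from a script instead of by hand: it walks a share root, flags the worm's known file names and any foo.exe that sits beside an entry called foo (the hidden original), and quarantines flagged .exe files into an exe directory the way the mkdir exe / move *.exe step above does. The sample share layout it builds is constructed for the demo; unhiding the originals is still the attrib command above.

```python
import os
import shutil
import tempfile

# File names the post lists as dropped by the W32/VBNA-X worm.
INDICATOR_NAMES = {"..exe", "tskoe.exe", "autorun.inf", "x.mpeg",
                   "porn.exe", "sexy.exe", "secret.exe"}

def find_indicators(root):
    """Return (path, reason) pairs: the worm's known names, plus any foo.exe
    beside an entry called foo (the worm hides the original, drops foo.exe)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = set(dirnames) | set(filenames)
        for name in sorted(filenames):
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower in INDICATOR_NAMES:
                findings.append((path, "known worm file name"))
            elif lower.endswith(".exe") and name[:-4] in siblings:
                findings.append((path, "exe shadows sibling %r" % name[:-4]))
    return findings

def quarantine(root, findings, quarantine_dir="exe"):
    """Move flagged .exe files into <root>/exe instead of deleting them (the
    post's mkdir exe / move *.exe step) so a wanted .exe can be pulled back."""
    qdir = os.path.join(root, quarantine_dir)
    os.makedirs(qdir, exist_ok=True)
    for path, _reason in findings:
        if path.lower().endswith(".exe") and os.path.dirname(path) != qdir:
            rel = os.path.relpath(path, root).replace(os.sep, "__")
            shutil.move(path, os.path.join(qdir, rel))
    return qdir

def build_sample_share(base):
    """Constructed sample (not from the post): one legit exe, two shadowed."""
    os.makedirs(os.path.join(base, "Reports"))
    for rel in ["Reports.exe", "budget.xlsx", "budget.xlsx.exe", "setup.exe",
                "autorun.inf", "x.mpeg", "tskoe.exe", "Reports/q1.docx"]:
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("sample")

def run_demo():
    base = tempfile.mkdtemp()
    build_sample_share(base)
    findings = find_indicators(base)
    qdir = quarantine(base, findings)
    return {"reasons": {os.path.relpath(p, base): r for p, r in findings},
            "quarantined": sorted(os.listdir(qdir)),
            "remaining": sorted(os.listdir(base))}
```

Run find_indicators first in report-only mode against each share and review the list before calling quarantine; the legitimate setup.exe in the sample is left alone because nothing called setup sits beside it.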
