VBS/Cryf.A was created using visual basic scripting (not visual basic), first case happen on my cyber cafe on date 18 July 2009 it spreading from user flash disk and try to infected all PC in my network.

I’m not sure why so much Indonesian virus maker using lot of this VBS technique (maybe they know without msvbvm.dll VBS can executed on a lot target), Since I write about VBS article long long time ago (I forget maybe around year 2003-2005) in jasakom website with title “VBS sederhana yang berbahaya” many people has try to manipulate that simple code to become advanced code. Now I’m fell really stupid by share that Article to public…

How to know if you’re infected by this worm VBS/Cryf.A:

1.First time your computer turned on it will open web browser and show this pictures.

VBS-Cryf.A-3

2. VBS/Cryf.A will change your web browser start page become:

VBS-Cryf.A-4

3. There is folder “album bokep” (in Indonesian language this mean p**n) in all folder.

4. VBS/Cryf.A will change your system properties become like this:

VBS-Cryf.A-5

5. Change file type .lnk become “movie clip”

VBS-Cryf.A-6

6. It will control your DVD/CD-rom by make it open and close to make you panic.

VBS/Cryf.A Master file:

VBS/Cryf.A has a master file called “drconfig.drv” with file size 218 KB, it already encrypted and little hard to read the code inside it.

VBS-Cryf.A-8

On first time active it will called “svchost.vbs” then this vbs will executed this “drconfig.drv”. Then it will started created file list:

  • %Drive%\Recycled\S-1-5-21-343818398-18970151121-842a92511246-500\Thumbs.db
    • svchost.vbs
    • desktop.ini
    • drvconfg.drv
    • SHELL32.dll
  • %Systemroot%\windows
    • appsys.exe
    • Winupdt.scx
    • appopen.scx
    • Windowsopen.mht
    • Windows.html
    • Regedit.exe.lnk
    • Help.htm
  • %Systemroot%\Windows\system\svchost.exe
  • %Systemroot%\WINDOWS\system32
    • Svchost.dls
    • Corelsetup.scx
    • Appsys.dls
    • Kernel32.dls
    • Taskmgr.exe.lnk
  • %Systemroot%\WINDOWS\system32\
    • Winupdtsys.exe
    • ssmarque.scr
  • %Systemroot%\Program Files\FarStone\qbtask.exe
  • %Systemroot%\Program Files\ACDsee\Launcher.exe
  • %Systemroot%\Program Files\Common Files\NeroChkup.exe
  • %Systemroot%\Program Files\ExeLauncher
  • %ProgramFiles%\drivers\VGA\VGAdrv.lnk
  • %Systemroot%\Documents and Settings\%user%\Desktop\Local Disk (C).dls

This virus will make some action to keep him stay in computers target:

  • Disable Task Manager
  • Disable Regedit
  • Disable CMD (Command Prompt)
  • Disable MSConfig
  • Can’t change wallpapers

It will change your screensaver like this:

VBS-Cryf.A-19

Spreading Technique and Social Technique:

VBS/Cryf.A spreading using 2 technique, One of them as like in my first Article using autorun.inf files, beside that this virus maker know how to using social technique to tricky mostly people out there using p**n movie that actually virus.

VBS-Cryf.A-11

VBS-Cryf.A-12

VBS-Cryf.A-20

This virus maker try to manipulate people with his another social technique, he will try to tell people their computers infected and give the removal tools, actually don’t open that website (www.dinamikasolusi.co.nr) this virus maker maybe using some technique as I write a long time ago by insert some virus into computer target using html code.

VBS-Cryf.A-9

VBS-Cryf.A-10

Enough, let’s started to remove this stupid Worm VBS/Cryf.A

HOW TO REMOVE WORM VBS/Cryf.A:

1. Kill active virus process in your background memory using currprocess, then kill all process with product name “Microsoft (r) Windows Script Host

VBS-Cryf.A-13

2. Block virus so it can not run for a while when we are in cleaning progress by:

Start -> Run -> Type “SECPOL.MSC” -> Click “software restriction policies” -> Click “additional rules” -> Right click on “additional rules” and choose “New Hash Rules”

VBS-Cryf.A-14

In “File Hash” Click on Browse and choose which file you want to block (WSScript.exe) on “Security level” choose Disalllowed then click OK.

VBS-Cryf.A-15

3. Fix registry by using this 3rd tools, download it from HERE

VBS-Cryf.A-16

  • Shell Windows = explorer.exe
  • UserInit Windows
    • Windows NT/2000 = C:\WinNT\System32\userinit.exe,
    • Windows XP/2003/Vista = C:\Windows\System32\userinit.exe,

4. Deleted Virus Master files and all files he’s created. To help you deleted it in easy way I recommended to use this tools ExplorerXP, Then deleted all files list bellow:

  • %Drive%\Recycled\S-1-5-21-343818398-18970151121-842a92511246-500\Thumbs.db
    • svchost.vbs
    • desktop.ini
    • drvconfg.drv
    • SHELL32.dll
  • %Drive%\Album BOKEP\Naughty America
  • %systemroot%\windows
    • appsys.exe
    • Winupdt.scx
    • appopen.scx
    • Windowsopen.mht
    • Windows.html
    • Regedit.exe.lnk
    • Help.htm
  • %systemroot%\Windows\system\svchost.exe
  • %systemroot%\WINDOWS\system32
    • Taskmgr.exe.lnk
    • CMD.exe.lnk
    • Svchost.dls
    • Corelsetup.scx
    • Appsys.dls
    • Kernel32.dls
    • Winupdtsys.exe
    • ssmarque.scr
  • %systemroot%\Program Files\FarStone\qbtask.exe
  • %systemroot%\Program Files\ACDsee\Launcher.exe
  • %systemroot%\Program Files\Common Files\NeroChkup.exe
  • %systemroot%\Program Files\ExeLauncher
  • %ProgramFiles%\drivers\VGA\VGAdrv.lnk
  • %systemroot%\Documents and Settings\%user%\Desktop\Local Disk (C).dls
  • %Flash Disk%\Dataku Penting Jangan Dihapus.lnk

5. Showing back your files TaskMgr.exe, Regedt32.exe, Regedit.exe, CMD.exe, and Logoff.exe that hidden by virus:

VBS-Cryf.A-21

*repeated on all files you want to shown back.

6. For maximum cleaning I recommended to scan using your best antivirus programs, in my case Norman antivirus can deleted all of this virus part.

7. When all step done and no virus found, deleted blocking rules we made:

Start -> Run -> Type SECPOL.MSC -> Click “Software Restriction Policies” -> Click “Additional Rules” -> Then Deleted Rules we have made.

VBS-Cryf.A-18

8. Restart your computer then re-scanned again to make sure there is no left part of worm VBS/Cryf.A, then use updated antivirus to prevent it coming back again.

Have a nice day, GBU 😀

Similar Posts:

Related Search Terms:

    Digg Del.icio.us StumbleUpon Reddit Twitter RSS

If you're new here, you may want to subscribe to my RSS feed. You may copy or publish this article to your blog or other site as long you give credit link back to this site article. Thanks for visiting my blog!