Remove Worm VBS/Cryf.A, Shemale by CRY

VBS/Cryf.A was created using visual basic scripting (not visual basic), first case happen on my cyber cafe on date 18 July 2009 it spreading from user flash disk and try to infected all PC in my network.

I’m not sure why so much Indonesian virus maker using lot of this VBS technique (maybe they know without msvbvm.dll VBS can executed on a lot target), Since I write about VBS article long long time ago (I forget maybe around year 2003-2005) in jasakom website with title “VBS sederhana yang berbahaya” many people has try to manipulate that simple code to become advanced code. Now I’m fell really stupid by share that Article to public…

How to know if you’re infected by this worm VBS/Cryf.A:

1.First time your computer turned on it will open web browser and show this pictures.

VBS-Cryf.A-3

2. VBS/Cryf.A will change your web browser start page become:

VBS-Cryf.A-4

3. There is folder “album bokep” (in Indonesian language this mean p**n) in all folder.

4. VBS/Cryf.A will change your system properties become like this:

VBS-Cryf.A-5

5. Change file type .lnk become “movie clip”

VBS-Cryf.A-6

6. It will control your DVD/CD-rom by make it open and close to make you panic.

VBS/Cryf.A Master file:

VBS/Cryf.A has a master file called “drconfig.drv” with file size 218 KB, it already encrypted and little hard to read the code inside it.

VBS-Cryf.A-8

On first time active it will called “svchost.vbs” then this vbs will executed this “drconfig.drv”. Then it will started created file list:

  • %Drive%\Recycled\S-1-5-21-343818398-18970151121-842a92511246-500\Thumbs.db
    • svchost.vbs
    • desktop.ini
    • drvconfg.drv
    • SHELL32.dll
  • %Systemroot%\windows
    • appsys.exe
    • Winupdt.scx
    • appopen.scx
    • Windowsopen.mht
    • Windows.html
    • Regedit.exe.lnk
    • Help.htm
  • %Systemroot%\Windows\system\svchost.exe
  • %Systemroot%\WINDOWS\system32
    • Svchost.dls
    • Corelsetup.scx
    • Appsys.dls
    • Kernel32.dls
    • Taskmgr.exe.lnk
  • %Systemroot%\WINDOWS\system32\
    • Winupdtsys.exe
    • ssmarque.scr
  • %Systemroot%\Program Files\FarStone\qbtask.exe
  • %Systemroot%\Program Files\ACDsee\Launcher.exe
  • %Systemroot%\Program Files\Common Files\NeroChkup.exe
  • %Systemroot%\Program Files\ExeLauncher
  • %ProgramFiles%\drivers\VGA\VGAdrv.lnk
  • %Systemroot%\Documents and Settings\%user%\Desktop\Local Disk (C).dls

This virus will make some action to keep him stay in computers target:

  • Disable Task Manager
  • Disable Regedit
  • Disable CMD (Command Prompt)
  • Disable MSConfig
  • Can’t change wallpapers

It will change your screensaver like this:

VBS-Cryf.A-19

Spreading Technique and Social Technique:

VBS/Cryf.A spreading using 2 technique, One of them as like in my first Article using autorun.inf files, beside that this virus maker know how to using social technique to tricky mostly people out there using p**n movie that actually virus.

VBS-Cryf.A-11

VBS-Cryf.A-12

VBS-Cryf.A-20

This virus maker try to manipulate people with his another social technique, he will try to tell people their computers infected and give the removal tools, actually don’t open that website (www.dinamikasolusi.co.nr) this virus maker maybe using some technique as I write a long time ago by insert some virus into computer target using html code.

VBS-Cryf.A-9

VBS-Cryf.A-10

Enough, let’s started to remove this stupid Worm VBS/Cryf.A

HOW TO REMOVE WORM VBS/Cryf.A:

1. Kill active virus process in your background memory using currprocess, then kill all process with product name “Microsoft (r) Windows Script Host

VBS-Cryf.A-13

2. Block virus so it can not run for a while when we are in cleaning progress by:

Start -> Run -> Type “SECPOL.MSC” -> Click “software restriction policies” -> Click “additional rules” -> Right click on “additional rules” and choose “New Hash Rules”

VBS-Cryf.A-14

In “File Hash” Click on Browse and choose which file you want to block (WSScript.exe) on “Security level” choose Disalllowed then click OK.

VBS-Cryf.A-15

3. Fix registry by using this 3rd tools, download it from HERE

VBS-Cryf.A-16

  • Shell Windows = explorer.exe
  • UserInit Windows
    • Windows NT/2000 = C:\WinNT\System32\userinit.exe,
    • Windows XP/2003/Vista = C:\Windows\System32\userinit.exe,

4. Deleted Virus Master files and all files he’s created. To help you deleted it in easy way I recommended to use this tools ExplorerXP, Then deleted all files list bellow:

  • %Drive%\Recycled\S-1-5-21-343818398-18970151121-842a92511246-500\Thumbs.db
    • svchost.vbs
    • desktop.ini
    • drvconfg.drv
    • SHELL32.dll
  • %Drive%\Album BOKEP\Naughty America
  • %systemroot%\windows
    • appsys.exe
    • Winupdt.scx
    • appopen.scx
    • Windowsopen.mht
    • Windows.html
    • Regedit.exe.lnk
    • Help.htm
  • %systemroot%\Windows\system\svchost.exe
  • %systemroot%\WINDOWS\system32
    • Taskmgr.exe.lnk
    • CMD.exe.lnk
    • Svchost.dls
    • Corelsetup.scx
    • Appsys.dls
    • Kernel32.dls
    • Winupdtsys.exe
    • ssmarque.scr
  • %systemroot%\Program Files\FarStone\qbtask.exe
  • %systemroot%\Program Files\ACDsee\Launcher.exe
  • %systemroot%\Program Files\Common Files\NeroChkup.exe
  • %systemroot%\Program Files\ExeLauncher
  • %ProgramFiles%\drivers\VGA\VGAdrv.lnk
  • %systemroot%\Documents and Settings\%user%\Desktop\Local Disk (C).dls
  • %Flash Disk%\Dataku Penting Jangan Dihapus.lnk

5. Showing back your files TaskMgr.exe, Regedt32.exe, Regedit.exe, CMD.exe, and Logoff.exe that hidden by virus:

VBS-Cryf.A-21

*repeated on all files you want to shown back.

6. For maximum cleaning I recommended to scan using your best antivirus programs, in my case Norman antivirus can deleted all of this virus part.

7. When all step done and no virus found, deleted blocking rules we made:

Start -> Run -> Type SECPOL.MSC -> Click “Software Restriction Policies” -> Click “Additional Rules” -> Then Deleted Rules we have made.

VBS-Cryf.A-18

8. Restart your computer then re-scanned again to make sure there is no left part of worm VBS/Cryf.A, then use updated antivirus to prevent it coming back again.

Have a nice day, GBU 😀

Similar Posts:

RELATED SEARCH TERMS:

9 thoughts on “Remove Worm VBS/Cryf.A, Shemale by CRY”

  1. it got a virus on my computer cry, but could not the normal way .. be so alive, appeared wallpaper continues straight into standby mode … hence for applications above means can not … what then?? there are not any other way, besides the above and re-install?
    because someone said that if it were only in the format of drive C alone, the virus could be back again, right?

    thanks.

  2. Thank you .. I and all my friends in office also got all of these viruses, the tutorial is very easy followed. but point number 2 “in” File Hash “Click on Browse and choose which files you want to block (WSScript.exe)” a bit unclear. Thank you

  3. Just follow the pictures you will understand it, please try to use english only on this blog, if you want to ask in Bahasa Indonesia go to my personal blog on id.istanto.net

  4. Wah aku pusing berbagai cara udah aku coba tp kok masih ndak bisa ya? tampilan orang menangis dah hilang tapi screensaver masih nampak…. regedit & task manager tertutup…. tapi cmd dah kebuka?

    Aku salah langkah dimana ya?

    Thanks infonya

  5. Hi, thanks for the kind words, and yes, feel free to post this on your blog. It’s always nice to get conversation and links from others interested in the same things.Very special!

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.