LebGeeks

A community for technology geeks in Lebanon.


#1 August 4 2015

Brownies
Member

Bye bye worms! Hello files!

I don't know about other universities around here, but if you're a student at NDU, then you've obviously experienced the feeling of dread once you plug your USB into the computer and see that your files are gone.

Long story short: it's a worm. I was really frustrated with this happening all the time and my antivirus would either (1) find the virus but not display the files or (2) not find any virus at all. So I basically made this small batch file which then turned into an executable.
It cleans the virus, displays all your hidden files, disinfects the hard drive/USB (as well as the infected computer) and deletes all the virus junk files (this feature hasn't been fully tested yet).

It's a very simple program but still useful! Don't expect this amazing program that shoots laser beams and does your homework for you. It's pretty basic but effective.

Here's the download link if you're interested:

https://onedrive.live.com/redir?resid=1C907597FCF4B91C!204&authkey=!AIsytnNBEWmSwck&ithint=file%2czip

And you can read more about these types of worms. For example:

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:VBS/Jenxcus.K#tab=1

Last edited by Brownies (August 4 2015)


#2 August 4 2015

nosense
Member

Re: Bye bye worms! Hello files!

It's the same at our university also. I got some fixes using cmd and a couple of programs, but if this can be done simply using your program it would be awesome. Will test it next fall.


#3 August 4 2015

Brownies
Member

Re: Bye bye worms! Hello files!

aliessayli2 wrote:

It's the same at our university also. I got some fixes using cmd and a couple of programs, but if this can be done simply using your program it would be awesome. Will test it next fall.

Guess it's everywhere! This program would do 90% of the work! -10% for the possibility of it not cleaning the virus junk folders after removing the virus; like I said, still being tested.
I update it every now and then and I'll be sure to post updates.

Last edited by Brownies (August 4 2015)


#4 August 4 2015

Satfoun
Banned

Re: Bye bye worms! Hello files!

Yeah, it's at ours also (Balamand).
I have Eset smart security, and it has always caught that virus, and all the files appeared.


#5 August 4 2015

Brownies
Member

Re: Bye bye worms! Hello files!

Satfoun wrote:

Yeah, it's at ours also (Balamand).
I have Eset smart security, and it has always caught that virus, and all the files appeared.

Guess I've been outshined by Eset


#6 August 4 2015

nosense
Member

Re: Bye bye worms! Hello files!

Brownies wrote:
Satfoun wrote:

Yeah, it's at ours also (Balamand).
I have Eset smart security, and it has always caught that virus, and all the files appeared.

Guess I've been outshined by Eset

For me, Eset erases the virus but the files don't appear.


#7 August 4 2015

NAM
Member

Re: Bye bye worms! Hello files!

Yes, we had that at AUST on every PC, but I think a simple show hidden and system files would show your files... It is a good thing the worm doesn't delete your files :) Thx for sharing bro, this will help many people :)


#8 August 4 2015

Stygmata
Banned

Re: Bye bye worms! Hello files!

I use usbfix... 2 min... cleans everything and returns everything... also adds a log with the virus signature, etc. for investigation.


#9 August 5 2015

Brownies
Member

Re: Bye bye worms! Hello files!

Stygmata wrote:

I use usbfix... 2 min... cleans everything and returns everything... also adds a log with the virus signature, etc. for investigation.

Interesting. I may look into that!


#10 August 5 2015

bermudapineapple
Member

Re: Bye bye worms! Hello files!

I've never encountered this problem at AUB. Who's spreading this worm?


#11 August 5 2015

Brownies
Member

Re: Bye bye worms! Hello files!

tt400 wrote:

I've never encountered this problem at AUB. Who's spreading this worm?

I guess one idiot got infected and went around infecting university computers and such.
And no one really takes care of university computers. So they're a host for viruses.


#12 August 6 2015

NAM
Member

Re: Bye bye worms! Hello files!

AUB is actually under constant attack due to the very large network and because of old systems around campus (Windows XP on many PCs), and also the lack of a good antivirus... but the IT team is vigilant and that is why you don't see much spread of viruses.


#13 August 10 2015

NoReGreT
Member

Re: Bye bye worms! Hello files!

Brownies wrote:

I don't know about other universities around here, but if you're a student at NDU, then you've obviously experienced the feeling of dread once you plug your USB into the computer and see that your files are gone.

Long story short: it's a worm. I was really frustrated with this happening all the time and my antivirus would either (1) find the virus but not display the files or (2) not find any virus at all. So I basically made this small batch file which then turned into an executable.
It cleans the virus, displays all your hidden files, disinfects the hard drive/USB (as well as the infected computer) and deletes all the virus junk files (this feature hasn't been fully tested yet).

It's a very simple program but still useful! Don't expect this amazing program that shoots laser beams and does your homework for you. It's pretty basic but effective.

Here's the download link if you're interested:

https://onedrive.live.com/redir?resid=1C907597FCF4B91C!204&authkey=!AIsytnNBEWmSwck&ithint=file%2czip

And you can read more about these types of worms. For example:

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:VBS/Jenxcus.K#tab=1

Just some notes.
First of all, in these kinds of communities (mostly technical ones), don't post executables of your tools without the source code. Nobody would trust an executable no matter what you say about it. Secondly, use hashes (md5 or sha) for file integrity. File size is not always 100% reliable.


#14 August 10 2015

rolf
Member

Re: Bye bye worms! Hello files!

Still plugging around USB sticks like there is no tomorrow?


#15 August 10 2015

Brownies
Member

Re: Bye bye worms! Hello files!

NoReGreT wrote:

Just some notes.
First of all, in these kinds of communities (mostly technical ones), don't post executables of your tools without the source code. Nobody would trust an executable no matter what you say about it. Secondly, use hashes (md5 or sha) for file integrity. File size is not always 100% reliable.

Good point. Though, I will not post the source code.
Feel free to:
1. Scan with VirusTotal.com or any other online scanners.
2. Open the EXE in Sandboxie.
3. Check for any possible outgoing or incoming connections the EXE might send while in Sandboxie. (SPOILER: There are none.)

Though I have to bring to light that the EXE was compiled using a packer. So there might be *some* false positives (such as "Packed/MPress" or "BehavesLike.______").

Thanks for your input!

EDIT: Here's an old scan of when the program was in Beta:

https://www.virustotal.com/en/file/3b4668fc8ec5e22c1907b2d60ff12c1d29741ac495f10e691ad7c25735d535f9/analysis/1415259289/

The source code comes directly from that Beta. Notice the false positives.

Last edited by Brownies (August 10 2015)
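
The hash check suggested in post #13, applied to the kind of SHA-256 that appears in the VirusTotal link in post #15. This is an added example, not part of the thread and not code from the posted tool; the function names are hypothetical, the sample files are constructed, and it uses SHA-256 rather than MD5 because MD5 collisions are practical.

```python
import hashlib
import os
import re
import tempfile

# URL as posted in the thread; the path segment after /file/ is a SHA-256.
VT_URL = ("https://www.virustotal.com/en/file/"
          "3b4668fc8ec5e22c1907b2d60ff12c1d29741ac495f10e691ad7c25735d535f9"
          "/analysis/1415259289/")


def sha256_from_vt_url(url):
    """Pull the 64-hex-digit SHA-256 out of a VirusTotal /file/<hash>/ URL."""
    m = re.search(r"/file/([0-9a-fA-F]{64})(?:/|$)", url)
    if not m:
        raise ValueError("no SHA-256 found in URL")
    return m.group(1).lower()


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large download is never fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """True only if the file's SHA-256 equals the digest the author published."""
    expected = "".join(published.split()).lower()  # tolerate case and spaces
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("published value is not a SHA-256 digest")
    return sha256_file(path) == expected


def demo():
    """Constructed sample: two files of equal size that differ in one byte."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "tool.zip")
        tampered = os.path.join(d, "tool_tampered.zip")
        for path, data in ((good, b"constructed payload A"),
                           (tampered, b"constructed payload B")):
            with open(path, "wb") as f:
                f.write(data)
        published = sha256_file(good).upper()  # as an author might paste it
        same_size = os.path.getsize(good) == os.path.getsize(tampered)
        return (same_size, verify_download(good, published),
                verify_download(tampered, published))
```

`demo()` shows why a size check is not enough: both files have the same size, yet only the untampered one matches the published digest.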
