Wednesday, December 5, 2007

Removing Pooh.vbs (update)

If you have downloaded the vbswormremover that I posted here before, I mentioned in the header and in my post that I had edited it to include pooh.vbs. It is true that it can remove the file pooh.vbs. However, I encountered the fully working worm just today, so I have only now found out how this worm really works.

One visible symptom of this worm is that it launches Internet Explorer during Windows startup with a web page that has a black background and the word "aikelyu". (Sorry, no screenshot: it wasn't my PC, I lost my flash drive recently, and I fixed the PC in a rush.)

This worm is very similar to the imkulot worm, except for the web page. It is launched via an autorun.inf that runs pooh.vbs using wscript.exe, and it drops the following files in the Windows\system32 folder:

  • kernell.dll.vbs
  • aikelyu.html
and adds a startup entry in the registry (the Winlogon Shell value, see the regedit steps below) that runs these two files. Note that the script's name is spelled kernell.dll.vbs in the file list above and kernel.dll.vbs in the registry steps below; check which spelling the infected machine actually uses and match it exactly when you clean up. I initially intended to write instructions on how to completely remove the pooh.vbs worm (some call it the antz virus) to make up for what the vbswormremover was missing; however, I realized it is easier to edit the remover myself and just give instructions on how to remove this worm's registry entry.
  • Download the vbswormremover
  • Restart in Safe Mode
  • Run the vbswormremover. This kills wscript.exe in the task list and deletes autorun.inf and pooh.vbs from the root directory of every available drive. I also added lines that delete kernell.dll.vbs and aikelyu.html from the Windows\system32 folder.
  • Next, clean the registry manually, using either of the two methods below.
Using HijackThis (only if you know how to use it safely)
Caution: Follow these instructions very carefully!
  • Run HijackThis
  • Click Scan
  • Check every entry that references kernel.dll.vbs (or kernell.dll.vbs, whichever spelling appears on the machine) and aikelyu.html; the modified Winlogon Shell value usually shows up as an F2 entry
  • Click Fix checked
Using regedit
Caution: Follow these instructions very carefully!

  • Run regedit (Start -> Run -> regedit)
  • Navigate to the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
  • Find Shell (a String Value). The worm has appended its script path after Explorer.exe, so the value reads something like Explorer.exe followed by "C:\WINDOWS\system32\kernel.dll.vbs"
  • Remove the "C:\WINDOWS\system32\kernel.dll.vbs" part (and any separator before it) so that the value contains only "Explorer.exe". Edit the value; do not delete it.
Now restart your computer in normal mode and check whether the worm is gone: the black "aikelyu" page should no longer open at startup, wscript.exe should not be running, and the files listed above should be absent from the drive roots and Windows\system32.
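As an added example (not part of the original post, and not code from the vbswormremover), the following Python script checks the two persistence points described above: it strips the worm's entry from a Winlogon Shell value while keeping Explorer.exe, and it parses an autorun.inf to see whether its launch keys run one of the worm's files. The sample Shell value and the autorun.inf lines are constructed for the example, since the post does not quote the worm's actual autorun.inf; the file names come from the post, with both spellings of the script included. On a Windows host the script also reads the live Shell value, read-only, so you can compare it against the cleaned form before touching it in regedit.

```python
"""Check the two persistence points the post describes for the pooh.vbs worm:
the Winlogon "Shell" value and the autorun.inf dropped on each drive.
The sample Shell value and autorun.inf text below are constructed for this
example; the post does not quote the worm's actual autorun.inf lines.
"""
import re
import sys

# File names the post lists for this worm.  Both spellings of the script
# that appear in the post are included so neither one is missed.
WORM_FILES = ("pooh.vbs", "kernell.dll.vbs", "kernel.dll.vbs", "aikelyu.html")

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "Explorer.exe"


def mentions_worm(text):
    """True if any of the worm's file names occurs in text (case-insensitive)."""
    low = text.lower()
    return any(name in low for name in WORM_FILES)


def analyze_shell_value(value):
    """Return (cleaned_value, removed_entries) for a Winlogon Shell value.

    Winlogon accepts a comma-separated list of programs in Shell, which is
    how the worm can hang its script after Explorer.exe and still give the
    user a normal desktop.  Entries are split on commas and whitespace,
    every entry naming a worm file is dropped, and Explorer.exe is always
    put back first so the machine is never left without a shell.
    Limitation: a legitimate entry containing spaces would be split too,
    so review cleaned_value before writing it back with regedit.
    """
    entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    removed = [e for e in entries if mentions_worm(e)]
    kept = [e for e in entries
            if not mentions_worm(e) and e.lower() != DEFAULT_SHELL.lower()]
    return ",".join([DEFAULT_SHELL] + kept), removed


def autorun_runs_worm(autorun_inf_text):
    """Return the autorun.inf line that launches a worm file, or None.

    autorun.inf is INI-style; the keys Windows acts on when a drive is
    opened are open=, shellexecute= and shell\\...\\command=.  Only lines
    inside the [autorun] section are considered.
    """
    section = None
    for raw in autorun_inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, cmd = line.partition("=")
        key = key.strip().lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and mentions_worm(cmd):
            return line
    return None


def read_live_shell_value():
    """Read the real Shell value on a Windows host (read-only).

    Returns None on other platforms so the module still runs offline.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
    return value


# Constructed sample inputs (not captured from the worm).
SAMPLE_SHELL = r"Explorer.exe,C:\WINDOWS\system32\kernell.dll.vbs"
SAMPLE_AUTORUN = "[autorun]\r\nopen=wscript.exe pooh.vbs\r\nshellexecute=wscript.exe pooh.vbs\r\n"

if __name__ == "__main__":
    cleaned, removed = analyze_shell_value(SAMPLE_SHELL)
    print("Shell:", SAMPLE_SHELL)
    print("  cleaned:", cleaned, " removed:", removed)
    print("autorun.inf launches worm:", autorun_runs_worm(SAMPLE_AUTORUN))
    live = read_live_shell_value()
    if live is not None:
        print("live Shell value:", live, "->", analyze_shell_value(live)[0])
```

The script only reads the registry; writing the cleaned value back is left to regedit as in the steps above, so that you can compare the `removed` list against what you see on the machine first. The same parser can be pointed at the autorun.inf on each drive root (open the file and pass its text in) to confirm that the remover really got rid of the launcher and not just pooh.vbs.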

3 comments:

Stefan M. said...

So many nasty viruses nowadays. The good thing is they are not destroying files; they are just there to do the "annoying effect".
Hehehe... I encountered this "pooh" a while ago.....

TekBytes said...

How true, Stef. I think one reason why so many worms are popping up like... worms on a good rainy day (pun intended, heheh)... is that there is at least one site where you can download programs that generate worms! Can you believe that?!? I was tempted to post the site here, but it would be like giving all kinds of knives, blades and guns to everybody and saying KILL ME! heheh.

BTW, did the remover get rid of pooh? (Hmmm, this worm is giving that yellow bear a bad name heheh)

Stefan M. said...

I didn't use the remover. It was already detected & deleted by Kaspersky, although KAV left the autorun.inf file.

Can you email me the link to the site that generates worms? Very curious. I'm going to use my Linux OS to browse the site to avoid infecting Windows... hahaha... thanks to Linux!

About TekBytes

First of all, I'm not a computer/IT guru. I just want to share the little things I know about current technologies and to bridge the gap between the real techies and the non-techies. This blog is mainly for those who want to make the best use of the hi-tech gadgets in their hands but are not technically inclined. You may send questions about IT too, and I'll try to answer them as best I can; if I can't, and if it's worth it, I'll post your queries here in the hope that we can find someone who can answer. No spamming please.