If you have downloaded the vbswormremover that I posted here before, I mentioned in the header and in my post that I had edited it to include pooh.vbs. True enough, it can remove the file pooh.vbs. However, I encountered the fully working worm only today, and so I have just found out how this worm really works.
One visual symptom of this worm is that it loads Internet Explorer during Windows startup with a web page that has a black background and the word "aikelyu". (Sorry, no screenshot: it wasn't my PC, I lost my flash drive recently, and I fixed the PC in a rush.)
This worm is almost identical to the imkulot worm, except for the web page. It is loaded via an autorun.inf that runs pooh.vbs using wscript.exe, and it puts the following files in the windows/system32 folder:
- kernell.dll.vbs
- aikelyu.html
- Download the vbswormremover
- Restart in safe mode
- Run the vbswormremover. This will kill wscript.exe in the task list and delete autorun.inf and pooh.vbs from the root directories of all available drives. I also added lines that delete kernell.dll.vbs and aikelyu.html from the windows/system32 folder.
- Next, clean the registry manually.
Caution: Follow these instructions very carefully!
- Run HijackThis
- Click Scan
- Check all entries containing 'kernel.dll.vbs' and 'aikelyu.html'
- Click Fix selected entries
Caution: Follow these instructions very carefully!
- Run regedit (Program->Run->regedit)
- Select the path: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
- Find Shell (String Value) and modify its value to "Explorer.exe" (do not delete it)
- Remove this -> "C:\WINDOWS\system32\kernel.dll.vbs"; you can see it has been appended to the Shell (String Value)
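As an added example (not the vbswormremover from this blog), the PowerShell script below automates the same checks from an elevated prompt: it stops wscript.exe, looks for the files named above on every drive root and in system32, and restores the Winlogon Shell value only if the worm's script path has been appended to it. File names and the registry path come from the post; the script checks both spellings the post uses (kernel.dll.vbs and kernell.dll.vbs), and $Remediate = $false turns it into a report-only scan.

```powershell
# Added example, not the vbswormremover: report or clean the indicators
# described in the post. Run from an elevated PowerShell prompt.
$Remediate = $true                       # $false = only report findings
$names     = @('kernel.dll.vbs', 'kernell.dll.vbs')   # both spellings in the post
$sys32     = Join-Path $env:SystemRoot 'system32'
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Stop wscript.exe first so the worm cannot re-create files while we delete.
Get-Process -Name wscript -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "Stopping wscript.exe PID $($_.Id)"
    if ($Remediate) { Stop-Process -Id $_.Id -Force }
}

# 2. Dropped files in system32.
foreach ($f in ($names + 'aikelyu.html')) {
    $p = Join-Path $sys32 $f
    if (Test-Path $p) {
        Write-Host "Found $p"
        if ($Remediate) { Remove-Item $p -Force }   # -Force also removes hidden files
    }
}

# 3. autorun.inf and pooh.vbs on the root of every filesystem drive.
foreach ($d in (Get-PSDrive -PSProvider FileSystem)) {
    foreach ($f in 'autorun.inf', 'pooh.vbs') {
        $p = Join-Path $d.Root $f
        if (Test-Path $p) {
            Write-Host "Found $p"
            if ($Remediate) { Remove-Item $p -Force }
        }
    }
}

# 4. Winlogon Shell persistence: reset to Explorer.exe only if tampered.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and ($names | Where-Object { $shell -match [regex]::Escape($_) })) {
    Write-Host "Winlogon Shell is tampered: $shell"
    if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe' }
} else {
    Write-Host "Winlogon Shell looks clean: $shell"
}
```

Like the manual steps, this is best run from safe mode so the worm is not active while the files are removed.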
3 comments:
So many nasty viruses nowadays. The good thing is they are not destroying files... they are just there to do the "annoying effect".
Hehehe... I encountered this "pooh" a while ago.....
How true, Stef. I think one reason why so many worms are popping up like ... worms on a good rainy day (pun intended heheh)... is that there is at least one site where you can download programs that generate worms! Can you believe that?!? I was tempted to post the site here but it would be like giving all kinds of knives, blades and guns to everybody and saying KILL ME! heheh.
BTW, did the remover get rid of pooh? (Hmmm, this worm is giving that yellow bear a bad name heheh)
I didn't use the remover. It was already detected & deleted by Kaspersky, although KAV left the autorun.inf file.
Can you email me the link to the site that generates worms? Very curious. I'm gonna use my Linux OS for browsing the site to avoid infection on Windows... hahaha... thanks to Linux!