Reverse Engineering My Name is Yuyun Worm



Malware analysis is time-consuming, especially when a researcher relies on manual detection and removal of the malware from its root.
That’s my preferred method: I aim to completely remove malware from every device I’m hired to clean.

Today, I was contacted by someone whose system is infected with a virus that replicates itself and creates a shortcut file along with two .rtf files in every folder within the user’s file system. The names of these .rtf files are "Baca AQ.rtf" and "My name is Yuyun.rtf."


The malware is delivered via USB drives, likely used for media file transfers, which infect the computer when connected. The malware is self-replicating, and it consistently creates .lnk (shortcut) files and .rtf files. One unique characteristic of this worm is that it relies on the Thumbs.db file for spreading, as this file contains the main infection chain.

Well, the first thing I started looking into was the %temp% directory to find any kind of .exe file. Luckily, I found a file named auto.exe, but it turned out not to be a fully executable file. Instead, it’s more like a configuration file used for the worm’s spreading mechanism. Before diving into the contents of this file, I noticed that each shortcut created by the worm has a target like this: C:\Windows\system32\wscript.exe //e:VBScript thumb.db "Microsoft". This shows that the worm relies heavily on the thumb.db file, as it contains the actual infection chain that allows the malware to spread from the infected computer. The .lnk files point to this script, which triggers the infection process.

So far, I’ve started looking into the configuration file, and it contains some configuration code that looks like this:

[autorun]
open=WScript.exe //e:VBScript thumb.db auto
shell\open=Open
shell\open\Command=WScript.exe //e:VBScript thumb.db auto
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=WScript.exe //e:VBScript thumb.db auto

To begin, look for Thumb.db files using Command Prompt by typing the command dir /s /b c:\Thumb.db, which will search recursively through the entire C: drive. If you want to delete a specific Thumb.db file from a known location, such as in your Documents folder, use the following command to forcefully and quietly delete it: del /f /q "C:\Users\admin\Documents\Thumb.db". You can also use tools like ChatGPT or write your own script to automate the deletion of all Thumb.db files found during the search.

Next, search for .rtf files that may have been created by a worm. Use the command dir /s /b c:\*.rtf to list all .rtf files on your system, and pay close attention to any files named Baca AQ.rtf and My name is Yuyun.rtf. After locating these, save all the paths containing them into a text file named paths.txt.

Once you have this list, use a batch script to delete the targeted .rtf files. Save the following script into a .bat file and run it: https://justpaste.it/imt7d.

Finally, to ensure no malware remnants are left behind, run Windows Defender. Perform a quick scan or, preferably, a full system scan one to three times to thoroughly remove any lingering traces of infection.
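The manual steps above (locating thumb.db, the two .rtf files and the wscript.exe shortcuts, then deleting them and keeping a paths.txt) can be done in one pass. The PowerShell script below is an added example, not the author's batch file from the link; it quarantines rather than deletes, and it only treats a thumb.db or Thumbs.db as malicious if the file contents look like script, since a real Thumbs.db is a binary thumbnail cache. The drive root, quarantine folder and the content keywords are assumptions.

```powershell
# Added example (not from the original post). Finds the Yuyun worm's artifacts and moves
# them to a quarantine folder, writing the list of paths to paths.txt for review.
# Assumptions: $Root / $Quarantine are placeholders; the keywords used to recognise a
# script-type thumb.db are a heuristic, not taken from the worm itself.
param(
    [string]$Root = 'C:\',
    [string]$Quarantine = 'C:\Quarantine-Yuyun'
)

$rtfNames = @('Baca AQ.rtf', 'My name is Yuyun.rtf')   # file names named in the post
$shell    = New-Object -ComObject WScript.Shell         # used to read .lnk targets
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
$found = @()

# foreach (not ForEach-Object) so the listing is complete before anything is moved
foreach ($f in (Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
                Where-Object { $_.FullName -notlike "$Quarantine*" })) {
    $hit = $false
    switch -Regex ($f.Name) {
        '^thumbs?\.db$' {
            # A legitimate thumbnail cache is binary; the worm's file is run as VBScript,
            # so look for script-like text in the first lines (heuristic, assumption).
            $head = Get-Content -Path $f.FullName -TotalCount 5 -ErrorAction SilentlyContinue
            if ($head -match 'WScript|CreateObject|\.lnk') { $hit = $true }
        }
        '^(autorun\.inf|auto\.exe)$' {
            # The [autorun] block shown in the post launches thumb.db via wscript.exe
            if ((Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue) -match 'thumb\.db') { $hit = $true }
        }
        '\.rtf$' { if ($rtfNames -contains $f.Name) { $hit = $true } }
        '\.lnk$' {
            # Match the shortcut target from the post: wscript.exe //e:VBScript thumb.db ...
            $sc = $shell.CreateShortcut($f.FullName)
            if ($sc.TargetPath -match 'wscript\.exe$' -and $sc.Arguments -match 'thumb\.db') { $hit = $true }
        }
    }
    if ($hit) {
        # Flatten the original path into the file name so nothing collides in quarantine
        $dest = Join-Path $Quarantine ($f.FullName -replace '[:\\]', '_')
        Move-Item -Path $f.FullName -Destination $dest -Force
        $found += $f.FullName
    }
}

$found | Set-Content -Path (Join-Path $Quarantine 'paths.txt')
"Quarantined $($found.Count) file(s); paths written to $Quarantine\paths.txt"
```

Run it from an elevated prompt so hidden and system-attributed files on the USB drive and user profile are reachable; review paths.txt before emptying the quarantine folder.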
