Hi all,
Allow me to explain. All of these *.vbs or *.vbe script worms ( * = randomly named ) must use some loading point.
Most of them just establish themselves in one of the "Run" keys ( HKLM or HKCU ). All of them use the legitimate wscript.exe process for loading (C:\Windows\system32\wscript.exe).
In this way the worm defends itself from being deleted.
Their job is to keep running on the host system as long as possible while performing malicious acts, waiting for a newly attached USB device that will serve as transfer to other hosts.
They are not file infectors and they are not dangerous for the system itself, but they are part of a malware family and have the characteristics of script worms.
There is one catch.
If this script worm is active on the host machine, MCShield cannot fully disinfect the USB device. Why?
Well, while the job of MCS is to remove any malware from USB, malware that is active on the host machine has a duty to re-infect the USB at any time, thus resulting in a cleaning loop.
Disinfection of these variants is as follows:
* Delete malware from host system;
* Delete malware from USB devices;

Cleaning the host system;
- From Task Manager, kill the wscript.exe process.
- When there is nothing to protect it, the malware file is easy to delete (even manually by right click > delete).
- Delete the related registry key.
=> We from MyCity AMF Lab have created a new small tool which has the task of killing each .vbs or .vbe malware file on the host system.
http://www.mcshield.net/download/tools/Anti-VBSVBE/
Anti-VBSVBE is a small utility that should clean vbs and vbe script worms from your host system, from your computer.

Cleaning the USB devices;
When the host system is clean (using Anti-VBSVBE or some other malware removal tool), there's nothing to spread malware to USB devices. MCShield has the green light to clean malware without interference.
- Download and install MCShield and allow it to remove all malware from USB devices.
http://www.mcshield.net/

Cheers,
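
The loading point described in the post (a "Run" key value that starts a .vbs or .vbe file through wscript.exe) can be checked before cleaning the USB device. The sketch below is an added example, not part of the original post and not code from MCShield or Anti-VBSVBE; the function names, the regular expression and the sample entries are assumptions constructed for illustration.

```python
import re
import sys

# The two "Run" keys named in the post.
RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# A .vbs/.vbe path inside a command line, quoted or unquoted.
SCRIPT_RE = re.compile(r'"([^"]+\.vb[se])"|(\S+\.vb[se])(?=\s|$)', re.I)

def find_script_autoruns(entries):
    """entries: iterable of (key, value_name, command); returns flagged values."""
    hits = []
    for key, name, command in entries:
        m = SCRIPT_RE.search(command)
        if m:
            hits.append({"key": key, "name": name,
                         "script": m.group(1) or m.group(2),
                         "via_wscript": "wscript.exe" in command.lower()})
    return hits

def read_run_keys():
    """Read the live HKLM and HKCU Run keys (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out = []
    for label, hive in hives.items():
        try:
            with winreg.OpenKey(hive, RUN_PATH) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):  # [1] = value count
                    name, value, _ = winreg.EnumValue(k, i)
                    out.append((label + "\\" + RUN_PATH, name, str(value)))
        except OSError:
            pass  # key missing or not readable
    return out

# Constructed sample values (not taken from a real infection).
SAMPLE = [
    ("HKCU\\" + RUN_PATH, "qwkzpd",
     r'"C:\Windows\system32\wscript.exe" //B "C:\Users\test\AppData\Roaming\qwkzpd.vbe"'),
    ("HKLM\\" + RUN_PATH, "xjrtq",
     r"C:\Windows\system32\wscript.exe C:\Users\test\xjrtq.vbs"),
    ("HKLM\\" + RUN_PATH, "VendorTray",
     r'"C:\Program Files\Vendor\tray.exe" /min'),
]

if __name__ == "__main__":
    entries = read_run_keys() if sys.platform == "win32" else SAMPLE
    for hit in find_script_autoruns(entries):
        print(hit)
```

Each flagged value gives the script file to delete and the registry value to remove once the wscript.exe process has been killed; legitimate logon scripts can also match, so review each hit before deleting.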