Author Topic: .MS32DLL.dll.vbs wscript.exe  (Read 10841 times)

0 Members and 1 Guest are viewing this topic.

sanouk_666

  • Guest
.MS32DLL.dll.vbs wscript.exe
« on: March 01, 2007, 05:39:05 AM »
Hi all,

my computer was infected by this .vbs worm, on the system as .MS32DLL.dll.vbs and avast home 4.7 with the updated definition does not detect it.
This worm or virus seems to copy itself to the system via removable storage, e.g. handy drives and usb memory sticks.


I found some info on this, godzilla or zogilla or solowa as mentioned in the reports below, I dont know which flavor I got anyway I sent it zipped to virus@avast.com

http://howto.redcomputer.net/windows/hacked_by_godzilla.php
http://www.symantec.com/security_response/writeup.jsp?docid=2006-112416-3424-99&tabid=2
http://www.sophos.com/security/analyses/vbssolowa.html

regards,

San
« Last Edit: March 03, 2007, 07:07:08 AM by sanouk_666 »

sanouk_666

  • Guest
Re: .MS32DLL.dll.vbs
« Reply #1 on: March 02, 2007, 04:00:19 PM »
I sent the email with the undetected virus/worm to virus@avast.com, but did not get any reply.
will anything be done?

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 89438
  • No support PMs thanks
Re: .MS32DLL.dll.vbs
« Reply #2 on: March 02, 2007, 04:14:45 PM »
You will not normally get a reply unless they require more information, they receive in excess of 4000 emails a day at that address.

If you still have the sample, add the file to the User Files (File, Add) section of the avast chest and send it from there (select the file, right click, email to Alwil Software), it won't hurt to send it again. No need to zip and PW protect when the sample is sent from chest.

Submissions from the chest get filtered, so should hopefully stand out from the crowd and in the avast chest it can do no harm and you can periodically scan it to see if it has been added to the VPS.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: .MS32DLL.dll.vbs
« Reply #3 on: March 02, 2007, 06:40:33 PM »
Please, avast team, improve detection here  8)
The best things in life are free.

sanouk_666

  • Guest
Re: .MS32DLL.dll.vbs
« Reply #4 on: March 03, 2007, 07:05:17 AM »
Thanks for the info DavidR!

I added it to the chest and sent it like you said.

Some more info on this virus:
it resides on the root of every drive and in c:\windows
it creates a file 'autorun.inf' on the root of every drive, containing :
[autorun]
shellexecute=wscript.exe .MS32DLL.dll.vbs

it looks like viewing a folder where the virus resides (drive root) in explorer activates the script.
For one brief second you see the file (the first time) and then it vanishes.

it will start a process called wscript, visible in task manager.
If you dont kill this process the virus file ms32dll.dll.vbs remains invisible. -when you change 'show hidden files', it will not take effect, as long as wscript is running.

It also changes the search behavior the windows search application to search for files.

it is a pain to remove all files and registry edits, to get infected 5 minutes later as soon as someone hands over his usb memory stick.
It seems to be extremely common and present on every computer I came across here in Bangkok!
I hope this virus will be detected by avast or that there will be a fix.

« Last Edit: March 03, 2007, 07:09:04 AM by sanouk_666 »

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 89438
  • No support PMs thanks
Re: .MS32DLL.dll.vbs wscript.exe
« Reply #5 on: March 03, 2007, 02:04:28 PM »
Thanks for the feedback.
A belated welcome to the forums.

Perhaps you should also send autorun.inf although not a virus in itself it is an indication. the same
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security