How to remove shortcut virus from USB – Dinihou – Houdini Worm.VBScript

SosVirus

It’s a recent worm having already infected scores of computers all around the world. It is also called Houdini.
Depending on the antivirus used, it is detected as :
It is spread through USB peripherals such as pendrives, external drives, but also smartphones or digital cameras through their memory cards.
Once the media is connected, for users, the contents appear normal. Here’s a view showing 2 photos and a MP3 audio-file :
Shortcut virus
But here is what the key really contains (which is “hidden” to users).
Shortcut virus
On the file on the right, we can notice a small arrow in the bottom left corner of the icon; it means this is a shortcut, and may be a sign of the infection
Shortcut virus
In 1, we can see the shortcuts (visible to users) and we may think they are real files; but in fact, these shortcuts, once clicked, will launch the infection (2) and then, open the original file (hidden to users).
You feel you have launched the file you wanted, and you won’t be aware the malware has been launched a few milli-seconds before.
YOU ARE CAUGHT!
Shortcut virus

What it does ?

The file is a VBS (Microsoft Visual Basic script).
This type of script is commonly used by managers
of operating systems and networks, to make small programs aiming at making repetitive tasks automatic.
Shortcut virus
Without entering technique too much,let’s say the malware is complexly encoded to camouflage itself, and so avoid detection by anti-virus.
Shortcut virus
Shortcut virus
  • Once loaded into the memory (RAM) of the computer, the malware  will make copies of its code in some precise folders of the system : temporary files and start.
Shortcut virus
  • It will make itself persistent, by creating 2 registry keys, in order to be launched when system re-starts
Shortcut virus
  •  it, then, will search for all removable peripherals, and infect them, thus, making new vectors of propagation.

On the hacker’s side :

The malware connects to the C&C server, to transmit some information :
  • Serial numbers of drives
  • Name of the computer and session
  • Operationg system
  • Name of the anti-virus (if any)
Shortcut virus
The hacker, thus, will be able to take control of the “victim” computer to :
  • Steal data
  • Update the malware (or delete it)
  • Install other malwares
  • He may also re-use the code, change it, enrich it
Here is a view of an ad for this type of malware :
Shortcut virus
Here is a view of a managing console (what the hacker can see on his scren) :
Shortcut virus
Shortcut virus
Even if the code is relatively simple, it is enough to corrupt the security of a whole organization, and retrieve personnal or confidential information from a great numberof people.
Shortcut virus

What to do ?

  • Not to be infected :

See this article : https://www.usb-antivirus.com/2014/03/infections-spreading-usb-peripherals/
In particular the passage : “How to avoid this type of infection?”

We recommend you, either firms, or particulars, to adopt a full antivirus protection like Bitdefender Internet Security.
bitdefender 2015

Bitdefender 2015 :

  • It offers protection against most viruses and other internet dangers
  • Light, silent, and quick
  • It protects your on-line shopping, and make your digital identification safe
  • It informs you about your children’s activities, and provide filter tools if needed
  • It integrates a firewall to protect your internet connexion

If you are infected, UsbFix can deal with this type of infection.

  • Download UsbFix on your computer, and execute it.
  • It will launch automatically, and a shortcut will be created on your desktop.
  • Connect all your external data sources to your PC (Usb keys, external drives, etc…) Do not open them.
  • Choose “Clean” option.

usbfix-clean

  • A pop-up will follow :
Connect all your external data sources to your PC (Usb keys, external drives, etc…)
  • Once you’re ready, click “OK”.

usbfix

  • While cleaning, you will loose access to your desktop, but this is normal.

2014-02-14_110534

  • The numbers of analysed and infected éléments are displayed.

usbfix

  • Once cleaning is over, you’ll be suggested to donate the author, El Desaparecido.

2014-02-14_112046

  • Donation is not compulsory, but is useful to go on developping the software, and meet the expense to maintain our website server.
  • Once you’ve made a choice, a report will open.

2014-02-14_112103

  • You can find a copy of this report on your desktop, and another at : C:UsbFixLogUsbFix [Clean 1] Your PC.txt
  • Copy/paste it on the board you’ve asked for help.
  • If you are not taken care, we invite you to create a subject on the forum of disinfection SosVirus and to transmit the report for analysis.

About Sujan Chakraborty

Leave a Reply

Your email address will not be published. Required fields are marked *