Security Tool Spotlight: Use Rem-VBSworm to remove AutoRun Worms

[Batu69]

As the inaugural article in our Security Utlity Spotlight column, I would like to introduce the Rem-VBSworm utility, which is used to clean USB and VBS AutoRun infections from a computer and USB drives.

 

Rem-VBSWorm, or Remediate VBS Worm, was created in 2013 by Bart Blaze, a Panda Security employee and Malware Researcher, when he noticed an increase in USB/VBS AutoRun infections such as Bladabindi, Dinihu/Houdini, and Jenxcus. Originally created for his own use, when Bart saw these infections affecting others on the web he decided to enhance the tool and release it publicly.

 

To provide some background, USB and VBS AutoRun worms are malware infections that infect a computer and then spread to removable USB drives.  When an infected USB device is then plugged into another computer, older versions of Windows would automatically run the infection and infect your computer and connected USB devices.  Since Windows 7, the AutoRun feature on removable drives has been disabled, but these types of infections are still being spread through other methods such as SPAM attachments or as part of the payload for Trojan.Downloaders.

Figure 1. USB Drive infected with numerous Autorun Worms

The ability to spread to other computers, though, is only a single characteristic of these types of infections.  These infections also include threats such as as acting as a backdoor so a remote attacker can execute commands on the infected computer, stealing passwords and account information, keypress logging, corporate espionage, taking pictures through connected cameras, and downloading and executing other malware on your computer.  As you can see, these types of malware should not be taken lightly by consumers or the enterprise.

 

This is where a program like Rem-VBS comes into play as it is designed for one purpose; to scan for and eliminate these types of infections.

 

Once you download the program, double-click on the Rem-VBSworm.exe executable and you will be greeted with the main screen for the program.

Figure 2. Main Screen of Rem-VBSWorm

From this screen you can launch the various features of the program. The main features are:

 

A. Attempt to clean infection

This feature will scan your computer for VBS and USB AutoRun infections and clean any that are detected. While cleaning your computer it will also repair any registry modifications that may have been made such as disabling Task Manager or the Windows Registry Editor.

 

B. Clean USB Drive of Infections and restore files

This feature will allow you to specify a drive letter for a plugged in USB drive.  Once you select the drive, it will remove any malware from the drive and make any hidden files visible.

 

C. Download Panda USB Vaccine

This feature will download and install the Panda USB Vaccine utility, which blocks these types of malware from spreading via USB drives. It does this by preventing any AutoRun file from running, regardless of whether the device (memory stick, CD, etc.) is infected or not, on your computer. This program will also prevent your plugged in USB drive's AutoRun file from becoming a source of infection by disabling this file so it cannot be read, modified or replaced by malicious code.

 

D. Disable or enable Windows Script Host

This feature allows you to disable or enable the Windows Script Host.  The Windows Script Host is a legitimate Windows service that allows VBS and Javascript scripts to run directly in Windows. Unfortunately, many malware abuse this feature to execute malicious behavior on an infected computer.  If you have no need for these types of files to run on your computer, then you can select this option to disable it.  As it is just as easy to enable it again if you need this feature, it is suggested that you test your computer with this disabled and see if it affects any of your legitimate programs. If not, then keep it disabled to provide some extra security to your computer.

 

When using this tool, Bart recommends that you plug in your USB drives and then execute Rem-VBSWorm by choosing the A option, then B, and finally option C. After you have completed these steps you can press Q to quit the program and review the results in the log file located at C:\Rem-VBS.log.

 

Below you can see a logfile, that I split into two images, that was generated when I cleaned the infections off the infected USB key displayed in Figure 1.  

Figure 3. RemVBS.log Part 1

Figure 4. RemVBS.log Part 2

As you can see from the log above,  Rem-VBSWorm did a great job cleaning up the computer, cleaning the USB drive, and inoculating the USB drive so that it won't get infected again.  My USB drive, thanks to Bart's tool, was now clean again and a read-only folder was created called AutoRun.inf, which prevents future malware from creating that file and using it for malicious purposes.

Figure 5. Cleaned USB Drive

For those who are looking for another good utility that they can add to their Security ToolBox, Using Rem-VBSWorm is simple, simply download the program from the following link.

 

Rem-VBSworm 6.0.0 Download

 

Article source