
One of the most famous worms which attained star status during 2000 was the ILOVEYOU worm. It was followed by many variations of the same, but none as deadly as the original. Indeed, it was a surprise worm to the world, wrapping itself as a simple love letter text file. The ILOVEYOU worm spreads through emails using the Microsoft Outlook mail software. Next came the netlog worm or Network.vbs, which infects the Microsoft operating systems. This worm spreads through Windows file shares instead of emails. It can easily spread to the entire network connected with the file share. Just searching for and deleting the Network.vbs file on the computer can remove this kind of worm, since it wasn't that intelligent.

Here I'm going to disassemble a similar type of worm which spreads itself through USB pen drives. It has got many variants like "lord rahul cool" or boot.vbs, sys.vbs, VirusRemoval.vbs and Semiantivirus.vbs. Actually it's my first-hand experience with this worm, which affected one of my colleagues' PCs, that prompted me to write this article.

The attack:

One fine day some of my colleagues complained that some sort of virus had attacked their systems, which pops up messages when they open the Internet Explorer browser. I tried to find out what they did in common. They didn't install any new software, didn't access any network share, nor did they download any new exe program. But they were all listening to the same music! As we used to share mp3s and movies in our office, it's quite usual that we use pen drives for transferring the files. And one of these could have infected their systems.

Work lifecycle:

It starts off as soon as the USB pen drive is plugged in. The Autorun.inf file in the pen drive loads our worm script, which is hidden in the pen drive itself. The Autorun.inf file has an entry similar to:

    [autorun]
    open=hiddenscript.vbs
    icon=autorun.ico

Since the Visual Basic script can access the file system and the Windows registry, these worms alter files and registry values according to their author's purpose. They copy themselves to the Windows system32 folder and make themselves hidden in Windows Explorer by modifying the registry value at:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

This worm has got the following characteristics:

* Changes the Internet Explorer window title to the author's own statement, like "LORD RAHUL COOL". This is done by editing the registry at HKCU\Software\Microsoft\Internet Explorer\Main\Window Title
* Changes the Internet Explorer startup page to their own by editing the value at HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
* Also modifies the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit registry value to launch the vbs script on Windows login by calling wscript.exe.
* These modifications are re-applied even if we try to alter them manually, since it is programmed to repeat the same action every 1 second.

Removal:

At first I thought removal was quite easy. So I just terminated the wscript.exe which runs the script from the Task Manager and then tried to look for the vbs script, but couldn't find it. But once the system was restarted the worm came back into action. This time I spotted all the registry keys and removed them and then terminated wscript.exe. But still the worm was inside. Then, after learning about Visual Basic script worms, I found out that they can exist with the vbe extension. So I searched for them and found them hidden inside the Windows folder. Now I first stopped wscript, next trashed the vbe file and then altered all the registry values back to normal. Now I restarted the system and it was all gone.

One thing I'd not like to forget mentioning is to trash the vbe file in the pen drive and edit or remove the autorun.inf on the USB pen drive. After all, that's the source of trouble!

Follow the steps:

1. Go to Run and type System 32.
2. Search for wscript.exe, which will have a red icon. Click on stop, then apply and ok.
3. Now search for rahulsvirusprotection.vbe and press Shift + Del.
4. Now restart the system.
5. Then connect your pen drive. Go to Folder Options and select "Show hidden folders and files".
6. Now you will find autorun.inf and lord rahuls protection.vbs; press Shift + Del.
7. Now your browser will be free from it.
8. Now open regedit, go to HKCU\Software\Microsoft\Internet Explorer\Main\Start Page and change the value to your own webpage.
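As an added example (not part of the article), here is a read-only PowerShell audit that checks a PC for the indicators described above: the Userinit, Window Title, Start Page and SHOWALL\CheckedValue registry values, running wscript.exe instances, .vbs/.vbe files dropped into the Windows folders, and an autorun.inf on a removable drive whose open= line points at a script. It assumes (not stated in the article) that the clean CheckedValue is 1; it reports findings and changes nothing.

```powershell
# Added audit script, not from the article. Reports indicators only; it does not clean anything.
# Assumption (not from the article): a clean SHOWALL\CheckedValue is 1.
$findings = @()

# 1. Winlogon\Userinit hijacked to launch a script via wscript.exe at logon
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit -match 'wscript|\.vb[se]') { $findings += "Userinit = $userinit" }

# 2. Internet Explorer title / start page tampering (the HKCU values named in the article)
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ie = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
if ($ie.'Window Title') { $findings += "IE Window Title = $($ie.'Window Title')" }
if ($ie.'Start Page')   { $findings += "IE Start Page = $($ie.'Start Page')" }

# 3. "Show hidden files" option disabled so the dropped script stays invisible in Explorer
$showAll = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $checked -and $checked -ne 1) { $findings += "SHOWALL\CheckedValue = $checked (expected 1)" }

# 4. Running wscript.exe instances and the script each one was started with
Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" | ForEach-Object {
    $findings += "wscript.exe PID $($_.ProcessId): $($_.CommandLine)"
}

# 5. .vbs/.vbe files (hidden ones included, via -Force) in the Windows and System32 folders
$dirs = @("$env:SystemRoot\*", "$env:SystemRoot\System32\*")
Get-ChildItem -Path $dirs -Include *.vbs, *.vbe -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Script in Windows folder: $($_.FullName) (attributes: $($_.Attributes))"
}

# 6. autorun.inf on removable drives (DriveType 2) whose open= line launches a script
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        $open = Select-String -Path $inf -Pattern '^\s*open\s*=\s*(.+)$' | Select-Object -First 1
        if ($open -and $open.Matches[0].Groups[1].Value -match '\.vb[se]|wscript') {
            $findings += "$inf launches: $($open.Matches[0].Groups[1].Value)"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No indicators found.' }
```

Run it from an elevated PowerShell prompt so the HKLM keys and System32 are readable; each warning line maps to one of the manual steps in the article.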
