programmers resources
  http://www.intel-assembler.it/  (c)2017 intel-assembler.it   info@intel-assembler.it
 
Search :  
Lingua Italiana    English Language   
Index
 
just an empty assembly space
just an arrow Intel Platform
just an arrow Article & Guides
just an arrow Download Software


23/01/2009 Featured Article: How to remove Buzus Virus (permalink)




:::3063287:::
Bottone Scambio Directory Pubblicitaonline.it
Home Page | Articles & Guides | Download | Intel Platform | Contacts

Google
 


Download 
Tell a friend
Bookmark and Share



How to remove Busuz ... manually ( by jes )

This article is online from 2988 days

Note: Backup you data before trying this procedure. The operations described in this article may cause data loss on your computer or lock the system up. Modifying the register could block the computer.There's no guarantee that what is written here will work.The author assumes no responsability for any damage should occur by following the procedure here described.


How to manually remove Buzus virus

Yesterday I inserted my 2GB usb pendrive in my notebook and the icon of the unit was somewhat different from usual. Instead of being a storage icon it was a yellow folder.
After a shot investigation I find out that the autorun.inf file on the pendrive has changed and contains some strange calls to exe files from in the RECYCLER folder (note, the pen is a FAT filesystem, not an NTFS like the notebook's hard disk). The suspicious exe files was named WINDE32.EXE.

That's what I found in the autorun.inf file:
[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winde32.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\
winde32.exe
shell\open\default=1
I googled "winde32.exe" and found some infos, not many usefull ones really, which talked about the Buzus virus. Diggin' down Busuz I find outthere's tons of different versions and that only a few of them had been analyzed, the others were simply reported by the different sites as trojans.
So I decide to remove it from my computer and from the pendrive.

Lets start


First thing you should disable autorun on the pendrive to avoid the virus get copied from the usb to the computer every time you insert it.
Do this using TWEAKUI (from Microsoft) selecting MyComputer->Autoplay->Drives and unchecking all units.

My first surprise is when I try to find the file on the drive H: (my pendrive)...
Using Windows Explorer I open the directory and I can't see any files... Sure, they're hidden... (uhm...) So I open a DOS Command Line(Start->Run->CMD) and write:
C:\Documents and Settings\jes>H:
H:>CD RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013
H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013>dir /ah
Il volume nell'unitą H non ha etichetta.
Numero di serie del volume: 8C8A-AAD2

Directory di H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013

21/01/2009 19.40 62 Desktop.ini
27/08/2008 14.09 38.410 winde32.exe
2 File 38.472 byte
0 Directory 184.287.232 byte disponibili

H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013>
The first surprise happens when I try to remove WINDE32.EXE from the pendrive because the file is locked and cannot be deleted or renamedor anything, really.

So I start up Unlocker1.8.5, get back to windows folders, select the file and delete it pressing DEL.
Windows, of course, refuses to delete it, just click Ok and there pops up Unlocker and does the dirty job.
Yes, that's nice, the file's gone!

Count up to ten and the files is back on the pendrive again. Help! That means my notebook is infected and spreads the virus to any usb memory device I put into the computer.

That is strange... I never noticed anything wrong while using the computer... Uhm...

So, got to my first conclusion: I can remove the virus from the pendrive by just deleting the RECYCLER folder and AUTORUN.INF on a clean computer, but as soon as I put it into my notebook, TADA, there it is again.
I must remove the virus from the computer.

Quick checkup of the computer

Ok I'll start by checking the computer, who knows for how long the virus has been here!

Considering I daily check the system more than once I can't believe I've been infected for so long.

Detecting Buzus PropagationWith the pendrive stuck in I bring up FILEMON (from SysInternals) to find out which process writes the virus on the pendrive.

I set the filters in the program just to watch unit H: (from Volumes menu) and start capturing (CTRL+E).

Actually, I was expecting to find svchost.exe or something... but no, it's explorer.exe that infects the drive.

So now I know that Explorer writes the virus to the pendrive every 10 seconds, all day long. That is evil!

:D


Where is the source of the virus?

I must find out where the virus source is to discover where it's read from before being written to usb devices.

Got back into FILEMON and now set the volume filters to C: and H: to see what changes. Uhm, there a lot going on in Windows every second, isn't there? There's so much stuff that is becomes impossible to read anything.

Let start excluding some processes from the output windows in FILEMON. Just right-click on the line containing the process you want to exclude and choose "Exclude Process" from the popup menu.You can exclude every process (LSASS, CRSS, etc) and just leave Explorer.exe if you want.

Ok, that's interesting now. The scenario is the same as the figure above with the difference that now we can see Explorer reading the virus from C: and immediately after writing it to the pendrive.

And where is the virus source? Obviously on C: in the same folder used on the pendrive.

Virus source folder:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013

Replicates onto removable memories (well, mine is still H):
H:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013

Lets remove the damn thing from the Hard Disk


Ok, now we can remove the file from the Hard Disk without any problem. Unlocker, again, will help us deleting the file. If it doesn't get deleted first time just try a couples of times more and you will get rid of it.
Are we sure it won't come back onto the Hard Disk? Yes, because C: is the repository and the rewriting business will only happen on removable disks on which the virus propagates to. The little thing supposes that the repository always contains the source exe.

Ok, now that it's gone from the Hard Disk you can remove from the pendrive and be safe it won't come back again.

What happens now?

There's a problem remaining after removing the virus from the pendrive and from the Hard Disk. Explorer still tries to replicate the thing... every 10 seconds!
Yes, FILEMON will show you how this happens. Even though WINDE32.EXE is not found on the Hard Disk the attempts to propagate the virus will still go on.

Cleaning up the system

The last think to cleanup is Explorer. Lets open REGEDIT and search for the name of the fold, or, better, we'll search for 1482476501.
My ideas was: I find this string in the registry and remove all the keys which contain it.

Whatever key contains S-1-5-21-1482476501-1644491937-682003330-1013 can be removed.

At a certain point (on my notebook it was the last thing it found) you should find an occurrence of the string contained in a folder called {28ABC5C0-4FCB-11CF-AAX5-81CX1C735612}.Well, that is the name on my computer, not sure it will be the same on yours. For sure it's a folder and it will show up in the left pane of REGEDIT.
Save the name and after removing all the keys with the "S-1-5..." string now go and search the name of that folder (28ABC5C0... or whatever).
Remember that to start a new search in REGEDIT you must click on the root node again, right at the top of the tree.
I deleted then the only occurence of {28ABC5C0...} that was found.

I rebooted the computer and... voilą... Buzus is gone!

Julian Spina



Note: Backup you data before trying this procedure. The operations described in this article may cause data loss on your computer or lock the system up. Modifying the register could block the computer.There's no guarantee that what is written here will work.The author assumes no responsability for any damage should occur by following the procedure here described.

Windows, Microsoft, TwaekUI, Regedit, Filemon, Unlocker and all other reported names are trademarks of their legitimate proprietaries.



Top
Download 
Tell a friend
Bookmark and Share



webmaster jes
writers rguru, tech-g, aiguru, drAx

site optimized for IE/Firefox/Chrome with 1024x768 resolution

Valid HTML 4.01 Transitional


ALL TRADEMARKS ® ARE PROPERTY OF LEGITTIMATE OWNERS.
© ALL RIGHTS RESERVED.

hosting&web - www.accademia3.it

grossocactus
find rguru on
http://www.twitter.com/sicurezza3/
... send an email ...
Your name

Destination email

Message

captcha! Code