Comments on The malwarewolf*: M0rPheuS.tpl (2 comments, feed updated 2021-08-13)

Disheveled_Keyboarder (https://www.blogger.com/profile/05451561556424584882), 2012-05-02T21:45:09+01:00

Hey Gary,

What are the exact steps you took to remove this virus? We have a handful of users with the same problem and getting rid of it has been a pain in the ass.

We don't quite understand your removal instructions, though we're General IT staff.

We'd like your help in generating a concise set of instructions or a script that will help rid us of this problem. Please let me know, thank you.

Gary (https://www.blogger.com/profile/05865364829367368959), 2012-05-05T16:14:31+01:00

Sorry for the delay! The malscript - it's not really a virus - does three things. 1) It hides all files and folders on network drives that the user has write access to, so you need to unhide them, 2) it copies itself to the network drives, so you need to delete it* (see note below), and 3) it creates a shortcut to all of the hidden folders and files, each shortcut containing a link back to the script. So, any shortcut which is clicked will also run the script, starting the process afresh with a new victim, and you need to delete the shortcuts. Pretty simple really, if you open the .tpl file in notepad, you can see it's just javascript.

*We started out by deleting the script files, HOWEVER they kept getting recreated as users clicked compromised shortcuts, and for a while we were playing whack-a-mole across all of our network drives. So, we got a little smarter, and created a read-only blank (empty, null, useless..) copy of the script, so that if a compromised shortcut was clicked on another drive, the script would be unable to copy itself over the read-only dummy script, and would fail to replicate.
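The cleanup Gary describes above (unhide the items, remove the shortcuts that point back at the script, and leave a read-only empty placeholder in the script's place), written out as a PowerShell script. This is an added example, not Gary's own script or anything from the original post; it assumes the script file is named M0rPheuS.tpl and that the shortcuts are .lnk files whose target or arguments mention that name, and it only unhides an item when a matching shortcut sits beside it, so legitimately hidden files are left alone.

```powershell
# Added example, not from the original post. Run with -WhatIf first to see what it would change.
param(
    [Parameter(Mandatory)] [string] $Root,            # share root, e.g. \\fileserver\share or S:\
    [string] $ScriptName = 'M0rPheuS.tpl',            # assumed name of the malscript
    [switch] $WhatIf                                  # report only, change nothing
)

$shell   = New-Object -ComObject WScript.Shell        # used to read .lnk targets
$pattern = [regex]::Escape($ScriptName)

# Step 3 from the comment: find shortcuts that link back to the script.
$badLinks = Get-ChildItem -Path $Root -Recurse -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        ($lnk.TargetPath + ' ' + $lnk.Arguments) -match $pattern
    }

foreach ($link in $badLinks) {
    # Step 1: the shortcut is named after the file or folder it hid; unhide that item.
    $victim = Join-Path $link.DirectoryName $link.BaseName
    if (Test-Path -LiteralPath $victim) {
        $item = Get-Item -LiteralPath $victim -Force
        if ($item.Attributes.HasFlag([IO.FileAttributes]::Hidden)) {
            Write-Host "Unhiding  $victim"
            if (-not $WhatIf) { $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden }
        }
    }
    # Remove the shortcut so a click can no longer re-run the script.
    Write-Host "Removing  $($link.FullName)"
    if (-not $WhatIf) { Remove-Item -LiteralPath $link.FullName -Force }
}

# Step 2 plus Gary's footnote: replace each copy of the script with an empty, read-only
# placeholder so a later click on a stale shortcut elsewhere cannot write a new copy here.
$copies = @(Get-ChildItem -Path $Root -Recurse -Filter $ScriptName -Force -ErrorAction SilentlyContinue)
$targets = if ($copies.Count -gt 0) { $copies.FullName } else { @(Join-Path $Root $ScriptName) }
foreach ($path in $targets) {
    Write-Host "Replacing $path with read-only placeholder"
    if (-not $WhatIf) {
        if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Force }
        $dummy = New-Item -ItemType File -Path $path -Force   # zero-byte file
        $dummy.IsReadOnly = $true
    }
}
```

Run it once per share from an account with write access to the share; the read-only flag only stops the script overwriting the placeholder, so users who still hold stale shortcuts on other drives should have those cleaned with the same pass.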