I spent the last few days trying to heal computers affected by Worm:VBS/Banie.A. I noticed that, on the affected computers, the worm hides the original Microsoft Word files (files with the extension .doc or .docx) and creates multiple files with the following extension: “filename.doc.vbe” or “filename.docx.vbe”. Opening such a document would run the script and affect the computer. Once the computer is infected with the worm, it automatically spreads to other computers connected to the same network, causing more damage.
I have also noticed that this worm inserts malicious JavaScript inside the header of HTML files, causing more damage. For example, if your browser’s home page is your Intranet page, the worm inserts malicious code into the HTML file. Running the browser would then execute this code and infect the computer.
Worm Details:
Name: Worm:VBS/Banie.A
Alert Level: Severe
Name: Worm:VBS/Banie.A!inf
Alert Level: Severe
I tried using AVG Business Edition to scan and heal the infected computers, but was disappointed! AVG cannot detect this worm or heal the affected documents. However, Microsoft Security Essentials can detect and remove the affected files, but it wasn’t 100% successful. The following methods will help you remove the worm from infected computers fully:
Removing Worm:VBS/Banie.A and / or Worm:VBS/Banie.A!inf from an Infected Computer
Note: If any of the tools I suggest here and allow you to download violates any rights, please let me know; it can be removed upon request.
Download the following tools before you proceed further:
1. Process Explorer for Windows: This is a tool created by Microsoft that lets you see information about which processes, handles and DLLs are open and running on your computer.
2. Autoruns for Windows: This tool, created by Microsoft, shows you all the programs that are configured to run when you start up your computer. It shows all the auto-starting locations such as Registry keys, etc.
3. CCleaner: One of the best system cleaning applications for Windows. It allows you to clear temporary files, caches, broken Registry keys, etc. from your computer. You can download it from here.
Scan the downloaded file with an Anti-Virus application and install it on your computer.
4. PCMAV Express: This tiny tool, created by PCMedia, Indonesia, is really powerful; it cleans up all infected files and removes the worm from your computer.
You can download all the tools from here.
IMPORTANT: Please scan all these downloaded files with an Anti-Virus program before executing them. Also, while my experience with these programs and tools was very satisfactory, I will not be responsible for any damage that may happen to your computer by using these tools.
I would recommend that you rename all these downloaded files before executing them, as worms and viruses may learn these names and block such programs from executing.
Steps to Remove The Worm:
Step 1: Execute the Process Explorer tool on the infected computer. Look through the running processes for any named “CScript.exe” and kill them. Close the application.
Step 2: Execute the Autoruns tool. Go through all the auto-running applications. Remove all the suspicious programs from autorun. This worm tries to load programs with the name “Annie.sys” and/or “Annie.ani”. Delete these entries from Autoruns to prevent them from loading when you start up your computer. Close the application.
Step 3: Recommended: Restart the computer and log back in using Safe Mode. Check this if you do not know how to enter Safe Mode.
Step 4: If you have an administrator login, log in using those credentials. If you don’t, that’s fine too. Go to the following locations and delete all Temp files.
On Windows 7: C:\Users\%username%\AppData\Local\Temp
On Windows XP: C:\Documents and Settings\%username%\Local Settings\Temp
Step 5: Run CCleaner and delete all Temp files and Cache (Windows Tab and Applications Tab). Then switch to Registry, scan and remove all broken Registry entries.
Step 6: Restart the computer in normal mode and log back in.
Step 7: Run the PCMAV Express tool and scan your computer. For best results, disconnect your computer from the Internet before scanning. Leave the PC alone until the scan is completed. The application will ask you to restart your computer once the scan is completed.
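To confirm the cleanup worked, the following Python script (an added example, not part of the original post or of any tool listed above) walks a folder and reports every file matching the “filename.doc.vbe” / “filename.docx.vbe” pattern described earlier, together with the original Word document beside it and whether that original still carries the Windows hidden attribute. The function names and the sample files are constructed for illustration; the script only reports and deletes nothing.

```python
import os
import re
import tempfile

# Decoy pattern described on this page: a Word file name with a trailing .vbe
DECOY_RE = re.compile(r"^(?P<orig>.+\.docx?)\.vbe$", re.IGNORECASE)
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; not reported on other platforms


def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_decoys(root):
    """Return findings for *.doc.vbe / *.docx.vbe files under root, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = {name.lower(): name for name in files}
        for name in files:
            m = DECOY_RE.match(name)
            if not m:
                continue
            orig_name = present.get(m.group("orig").lower())
            orig_path = os.path.join(dirpath, orig_name) if orig_name else None
            findings.append({
                "decoy": os.path.join(dirpath, name),
                "original": orig_path,
                "original_hidden": bool(orig_path) and is_hidden(orig_path),
            })
    return sorted(findings, key=lambda f: f["decoy"])


def build_sample_tree(root):
    """Constructed sample data: harmless empty files that mimic the layout."""
    os.makedirs(os.path.join(root, "reports"))
    for rel in ("budget.doc", "budget.doc.vbe", "reports/plan.DOCX.VBE",
                "reports/notes.docx", "reports/login.vbe"):
        open(os.path.join(root, rel), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in find_decoys(tmp):
            print(f["decoy"], "->", f["original"] or "original not found",
                  "(hidden)" if f["original_hidden"] else "")
```

To check a real machine or file share, call find_decoys() with the folder to inspect; an empty result means no decoy files remain there, and any original still flagged as hidden needs its hidden attribute cleared.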
You are done. Enjoy!