So I stumbled across this suspicious looking VBScript file not too long ago, and only 3 engines had picked up on it from VirusTotal.com with little info around the web so I thought I’d add some meat the bone.
A user complained that their laptop was slow and that he was getting antivirus notifications everytime he plugged in his USB stick – he mentioned this is the 2nd USB stick he has gone through as the last one was showing similar symptoms.
The USB’s contents appeared to be empty but the antivirus prompt was killing some sort of autorun shortcut at the root of it. I was suspicious when the user mentioned this is the 2nd USB stick so I looked for hidden files on the USB, and this is when I found MerciJacquieMichel.vbe. I immediately killed wscript.exe which improved system performance but most importantly ensured the script was no longer running.
Looks like the script was configured to proporgate on any attached removable devices.
Trying to read the contents of the script produced a junk-filled one-liner – perhaps some trivial attempt to obscure its contents but I’m sure it could be unfolded one way or another. My goal wasn’t to completely disect and investigate the script, moreso to clean the host and get the user back online. The fact it was several tens of KB in size, displayed no more than 20 characters in Notepad and had several hits in the registry immediately told me I didn’t want this on there anymore.
- Start > Run
- “Edit” > “Find”
- Enter text in the “Find what:” field to search
- Hit F3 to cycle through to the next match
The area of interest for simple nasties in Windows is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Do search the entire registry though.
So far this nasty hadn’t impressed me much so I relied on Window’s local indexing service to search for any other copies of the file locally. Sure enough there were three copies in the user’s profile AppData directory.
I’d love to unfold the script and provide evidence that it proporgates and kills performance, but unfortunately I don’t have enough time. I hope I gave you enough information by describing symptoms and highlighting key tell tells to help you identify and resolve.