Tuesday, November 3, 2009

Fighting Sowar Virus

I encountered this sowar.vbs months ago in a computer cafe, but never really worried about it since I have this "agimat" (talisman) against autorun viruses: a folder named "autorun.inf" on my flash disk. I just delete the defenseless executables, which require a working autorun configuration to be dangerous. I always watch out for accidental double-clicks on them.

But tonight I had to fight this virus, since it was brought to my computer by my uncle. And WTF, the effects of this virus were really bad. First of all, it sets my homepage (lol, I don't have an internet connection at home yet) to a porn site. What an ***. Well, the most remarkable thing about it is that it removes the Folder Options entry from the Control Panel. I didn't even know that was possible. Aside from these it also does the common virus actions: disabling the display of hidden files, disabling the display of system files (which I discovered are also called "super hidden files"), hiding file extensions, disabling the task manager and disabling regedit.

I disabled the "sowar" program in the startup tab of msconfig, but as I expected, after a restart it reappeared. Apparently, as long as this "wscript.exe" runs, it regenerates itself. So after the restart I enabled my task manager using my task manager enabler, then quickly ended the process "wscript.exe", which I discovered to be the one running VBS scripts (so don't even think of deleting this innocent executable). The real criminal is at "C:/WINDOWS/sowar.vbs". I changed its attributes to make it visible, using cmd: "attrib C:/WINDOWS/sowar.vbs -R -H -S". After this I didn't delete it; I renamed it, then created a new folder with the same name, "sowar.vbs". I ran cmd and changed the attributes again: "attrib C:/WINDOWS/sowar.vbs +R +H +S". After this I restarted the computer and saw that it still attempts to run sowar.vbs at startup, which of course fails. It is a folder now, not a VBS file, so no matter how often the startup entry in msconfig gets restored, it won't succeed as long as that name belongs to a folder.

Now that the evil process is not around, it's time to clean up the mess it created. I am pretty sure it will be a satisfying fix to repair the registry first. But how? My registry editor is disabled, and I dunno how to enable it using "reg add" on cmd (or in bat files, which I prefer). I decided to open the sowar VBS file with Programmer's Notepad, carefully, to prevent accidentally running it by double-clicking. I discovered it was a little "encrypted" or something.

Special characters infest the file, but there is a very obvious resemblance to registry addresses in some parts, except that they contain invalid special characters. At the bottom of the file I found a function declaration (it must be a Visual Basic function declaration) which does multiple replacements. Little by little, I used the find-and-replace (Ctrl + H) tool of Programmer's Notepad, looking for the obvious replacements. I was seeing obvious progress and had almost decoded the registry edits.

Here's an example:

HKEY_CUR�NT_USER\So‡w€e\Mi�o•‡\Intƒn…
where:

� = RE
‡ = ft
€ = ar
� = cr
• = so
ƒ = er
… = et

And it will be:
HKEY_CURRENT_USER\Software\Microsoft\Internet

After some time I had decoded all of the special characters. Although I didn't really understand "reg add" commands, I found the cmd help really useful ("REG ADD /?"). I reverse-engineered the directives of the virus and used them to create a .bat file that will fix them. The only line I don't understand is the one with "NoDriveTypeAutoRun", but since it uses 128 (ff) *lol* I just set it to 0 (please comment if I did it wrong :P).
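The find-and-replace decoding described above can be automated. The script below is an added example written for this post, not code from the original post or from the virus: it recovers the marker-to-fragment table from a decode function written as a chain of plain VBScript Replace(x, "marker", "fragment") calls (an assumption about the script's shape), applies the table in the same order the script would, and lists the registry paths the decoded text refers to. The two markers that show up as � on this page did not survive the page's encoding, so the constructed placeholders \x8d and \x90 stand in for them, and the VBS fragment embedded in the script is constructed for the demonstration.

```python
import re

# Substitution table from the post: one obfuscation marker -> plaintext fragment.
# The two markers rendered as U+FFFD on the page are unknown; '\x8d' and '\x90'
# are constructed placeholders for them (assumption, not the real bytes).
SUBSTITUTIONS = {
    "\x8d": "RE",
    "\u2021": "ft",   # ‡
    "\u20ac": "ar",   # €
    "\x90": "cr",
    "\u2022": "so",   # •
    "\u0192": "er",   # ƒ
    "\u2026": "et",   # …
}

# The post's example string, with the same placeholders for the two lost markers.
OBFUSCATED_SAMPLE = (
    "HKEY_CUR\x8dNT_USER\\So\u2021w\u20ace\\Mi\x90o\u2022\u2021\\Int\u0192n\u2026"
)

# Constructed stand-in for the decode function found at the bottom of the script:
# a chain of Replace calls, each turning one marker back into its fragment.
VBS_SAMPLE = (
    "Function Dc(s)\r\n"
    '  s = Replace(s, "\x8d", "RE")\r\n'
    '  s = Replace(s, "\u2021", "ft")\r\n'
    '  s = Replace(s, "\u20ac", "ar")\r\n'
    '  s = Replace(s, "\x90", "cr")\r\n'
    '  s = Replace(s, "\u2022", "so")\r\n'
    '  s = Replace(s, "\u0192", "er")\r\n'
    '  s = Replace(s, "\u2026", "et")\r\n'
    "  Dc = s\r\n"
    "End Function\r\n"
)

# Replace(<expr>, "<find>", "<replacewith>") with plain string literals on both sides.
REPLACE_CALL = re.compile(r'Replace\(\s*[^,()]+,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')

# A decoded registry path: a hive name followed by backslash-separated key names.
REGISTRY_PATH = re.compile(r'HKEY_[A-Z_]+(?:\\[^\\"\r\n]+)+')


def extract_table(vbs_source):
    """Recover the marker -> fragment table from the Replace chain, in script order."""
    table = {}
    for marker, fragment in REPLACE_CALL.findall(vbs_source):
        table[marker] = fragment
    return table


def decode(text, table=SUBSTITUTIONS):
    """Apply the replacements sequentially, exactly as the VBScript chain does."""
    for marker, fragment in table.items():
        text = text.replace(marker, fragment)
    return text


def registry_paths(decoded_text):
    """List the registry paths mentioned in decoded text, first occurrence first."""
    paths = []
    for match in REGISTRY_PATH.findall(decoded_text):
        if match not in paths:
            paths.append(match)
    return paths


if __name__ == "__main__":
    table = extract_table(VBS_SAMPLE)
    plain = decode(OBFUSCATED_SAMPLE, table)
    print(plain)
    for path in registry_paths(plain):
        print("touches:", path)
```

Running it against a real copy of the script means reading the file as text (never executing it) and feeding the whole source to extract_table and then to decode; the registry paths that come out are the keys to inspect and repair afterwards.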

So if you're in the same situation (well, that porn site isn't the right home page for you, right? *lol*), you can download this file: sowar-fix.bat, or if you're a techie person, paste the following code into a .bat file.

Note: you have to make sure you have prevented "C:/WINDOWS/sowar.vbs" from running. Otherwise all the registry fixes will just be trashed.

Note: you also have to remove the possibility that sowar will run on Windows startup. If you didn't read the early part of this post, please do so; I used the "replace it with a folder" method to stop the virus from "regenerating" itself.

Note: the Folder Options entry will reappear after you restart your computer, once the .bat fix has run.

For Techies, here is the code of the bat file I made:

REM Restore the Internet Explorer start and search pages
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.google.com/" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Search Page" /d "http://www.google.com/" /f
REM Show hidden files, file extensions and system ("super hidden") files again
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /d 1 /t REG_DWORD /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /d 0 /t REG_DWORD /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /d 1 /t REG_DWORD /f
REM NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled; 0 disables it for none
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /d 00 /t REG_DWORD /f
REM Bring back Folder Options in the Control Panel
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /d 0 /t REG_DWORD /f
REM Re-enable Task Manager and the registry tools (the hive name was missing its leading H in the original)
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /d 0 /t REG_DWORD /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /d 0 /t REG_DWORD /f
REM Leave a command prompt open so the output above can be read
cmd
