Computers around Kathmandu are these days infected by a nasty resource-eating virus which does nothing but scare people. If your Internet Explorer address bar shows Sujin.com.np and your home page points you to "sujin.com.np", then your computer is infected by the Sujin virus. Don't be scared though. Apart from eating 9 MB of your computer's memory for wscript.exe and changing your IE address bar and home page, this virus does not do any harm. I mean no secret is going to be stolen from you.
I advise you not to believe the news reports coming out in the papers which claim this virus steals your password and sends it to the virus coders. Being a computer science student I know a little about code. I have seen the code of the virus (it does not require any expertise, believe me) and there is nothing in it which suggests it steals passwords.
There is no doubt that it's a lie. This guy Sujin, whoever he is, only wants to get some publicity. This virus is written in VBScript, so the code can be seen through Notepad.
You get to see this message if you open the file through Notepad:
('******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them.
'******************************************************************
'******************************************************************
'Program developed by
'Sujin Joshi
'http://Sujin.com.np
'sujinjoshi@gmail.com)
He claims that this "antivirus program" is intended to repair your computer. Some of his claims are true, as it deletes "ravmon.exe", "winfile.exe", "run.wsh", "sxs.exe" and "killvbs.vbs", which are all known viruses. It resets the registry and Task Manager back to normal. But these are not all the viruses in the world. This is no match for viruses with polymorphic properties. Remember the "New folder.exe" virus, which copies itself to every folder with a different folder name. Don't fall for it; this is no good of a program.
This script makes changes in your registry by attaching itself ("Virusremoval.vbs") to userinit.exe, which makes his file execute every time we start the computer and log on. Moreover, this script scans for removable storage devices like floppies and pen drives every 10 seconds to propagate. If you have a floppy drive you can hear it scanning your floppy drive every 10 seconds with an annoying sound.
Also, it makes an "autorun.inf" file with the following lines on these devices if it finds them inserted:
("[autorun]"
"open=wscript.exe VirusRemoval.vbs"
"shell\open=Open"
"shell\open\Command=wscript.exe VirusRemoval.vbs")
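Both indicators described above can be checked from text alone, without opening anything on the drive. The following is an added example, not code from the original post or from the virus: it parses autorun.inf content and flags launch entries that start a script host or script file, and lists anything besides userinit.exe in a Winlogon Userinit value. The function names and the Userinit sample string are assumptions made for illustration.

```python
# Script hosts and script extensions that should not appear in an autorun launch entry.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_autorun_entries(text):
    """List (key, value) launch entries that start a script host or a script file."""
    hits = []
    for key, value in parse_autorun(text).items():
        is_launch = key in ("open", "shellexecute") or key.endswith("\\command")
        tokens = [t.strip('"').lower() for t in value.split()]
        if is_launch and any(t.endswith(SCRIPT_HOSTS + SCRIPT_EXTS) for t in tokens):
            hits.append((key, value))
    return hits

def extra_userinit_entries(value):
    """Return Userinit entries other than userinit.exe (normally there are none)."""
    parts = [p.strip().strip('"') for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]

# Constructed samples: the autorun.inf lines quoted in the post, and an ASSUMED
# Userinit value with the script appended after the legitimate entry.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "open=wscript.exe VirusRemoval.vbs\n"
    "shell\\open=Open\n"
    "shell\\open\\Command=wscript.exe VirusRemoval.vbs\n"
)
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\VirusRemoval.vbs"

if __name__ == "__main__":
    print("autorun.inf:", suspicious_autorun_entries(SAMPLE_AUTORUN))
    print("Userinit extras:", extra_userinit_entries(SAMPLE_USERINIT))
```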
This virus eats up your memory resources to spread itself. Blood-sucking parasite, don't you think? The other thing it does is change your Internet Explorer's address bar with "–sujin.com.np" and your home page to sujin.com.np, which is not working right now.
Now for the getting rid of the virus part (manual method).
Apparently Mercantile, the company where this guy registered his domain name, was providing an antidote for this Sujin virus. I went there and downloaded the program. It did clean my virus, but when I checked the About section of that program I was horrified to find the same name, "Sujin Joshi", as programmer. आफैं बोक्सी आफैं धामी????? (both witch and the witch hunter are the same person?)
It further strengthened my previous hunch that this guy is no more than a script kiddie looking for instant fame, and I suspect that the same guy planted the news story in some of the newspapers of Nepal. To them I have to say plz plz plz verify first whatever you are publishing. No false information please.
Would you trust this person's program??? I would not!!!! You should not. Sorry for deviating from the issue, but I am angry with these newspapers.
To clean this VBScript from your computer (manually):
1) Open Task Manager > look for the process "WScript.exe" > click on it and then click End Process. If it says warning and bla bla bla, ignore it and click Yes. Now make sure there is no more "WScript.exe" running in Task Manager; if there is, repeat the process above, i.e. hitting the End Process button.
2) To open the command prompt, type "cmd" without quotes at Start > Run
3) Type "cd.." without quotes and press enter
4) Repeat 3); this would bring us to the drive c: or d: or whatever yours is
5) Now type cd windows\system32 and hit enter
6) Type "attrib -s -h -r Virusremoval.vbs" without quotes and hit enter
7) Now type "del Virusremoval.vbs" without quotes and hit enter
8) Now if you have a pen drive or floppy inserted, don't double-click to open it. Instead double-click the "My Computer" icon; when it opens, press the F4 button on your keyboard, now find your pen drive or whatever you have to open and click it.
9) Click the Tools option of the My Computer menu and then click Folder Options there → look for the View tab and click it → click the "Show hidden files and folders" radio button. Also uncheck the boxes which say "Hide extensions for known file types" and "Hide protected operating system files (Recommended)"; ignore that warning which says bla bla bla and press Yes while doing it.
10) Find and delete the files named "autorun.inf" and "Virusremoval.vbs" if they exist.
11) If it is not working for you, plz check no. 1) again; if there is wscript.exe running in the Task Manager you have to repeat everything again. So please be sure that wscript.exe is not running.
Update:
And lastly, in order to fix up the registry alteration done by this Sujin virus, please download this VBScript file here and double-click it. This particular script is also useful if you are infected by viruses other than Sujin (ask me if you encounter a problem; I am always ready to answer).
Update: go to this link to get anti sujin tool 2.1 here.