VBS.Generic.544

1. Creates its copies in the root folder of logical drive and in Windows folder which is called MS32DLL.dll.vbs and has "Hidden" attribute.

2. Creates autorun.inf file, where MS32DLL.dll.vbs performance is indicated during transition to another logical drive in file manager. Thus, "Autorun" will become the main point in context menu.

3. Copies MS32DLL.dll.vbs and autorun.inf files on flash-drives if they are attached to computer at the moment of infection.

4. Modifies system registry in order to provide autoload for its copy:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS32DLL
C:\WINDOWS\MS32DLL.dll.vbs

The second modification of VBS.Generic.544 modifies system registry as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fucker
C:\WINDOWS\fucker.vbs

5. Inserts "Hacked by Godzilla" line into all active windows of Internet Explorer.
The second modification of VBS.Generic.544 supposes the following line "Malaysian Hackers".

1. Download from uninfected computer free cure utility Dr.Web CureIt!.
2. Scan all logical drives and hooked flash-discs with Dr.Web CureIt!. Apply action "Cure" to all detected subjects.
3. Recover registry by the following script:
--8<------------------------------------------------------------------
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Window Title"=-

--8<------------------------------------------------------------------

It’s required to create .reg-file, which contains given script. Then you should start it. At this, all necessary changes will be put on the registry.