VBS.Sojax
Document programs that have obsolete version of security are the primary target of VBS.Sojax. The result of infection could be devastating because it will give an attacker to control the PC from a remote place.
VBS.Sojax is a Visual Basic Script Trojan that opens a backdoor on compromised computer, which will allow a remote attacker to take full control of it. The Trojan may also monitor system activities and steal sensitive information and other significant data. Using malicious documents, VBS.Sojax will enter the computer by exploiting several security breaches in Adobe Flash, Adobe Reader and MS Office.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
Once VBS.Sojax is executed, it will drop malicious files under Temporary folder. Next, it will gather the following information and store it in a folder under C:\Windows\NtUninstallKB\:
- Running processes on the infected computer
- Critical network information such as IP Address, DNS and relevant configuration
- Computer information like user name, Operating System version, hardware profiles and many more
- Files including attributes on all drives found on the compromised system
Lastly, Trojan VBS.Sojax will configure Windows to open a backdoor that will allow a remote attacker to initiate the following:
- Upload and download files to and from a specified server
- Run .CMD commands
Distribution
The Trojan will arrive as an attached document file such as .PDF and .DOC to spam email messages. To launch an attack, this Trojan will exploit security breaches and will take advantage of vulnerabilities in Adobe Flash Player, Microsoft Office RTF File, Adobe Acrobat and Adobe Reader. T
%Temp%\WINWORD.EXE %Temp%\~temp.vbs
How to Remove VBS.Sojax
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. To be able to identify even the most recent variant of VBS.Sojax, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable to delete, better place them in quarantine. Once the scan is complete, please proceed with the next step.
Scan with Norton Power Eraser:
Additional virus removal tool like Norton Power Eraser provides deep scanning technology to eliminate other threats not detected by a normal virus scan. Use this tool with extra caution.
5. Go to this link and download Norton Power Eraser.
6. Once the download completes, double click on the file NPE.exe to run the program.
7. It will prompt for End User License Agreement, click on Accept to continue.
8. On NPE main window, click on Scan. Then select Exclude Rootkit Scan. Click on Continue to proceed.
9. Virus scanning may take some time. After running the scan, NPE will display the scan result.
Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in Detected category are necessary to remove at this point. Make sure that you mark the Create System Restore Point before proceeding with the fix.
10. Now click on Fix to start removing the threats including VBS.Sojax remnants if there are any.
11. When done, Norton Power Eraser will restart the computer. Then after a reboot, it will initialize and display the eliminated threats.
12. You may now close Norton Power Eraser.