Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

"Mabraze" or "Travail" malware


  • Please log in to reply
9 replies to this topic

#1 rm_-rf_windows

rm_-rf_windows

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:25 AM

Posted 18 December 2008 - 11:25 AM

Hello!

My computer has been infected with some sort of malware, known as the "Mabraze" or "au travail" / "travaillez" (French for "get to work!").

A message appears from time to time:

"Il est maintenant XX:XX:XX (the present time)
il est temps de se mettre au travail, au lieu de rester à ne rien faire d'important!!
Ce n'est pas un mabraze ici !!"

Translation: "It is now XX:XX:XX (the present time)
It is time to get to work, instead of doing nothing important!!
This is not a Mabraze !!"


I found a site that had some useful information on the malware and am in the process of trying to get rid of it. I have made progress, but have encountered some difficulties.

Here's what I have done:

Followed the following instructions based on the following post (http://www.commentcamarche.net/forum/affich-9140211-suppression-de-antinul-vbe?page=2, in French):

"Cause : antinul.vbe its autorun.inf

This little 'joke' is transmitted via usb flash drive. So if you've used a usb flash drive, be sure to follow steps one and two saving the corresponding files on the root of your usb flash drive. Do this before disinfecting your PC.


Procedure:

1. Open a text editor and write "kill vbscript travailplus". Save as "antinul.vbe" on your Desktop.
2. Open a text editor and write "kill vbscript travailplus". Save as "autorun.inf" on your Desktop.
3. Copy the two files in the following location: C:\windows\system32\. If you are asked to overwrite the files, do so.
4. Download HiJackThis, execute it, tick lines RO - R1 - F2 - O7 and click on fixchecked (to delete)
5. Return to system32 et delete antinul.vbe et autorun.inf (not necessary, leaving them could prevent a new infection)
6. Set the registry back to normal so that you can access Folder Options in the Control Panel (Google it!)."


Most of this has worked, but there is one problem. The antinul.vbe file does not execute properly. When rebooting, I get a message saying that the "antinul.vbe" file was not compiled properly because it did not terminate properly (or something like that... syntax error?), and therefore did not execute. There is a carriage return at the end of the two files.

I did execute a .reg script to restore the "Folder Options" in the Control Panel, and that worked, no problem there.

Other problem, and I don't know if this is related to any of the above. I wrote a short batch script to save files and folders onto an external hard drive. Some of the folders do not appear in Explorer. They are there, and I can access them by adding "\FolderName", but cannot see them nor access them from the command line or using Explorer.

I have some HiJackThis logs, and can post them if need be.

So my primary questions are:

1) Have I followed the right procedure?
2) If the "antinul.vbe" script doesn't execute, it means that I haven't followed the procedure from beginning to end. Is there something wrong with my syntax? Do I need to add something to the script?
3) What else do I need to do to finish the procedure?

Many thanks.

rm_-rf_windows

Edited by Pandy, 18 December 2008 - 12:57 PM.
Moved From HijackThis Logs and Virus/Trojan/Spyware/Malware Removal


BC AdBot (Login to Remove)

 


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 18 December 2008 - 01:47 PM

Hi,

It is very dangerous to delete anything with HijackThis without the advice given by a HJT Team member (or an other qualified person)!!

Open HijackThis, and click "View the list of backups". Select everything and click "Restore" on the right.

Then, do this:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 rm_-rf_windows

rm_-rf_windows
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 18 December 2008 - 06:30 PM

superbird,

Thanks for your reply.

I am a third year computer science student.

For starters, could you simply tell me, if you know, why the "antinul.vbe" script doesn't execute/compile properly?

All that's written in the script is "kill vbscript travailplus" followed by a carriage return.

Perhaps you could suggest some more commands/code in order to generate a message giving more information about the error.

I couldn't find a good vbe tutorial...

Many thanks.

rm_-rf_windows

Edited by rm_-rf_windows, 18 December 2008 - 06:46 PM.


#4 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 19 December 2008 - 05:03 AM

Hi,

Maybe it's related to malware. That's why I would suggest you'll run MBAM, and post the requested logfile. :thumbsup:

#5 rm_-rf_windows

rm_-rf_windows
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:25 AM

Posted 19 December 2008 - 07:11 AM

superbird,

Thanks. Will do.

However, I will not have access to the computer until after the holidays. I'm leaving tomorrow and don't have much time today.

Many thanks.

rm_-rf_windows

P.S. - It is indeed malware. I couldn't find any information on it in English, it seems to affect people who consult French websites. Lots of information on Mabraze / TravailPlus in French, virtually none in English.

#6 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 19 December 2008 - 07:20 AM

Hi,

Okay I'll wait for your response after the holidays. :thumbsup:

#7 rm_-rf_windows

rm_-rf_windows
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 30 December 2008 - 09:35 AM

Superbird,

Did the installation and scan. No findings. Would it be possible to do another scan, a more in depth search?

Here are the results:

Malwarebytes' Anti-Malware 1.31
Version de la base de données: 1577
Windows 5.1.2600 Service Pack 2

30/12/2008 15:27:28
mbam-log-2008-12-30 (15-27-28).txt

Type de recherche: Examen rapide
Eléments examinés: 65921
Temps écoulé: 6 minute(s), 57 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)



Cheers,

rm_-rf_windows

#8 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 30 December 2008 - 09:45 AM

Hi,

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:Scan Archives
      Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
Posted Image
Posted Image
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#9 rm_-rf_windows

rm_-rf_windows
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:25 AM

Posted 01 January 2009 - 02:17 PM

Superbird,

The computer I was working on was a friend's computer and we are fairly certain that a solution has been found. I would have interested ME to dig a little further to make sure, but the malware that was installed wasn't all that nasty and my friend says that he doesn't want to pursue it any further. The malware seems to only exists in French (and so it seems that only francophones seem to get it, it must come from sites in French or something) and therefore there is very little on it in English on the Net.

Many thanks for your response nevertheless, and if problems arise in the weeks that follow, I will post back.

Best wishes for 2009!

rm_-rf_windows

#10 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 01 January 2009 - 02:50 PM

Hi,

That's all right. :thumbsup:
I hope your problems are solved. And yes, you can always post back and will help you.

You the best wishes too. :flowers:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users