How to identify and remove the VBKlip malware?

Date of publication: 31/10/2013, CERT Polska


In our previous article we described a new VB malware, which we named VBKlip, that replaces a Bank Account Number copied to the Windows clipboard. To check whether your computer is infected, simply copy a correct Bank Account Number (e.g. 12 1234 1234 1234 1234 1234 1234), paste it into a text editor (e.g. Microsoft Word or Notepad) and compare the pasted number with the one you copied. If they differ, your machine is most probably infected with the described malware strain.

How to remove the malware?

To remove this malware we will use the technique described previously. First, download and unpack SysInternals Autoruns (available at http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx). The archive should contain four files:

Autoruns.chm
Autoruns.exe
Autorunsc.exe
Eula.txt

Upon running Autoruns.exe we should see the main Autoruns window, as pictured below:


As we can see, this application is quite complex: it lists every autorun entry it could find on our machine. We are only interested in two tabs, which cover the places where malware usually resides: Logon and Scheduled Tasks.

Identification and deactivation of the malicious software

To narrow down the list of suspicious entries, hide all entries associated with Windows or Microsoft software in general: click the Options menu and choose Hide Microsoft and Windows Entries (shown in the picture on the right).

One of the telltale signs of the malware is its location (shown in the Image path column). If the path begins with C:\Documents and settings\... then the entry most probably corresponds to the malicious software. In the sample we obtained it always pointed to a file called AcroRd.exe. It is important to note that this malware can add multiple entries; two of them are presented in the image below. To disable them, clear the checkbox next to each entry.

After disabling all suspicious entries and restarting the computer, check again whether Bank Account Numbers are replaced in the Windows clipboard. If they are not, the infection has been removed successfully.
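The identification rule above (Logon and Scheduled Tasks entries only, Microsoft entries hidden, image path under the user profile or named AcroRd.exe) can also be applied mechanically to a command-line export from Autorunsc. The Python below is an added example, not code from the original article or from CERT Polska; it runs over a constructed CSV sample whose column names are an assumption about the shape of Autorunsc's CSV output, so adjust the header names if a real export differs.

```python
import csv
import io
import ntpath

# Constructed sample in the shape of an Autorunsc CSV export. The column names
# are an assumption; a real export carries more columns than are used here.
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Publisher,Image Path
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,AcroRd,enabled,Logon,,,C:\Documents and settings\User\Application Data\AcroRd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,ExampleUpdater,enabled,Logon,Example Updater,Example Vendor,C:\Program Files\Example\updater.exe
Task Scheduler,\AcroRdTask,enabled,Scheduled Tasks,,,C:\Documents and settings\User\Local Settings\AcroRd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,ctfmon,enabled,Logon,CTF Loader,Microsoft Corporation,C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks,Example Hook,enabled,Explorer,,Example Vendor,C:\Documents and settings\User\hook.dll
"""

PROFILE_PREFIX = "c:\\documents and settings\\"  # user-profile root on Windows XP/2003
MALWARE_IMAGE_NAME = "acrord.exe"                # file name seen in the analysed sample
TABS_OF_INTEREST = {"Logon", "Scheduled Tasks"}  # the two Autoruns tabs the article inspects


def is_microsoft_entry(row):
    """Rough stand-in for the 'Hide Microsoft and Windows Entries' option (by publisher name only)."""
    return "microsoft" in row.get("Publisher", "").lower()


def path_reasons(image_path):
    """Return the reasons a single Image Path value matches the article's indicators."""
    reasons = []
    lowered = image_path.strip().lower()
    if lowered.startswith(PROFILE_PREFIX):
        reasons.append("runs from a user profile directory")
    if ntpath.basename(lowered) == MALWARE_IMAGE_NAME:
        reasons.append("image name matches the sample (AcroRd.exe)")
    return reasons


def triage(csv_text):
    """Return (entry location, entry name, image path, reasons) for every suspicious row."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Category") not in TABS_OF_INTEREST or is_microsoft_entry(row):
            continue  # other tabs and Microsoft-published entries are out of scope
        reasons = path_reasons(row.get("Image Path", ""))
        if reasons:
            hits.append((row["Entry Location"], row["Entry"], row["Image Path"], reasons))
    return hits


if __name__ == "__main__":
    for location, entry, image, reasons in triage(SAMPLE_AUTORUNS_CSV):
        print(f"{entry}\n    {location}\n    {image}\n    reason: {'; '.join(reasons)}")
```

Both AcroRd.exe entries in the sample are reported, one from Logon and one from Scheduled Tasks, while the profile-resident DLL under the Explorer category is deliberately left out because the article limits the search to those two tabs.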