
VBS.Plan - Removal

Risk Level 2: Low

Discovered: June 6, 2000
Updated: February 13, 2007 11:56:05 AM
Also Known As: VBS.President.Worm, VBS/Columbia, VBS.LoveLetter.AS, VBS.LoveLetter.BJ, I-Worm.Plan
Type: Worm

To remove this worm, perform the following steps in the order presented (detailed instructions follow):
  • Verify that NAV is set to scan all files.
  • Restart the computer in Safe Mode.
  • Scan the computer for infected files.
  • Delete the Us-president-and-fbi-secrets.htm file and files with a .vbs extension.
  • Remove worm entries from the registry.
  • (Optional) Restore copies of Logos.sys and Logow.sys.
  • (Optional) Recover infected image files.

To verify that NAV is set to scan all files:
  • NAV 4.0/5.0:
    1. Start NAV.
    2. Click Options.
    3. Click the Scanner tab.
    4. Click All files, and then click OK.
  • NAV 2000/2001:
    1. Start NAV.
    2. Click Options.
    3. Click Manual Scans.
    4. Under "File types to scan," click All files, and then click OK.
To restart the computer in Safe Mode:
  • Windows 95:
    1. Exit all programs, and then shut down the computer.
    2. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the virus from memory. Do not use the reset button.
    3. Turn on the computer. When you see the "Starting Windows 95" message, press F8.
    4. Type the number for Safe Mode, and then press Enter.
  • Windows 98 or Windows Me:
    1. Click Start, and click Run.
    2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
    3. Click Advanced on the General tab.
    4. Check Enable Startup Menu, click OK, and then click OK again.
    5. Exit all programs, and then shut down the computer.
    6. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the virus from memory. Do not use the reset button.
    7. Turn on the computer, and wait for the menu.
    8. Type the number for Safe Mode, and then press Enter.

      NOTE: After you have completed all of the steps in this document, you may repeat steps 1 through 4, and in step 4, uncheck Enable Startup Menu. The next time you restart the computer, you will not see the Startup menu.
To scan the computer for infected files:
Scan your computer with NAV, and delete any files that NAV detects as infected.

To delete the Us-president-and-fbi-secrets.htm file and files with a .vbs extension:
First, configure Windows to show all files, and then find and delete the worm's .htm and .vbs files. Here are the steps:

To show all files:
  1. Start Windows Explorer.
  2. Click the View menu, and click Options or Folder options.
  3. Click the View tab, and uncheck (if it is checked) "Hide file extensions for known file types."
  4. Click Show all files, and then click OK.

To find the worm's files:
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
  3. In the Named box, type us*.htm and then click Find Now.
  4. If the Us-president-and-fbi-secrets.htm file is found, select it and press the Delete key.
  5. Click New Search, and then click OK to confirm.
  6. In the Named box, type *.vbs and click Find Now.
  7. If any files are found, you should in most cases delete them because they probably have been overwritten by the worm. If these are .vbs files that you have created or downloaded for a specific purpose, you should move them to external media, such as a floppy disk.

To remove worm entries from the registry:

CAUTION: We strongly recommend that you back up the Windows registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Before proceeding, please see the document "How to back up the Windows registry."
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and click OK. The Registry Editor opens.

    NOTE: For information about how to edit the registry, click Help and then click Help Topics. See the information regarding Changing Keys and Values.
  3. Navigate to the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Look for the following String values in the right pane:

    plan columbia
    linux32
    reload

  5. If any of these exist, select each in turn, press the Delete key, and then click Yes to confirm.
  6. Navigate to the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  7. Look for the following String value in the right pane:

    reload
  8. If this entry exists, select the entry and then press the Delete key.
  9. Exit the Registry Editor.
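
An added example, not part of the original writeup: a Python check that reads a text export of the registry and reports any of the String values listed in steps 4 and 7, so the cleanup can be verified afterwards. It assumes the two subkeys were exported from Registry Editor as REGEDIT4 text; the function name and the sample export (with placeholder data strings) are constructed for illustration.

```python
import re

# Value names the writeup lists, per subkey (registry names are case-insensitive).
WORM_VALUES = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run":
        {"plan columbia", "linux32", "reload"},
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices":
        {"reload"},
}

KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...\Subkey]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data


def find_worm_entries(reg_text):
    """Return (subkey, value name, raw data) for each listed value that is present."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if not (current_key and value_match):
            continue
        # Only flag a name under the subkey the writeup pairs it with.
        wanted = WORM_VALUES.get(current_key.lower(), set())
        if value_match.group(1).lower() in wanted:
            hits.append((current_key, value_match.group(1), value_match.group(2)))
    return hits


# Constructed sample export; the data strings are placeholders, not real worm paths.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LINUX32"="<placeholder data>"
"plan columbia"="<placeholder data>"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"reload"="<placeholder data>"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"reload"="<placeholder data>"
'''

if __name__ == "__main__":
    for key, name, data in find_worm_entries(SAMPLE_EXPORT):
        print(f"{key}: {name} = {data}")
```

An empty result on an export taken after step 9 indicates that none of the listed values remain under either subkey.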

(Optional) To restore copies of Logos.sys and Logow.sys:
In some cases, VBS.Plan may infect the following files:
  • Logow.sys
  • Logos.sys

These files are used by Windows to display the Windows shutdown messages. If you delete them, then when Windows shuts down you will not see the "Windows is shutting down" or the "It is now safe to turn off your computer" messages. This does not affect the ability of Windows to shut down. If you want to restore these files, you will need to use the Extract command (Windows 95) or the System File Checker (Windows 98). Please see your Windows documentation for information on how to do this.

(Optional) To recover infected image files:
If you have Norton Utilities and the Protected Recycle bin was enabled at the time of the infection, you can recover the deleted originals of many of the infected files. To do so, follow these steps:
  1. Right-click the Protected Recycle bin, and click Norton UnErase.
  2. When the wizard appears, click Next.
  3. At the next panel, hold down the Ctrl key and click each file that you want to restore.
  4. Click Restore.


Writeup By: Brian Ewell
