iexplore.vbs

iexplore.vbs is a nasty little virus (actually, not so little, the executable is over 5 megabytes) that infects USB devices.

How do I know this? The kid’s memstick was acting funny and while checking it out the virus jumped onto my home machine, from there onto my memstick, and I spotted it before it could jump to my work machine.

It moves all your files into a hidden directory, then makes a link to itself in the root of your memstick, with the same name as the memstick volume name.

So basically, if you see a link to your memstick inside your memstick, stop, don’t click on it.

If you’re not using Windows Commander, you’re on your own. Otherwise, navigate to your memstick and in the DOS prompt line at the bottom, type cd “ALT255” (hold down ALT, type 255 on the keypad, release ALT). This should put you in the hidden directory (unless your flavour of the virus called it something else, in which case, open CMD, dir/ah > file.txt, open file.txt in a hex editor, check what the directory is called).

Once Windows Commander is displaying the hidden directory, open CMD, dir/ah, attrib -h -s *.*, and erase those three files. Then use Windows Commander to copy your files back down. And don’t forget to delete the link and the hidden directory as well.

As far as I can tell, BICBW, if you remove all USB devices and reboot your PC, the virus does not stay resident on your PC — it’s USB only. But that could also just be the settings on my machine.