
Virus Problem


nbk2000
January 10th, 2005, 05:14 PM
Unfortunately, because my internet access is through machines not my own, I don't have control over them and, as a result, I ended up getting a virus on the removable hard drive I used for collecting some files that were too large for fitting on my usual ZIP drive.

It's the gedza.a VBS e-mailer worm.

Now, the problem isn't the virus itself, as it just wants to e-mail all my friends, of which I have none, so that's not the issue.

What IS the issue is that, to perpetuate itself, it installs a copy of itself into every .html and .zip file on the infected drive.

Sooo...with over 8,000 infected .html files and hundreds more of the .zips, I've got a lot of copies of it. :(

My anti-virus does a wonderful job of detecting it, but the only option is deletion, and fuck-all if I'm deleting all 8,000+ files!

I can manually remove it from the files, but 8,000....nah...not happening.

I've attached a copy of the virus text.

Is there some way to mass-edit .html texts to remove the virus text, automatically, without damaging the stored files?

None of the DVD text is at risk, as that's all stored in PGP encrypted volumes (triple-redundantly archived) that I'm only opening as Read-Only till this problem is resolved.

SweNMFan
January 10th, 2005, 05:30 PM
Is it this bugger http://securityresponse.symantec.com/avcenter/venc/data/vbs.gaggle.e@mm.html

'cause according to Symantec it overwrites the .vbs, .vbe, .js, .jse, .hta, .htm, .html, .php, .shtm, .shtml, .phtm, .phtml, .mht, .mhtml, .plg, and .htx files with itself.

Then there is nothing to recover..

Silentnite
January 10th, 2005, 05:54 PM
Ah, that's horrible! It supposedly displays Avril Lavigne while destroying the files... That's just cruel.

Anyways, as it is a Visual Basic Script there should be a way to write yet another script in order to delete the specified parts of the files. Alas, it's been years since I coded, but I'll see what I can do. Hopefully someone else with more experience can step forward.

Also, have you tried another Anti-virus?
For more information, as it seems there is quite a lot to do in removing all aspects of said virus (it's a busy one): VBS.Gaggle.D Info (http://www.sarc.com/avcenter/venc/data/vbs.gaggle.d.html)

akinrog
January 11th, 2005, 04:06 AM
Sir,
What AV do you use? I believe Norton is better at removing the virus (it even did not allow me to view the text of the virus). Since it's a VB script (i.e. quite a text) then, it should be easy to remove by any AV software. BTW, the description of the virus says it overwrites certain files, which IMHO means those files are already kaput. If I do not understand it wrong, it does not inoculate or append its strings to the file so infected but it overwrites the file, and then that means that file is already unusable. HTH.

cyclonite4
January 11th, 2005, 10:03 AM
...It supposedly displays Avril Lavigne while destroying the files...

What is the computer world coming to? :P

megalomania
January 11th, 2005, 10:48 AM
I just installed Norton Systemworks 2005 a few days ago and I have begun using the antivirus that comes with it. It detected a keylogger program on my PC as well as the same program in a backup rar archive on another drive. It detected several other bad files in a few zips and rars as well. Norton can selectively delete a single file from a compressed archive, even an exe file when it is of the compressed archive type. It does not delete the original zipped or rar'd file, just the nasty component it finds within.

As for the HTML files you can run a batch find-and-replace of which there are tons of freeware apps out there for that (I use the one in Hotdog). If your nasty of choice is tricky and uses some sort of unique code per file I have an advanced replacer that can handle that around here somewhere... If you need it I will provide it.

Jacks Complete
January 11th, 2005, 12:20 PM
PowerGREP can do find and replace across multiple files on a system. Work out the right regular expression to rip out the virus bit, and just leave the HTML behind, if it is there to leave.

This is one of the joys of CD/DVD burns - the archive is safe from any nasty virus/trojan/spyware.

For clean-up, I would suggest booting into Knoppix and working from there until you are sure that the files cannot spread from the external disk to the main machine.

Isotoxin
January 11th, 2005, 05:51 PM
That's terrible, Mega : ( - Curse those script kiddies.

I think that people here should look into using OpenBSD or at least Linux - a keylogger on NBKs or many other high ranking members here would be a very bad thing indeed. It makes sense to protect our computers just as carefully as we guard our homes, cars, and property.

Silentnite
January 12th, 2005, 01:01 AM
As I previously thought, I am useless when it comes to coding. I spent the day formulating ideas, and in each test run I deleted more and more of my HDD.... I guess my teacher was right when he said I should actually code instead of watching strongbad. Sorry NBK.

megalomania
January 12th, 2005, 05:59 PM
The keylogger on my system was not something inserted without my knowledge, it was something I specifically downloaded for keylogging... Still, it is nice to know my variety of anti-virus and anti-adware is working.

nbk2000
January 12th, 2005, 07:30 PM
Mega, if you have that find&replace, I could use it.

I can manually remove it from the files

The variant I have (and specified) doesn't destroy the original text, just appends itself to the end of the file, so the original data is still there. :) It's just the sheer number of files that need fixing that's the problem.

Those people who made suggestions or comments based on the incorrect variant...tsk, tsk, tsk...

I'm using the freeware AV by grisoft...don't remember the name at the moment.

Keyloggers wouldn't be a threat on my machine because it's never hooked up directly to the net. :p I just use removable drives to move data from my computer to a 'net-connected one and back.
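A cleanup approach for the append-style variant described in the post above, written here as an added example (it is not code from this thread or from any tool named in it): it cuts a VBScript block that sits after a page's last </html> and leaves everything before it, including legitimate inline scripts, untouched. The marker it looks for is an assumption; the real one has to be confirmed against the attached virus text, and a dry run over a copy of the drive (e.g. from Knoppix, as suggested earlier) should come before any rewrite.

```python
import sys
import re
from pathlib import Path

# Assumption: the worm appends a <script language="VBScript"> block after the
# page's closing </html>. Verify this against the attached virus text first.
END_RE = re.compile(rb"</html\s*>", re.IGNORECASE)
TAIL_RE = re.compile(rb"\A\s*<script[^>]*vbscript[^>]*>.*</script>\s*\Z",
                     re.IGNORECASE | re.DOTALL)

def strip_appended_payload(data):
    """Return (cleaned, bytes_removed). Only a VBScript block after the LAST
    </html> is cut; a doubly infected tail (two blocks) goes in one pass."""
    ends = list(END_RE.finditer(data))
    if not ends:
        return data, 0            # no </html>: leave for manual review
    cut = ends[-1].end()
    if not TAIL_RE.match(data[cut:]):
        return data, 0            # tail is not an appended script block
    cleaned = data[:cut] + b"\n"
    return cleaned, len(data) - len(cleaned)

def clean_tree(root, dry_run=True):
    """Walk root; return {path: bytes_removed} for every .htm/.html hit.
    With dry_run=False the original is kept as <name>.bak, then rewritten."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".htm", ".html"):
            continue
        data = path.read_bytes()
        cleaned, removed = strip_appended_payload(data)
        if removed:
            hits[str(path)] = removed
            if not dry_run:
                path.with_suffix(path.suffix + ".bak").write_bytes(data)
                path.write_bytes(cleaned)
    return hits

# Constructed sample: a real page with an inline JavaScript block, then a
# placeholder "worm" appended after </html> (not the actual worm text).
SAMPLE = (b"<html><body><p>archive page</p>\n"
          b"<script language=\"JavaScript\">var keep = 1;</script>\n"
          b"</body></html>\n"
          b"<script language=\"VBScript\">\n' placeholder worm body\n"
          b"MsgBox \"infected\"\n</script>\n")

if __name__ == "__main__":          # usage: script.py DIR [--fix]
    root = next((a for a in sys.argv[1:] if a != "--fix"), ".")
    for p, n in clean_tree(root, dry_run="--fix" not in sys.argv).items():
        print(f"{n:6d} bytes of appended script in {p}")
```

Files that have no closing </html> or whose tail does not match the marker are reported as untouched, so they can be checked by hand instead of being edited blindly.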

Silentnite
January 13th, 2005, 01:33 AM
That would be AVG Antivirus. Another free one is A-squared. Try Major Geek (www.majorgeeks.com). Under the AntiVirus they have quite a few options. And it will state as to which is freeware and which shareware.