Cybercriminals can do just as much damage deleting users’ data as stealing it because file deletion can result in both data or monetary loss. One example would be CryptoLocker, which became notorious for combining the two—demanding money with the threat of data destruction. We recently came across a malware, detected as VBS_SOYSOS, that deletes important image files including .DWG files.
As far as malware techniques go, VBS_SOYSOS is not the first malware to delete files. However, it is rare for VBScript malware to delete files. The deletion of DWG files, which is a known output of computer-aided design (CAD) software, poses risks to certain industries, including the automotive, engineering, manufacturing and architectural design industries, which are known to use these software.
Based on feedback from the Smart Protection Network, this malware is currently spreading in Mexico. The number spiked on November 10, with a single variant accounting for 3,331 infections. VBS_SOYSOS was found to spread in systems via removable drives.
Further analysis of the obfuscated code reveals that the malware contains a simple script. Once executed, it creates copies of itself using file names of files with .MP3, .JPG and .DWG extensions found in all removable drives. But rather than hiding the original files, VBS_SOYSOS deletes these.
Figure 1. Screenshot of VBS_SOYSOS script
Users can check if if their system is infected with the malware by looking for its copy, which is named D&D.vbe. It also adds a marker 4U Denia & Dania to the registry.
Figure 2. VBS_SOYSOS Autostart Registry
This VBScript malware disables the Task Manager and the Registry Editor so manual cleanup will require third-party tools with similar functions terminated applications. It is important for users to install security solutions like those from Trend Micro to avoid malware infection. To prevent data loss, users are encouraged to back up their important data by using the 3-2-1 rule.