cool, i just thought of a way of extracting the script code from the executable right away, no need to wait for tomorrow then, here it is:
Cleaner.bat

rem Show a message box through a throwaway VBScript (plain cmd has no message box of its own)
echo call wscript.echo("OUTLAWS-trojan Cleaner 2007, by Red_phoenix2k@hotmail.com, NO WARRANTY on usage") > %windir%\temp\msg.vbs
%windir%\temp\msg.vbs
del /f %windir%\temp\msg.vbs

echo call wscript.echo("Plz CLOSE all background applications, press OK and then WAIT for the finished message") > %windir%\temp\msg.vbs
%windir%\temp\msg.vbs
del /f %windir%\temp\msg.vbs

rem Kill the trojan's running processes (including the notepad.exe it replaced) before touching the files
taskkill /f /im notepad.exe /t
taskkill /f /im taskmger.com /t
taskkill /f /im systems.com /t
taskkill /f /im mypictures.exe /t

rem Strip the system/read-only/hidden attributes, then delete the dropped files from the root of every drive letter
for %%x in ( c d e f g h i j k l m n o p q r s t u v w x y z ) do attrib -s -r -h %%x:\autorun.inf
for %%x in ( c d e f g h i j k l m n o p q r s t u v w x y z ) do del /f %%x:\autorun.inf

for %%x in ( c d e f g h i j k l m n o p q r s t u v w x y z ) do attrib -s -r -h %%x:\recycler\systems.com
for %%x in ( c d e f g h i j k l m n o p q r s t u v w x y z ) do del /f %%x:\recycler\systems.com

for %%x in ( c d e f g h i j k l m n o p q r s t u v w x y z ) do attrib -s -r -h %%x:\systems.com
for %%x in ( c d e f g h i j k l m n o p q r s t u v w x y z ) do del /f %%x:\systems.com

for %%x in ( c d e f g h i j k l m n o p q r s t u v w x y z ) do attrib -s -r -h %%x:\mypictures.exe
for %%x in ( c d e f g h i j k l m n o p q r s t u v w x y z ) do del /f %%x:\mypictures.exe

rem Remove the replaced notepad.exe and the fake task manager from system32, then restore the real notepad.exe from the copy kept in %windir%
attrib -s -r -h %windir%\system32\notepad.exe
del /f %windir%\system32\notepad.exe

attrib -s -r -h %windir%\system32\taskmger.com
del /f %windir%\system32\taskmger.com

copy /y %windir%\notepad.exe %windir%\system32\notepad.exe

rem Put the Winlogon shell back to Explorer.exe
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t reg_sz /d "Explorer.exe" /f

rem Re-enable Task Manager, the registry tools and Folder Options
reg add "hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskmgr" /t reg_dword /d 0 /f
reg add "hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t reg_dword /d 0 /f
reg add "hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoFolderOptions" /t reg_dword /d 0 /f

rem Remove the trojan's autostart entries
reg delete "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "systry" /f
reg delete "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "userd" /f

echo call wscript.echo("Finished cleaning up, Plz RESTART ur computer now ;)") > %windir%\temp\msg.vbs
%windir%\temp\msg.vbs
del /f %windir%\temp\msg.vbs
if this looks like malware code to u guys just tell me and i'll remove the link from rapidshare hehe
Padre, no need to get nasty, if u don't like it don't use it. :)
if u think it can be done with a better style, be my guest and make it so
if u think it hurts the valuable data on the pc, just plz tell me how
just don't insult people like that plz, this is not the place for it

as for using apis, this gets the job done way more easily, it's more practical, i'm not using apis and frameworks to program games here. (it took me 30 minutes to write it, and if it works y should i change it)
if the trojan used process injection then i would have probably needed to use the windows api to kill its child process, but clearly it does not, it's a lame trojan.

at any rate, that's it, if u'r not gonna throw a fit again then i'd advise u to read it again, i thought it would be ok to share this little PRIVATE toy and that's all there is to it hehe, nothing evil or stupid i assure u

peace then
well red phoenix
i hope u didn't feel offended... i think that u were trying to help... but it was ur first post, with no background on u personally, so i think u may understand (call me stupid, but i don't run everything ppl tell me to)
by the way, red phoenix , welcome :P ..

anyway.. there are other registry values that should also be cleaned so the "Just a Game" and the freedom slogan can be removed


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{series of numbers and letters}\Shell
under the Shell key u will find Read, Start, AutoRun

if u click on Start, the REG_SZ data contains the "if freedom is outlawed..blablabla"
in the subkey below it, that is:
shell\start\command
there is the command that gets run, which is recycler\systems.com
or f:\systems.com

deleting those will stop u from seeing those slogans when right clicking on a volume

in autorun you will also find :
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\systems.com

Padre, i think i can get u a copy of the malware so u can run it inside vmware :P
if ur interested tell me

and guys, i know a couple of companies and ppl who are having a terrible time from this malware
so if anyone is interested in doing maintenance for them or selling them the script, let me know, so i can put u in contact (i am busy at my work and don't have time to go to other companies)
and any info on who wrote this malware?
is it detected by any anti-malware (avg, kaspersky .....)?
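The MountPoints2 verbs described above (Read, Start, AutoRun and their \command subkeys) are what Windows caches from the autorun.inf on the volume. As an added example that is not part of the original thread, this script parses an autorun.inf (a constructed sample in the shape the thread describes), unwraps the RunDLL32 ShellExec_RunDLL form quoted for the AutoRun verb, and flags commands that launch a file from RECYCLER or a .com/.bat/.scr/.pif at the drive root. The function names and the sample are assumptions, not the cleaner's code.

```python
import re

# Constructed sample: an autorun.inf that installs right-click verbs whose commands
# launch the copy in RECYCLER or at the drive root. Windows caches these verbs under
# HKCU\...\Explorer\MountPoints2\{id}\Shell, so the slogan lingers until it is gone.
SAMPLE_AUTORUN_INF = """[autorun]
open=recycler\\systems.com
shell\\read=if freedom is outlawed..
shell\\read\\command=recycler\\systems.com
shell\\start=Start
shell\\start\\command=f:\\systems.com
shell\\autorun\\command=C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\\systems.com
icon=shell32.dll,4
"""

def parse_autorun(text):
    """Parse the [autorun] section into a lower-cased key -> value dict (order kept)."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def extract_target(command):
    """Return the file a command launches, unwrapping 'rundll32 shell32.dll,ShellExec_RunDLL <file>'."""
    m = re.search(r"shellexec_rundll\s+(\S+)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""

def suspicious_commands(entries):
    """List executing entries (open, shellexecute, shell\\<verb>\\command) whose target is in
    RECYCLER or is a .com/.bat/.scr/.pif; a plain setup.exe is normal on CDs and is not flagged."""
    hits = []
    for key, value in entries.items():
        if key not in ("open", "shellexecute") and not key.endswith("\\command"):
            continue
        target = extract_target(value).lower()
        if "recycler" in target or target.endswith((".com", ".bat", ".scr", ".pif")):
            hits.append(f"{key} -> {value}")
    return hits
```

Run suspicious_commands(parse_autorun(open(r"F:\autorun.inf").read())) against a suspect volume before deleting anything, so u know exactly which verbs the MountPoints2 cache will have picked up.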
Mir, thks for ur clarification, i personally know u are correct by being rational.
but like u said i was just trying to be helpful. plus i thought sending a raw script would be just too much user unfriendly for most ppl.

as for the remaining registry entries- the ones dealing with the right click msgs-
i thought those actually went away after the cleaner deleted the autorun.inf and AFTER the system rebooted, on the pcs i cleaned this is what happened.
i think those keys might be dynamic or something

at any rate, i'm done with the script now, feel free to improve it guys :)

there's a forum here on game development that currently has my attention and so i am busy reading it

laterz !
Download spyware terminator. It's free and works great.
just too much user unfriendly for most ppl.
It's a geek forum, remember? :)
lol, if u read carefully, it says "with respect to your work". i didn't insult it i said it was messy and pretty damn inefficient and slow :P
i was testing it on my sand box and i didn't really like the amount of work it generates vis-a-vis what it does. as for 30 min, API will take less and it won't flag ur prog as a virii.
echo call wscript.echo("OUTLAWS-trojan Cleaner 2007, by Red_phoenix2k@hotmail.com, NO WARRANTY on usage") > %windir%\temp\msg.vbs
%windir%\temp\msg.vbs
del /f %windir%\temp\msg.vbs

echo call wscript.echo("Plz CLOSE all background applications, press OK and then WAIT for the finished message") > %windir%\temp\msg.vbs
%windir%\temp\msg.vbs
del /f %windir%\temp\msg.vbs
you see it's nice to learn... MessageBoxA("...."); would have been much shorter.
anyway, as i said before, nice effort :)

oh and btw, welcome :)
it's cool we cleared that out of the way :)
Thks guys for the really WARM welcome, lol

btw, i think the companies are starting to catch on, look what i found

http://www.sophos.com/security/analyses/w32outlawa.html

hehe, i wish i could type MessageBoxA("....") in a simple batch file, but i can't
personally, i'll leave visual studio for more sexy stuff hehe

talking about apis, i think i need to start a new thread about game programming, the last one prematurely died if u ask me

yalla, see u there
well.. about the warm welcome.. sorry not my fault

by the way post something in the forum lobby
some more about urself :D
so u can have a real warm welcome

thanks for the link

my sister is studying graphic design
i am gonna learn a couple of things from her :D and hopefully will post some
as an addendum, i just dealt with a computer that my cleaner didn't fix

it had Windows XP HOME EDITION

it didn't work on it because the cleaner uses the console command 'taskkill' to deal with the loaded processes and apparently HOME EDITION doesn't have the executable file pre-installed... that should explain the mystery of those pcs that are still infected after the cleaner ran on them :(

i think i should add the taskkill.exe to the unpacker, that way the cleaner will become REALLY messy on the inside, but hopefully more SUCCESSFUL on the outside hehe

i'll do that tomorrow and post a new link, it shouldn't be a bother
12 days later
well i think this malware is detectable now by some anti virii
like active virus shield (the AOL version of Kaspersky) [last time i checked with it]
but it doesn't reverse the action taken in the registry

ya red phoenix.. thanks for posting the update
if i know someone is infected i will tell him the link

how do u test ur code?
are u using vmware to keep the malware, or a dedicated pc for malware?
dedicated pc, but i don't have the trojan to test it anymore ;(