Latest update: July 15, 2011
Warning: This script runs on Windows XP only!
Description: This piece of code can effectively remove Worm.BAT.Autorun with a success rate of 99%. I tested the code on many systems infected with this Worm and the script ran perfectly without any problems. In certain situations the script might not work if the system is already infected by another malware/virus that disables the execution of batch files. In this case you will have to clean the system before using the script, or try running the script in safe mode.
Payload: Worm aliases: Trojan.Script.131756, Worm.BAT.Autorun, BAT/Agent.AC
The Worm creates a user named "ati" and enables a registry key that activates the SuperHidden parameter in Folder Options, so every file related to this Worm is in SuperHidden mode, which means it cannot be seen even if you are allowed to see hidden files. After this step it hijacks WinLogon\Shell so the script is executed each time the user runs "Explorer.exe". Every time the user browses a local or network drive the script runs and duplicates itself by copying autorun.inf, ati2.bat and ati2.vbs to the root of the drive; the targeted drives are C:\ through M:\. The Worm also gathers information about your computer: first it pings ***.mine.nu, then it creates the following text files inside the Windows directory;
The Worm uses these files to store the directory listing commands and the files downloaded from the remote command server. At this point it simply uses the command files to download some *.exe files from the FTP server;
After all these steps, it attempts to download atidrv.exe from the FTP server, saves it at the root of C:\Windows and launches the application with the following parameters;
It then executes the file "upd.exe" and deletes it right away. After that the Worm launches the files "ras.exe" and "pro.exe" and keeps a log for each application. The files are launched with the following parameters;
At this point it can finally gather information about your PC; the following information is harvested by the Worm;
The Worm saves the information in info.txt at the root of %WinDir%, then zips the file with "PKZIP" and sets the password "viator" on the archive. The script then self-extracts bla.exe and uses the extracted console application "blat.exe" to send info.zip by email to ***email@example.com
Finally it deletes every file with one of these extensions on every infected drive: *.mp3, *.avi, *.jpg, *.jpeg, *.vob, *.doc, *.xls. The Worm also infects every batch file it finds, so make sure to clean them if you see anything written inside "reg.txt" at the end of the cleaning process.
How to: Before running the script, make sure you can see hidden files and that SuperHidden is unchecked in the Folder Options panel. Fire up the script and simply press any key to begin the cleaning process; the script will let you know what is going on. Make sure to read "reg.txt" at the end of the cleaning process: if anything is written inside this text file you will have to clean each batch file manually, because they have been infected by the Worm. You might want to rerun the script a second time to verify that no other infected files or users are left behind.
If you have to clean infected batch files, read the following example. In this situation the Worm hijacked a good batch file by inserting its own code; simply remove the code the Worm added (shown in red in the original) to clean your infected files:

example:
@echo off
goto ati
:exit
cls
@echo on
"Good code goes here"
:ati
"infected code goes here"
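As an added example (not the author's cleaning script), a small Python helper that applies the cleaning rule from the example above to batch files: it assumes the Worm's marker lines are exactly "goto ati" and ":ati" and that the infected block runs to the end of the file, and it leaves the ":exit", "cls" and "@echo on" lines in place because they are harmless to the good code. The sample batch text is constructed from the page's example.

```python
"""Detect and clean batch files hijacked with the Worm.BAT.Autorun pattern."""
import re
from pathlib import Path

# Marker lines the Worm inserts into a hijacked batch file (assumption: exact form).
_GOTO_ATI = re.compile(r"^\s*goto\s+ati\s*$", re.IGNORECASE)
_ATI_LABEL = re.compile(r"^\s*:ati\s*$", re.IGNORECASE)

# Constructed sample, built from the hijacked batch file shown on the page.
SAMPLE = (
    "@echo off\r\ngoto ati\r\n:exit\r\ncls\r\n@echo on\r\n"
    "echo Good code goes here\r\n:ati\r\necho infected code goes here\r\n"
)


def is_hijacked(text: str) -> bool:
    """True when the file contains both the jump and the :ati label."""
    lines = text.splitlines()
    has_jump = any(_GOTO_ATI.match(line) for line in lines)
    has_label = any(_ATI_LABEL.match(line) for line in lines)
    return has_jump and has_label


def clean_batch(text: str) -> tuple[str, bool]:
    """Return (cleaned_text, was_hijacked).

    Drops every 'goto ati' line and everything from the ':ati' label to the
    end of the file; the good code and the harmless ':exit'/'cls'/'@echo on'
    lines are kept, so the original script still runs.
    """
    if not is_hijacked(text):
        return text, False
    kept = []
    for line in text.splitlines():
        if _ATI_LABEL.match(line):
            break  # infected block runs to EOF: drop it and everything after
        if _GOTO_ATI.match(line):
            continue  # remove the jump into the infected block
        kept.append(line)
    return "\n".join(kept) + "\n", True


def clean_tree(root: Path) -> list[Path]:
    """Clean every *.bat under root in place; return the paths that were hijacked."""
    fixed = []
    for path in root.rglob("*.bat"):
        cleaned, hit = clean_batch(path.read_text(errors="replace"))
        if hit:
            path.write_text(cleaned)
            fixed.append(path)
    return fixed
```

Run clean_tree on a drive root only after the SuperHidden setting has been turned off as described above, so that the hidden copies are actually found.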