July 15, 2011


This script runs on Windows XP Only!


This piece of code can effectively remove Worm.BAT.Autorun with a success rate of 99%.
I tested the code on many systems infected with this Worm and the script ran perfectly
without any problems. In certain situations the script might not work if the system is
already infected by another malware/virus which disables the execution of batch files.
In this case you will have to clean the system before using the script, or try running
the script in safe mode.


Worm Aliases: Trojan.Script.131756

The Worm will create a user "ati" and will also set a registry value which activates
the SuperHidden option in Folder Options, so every file related to this Worm is
SuperHidden (hidden + system), which means it cannot be seen even if you have chosen
to show hidden files. After this step it proceeds to hijack WinLogon\Shell so the script
is executed each time the user runs "Explorer.exe". Every time the user attempts to
browse a local/network drive the script runs and duplicates itself by copying
autorun.inf, ati2.bat and ati2.vbs to the root of the drive; the targeted drives are C:\ through M:\.
The Worm also gathers information about your computer: first it pings ***.mine.nu,
then it creates the following text files inside the Windows directory (%WinDir%):


The Worm uses these files to store the directory-listing commands and the files
downloaded from the remote command server. At this point it simply uses the
command files to download some *.exe files from the FTP server:


After all these steps, it attempts to download atidrv.exe from the FTP server, saves it
at the root of C:\Windows and then launches the application with the following parameters:

atidrv.exe -o -sviator

Then it executes the file "upd.exe" and deletes it right away.
After that the Worm launches the files "ras.exe" and "pro.exe" and keeps a
log for each application. The files are launched with the following parameters:

%WinDir%\ras.exe /allusers /stab %WinDir%\ras.log
%WinDir%\pro.exe /stab %WinDir%\pro.log

At this point it can finally gather information about your PC; the following information
is harvested by the Worm:

-Full system configuration data.
-The list of every process loaded in memory.
-The complete network configuration.
-All network connections and listening ports.
-Routing table contents.
-Traceroute results to the domain "ya.ru".
-Root DNS server.
-The list of all installed programs found under %ProgramFiles%\

The Worm saves the information in info.txt at the root of %WinDir%, then zips
the file with "PKZIP" and sets the password "viator" on the archive. The script then
runs the self-extracting bla.exe and uses the extracted console mailer "blat.exe" to send
info.zip by email to ***ii2@mail.ru

Finally it deletes every file with one of these extensions: *.mp3, *.avi, *.jpg, *.jpeg, *.vob,
*.doc, *.xls on every infected drive. The Worm also infects every batch file it finds,
so make sure to clean them if you see anything written inside "reg.txt" at the end of the cleaning process.

How to:

Before running the script make sure you can see hidden files and that you have unchecked
SuperHidden ("Hide protected operating system files") in the Folder Options panel. Fire up
the script and simply press any key to begin the cleaning process; the script will tell you
what is going on. Make sure to read "reg.txt" at the end of the cleaning process: if there is
anything written inside this text file you will have to clean each listed batch file manually,
because it has been infected by the Worm. You might want to rerun the script a second time
and verify that no other files or users remain.

If you have to clean infected batch files please read the following example. In this situation
the Worm hijacked a good batch file with infected code: it inserted a "goto ati" jump near the top
and an ":ati" section at the end, so the infected code runs instead of the good code. Simply remove
those injected lines to clean your infected files.
example:

                       @echo off
                       goto ati                          <-- injected jump
                       @echo on
                       "Good code goes here"

                       :ati "infected code goes here"    <-- injected section
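The removal steps described above (restore the Winlogon shell, undo SuperHidden, delete the "ati" user, remove the dropped files and autorun droppers on C:\ through M:\, and list any other hijacked batch files in reg.txt), as an added example batch script. This is not the author's script (that is the "Source code" below) and it has not been run against a live infection. The post names only "WinLogon\Shell" and "SuperHidden"; the exact registry paths and value names used here (Winlogon\Shell, ShowSuperHidden, Folder\SuperHidden\CheckedValue) are my assumptions about where those settings live, and I also assume the dropped helper files other than atidrv.exe sit in %WinDir% like info.txt and the logs do.

```batch
@echo off
REM Added example cleaner for the Worm.BAT.Autorun infection described above.
REM Not the author's script. Run from an Administrator cmd prompt on Windows XP,
REM with hidden/SuperHidden files already visible as the post recommends.
setlocal enableextensions

echo Press any key to start cleaning...
pause >nul

REM 1. Stop the worm's helper processes so their files can be deleted.
REM    (taskkill ships with XP Professional; on XP Home end them in Task Manager first.)
for %%P in (atidrv.exe upd.exe ras.exe pro.exe blat.exe) do (
    taskkill /F /IM %%P >nul 2>&1
)

REM 2. Restore the Winlogon Shell value hijacked by the worm (assumed path).
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe /f >nul

REM 3. Undo the SuperHidden trick so hidden+system files show again (assumed value names).
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f >nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v CheckedValue /t REG_DWORD /d 1 /f >nul

REM 4. Remove the "ati" user account created by the worm.
net user ati /delete >nul 2>&1

REM 5. Remove the dropped files, logs and archive from %WinDir%
REM    (atidrv.exe, info.txt and the logs are there per the post; the rest is assumed).
for %%F in (atidrv.exe upd.exe ras.exe pro.exe ras.log pro.log info.txt info.zip bla.exe blat.exe) do (
    if exist "%WinDir%\%%F" (
        attrib -r -s -h "%WinDir%\%%F"
        del /f /q "%WinDir%\%%F"
        echo Removed %WinDir%\%%F
    )
)

REM 6. Remove the autorun droppers from the root of C: through M:.
REM    Clear the system/hidden attributes first, otherwise del refuses them.
for %%D in (C D E F G H I J K L M) do (
    if exist %%D:\ (
        for %%F in (autorun.inf ati2.bat ati2.vbs) do (
            if exist "%%D:\%%F" (
                attrib -r -s -h "%%D:\%%F"
                del /f /q "%%D:\%%F"
                echo Removed %%D:\%%F
            )
        )
    )
)

REM 7. Find other batch files carrying the worm's "goto ati" hijack and list them
REM    in reg.txt for manual cleaning. This script contains that string itself,
REM    so its own path (%~f0) is skipped to avoid a false positive.
if exist reg.txt del /q reg.txt
for %%D in (C D E F G H I J K L M) do (
    if exist %%D:\ (
        for /r %%D:\ %%B in (*.bat) do (
            if /i not "%%B"=="%~f0" (
                findstr /i /c:"goto ati" "%%B" >nul 2>&1
                if not errorlevel 1 >>reg.txt echo %%B
            )
        )
    )
)
if exist reg.txt (
    echo Hijacked batch files are listed in reg.txt - clean them by hand.
) else (
    echo No other hijacked batch files found.
)
endlocal
```

Two batch pitfalls are worth noting in step 7: the redirection is placed before `echo` because a path ending in a digit followed by `>>` (for example `run1.bat>>reg.txt`) would be parsed as a handle redirection and lose the digit, and `if not errorlevel 1` is used instead of `%errorlevel%` because plain percent expansion inside a parenthesized block happens once, before the loop runs.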

Source code: