WBAR
Project Name : Worm.Bat.Autorun Remover
Latest update : July 15, 2011
Version : 1.0
Warning:
This script runs on Windows XP only!

Description :
This piece of code removes Worm.BAT.Autorun with a success rate of about 99%. I tested the code on many systems infected with this Worm and the script ran without any problems. In certain situations the script may not work because the system is already infected by another piece of malware that disables the execution of batch files; in that case you will have to clean the system before using the script, or try running the script in Safe Mode.

Payload :
Worm aliases:
Trojan.Script.131756
Worm.BAT.Autorun
BAT/Agent.AC
The Worm creates a user named "ati" and sets the registry value that turns on the SuperHidden option in Folder Options, so every file belonging to the Worm is marked SuperHidden (hidden + system attributes): such files stay invisible even when you have enabled the display of hidden files. It then hijacks the Winlogon\Shell registry value so that its script is executed every time the user's shell (Explorer.exe) starts. Each time the user browses a local or network drive, the script runs and replicates itself by copying
autorun.inf, ati2.bat, ati2.vbs
to the root of the drive; the targeted drives are C:\ through M:\.
The Worm also gathers information about your computer. First it pings ***.mine.nu, then it creates the following text files inside the Windows directory:
%WinDir%\ati.txt
%WinDir%\sc.txt
%WinDir%\sc2.txt
%WinDir%\sc3.txt
The Worm uses these files to store the directory-listing commands and the files downloaded from the remote command server. It then uses the command files to download the following *.exe files from the FTP server:
%WinDir%\ras.exe
%WinDir%\zip.exe
%WinDir%\bla.exe
%WinDir%\pro.exe
%WinDir%\upd.exe
After all these steps, it attempts to download atidrv.exe from the FTP server, saves it in the root of C:\Windows and launches it with the following parameters:
atidrv.exe -o -sviator
Then it executes upd.exe and deletes it right away. After that the Worm launches ras.exe and pro.exe and keeps a log for each of them. The files are launched with the following parameters:
%WinDir%\ras.exe /allusers /stab %WinDir%\ras.log
%WinDir%\pro.exe /stab %WinDir%\pro.log
At this point it can finally gather information about your PC; the following is harvested by the Worm:
*Full system configuration data
*The list of every process loaded in memory
*Complete information on the network parameters
*All network connections and listening ports
*Routing table contents
*Route tracing (traceroute) results to the domain "ya.ru"
*Root DNS server
*The list of all programs installed under %ProgramFiles%
The Worm saves the information in info.txt in the root of %WinDir%, zips the file with PKZIP and protects the archive with the password "viator". It then runs the self-extracting bla.exe, which unpacks the console mailer blat.exe, and uses it to e-mail info.zip to ***ii2@mail.ru.
Finally it deletes every file with one of these extensions: *.mp3, *.avi, *.jpg, *.jpeg, *.vob, *.doc, *.xls
on every infected drive. The Worm also infects every batch file it finds, so make sure to clean them if anything is written inside "reg.txt" at the end of the cleaning process.
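Before moving on to the cleanup, the two registry changes described above (the SuperHidden switch and the Winlogon\Shell hijack) are the quickest things to verify on a suspect machine. The Python script below is an added example, not code from the WBAR page or its batch script: it parses the text of a .reg export (the same "Windows Registry Editor Version 5.00" format the remover writes to atiregfix.reg) and flags a Shell value that chains anything besides Explorer.exe, and a per-user ShowSuperHidden value of 0 (the Folder Options setting that hides protected operating system files). The sample export, including the path chained after Explorer.exe, is constructed for the demonstration; the page does not show the Worm's actual Shell value.

```python
r"""Triage a Windows registry export for the two changes Worm.BAT.Autorun makes.

Added example, not code from the WBAR page or its batch script. Input is the
text of a .reg export, e.g. produced on the suspect machine with
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
The sample export at the bottom is constructed for the demonstration.
"""
import re

# Where the worm chains its launcher onto the shell; a clean XP box has exactly
# "Explorer.exe" here.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Per-user Folder Options switch: 1 = show protected operating system files,
# 0 = keep them (and the worm's hidden+system files) invisible.
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# "Name"=data  or  @=data (default value)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_lower: {value_name_lower: data}}.

    Strings are unescaped (.reg doubles backslashes and escapes quotes) and
    dword values become ints; anything else (hex:, multi-line data) is kept
    as the raw right-hand side. Names are lower-cased because the registry
    itself is case-insensitive.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = (m.group(1) if m.group(1) is not None else "@").lower()
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def shell_hijacked(keys):
    """Return whatever is chained onto Winlogon\\Shell besides Explorer.exe.

    Winlogon accepts a comma-separated list of programs in this value, which
    is how a launcher can be chained in without removing Explorer. An empty
    list means the value is clean.
    """
    shell = keys.get(WINLOGON_KEY.lower(), {}).get("shell", "Explorer.exe")
    parts = [p.strip() for p in str(shell).split(",") if p.strip()]
    return [p for p in parts if p.lower() != "explorer.exe"]


def super_hidden_forced(keys):
    """True when ShowSuperHidden is 0, i.e. protected OS files (and the worm) are hidden."""
    return keys.get(ADVANCED_KEY.lower(), {}).get("showsuperhidden") == 0


def triage(reg_text):
    """Run both checks over one export and return the findings."""
    keys = parse_reg(reg_text)
    return {"shell_extra": shell_hijacked(keys), "superhidden_off": super_hidden_forced(keys)}


# Constructed export: Shell has a second program chained after Explorer.exe
# (the path is made up; the page does not show the worm's real value) and the
# Folder Options switch is flipped off.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\WINDOWS\\ati2.bat"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"""

if __name__ == "__main__":
    findings = triage(SAMPLE_EXPORT)
    if findings["shell_extra"]:
        print("Winlogon\\Shell chains extra programs:", findings["shell_extra"])
    if findings["superhidden_off"]:
        print("ShowSuperHidden is 0: protected OS files are hidden")
```

Export both keys with reg.exe on the infected machine, copy the .reg files to a clean system and run the checks there; a non-empty shell_extra list tells you exactly what was chained in, which is worth recording before the remover resets the value to Explorer.exe.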
Cleaning phase :
Before running the script, make sure you can see hidden files and that SuperHidden is unchecked in the Folder Options panel. Fire up the script and press any key to begin the cleaning process; the script tells you what it is doing at each step. Be sure to read "reg.txt" at the end of the cleaning process: if anything is written in this file you will have to clean each listed batch file manually, because they have been infected by the Worm. You may want to run the script a second time and verify that no files or users are left behind.
If you have to clean infected batch files, look at the following example, in which the Worm has hijacked a good batch file by wrapping it in its own code. The Worm's additions are the "goto ati" jump at the top (together with the ":exit", "cls" and "@echo on" lines that bring control back to the original commands) and the ":ati" label with the infected code at the end; remove those lines to clean the file. The layout of an infected file:

@echo off
goto ati
:exit
cls
@echo on
"Good code goes here"
:ati
"infected code goes here"
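Cleaning a dozen batch files by hand is error-prone, so here is an added Python example (not code from the WBAR page or its script) that applies the rule above mechanically: it removes the "goto ati" jump, the ":exit" / "cls" / "@echo on" return path when exactly those three lines follow the jump, and everything from the ":ati" label to the end of the file, and leaves every other line alone, including a leading "@echo off", which may well be the user's own. Treating the return path as the Worm's and keeping "@echo off" is an interpretation of the example above, not something the page states. The sample infected file is constructed.

```python
"""Remove the Worm.BAT.Autorun wrapper from an infected batch file.

Added example, not code from the WBAR page or its script. Layout of an
infected file, as in the cleaning-phase example:

    @echo off          (left alone: may be the user's own line)
    goto ati           (worm: jump to its code)
    :exit              (worm: return label)
    cls                (worm)
    @echo on           (worm)
    ...original commands...
    :ati               (worm: its code, through end of file)

The sample files below are constructed.
"""
import os

# Worm lines that directly follow the "goto ati" jump; stripped only when they
# appear in exactly this order right after the jump.
RETURN_PATH = (":exit", "cls", "@echo on")


def _norm(line):
    """Lower-case, trim and collapse whitespace so 'GOTO   ati' still matches."""
    return " ".join(line.strip().lower().split())


def is_infected(lines):
    """Infected when a 'goto ati' jump is followed later by an ':ati' label."""
    for i, line in enumerate(lines):
        if _norm(line) == "goto ati":
            return any(_norm(l) == ":ati" for l in lines[i + 1:])
    return False


def disinfect(text):
    """Return (cleaned_text, lines_removed); input is returned unchanged if clean."""
    lines = text.splitlines()
    if not is_infected(lines):
        return text, 0
    newline = "\r\n" if "\r\n" in text else "\n"   # keep the file's line endings
    kept, removed, i = [], 0, 0
    while i < len(lines):
        n = _norm(lines[i])
        if n == ":ati":
            removed += len(lines) - i          # worm code runs to end of file
            break
        if n == "goto ati":
            removed, i = removed + 1, i + 1
            for expected in RETURN_PATH:      # drop the return path only if intact
                if i < len(lines) and _norm(lines[i]) == expected:
                    removed, i = removed + 1, i + 1
                else:
                    break
            continue
        kept.append(lines[i])
        i += 1
    cleaned = newline.join(kept)
    if text.endswith("\n"):
        cleaned += newline
    return cleaned, removed


def clean_tree(root):
    """Disinfect every *.bat / *.cmd under root in place; return {path: lines_removed}.

    latin-1 round-trips any byte sequence, so non-ASCII text in the batch files
    survives unchanged.
    """
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".bat", ".cmd")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1", newline="") as fh:
                original = fh.read()
            cleaned, removed = disinfect(original)
            if removed:
                with open(path, "w", encoding="latin-1", newline="") as fh:
                    fh.write(cleaned)
                report[path] = removed
    return report


# Constructed sample: a user's backup job wrapped by the worm.
INFECTED = (
    "@echo off\r\n"
    "goto ati\r\n"
    ":exit\r\n"
    "cls\r\n"
    "@echo on\r\n"
    "rem -- nightly backup --\r\n"
    "xcopy C:\\Work D:\\Backup /E /Y\r\n"
    ":ati\r\n"
    "rem (worm code would be here)\r\n"
    "goto exit\r\n"
)

if __name__ == "__main__":
    cleaned, removed = disinfect(INFECTED)
    print(f"removed {removed} worm lines:")
    print(cleaned)
```

Run clean_tree against the drives the remover lists (C:\ through M:\) after the remover itself has finished, and diff a few of the reported files by eye: any original script that had its own ":exit" label or a "goto ati" of its own would be mangled by this rule and needs a manual look.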
Source code :
@echo off
echo =================================================
echo ######################
echo # coded by Globz
echo # last modification;
echo # July 15, 2011
echo ######################
echo !Warning! READ BEFORE PROCEEDING
echo Please make sure you can see hidden files
echo and make sure you unchecked SuperHidden
echo before running this script!
echo Works for Windows XP ONLY!
echo =================================================
pause
cls

echo ==================================================
echo Deleting infected files ranging from C:\ to M:\
echo ==================================================
pause
cls
call :wipe_drives

echo =========================================
echo Erasing infected files inside c:\Windows
echo =========================================
pause
cls
call :wipe_windir

echo ==================================================
echo Deleting cycle #2 on every drive
echo ==================================================
pause
cls
call :wipe_drives
call :wipe_windir

echo ====================================
echo Now deleting the users ati and ati696
echo ====================================
pause
cls
net user ati /del
net user ati696 /del

echo ==============================================================================
echo Now cleaning the following registry key...
echo HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
echo ==============================================================================
pause
cls
cd %temp%
echo Windows Registry Editor Version 5.00 > atiregfix.txt
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >> atiregfix.txt
echo "Shell"="Explorer.exe" >> atiregfix.txt
ren atiregfix.txt atiregfix.reg
rem /s imports the file silently, without the confirmation dialog
regedit /s atiregfix.reg

echo ===============================================================
echo Now stopping TlntSvr (Telnet) and disabling the service...
echo ===============================================================
pause
cls
sc stop TlntSvr
sc config TlntSvr start= disabled

echo ==============================================================
echo Script status : DONE
echo Opening reg.txt, this will display every infected batch file
echo Please clean them all !!! if you need to know how to clean a
echo batch file visit : kittybomber.com/WBAR
echo ==============================================================
pause
cls
start notepad %WinDir%\reg.txt
cd %temp%
del atiregfix.reg
goto :eof

:wipe_drives
rem Clear the hidden, system and read-only attributes, then delete the
rem worm's files at the root of every drive from C: to M:
for %%d in (d e f g h i j k l m c) do (
  for %%n in (autorun.inf ati2.bat ati.bat ati2.vbs ati.vbs) do (
    attrib -h -s -r %%d:\%%n
    del %%d:\%%n /f
  )
)
goto :eof

:wipe_windir
rem Same treatment for the worm's droppings inside the Windows directory
for %%n in (atidrv.exe info.zip autorun.inf ati2.bat ati.bat ati2.vbs ati.vbs ati.txt sc.txt sc2.txt sc3.txt ras.exe zip.exe bla.exe pro.exe upd.exe blat.exe reg2.txt) do (
  attrib -h -s -r %WinDir%\%%n
  del %WinDir%\%%n /f
)
goto :eof