Trojan-Downloader.Win32.VB.bbl
I found this awesome virus "Trojan-Downloader.Win32.VB.bbl" and analyzed its behaviour in a VirtualBox, and quickly found a weakness.
It is very hard to remove: it closes antivirus setups and then deletes them, closes all windows containing anything about antivirus tools (even if you google anything about it, it closes your browser)... AND it starts up in safe mode too!
This post is only to ask for your opinion on a little .bat file I created to remove it (and it works!).
Edit:
Code:
@echo off
rem Plain setlocal: delayed expansion is not needed, and with it enabled the "!!"
rem in the echo below would be eaten as an empty !variable! reference.
setlocal
set counter=1
cd %windir%\system32
if not exist "%windir%\system32\wins.exe" goto nothing
goto start

:counter
set /a counter+=1

:start
cls
echo Try %counter%
echo Killing processes...
rem Commands are launched in their own minimized cmd windows so that they keep
rem running even if the malware closes this console.
start /MIN cmd.exe /c taskkill /im wins.exe /f
echo STOP!! please wait 5 seconds at least before pressing any key && pause
taskkill /im lechuck.exe /f /t

echo Deleting files...
start /MIN cmd.exe /c del %windir%\system32\wins.exe /f /a
start /MIN cmd.exe /c del %windir%\system32\lechuck.exe /f /a
start /MIN cmd.exe /c del %windir%\system32\lechuck.hta /f /a
start /MIN cmd.exe /c del %windir%\system32\cmd.com /f /a
start /MIN cmd.exe /c del %windir%\regedit.com /f /a
start /MIN cmd.exe /c del %windir%\spolis.exe /f /a
start /MIN cmd.exe /c del %systemdrive%\p2p.exe /f /a
start /MIN cmd.exe /c del %systemdrive%\autorun.inf /a /f

echo Fixing registry...
rem Restore the stock "%1" %* handler for each executable file type the malware
rem hijacks. The nested quotes reach reg.exe as the literal value "%1" %*.
start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\exefile\shell\open\command /ve /t REG_SZ /d """"%%1""" %%*" /f
start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\batfile\shell\open\command /ve /t REG_SZ /d """"%%1""" %%*" /f
start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\comfile\shell\open\command /ve /t REG_SZ /d """"%%1""" %%*" /f
start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\cmdfile\shell\open\command /ve /t REG_SZ /d """"%%1""" %%*" /f
start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\piffile\shell\open\command /ve /t REG_SZ /d """"%%1""" %%*" /f
rem Drop the cached autorun/mount-point entries for removable drives.
start /MIN cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f

echo Enabling Task Manager and Regedit again...
start /MIN cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f
start /MIN cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f
start /MIN cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /f

rem The deletes above run asynchronously; give them a few seconds before
rem checking the result (ping is used as a delay because XP has no timeout).
ping -n 6 127.0.0.1 >nul
if %counter%==5 goto fail
if exist %windir%\system32\wins.exe goto counter

:done
echo Done!
pause
exit

:nothing
echo You are not infected by LeChucK.exe
set /p choice=Would you like to clean the system anyway (Y/N)? 
if /i "%choice%"=="y" goto start
if /i "%choice%"=="yes" goto start
goto no

:fail
echo Failed to remove LeChucK.exe 5 times, contact tech support :[
pause

:no
exit
I have the virus if anyone is interested in testing, but I'm not sure how... upload it or something?
Last edited by Hakon; 30 Sep 2009 at 18:16.
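As an added, read-only check (not part of Hakon's post or his batch file): a PowerShell audit that looks for the same indicators the removal script deletes or resets, and only reports them, so it can be run before and after cleaning to confirm the result without touching anything. The file names, process names, registry keys and the stock handler value "%1" %* are taken from the batch file above; nothing else about the sample is assumed.

```powershell
# Added example, not the original poster's code: audit the indicators the
# removal batch acts on, without deleting or changing anything.
$findings = @()

# 1. Dropped files (paths taken from the batch file)
$droppedFiles = @(
    "$env:windir\system32\wins.exe",
    "$env:windir\system32\lechuck.exe",
    "$env:windir\system32\lechuck.hta",
    "$env:windir\system32\cmd.com",
    "$env:windir\regedit.com",
    "$env:windir\spolis.exe",
    "$env:SystemDrive\p2p.exe",
    "$env:SystemDrive\autorun.inf"
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Executable file-type handlers. Stock value is "%1" %* (the value the
#    batch file restores); anything else means something hooks every launch.
$expected = '"%1" %*'
foreach ($type in 'exefile', 'batfile', 'comfile', 'cmdfile', 'piffile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    if (Test-Path -LiteralPath $key) {
        $value = (Get-ItemProperty -LiteralPath $key).'(default)'
        if ($value -ne $expected) {
            $findings += "Handler for $type is '$value' (expected '$expected')"
        }
    } else {
        $findings += "Handler key missing: $key"
    }
}

# 3. Policy values that hide Task Manager / Registry Editor
$policyKeys = @(
    @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableRegistryTools', 'DisableTaskMgr' },
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableTaskMgr' }
)
foreach ($p in $policyKeys) {
    if (Test-Path -LiteralPath $p.Path) {
        $props = Get-ItemProperty -LiteralPath $p.Path
        foreach ($n in $p.Names) {
            if ($null -ne $props.$n -and $props.$n -ne 0) {
                $findings += "$n = $($props.$n) under $($p.Path)"
            }
        }
    }
}

# 4. Cached mount-point entries the batch file removes
if (Test-Path -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2') {
    $findings += "MountPoints2 key present (batch file removes it)"
}

# 5. Processes named in the batch file
foreach ($name in 'wins', 'lechuck') {
    if (Get-Process -Name $name -ErrorAction SilentlyContinue) {
        $findings += "Process running: $name.exe"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found.'
    exit 0
}
$findings | ForEach-Object { Write-Output "[!] $_" }
exit 1
```

Run it from an elevated PowerShell prompt (the HKLM policy key and system32 are readable either way, but `Get-Process` sees every session only when elevated). A non-zero exit code means at least one indicator was found, so the script can be chained after the batch file to confirm the cleanup actually stuck rather than trusting the "Done!" message. Note that MountPoints2 is a normal key that Explorer recreates, so finding it is only informative; the handler values and the Disable* policies are the meaningful signals.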