Trojan-Downloader.Win32.VB.bbl


  1. Posts : 72
    Windows 7 build 7600 64 bit
       #1

    Trojan-Downloader.Win32.VB.bbl


    I found this awesome virus "Trojan-Downloader.Win32.VB.bbl" and analyzed its behaviour in a VirtualBox and quickly found a weakness.
    It is very hard to remove, it closes antivirus setups and then deletes them, closes all windows containing anything about antivirus tools (even if you google anything about it, it closes your browser)... AND it starts up in safe mode too!
    This post is only to ask for your opinion on a little bat file I created to remove it (and it works!).

    Code:
    @echo off
    rem Removal script for the wins.exe / lechuck.exe infection described above.
    setlocal
    set counter=1
    cd /d "%windir%\system32"
    if not exist "%windir%\system32\wins.exe" goto nothing
    :y
    :yes
    
    goto start
    :counter
    
    rem Plain arithmetic; delayed expansion is not needed and would swallow the "!!" in the echo below.
    set /a counter+=1
    
    :start
    cls
    echo Try %counter%
    echo Killing processes...
    start /MIN cmd.exe /c taskkill /im wins.exe /f
    echo STOP!! please wait 5 seconds atleast before pressing any key && pause
    taskkill /im lechuck.exe /f /t
    
    rem Each step below runs in its own minimized cmd.exe and returns immediately.
    echo Deleting files...
    start /MIN cmd.exe /c del %windir%\system32\wins.exe /f /a
    start /MIN cmd.exe /c del %windir%\system32\lechuck.exe /f /a
    start /MIN cmd.exe /c del %windir%\system32\lechuck.hta /f /a
    start /MIN cmd.exe /c del %windir%\system32\cmd.com /f /a
    start /MIN cmd.exe /c del %windir%\regedit.com /f /a
    start /MIN cmd.exe /c del %windir%\spolis.exe /f /a
    start /MIN cmd.exe /c del %systemdrive%\p2p.exe /f /a
    start /MIN cmd.exe /c del %systemdrive%\autorun.inf /a /f 
    
    rem Reset the open command of each executable file type to "%1" %*.
    rem (HKCR is an alias of HKEY_CLASSES_ROOT, so exefile only needs one line.)
    echo Fixing registry...
    start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\exefile\shell\open\command /ve /t REG_SZ /d """"%%1""" %%*" /f
    start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\batfile\shell\open\command /ve /t REG_SZ /d """"%%1""" %%*" /f
    start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\comfile\shell\open\command /ve /t REG_SZ /d """"%%1""" %%*" /f
    start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\cmdfile\shell\open\command /ve /t REG_SZ /d """"%%1""" %%*" /f
    start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\piffile\shell\open\command /ve /t REG_SZ /d """"%%1""" %%*" /f
    start /MIN cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    
    echo Enabling Task Manager and Regedit again...
    start /MIN cmd.exe /c Reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f
    start /MIN cmd.exe /c Reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f
    start /MIN cmd.exe /c Reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /f
    
    rem The commands above run asynchronously; give them a few seconds before checking the result.
    ping -n 4 127.0.0.1 >nul
    
    rem Check for success first, so that a clean fifth try is not reported as a failure.
    if not exist "%windir%\system32\wins.exe" goto done
    if %counter%==5 goto fail
    goto counter
    
    :done
    echo Done!
    pause
    exit
    
    :nothing
    echo You are not infected by LeChucK.exe
    set "choice="
    set /p choice=Would you like to clean the system anyways (Y/N)?
    rem Jump only to known labels; any other answer exits instead of aborting on a missing label.
    if /i "%choice%"=="y" goto yes
    if /i "%choice%"=="yes" goto yes
    goto no
    
    :fail
    echo Failed to remove LeChucK.exe 5 times, contact tech support :[
    pause
    
    :n
    :no
    exit
    Edit:
    I have the virus if anyone is interested in testing, but I'm not sure how... upload it or something?
    Last edited by Hakon; 30 Sep 2009 at 18:16.
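
A read-only pre-check for the same artifacts, as an added example that is not part of the original post: it reports which of the files, handler commands and policy values named in the batch file are present or altered, without changing anything. The expected handler value `"%1" %*` is the one the batch file itself writes back.

```powershell
# Added example, not code from the thread: read-only audit of what the batch
# file above deletes or resets. File paths, keys and value names are copied
# from that script; nothing here changes the system.
$files = @(
    "$env:windir\system32\wins.exe",
    "$env:windir\system32\lechuck.exe",
    "$env:windir\system32\lechuck.hta",
    "$env:windir\system32\cmd.com",
    "$env:windir\regedit.com",
    "$env:windir\spolis.exe",
    "$env:SystemDrive\p2p.exe",
    "$env:SystemDrive\autorun.inf"
)
$classes  = 'exefile', 'batfile', 'comfile', 'cmdfile', 'piffile'
$expected = '"%1" %*'    # the value the batch file writes back to each handler
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
)
$findings = @()

# Test-Path also sees hidden and system files (the script deletes with /a).
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "FILE    $f" }
}

# A handler that differs from the expected value means that file type is
# being launched through a different command.
foreach ($c in $classes) {
    $key = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$c\shell\open\command" -ErrorAction SilentlyContinue
    if (-not $key) { $findings += "HANDLER $c : key missing"; continue }
    $value = $key.GetValue('')    # '' selects the key's default value
    if ($value -ne $expected) { $findings += "HANDLER $c : $value" }
}

# Either policy value, when present and non-zero, blocks Regedit or Task Manager.
foreach ($p in $policies) {
    $v = (Get-ItemProperty -LiteralPath $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($v) { $findings += "POLICY  $($p.Key) $($p.Name) = $v" }
}

if ($findings.Count -gt 0) { $findings } else { 'None of the artifacts were found.' }
```

Running it before and after the batch file shows which of the batch file's steps actually took effect.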


  2. Posts : 23
    Windows XP
       #2

    upload it in an encrypted archive in an encrypted archive in an encrypted archive that each have different 31 character hexadecimal passwords that you provide

    that should provide the rest of us enough protection
    btw, what malicious activities does this virus conduct?


  3. Posts : 72
    Windows 7 build 7600 64 bit
    Thread Starter
       #3

    It's supposed to download more malware! But I haven't seen any of that yet...


  4. Posts : 23
    Windows XP
       #4

    can you upload it? I'm interested in testing


  5. Posts : 18,404
    Windows 7 Ultimate x64 SP1
       #5

       Warning
    No uploading or posting any malicious content on this site, period. And don't ask for it to be uploaded either. Failure to listen to this warning will result in a ban.


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
