Windows 7 Forums


Windows 7: Trojan-Downloader.Win32.VB.bbl

30 Sep 2009   #1

Windows 7 build 7600 64 bit

I found this awesome virus "Trojan-Downloader.Win32.VB.bbl" and analyzed its behaviour in a VirtualBox and quickly found a weakness.
It is very hard to remove, it closes antivirus setups and then deletes them, closes all windows containing anything about antivirus tools (even if you google anything about it, it closes your browser)... AND it starts up in safe mode too!
This post is only to ask for your opinion on a little .bat file I created to remove it (and it works!).

@echo off
setlocal enabledelayedexpansion
REM counter = number of removal attempts; the loop gives up after 5
set counter=0
cd /d %windir%\system32
if not exist "%windir%\system32\wins.exe" goto nothing

:start
:counter
set /a counter=!counter!+1

echo Try %counter%
echo Killing processes...
REM taskkill runs in its own minimized window so the trojan cannot close this one
start /MIN cmd.exe /c taskkill /im wins.exe /f
echo STOP!! please wait 5 seconds at least before pressing any key && pause
taskkill /im lechuck.exe /f /t

echo Deleting files...
start /MIN cmd.exe /c del %windir%\system32\wins.exe /f /a
start /MIN cmd.exe /c del %windir%\system32\lechuck.exe /f /a
start /MIN cmd.exe /c del %windir%\system32\lechuck.hta /f /a
REM The next two lines have no file name in the post as it appears here. Without a
REM file name, "del <folder>\ /f /a" wipes the whole folder, so they are disabled.
REM start /MIN cmd.exe /c del %windir%\system32\ /f /a
REM start /MIN cmd.exe /c del %windir%\ /f /a
start /MIN cmd.exe /c del %windir%\spolis.exe /f /a
start /MIN cmd.exe /c del %systemdrive%\p2p.exe /f /a
start /MIN cmd.exe /c del %systemdrive%\autorun.inf /a /f

echo Fixing registry...
REM Restore the default open command the trojan hijacks (%%1 and %%* are how a batch
REM file writes %%1 and %%*; \" is how reg.exe takes a literal quote). HKCR is the same
REM key as HKEY_CLASSES_ROOT, so it is only written once.
start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\exefile\shell\open\command /ve /t REG_SZ /d "\"%%1\" %%*" /f
start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\batfile\shell\open\command /ve /t REG_SZ /d "\"%%1\" %%*" /f
start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\comfile\shell\open\command /ve /t REG_SZ /d "\"%%1\" %%*" /f
start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\cmdfile\shell\open\command /ve /t REG_SZ /d "\"%%1\" %%*" /f
start /MIN cmd.exe /c reg add HKEY_CLASSES_ROOT\piffile\shell\open\command /ve /t REG_SZ /d "\"%%1\" %%*" /f
REM MountPoints2 caches per-drive autorun handlers; deleting it drops the cached entries
start /MIN cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f

echo Enabling Task Manager and Regedit again...
start /MIN cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f
start /MIN cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f
start /MIN cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

REM the del/reg commands above run in separate windows; give them a moment before checking
timeout /t 3 /nobreak >nul
if %counter%==5 goto fail
if exist "%windir%\system32\wins.exe" goto counter
goto done

:done
echo Done!
goto end

:nothing
echo You are not infected by LeChucK.exe
set /p choice=Would you like to clean the system anyways (Y/N)?
if /i "%choice%"=="Y" goto start
goto end

:fail
echo Failed to remove LeChucK.exe 5 times, contact tech support :[

:end
endlocal
pause

I have the virus if anyone is interested in testing, but I'm not sure how... upload it or something?

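A read-only companion to the batch file above, added here as an example and not code from the thread: it checks the same files, processes and registry locations the script repairs and reports whatever differs from a clean Windows 7 default, so you can see what a cleanup would have to change before running anything that deletes. File and process names are taken from the post; the expected open command "%1" %* is the standard Windows value.

```powershell
# Added check script (not from the thread). It only READS the locations the poster's batch
# file repairs and reports anything that does not look like a clean Windows 7 default.
# File and process names come from the post; nothing here deletes or rewrites anything.

$findings = @()

# 1. Dropped files the batch file deletes
$files = "$env:windir\system32\wins.exe", "$env:windir\system32\lechuck.exe",
         "$env:windir\system32\lechuck.hta", "$env:windir\spolis.exe",
         "$env:SystemDrive\p2p.exe", "$env:SystemDrive\autorun.inf"
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# 2. Processes the batch file kills
foreach ($p in Get-Process -Name wins, lechuck -ErrorAction SilentlyContinue) {
    $findings += "process running: $($p.ProcessName) (PID $($p.Id))"
}

# 3. Shell open commands for executable file classes; the clean default is "%1" %*
$default = '"%1" %*'
foreach ($cls in 'exefile', 'batfile', 'comfile', 'cmdfile', 'piffile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
    $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -ne $default) { $findings += "$cls open command is '$cmd' (expected '$default')" }
}

# 4. Policies that disable Task Manager / Regedit (absent or 0 on a clean system)
$policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($k in $policyKeys) {
    $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($props -and $props.$name) { $findings += "$k\$name = $($props.$name)" }
    }
}

# 5. Per-drive autorun handlers cached under MountPoints2 (the batch file deletes the whole key)
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
foreach ($sub in Get-ChildItem -LiteralPath $mp -ErrorAction SilentlyContinue) {
    if (Test-Path -LiteralPath (Join-Path $sub.PSPath 'shell\AutoRun\command')) {
        $findings += "autorun handler cached for $($sub.PSChildName)"
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt once before and once after the batch file; an empty result after cleanup is the confirmation the retry loop in the script cannot give you on its own.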
30 Sep 2009   #2

Windows XP

upload it in an encrypted archive in an encrypted archive in an encrypted archive that each have a different 31-character hexadecimal password that you provide

that should provide the rest of us enough protection
btw, what malicious activities does this virus conduct?
01 Oct 2009   #3

Windows 7 build 7600 64 bit

It's supposed to download more malware! But I haven't seen any of that yet...

01 Oct 2009   #4

Windows XP

can you upload it? I'm interested in testing
01 Oct 2009   #5

Windows 7 Ultimate x64 SP1

Warning
No uploading or posting any malicious content on this site, period. And don't ask for it to be uploaded either. Failure to listen to this warning will result in a ban.