The evil batch
I ran into an interesting piece of malware. It basically comes in an .exe wrapper and drops a .bat file that’s about 25 KB large. It’s really heavily obfuscated and it can be considered destructive, since it deletes document files and does other evil things.
Here’s a screenshot from the beginning of the file:
Luckily, since this is a batch file, it’s easy, yet a bit time-consuming, to deobfuscate it with a series of find/replace commands.
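The find/replace approach described above can be automated. The following is an added example, not code from the original post: a small resolver for the common batch obfuscation tricks (caret escapes such as `s^e^t`, `%VAR%` expansion, and `%VAR:~start,len%` substring extraction). The post does not show which tricks the real dropper uses, so these patterns are an assumption, and the sample script is constructed.

```python
"""Added example, not code from the original post: a small resolver for the kind
of find/replace deobfuscation the post describes. The post does not show the
actual obfuscation used; the tricks handled here (caret escapes such as s^e^t,
%VAR% expansion, and %VAR:~start,len% substring extraction) are common batch
obfuscation techniques and are assumed. The sample script is constructed."""
import re

SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)"?\s*$', re.IGNORECASE)
SUBSTR_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%')
VAR_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)%')
COMMENT_RE = re.compile(r'^\s*(rem\b|::)', re.IGNORECASE)


def strip_carets(line):
    """cmd.exe treats ^ as an escape for the next character; drop the caret."""
    return re.sub(r'\^(.)', r'\1', line)


def cmd_substring(value, start, length):
    """Mimic %VAR:~start,len%: a negative start counts from the end, a
    negative length drops that many characters from the end, and a missing
    length means 'to the end'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:n + length]
    return value[start:start + length]


def expand(line, env):
    """Resolve substring extractions and plain variable references until the
    line stops changing (obfuscators nest them), with a cap to avoid loops."""
    def sub_substr(m):
        name = m.group(1).lower()
        if name not in env:
            return m.group(0)
        start = int(m.group(2))
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(env[name], start, length)

    def sub_var(m):
        return env.get(m.group(1).lower(), m.group(0))

    for _ in range(10):
        new = VAR_RE.sub(sub_var, SUBSTR_RE.sub(sub_substr, line))
        if new == line:
            break
        line = new
    return line


def deobfuscate(script):
    """Return the resolved command lines with set statements and comments removed
    (variable names are case-insensitive in cmd, so keys are lowercased)."""
    env = {}
    resolved = []
    for raw in script.splitlines():
        line = strip_carets(raw)
        if COMMENT_RE.match(line):
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = expand(m.group(2), env)
            continue
        line = expand(line, env)
        if line.strip():
            resolved.append(line)
    return resolved


# Constructed sample in the style described, not the real dropper.
SAMPLE = """@echo off
:: scrambled alphabet in a variable, commands rebuilt from single characters
s^e^t "zq=dyleohcaoplr"
set "kq=%zq:~3,1%%zq:~6,1%%zq:~5,1%%zq:~4,1%"
%kq% %zq:~5,1%%zq:~3,1%%zq:~2,1%%zq:~10,1%%zq:~4,1%
"""

if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE):
        print(cmd)
```

Running it on the constructed sample resolves the scrambled lines to `echo hello`. One caveat for real samples: cmd.exe performs `%` expansion before it processes carets, so a script that mixes `^%` sequences into variable names needs the two passes swapped; the order above is only an approximation that works for the common `s^e^t` style.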
So, here’s a few things it does:
- Disables SystemRestore
- Modifies registry settings to disallow the running of the following files:
  - notepad.exe
  - HijackThis.exe
  - wordpad.exe
  - rstrui.exe
  - taskmgr.exe
  - msconfig.exe
  - regedit.exe
  - HiJackThis_v2.exe
  - cmd.exe
  - ibprocman.exe
  - explorer.exe
  - integrator.exe.exe
- Overwrites .exe files that are being shared through the following programs:
  - eMule
  - Kazaa
  - Kazaa Lite
  - Grokster
  - Morpheus
  - EDonkey
  - Gnucleus
  - BearShare
  - KMD
  - Xolox
  - Ares
  - Shareaza
  - ICQ
  - LimeWire
  - Filetopia3
  - appleJuice
  - Overnet
  - Swaptor
  - WinMX
  - Tesla
  - Rapigator
  - Direct Connect
  - Warez P2P Client
- Tries to delete the following folders from the Program Files folder:
  - adware
  - adware~1
  - aio
  - aioano~1
  - aiotop~1
  - ashampoo
  - Avg
  - AVGant~1
  - avgant~2
  - bitdef~1
  - blackice
  - clamwi~1
  - counterspy
  - dr.web
  - etrust
  - etrust~1
  - evonsoft
  - evonso~1
  - Ewidoa~1
  - f-port~1
  - f-secure
  - f-secu~1
  - hideip~1
  - hideip~2
  - kasper~1
  - kerio
  - keriow~1
  - keriow~2
  - keriop~1
  - Mcafee~1
  - Microt~1
  - noadware
  - NOD32a~1
  - norton
  - norton~1
  - outpost
  - Panda
  - pandaa~1
  - pandat~1
  - portab~1
  - spyemergency
  - spyremover
  - spystopper
  - spywar~1
  - spywar~2
  - steganos
  - sygate
  - sygate~1
  - symantec
  - systemworks
  - thespy~1
  - titani~1
  - trendm~1
  - trendm~2
  - trojankiller
  - virusd~1
  - Viruss~1
  - virussafe
  - virusscan
  - webroot
  - webroo~1
  - winpatrol
  - xoftspy
  - zonealarm
- Checks for the presence of the following drives: D, E, F, G, H, I, J, K, L, M
  - If present, tries to overwrite any .exe on them with itself.
- Disables registry tools
- Disables TaskManager
- Disables the properties sheet of “My Computer”
- Disables file recycling
- Modifies the file-type associations for these extensions: bat, cmd, html, inf, ini, JS, msc, pif, reg, txt, vbe, vbs
  - Trying to open these files through Explorer will end up showing the author’s HTML page, with a nasty loop showing the following message:
  - “La fuente de voltaje no es suficiente para el correcto funcionamiento , QUEMATE EN EL INFIERNO UN RATO e intentelo mas tarde.”
- Deletes files with the following extensions:
  - doc
  - mp3
  - wma
  - ppt
  - pps
  - pot
  - xls
  - rtf
  - mdb
  - mpeg
  - mpg
  - avi
  - m4a
  - 3gp
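Several of the behaviours listed above (System Restore disabled, registry tools and Task Manager disabled, the My Computer properties sheet and file recycling switched off, a set of executables that can no longer be run) leave registry traces that can be audited on a suspect host. The following is an added example and not code from the original post. The post does not say which registry keys the batch file writes; the policy values used here are the standard Windows locations for those settings (an assumption), and the Image File Execution Options `Debugger` redirect is assumed to be how the listed executables are blocked. The registry reader is injectable so the check logic runs on any platform against a constructed registry state.

```python
"""Added example, not code from the original post: a read-only audit for the
host-hardening tampering the post lists. The post does not name the registry
keys the batch file touches; the policy values below are the standard Windows
locations for those settings (an assumption), and the Image File Execution
Options "Debugger" redirect is assumed to be how the listed executables are
blocked. The registry reader is injectable so the logic runs anywhere."""
import sys

# Executables the post says the malware prevents from running.
BLOCKED_EXES = [
    "notepad.exe", "HijackThis.exe", "wordpad.exe", "rstrui.exe",
    "taskmgr.exe", "msconfig.exe", "regedit.exe", "HiJackThis_v2.exe",
    "cmd.exe", "ibprocman.exe", "explorer.exe", "integrator.exe.exe",
]
IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# (hive, subkey, value name, meaning when the value is non-zero)
POLICY_VALUES = [
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore",
     "DisableSR", "System Restore disabled by policy"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", "registry tools disabled"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", "Task Manager disabled"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoPropertiesMyComputer", "My Computer properties sheet disabled"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoRecycleFiles", "Recycle Bin bypassed (files are deleted outright)"),
]


def audit(read_value):
    """read_value(hive, subkey, name) returns the value or None if absent.
    Returns a list of (indicator, detail) tuples; empty means nothing found."""
    findings = []
    for exe in BLOCKED_EXES:
        debugger = read_value("HKLM", IFEO + "\\" + exe, "Debugger")
        if debugger:
            findings.append(("ifeo_debugger", f"{exe} redirected to {debugger}"))
    for hive, subkey, name, meaning in POLICY_VALUES:
        value = read_value(hive, subkey, name)
        if value:  # DWORD 1 (or any non-zero) enables the restriction
            findings.append(("policy", f"{hive}\\{subkey}\\{name}={value}: {meaning}"))
    return findings


def winreg_reader(hive, subkey, name):
    """Live reader for a Windows host (standard-library winreg module)."""
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, subkey) as key:
            value, _type = winreg.QueryValueEx(key, name)
            return value
    except OSError:
        return None


def dict_reader(fake):
    """Reader over a constructed in-memory registry (case-insensitive paths)."""
    table = {(h.upper(), k.lower(), n.lower()): v for (h, k, n), v in fake.items()}
    return lambda hive, subkey, name: table.get((hive.upper(), subkey.lower(), name.lower()))


# Constructed sample registry state, not captured from a real infection.
SAMPLE_REGISTRY = {
    ("HKLM", IFEO + r"\taskmgr.exe", "Debugger"): r"C:\CONSTRUCTED\dropper.exe",
    ("HKLM", IFEO + r"\regedit.exe", "Debugger"): r"C:\CONSTRUCTED\dropper.exe",
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR"): 1,
    # A value that is present but zero must not be reported.
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRecycleFiles"): 0,
}

if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else dict_reader(SAMPLE_REGISTRY)
    for indicator, detail in audit(reader) or [("none", "no indicators found")]:
        print(f"[{indicator}] {detail}")
```

On a Windows host the script reads the live registry; elsewhere it runs against the constructed sample and reports the two redirected executables and the two enabled policies. Any `ifeo_debugger` hit on a system tool is worth treating as a strong indicator, since legitimate debugger registrations for `taskmgr.exe` or `regedit.exe` are rare.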
That’s about the main functionality. As you can see it’s pretty destructive and will leave the computer really crippled. Seems like the author has some major issues, to put it nicely.