Malicious Autoit Program

liquidzyklon

Ok, I am going to start off clean here. This program is NOT mine, but I was stupid enough to run it on my computer. :idiot:

First, I downloaded this program thinking it was something else (a hack for a game). Of course I did the usual anti-virus check for this file, along with UPX extraction and rescanning it. I was too careless and didn't notice it was an AutoIt script. I ran the program and the computer shut down. I started the computer again; it booted up until the screen that shows "Windows is Starting up..." and then the computer goes to the "Windows is Shutting down" screen. There is no time to type in a password or have any user intervention to prevent this (at least not to my knowledge). I am running Windows XP SP2 with NAV.

I know it's against the rules to decompile a program, but since this program messed up my computer I really need help from someone who can decompile it. I'm not here to steal his code, but I need to know how to resolve this issue. I need to know what kind of modification this script did to my computer. I have spent 5 hours looking online for help and found a few leads, but none of them can help me resolve this issue.

I will provide the link to the EXE, but a mod should remove it for the safety of others. I just need someone to decompile it and guide me in fixing my computer.

The file is located: <link removed>

Edited by Jon

Insolence

I think you can start up in safe mode and fix the registry there?

It adds a value to the RunOnce field (I think) inside your registry. You should be thankful all it's doing is shutting it down, thank god it didn't run silently and steal your stuff :idiot:


"I thoroughly disapprove of duels. If a man should challenge me, I would take him kindly and forgivingly by the hand and lead him to a quiet place and kill him." - Mark Twain
Patient: "It hurts when I do $var_" Doctor: "Don't do $var_" - Lar.

the_lord_mephy

It probably did something like

RegWrite($startupdir, yadda yadda, "myprog.exe")

Shutdown(1)

and then myprog.exe is saved as

Shutdown(1)

=\


My site for HTML Help :)
> Maybe nobody is an "elite uber-coder" like me because thinking is a capital offense in today's online-world? - Valik, Oct 15 2004, 12:29 PM

MHz

This nasty executable could be doing almost anything to do this.

It seems to have passphrase protection.

Everyone: do not run this to find out, unless isolated in something like Virtual PC.

Reason: it reboots almost instantly and leaves your system as described in the initial post.

Insolence

That would be horrible.

Safe mode doesn't stop that program from being started?


Andre

Hi,

Perhaps useless to say, but if someone posts a new script, always include the source to prevent this kind of problem.

Andre


What about Windows without using AutoIt? It would be the same as driving a car without a steering wheel!

Insolence

What?

It's MEANT to do that.


Jon

Here is the script. Pretty standard "evil" stuff. Renames a few files and adds reg Run keys. Looks to be by someone called Chong Yi. Sir, you are a twat.

Hopefully you can reverse most of it, but it looks like it deleted some of the dllcache files so you will need your windows CD to replace them.

I'll remove it in a few hours.

Edit: removed.

Edited by Jon

liquidzyklon

Omg, I thank you all. You are great people. I will have to spend some time looking at the code and see what I can do.

First, I am sorry for those who downloaded this program and ran it by accident. I did try to warn you guys. Very sorry.

Ok, after running the program it shut down. First of all I remember that the file was about 450 KB, so that means it's not just a few lines of code and this thing must have been huge.

My first attempt at fixing it was to boot up in Safe Mode, but like some of you discovered it was futile. Then I went on the Internet to search and came up with this site: http://www.greatis.com/security/startuporder.htm which at the bottom showed the boot order. This led me to try and disable "weird" Services and reboot. I tried that for 2 hours and it was no good.

My second attempt was to find the EXE that was being called upon at bootup and delete it so the Windows Registry can't find it, but it seems that I can't access the "Documents and Settings" folder and so on. I will have to try using a Windows 2000 CD to bypass the stupid WinXP security.

I will try to reverse this with the code provided, but if I have any trouble I will post back. Thank you all, and have a Happy New Years.

ezzetabi

This is doubly bad:

- This means compiled files with the 'No compile' tag are not secure at all.

- People want to give AutoIt a bad name.

killaz219

> Here is the script. Pretty standard "evil" stuff. Renames a few files and adds reg Run keys. Looks to be by someone called Chong Yi. Sir, you are a twat.
>
> Hopefully you can reverse most of it, but it looks like it deleted some of the dllcache files so you will need your windows CD to replace them.

Ha, Jon, you're the only one that can crack AutoIt compiled exes.

liquidzyklon

Alright, I managed to fix my computer and would like to share with you all. It's been a learning experience for me :idiot:

First, I rebooted into Recovery Console. Went to all the directories where new files were being copied.

1) C:\WINDOWS\system32\dllcache

2) C:\WINDOWS\system32\

3) C:\WINDOWS\

Then I deleted every file that was copied by this script, including the ones in dllcache. Rebooted and I was able to logon. That was a big relief.

After logon, nothing came up because explorer.exe wasn't running, but I was able to get Task Manager up with Ctrl + Alt + Del. From there I accessed regedit and did my fixing of all the added/modified registry entries. After that I rebooted and everything is okay. I just did a repeat check for any foreign files and foreign entries in the registry and it looks like I am all clean. I am lucky the script author didn't delete any files or that would require a little more work in restoring files from the WinXP CD. Now I can have a great New Years.

[Aside] AutoIt has been a powerful scripting language that I use to check my mail and all my other lazy stuff. Because this language is powerful, there are bound to be people who will abuse it. I am very lucky that Jon decompiled it and that helped me a lot.

Regards,

Derrick Shum

PS: I forgot to ask one more question: the first 3 lines called to install hohoho.exe and hohoho.jpg. I am wondering, were those files actually embedded into the EXE?

Edited by liquidzyklon
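As an added defensive illustration of the registry clean-up step in the post above (example code, not the thread's or AutoIt's own), the Python below reads a regedit export of the HKLM Run and RunOnce keys, lists each autostart entry, and flags the ones that deserve a look: programs living in dllcache or other directories that never legitimately host autostart entries, RunOnce entries, and commands that do not point at an .exe or .dll. The sample export, the directory heuristics, and the entry names hohoho and myprog.exe (borrowed from the thread) are constructed for this example; the NVIDIA and Symantec lines are illustrative stand-ins, not verified values.

```python
import re
from typing import List, NamedTuple, Sequence

# Only the per-machine autostart keys discussed in the thread are inspected;
# the HKEY_CURRENT_USER twins end with the same suffixes and parse the same way.
AUTORUN_KEY_SUFFIXES = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

# Heuristic (constructed for the example): directories that should never host
# an autostart program.
SUSPICIOUS_DIR_FRAGMENTS = ("\\dllcache\\", "\\temp\\", "\\documents and settings\\", "\\recycler\\")

# Regedit 5.00 writes "name"="value" lines; backslash and double quote are escaped.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


class AutorunEntry(NamedTuple):
    key: str
    name: str
    command: str


class Finding(NamedTuple):
    entry: AutorunEntry
    executable: str
    reasons: List[str]


def _unescape(value: str) -> str:
    # .reg escapes are a backslash followed by the literal character
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg_export(text: str) -> List[AutorunEntry]:
    """Collect string values under Run/RunOnce keys from a .reg export.

    Real exports from regedit are UTF-16 with a BOM; open the file with
    encoding="utf-16" before passing its text here.
    """
    entries: List[AutorunEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not current_key.endswith(AUTORUN_KEY_SUFFIXES):
            continue
        m = VALUE_LINE.match(line)
        if m:
            entries.append(AutorunEntry(current_key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def executable_of(command: str) -> str:
    """Pull the program (or the DLL hosted by rundll32) out of a command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    head, _, tail = cmd.partition(" ")
    if head.lower().endswith("rundll32.exe") and tail:
        return tail.split(",", 1)[0].strip()
    return head


def review_autoruns(text: str, trusted_names: Sequence[str] = ()) -> List[Finding]:
    """Return every autostart entry that deserves a look, with the reasons why."""
    findings: List[Finding] = []
    for entry in parse_reg_export(text):
        if entry.name in trusted_names:
            continue
        exe = executable_of(entry.command)
        reasons = []
        if any(frag in exe.lower() for frag in SUSPICIOUS_DIR_FRAGMENTS):
            reasons.append("program lives in a directory that should not host autostart entries")
        if entry.key.endswith("\\RunOnce"):
            reasons.append("RunOnce entry: executes at next logon and then removes itself")
        if not exe.lower().endswith((".exe", ".dll")):
            reasons.append("command does not point at an .exe or .dll")
        if reasons:
            findings.append(Finding(entry, exe, reasons))
    return findings


# Constructed sample export: two ordinary-looking entries plus two modelled on the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"hohoho"="C:\\WINDOWS\\system32\\dllcache\\hohoho.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"shutdown"="C:\\WINDOWS\\myprog.exe"
'''

if __name__ == "__main__":
    for f in review_autoruns(SAMPLE_EXPORT):
        print(f"{f.entry.key}\\{f.entry.name} -> {f.executable}")
        for r in f.reasons:
            print("   ", r)
```

To run it against a real machine, export the two keys first (for example `regedit /e run.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"`), read the file with `encoding="utf-16"`, and pass the names you know to be legitimate as `trusted_names` so only the unknowns are listed. The review is a triage aid only; the check that an entry is really benign is still the operator's.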

Einzeinbleth

Stupid lamers are making destructive code and normal people have more work :D Try to install something like Ad-Aware or similar, and make a copy of the registry... no one knows when a noob will attack... :idiot:

EDIT: liquidzyklon, maybe that idiot who made the code named it hohoho? And then forgot about it :lol:

Edited by Einzeinbleth

Jon

> This is doubly bad:
>
> - This means compiled files with the 'No compile' tag are not secure at all.

This is always the weakness: AutoIt must be able to run its own script, so the algorithm has to be two-way. The only way to avoid it would be if the script asked for a password every time it was run (then I wouldn't be able to decompile it apart from by brute force or memory sniffing).

What I _did_ want to do was to make the script just stored as tokens so that decompiling would be a nightmare (i.e. the text file for the script no longer exists) - but because lots of people wanted a decompiler, and one that gets back all the comments and formatting, that isn't possible. Well, not without creating multiple modes for Aut2Exe.

ezzetabi

I see your point Jon. But still it is sad.

It is maybe better removing the passphrase or the decompiler... :idiot:

liquidzyklon

I'm not sure what else you can do to make AutoIt safer. Considering AutoIt is supposed to be a powerful scripting language, there are bound to be people who will abuse it. Compiling the scripts allows people to use the scripts without AutoIt installed, but the passphrase is supposed to help provide the author's code. The question here is, what's the difference between script code vs. a program? For example, VBS and JavaScript are both scripting languages which are powerful as well, but the code is usually seen by the user so they can use it at their own discretion. Plus those two types of script run off Windows Script so it's already universal. So maybe removing the passphrase can make AutoIt equivalent (in the sense that the code can be decompiled and perused for dangers).

killaz219

> Well, not without creating multiple modes for Aut2Exe.

I think that is a great idea :idiot:. Or maybe just the no decompile will use that mode?

Edited by killaz219

sugi

> What I _did_ want to do was to make the script just stored as tokens so that decompiling would be a nightmare

The only difference would be that all of the comments would be removed. But remember: the C64 stored only tokens for its BASIC V2 language in its 64K memory, but when you entered "list" it would translate them into the readable commands every time. So translating the scripts into tokens alone does not help at all.
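To make the point in the post above concrete, here is an added toy example (not code from the thread, from Aut2Exe, or a description of how AutoIt actually stores scripts): a tokenizer for a tiny AutoIt-like language that replaces keywords with integer codes and drops comments and indentation, next to the table lookup that turns the codes straight back into readable source. The keyword list and the sample script are constructed for the example. The round trip shows exactly what sugi says: only comments and formatting are lost, the program itself comes back unchanged.

```python
import re
from typing import List, Union

# Constructed keyword table for a tiny AutoIt-like language; the position in
# the list is the token code, so both directions are a plain table lookup.
KEYWORDS = ["Func", "EndFunc", "If", "Then", "Else", "EndIf", "Return", "Local", "MsgBox"]
CODE_OF = {kw.lower(): code for code, kw in enumerate(KEYWORDS)}

# Strings, variables/identifiers, numbers, and single punctuation characters.
TOKEN_RE = re.compile(r'"[^"]*"|\$?[A-Za-z_]\w*|\d+|[^\s\w]')

Token = Union[int, str]


def tokenize(source: str) -> List[List[Token]]:
    """Turn source into one token list per line.

    Comments, blank lines and indentation do not survive; keywords become
    integer codes (case-insensitively, like AutoIt keywords), everything else
    is kept verbatim.
    """
    stream: List[List[Token]] = []
    for raw in source.splitlines():
        toks = TOKEN_RE.findall(raw)
        if ";" in toks:                  # a bare ';' token starts a comment
            toks = toks[: toks.index(";")]
        if not toks:
            continue
        stream.append([CODE_OF.get(t.lower(), t) for t in toks])
    return stream


def _join(words: List[str]) -> str:
    # Re-space the tokens: no space before ( ) , and none right after (
    line = ""
    for w in words:
        if line and w not in ("(", ")", ",") and not line.endswith("("):
            line += " "
        line += w
    return line


def detokenize(stream: List[List[Token]]) -> str:
    """The inverse lookup: codes back to keywords, then re-spaced source."""
    lines = []
    for toks in stream:
        lines.append(_join([KEYWORDS[t] if isinstance(t, int) else t for t in toks]))
    return "\n".join(lines)


def round_trips(source: str) -> bool:
    """True when the recovered text tokenizes to exactly the same stream."""
    stream = tokenize(source)
    return tokenize(detokenize(stream)) == stream


# Constructed sample script with comments and indentation to lose.
SAMPLE_SCRIPT = '''; greeting helper, written for the demo
Func _Greet($name)
    Local $text = "Hello, " & $name   ; build the message
    If $name = "" Then
        Return "nobody"
    EndIf
    Return $text
EndFunc

MsgBox(0, "Demo", _Greet("World"))
'''

if __name__ == "__main__":
    print(detokenize(tokenize(SAMPLE_SCRIPT)))
```

The tokenizer keeps a single rule for what it may throw away (comments, whitespace, keyword spelling) and `round_trips` checks that nothing else is lost; the same check would hold for any stored form the interpreter can execute, which is the two-way property Jon describes.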

this-is-me

> Ha, Jon you're the only one that can crack AutoIt compiled exes

@killaz... not so... :idiot:

Edited by this-is-me

Who else would I be?
