Malicious Autoit Program

[liquidzyklon]

Ok, I am going to start off clean here. This program is NOT mine, but I was stupid enough to run it on my computer.

First, I downloaded this program thinking it was something else (a hack for a game). Of course I did the usual anti-virus check for this file, along with UPX extraction and rescanning it. I was too careless and didn't notice it was an Autoit Script. I ran the program, computer shutdown. I started computer again, it booted up until the screen that shows "Windows is Starting up..." and then computer goes to "Windows is Shutting down" screen. There is no time to type in password or have any user intervention to prevent this (at least not to my knowledge). I am running WindowsXP SP2 with NAV.

I know its against the rule to decompile a program, but since this program messed up my computer I really need help from someone who can decompile it. I'm not here to steal his code, but I need to know how to resolve this issue. I need to know what kind of modification this script did to my computer. I have spent 5 hours looking online for help and found a few leads, but none of them can help me resolve this issue.

I will provide the link to the EXE, but a mod should remove it for the safety of others. I just need someone to decompile it and guide me to fixing my computer

The file is located: <link removed>

Edited December 31, 2004 by Jon

[Insolence]

I think you can start up in safe mode and fix the registry there?

It adds a value to the RunOnce field (I think) inside your registry. You should be thankful all it's doing is shutting it down, thank god it didn't run silently and steal your stuff

[the_lord_mephy]

It probably did something like

RegWrite($startupdir, yadda yadda, "myprog.exe")

Shutdown(1)

and then myprog.exe is saved as

Shutdown(1)

=\

[MHz]

This nasty executable could be doing almost anything, to do this.

It seems to have passphase protection.

Everyone. Do not run this to find out. Unless isolated in something like Virtual PC.

Reason: It reboots almost instantly and leaves your system as described in intial post.

[Insolence]

That would be horrible.

Safemode doesn't avoid that program from being started?

[Andre]

Hi,

Perhaps useless to say, but if someone post's a new script, alway's include the source to prevent this kind of problems.

Andre

[Insolence]

What?

It's MEANT to do that.

[Jon]

Here is the script. Pretty standard "evil" stuff. Renames a few files and adds reg Run keys. Looks to be by someone called Chong Yi. Sir, you are a twat.

Hopefully you can reverse most of it, but it looks like it deleted some of the dllcache files so you will need your windows CD to replace them.

I'll remove it in a few hours.

Edit: removed.

Edited January 1, 2005 by Jon

[SlimShady]

Omg that's horrible.

[liquidzyklon]

Omg, I thank you all. You are great people. I will have to spend sometime to look at the code and see what I can do.

First, I am sorry for those who downloaded this program and ran it by accident. I did try to warn you guys. Very sorry.

Ok, after running the program it shutdown. First of all I remember that the file was about 450 KB, so that means it's not just a few line of code and this thing must have been huge.

My first attempts to fixing it was to boot up in Safe Mode, but like some of you discovered it was futile. Then, I went on the Internet to search and came up with this site: http://www.greatis.com/security/startuporder.htm which at the bottom showed the boot order. This lead me to try and disable "weird" Services and reboot. I tried that for 2 hours and was no good.

My second attempt was to find the EXE that was being called upon at bootup and delete it so Windows Registry can't find it, but it seems that I can't access "Documents and Settings" folder and so on. I will have to try using Windows 2000 CD to bypass stupid WinXP security.

I will try to reverse this with the code provide, but if I have any trouble I will post back. Thank you all, and have a Happy New Years.

[ezzetabi]

This is double bad:

- This mean compiled files with 'No compile' tag are not sure at all.

- People want giving to AutoIt a bad name.

[killaz219]

Here is the script.  Pretty standard "evil" stuff.  Renames a few files and adds reg Run keys.  Looks to be by someone called Chong Yi.  Sir, you are a twat.

Hopefully you can reverse most of it, but it looks like it deleted some of the dllcache files so you will need your windows CD to replace them.

<{POST_SNAPBACK}>

Ha, Jon you're the only one that can crack AutoIt compiled exe's

[liquidzyklon]

Alright, I managed to fix my computer and would like to share with you all. It's been a learning experience for me

First, I rebooted into Recovery Console. Went to all the directories where new files were being copied.

1) C:\WINDOWS\system32\dllcache

2) C:\WINDOWS\system32\

3) C:\WINDOWS\

Then I deleted every file that was copied by this script, including the ones in dllcache. Rebooted and I was able to logon. That was a big relief.

After logon, nothing came up because explorer.exe wasn't running, but I was able to get Task Manager up with Ctrl + Alt + Del. From there I accessed regedit and did my fixing of all the added/modified registry entries. After that reboot and everything is okay. I just did a repeat check for any foreign files and foreign entries in the registry and it looks like I am all clean. I am lucky the script author didn't delete any files or that would require a little more work in restoring file from the WinXP CD. Now I can have a great New Years.

[Aside]Autoit has been a powerful scripting language that I use to check my mail, and all my other lazy stuff. It's because this language is powerful, there are bound to be people who will abuse it. I am very lucky that Jon decompiled it and that helped me a lot.

Regards,

Derrick Shum

PS: I forgot to ask one more question, the first 3 lines called to install hohoho.exe and hohoho.jpg. I am wondering was those files actually embedded into the EXE?

Edited December 31, 2004 by liquidzyklon

[Einzeinbleth]

Stupid lamers are making destroying code and normal peoples have more work Try to install something like ad-aware or such as, and make a copy of registry .. no one know when noob will atack...

EDIT: liquidzyklon, maybe that idiot who make the code named it hohoho ? And then forgot about it

Edited December 31, 2004 by Einzeinbleth

[Jon]

This is double bad:

- This mean compiled files with 'No compile' tag are not sure at all.

This is always the weakness, AutoIt must be able to run it's own script so the algorithm has to be two-way. The only way to avoid would be if the script asked for a password everytime it was run (then I wouldn't be able to decompile it apart from by brute force or memory sniffing).

What I _did_ want to do was the make the script just stored as tokens so that decompiling would be a nightmare (i.e. the text file for the script no longer exists) - but because lots of people wanted a decompiler, and one that gets back all the comments and formatting that isn't possible. Well, not without creating multiple modes for Aut2Exe.

[ezzetabi]

I see your point Jon. But still it is sad.

It is maybe better removing the passphase or the decomplier...

[liquidzyklon]

I'm not sure what else you can do to make AutoIt safer. Considering AutoIt is suppose to be a powerful script language, there are bound to be people who will abuse it. Compiling the scripts allow people to use the scripts without AutoIt installed, but the passphrase is suppose to help provide the author's code. The question here is, what's the difference between a script code VS a program? For example, VBS and JaveScript, both are scripting language which are powerful as well but the code are usually seen by the user so they can use it at their own discretion. Plus those two types of script running off Windows Script so it's already universal. So maybe removing the passphrase can make AutoIt equivalent (in the sense that the code can be decompiled and perused for dangers).

[killaz219]

Well, not without creating multiple modes for Aut2Exe.

<{POST_SNAPBACK}>

I think that is a great idea . Or maybe just the no decompile will use that mode? Edited January 1, 2005 by killaz219

[sugi]

What I _did_ want to do was the make the script just stored as tokens so that decompiling would be a nightmare

The only difference would be that all of the comments would be removed. But remember: The C64 stored only tokens for it's Basic V2 language in it's 64k memory but when you entered "list" it would translate them into the readable commands everytime. So translating the scripts into tokens alone does not help at all.

[this-is-me]

Ha, Jon you're the only one that can crack AutoIt compiled exe's

@killaz... not so... Edited January 4, 2005 by this-is-me