2words4uready Posted July 13, 2008 (edited)

This script will remove the virus Funny UST Scandal.avi.exe

UPDATED SCRIPT

It's a good thing I made this script earlier, because I received the virus last night over Yahoo Messenger.

VIRUS REMOVER PART 1

    ; Open a command prompt and change to the root of the drive
    run("cmd.exe")
    send("cd\")
    send("{ENTER}")
    sleep(5000)
    ; Clear the hidden and system attributes so the files can be deleted
    send("attrib -h -s smss.exe")
    send("{ENTER}")
    sleep(5000)
    send("attrib -h -s autorun.inf")
    send("{ENTER}")
    sleep(5000)
    ; Delete the copies dropped in the root of C:
    FileDelete("C:\smss.exe")
    sleep(5000)
    FileDelete("C:\autorun.inf")
    sleep(5000)
    filedelete("C:\Funny UST Scandal.avi.exe.exe")
    sleep(5000)

VIRUS REMOVER PART 2

    ; Open a command prompt and change to the windows folder
    run("cmd.exe")
    send("cd windows")
    send("{ENTER}")
    sleep(5000)
    ; Clear the hidden and system attributes on the copy in that folder
    send("attrib -h -s smss.exe")
    send("{ENTER}")
    sleep(5000)
    ; Open C:\WINDOWS in Explorer
    send("start c:\windows")
    send("{ENTER}")
    sleep(5000)
    ; Delete the copy in C:\WINDOWS and the Startup folder entry
    filedelete("C:\WINDOWS\smss.exe")
    sleep(5000)
    filedelete("C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe")

Edited July 14, 2008 by 2words4uready

Jos (Developers) Posted July 13, 2008 (edited)

I am kinda lost what these scripts are supposed to do. They start the CMD prompt, then type some command to just open the explorer and then to tell you to delete files? How did you figure that these files should be deleted anyways?

Edited July 13, 2008 by Jos

SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past.

2words4uready (Author) Posted July 13, 2008

> I am kinda lost what these scripts are supposed to do. They start the CMD prompt, then type some command to just open the explorer and then to tell you to delete files? How did you figure that these files should be deleted anyways?

Because of hours of tedious running on the cmd prompt while trying to remove this virus on a friend's computer. The reason it tells you to delete the files is because I don't have the virus, so it prevents me from automating the deleting part.

gseller Posted July 13, 2008

I found this on Google, just changing the attributes and deleting infected files... http://www.bloggingindia.net/2008/01/09/au...-scandalaviexe/

Jos (Developers) Posted July 13, 2008 (edited)

This to me is like saying that "Format c:" also removes the virus if you know what I mean. Let me put it this way: When you are not sure about these type of things then just don't tell people to delete files but tell them to get a proper AV package installed.

Jos

Edited July 13, 2008 by Jos

2words4uready (Author) Posted July 13, 2008

> This to me is like saying that "Format c:" also removes the virus if you know what I mean. Let me put it this way: When you are not sure about these type of things then just don't tell people to delete files but tell them to get a proper AV package installed.
> Jos

A proper AV does not detect this virus. It was also made with AutoIt V3.

2words4uready (Author) Posted July 13, 2008

> I found this on Google, just changing the attributes and deleting infected files... http://www.bloggingindia.net/2008/01/09/au...-scandalaviexe/

gseller, I wish I had known that earlier and I would have had to sit for hours on the cmd lol

nobbe Posted July 14, 2008 (edited)

> on a friend's computer. The reason it tells you to delete the files is because I don't have the virus, so it prevents me from automating the deleting part.

.. so you are basically saying you DON'T KNOW why you do this?

I am suspicious why to delete the smss.exe? That's part of the OP : "session manager subsystem" ?? It shouldn't be deleted ?

Next : "LSASS" or Local Security Authority Subsystem Service. This shouldn't be deleted either !! or Windows won't start again.

So it can be really harmful if ppl accidentally delete the files from the WRONG spot.

Sorry: but for me your "antivirus script" looks like a bad idea. I better trust on a decent antivirus program (BTW the virus was already on the freeware Avira AntiVir list somewhere in January..)

Edited July 14, 2008 by nobbe

2words4uready (Author) Posted July 14, 2008

I have UPDATED THE SCRIPT please LOOK at it

2words4uready (Author) Posted July 14, 2008

> This to me is like saying that "Format c:" also removes the virus if you know what I mean. Let me put it this way: When you are not sure about these type of things then just don't tell people to delete files but tell them to get a proper AV package installed.
> Jos

The virus also prevents you from installing anything

tpg Posted July 14, 2008

> A proper AV does not detect this virus. It was also made with AutoIt V3.

That is a bummer. It is being referred to as Autoit.BD worm. If it really is a worm we are probably in for more false positive AV detections.

http://www.bloggingindia.net/2008/01/09/au...-scandalaviexe/

gseller Posted July 14, 2008

> gseller, I wish I had known that earlier and I would have had to sit for hours on the cmd lol

Google Is Your Friend!! LOL

Jos (Developers) Posted July 14, 2008

> The virus also prevents you from installing anything

When you have a virus you shouldn't try to install software nor keep running from the infected partition. I use a WinPE CD to boot and run AV from there.

Jos

GEOSoft Posted July 14, 2008

> .. so you are basically saying you DON'T KNOW why you do this?
> I am suspicious why to delete the smss.exe? That's part of the OP : "session manager subsystem" ?? It shouldn't be deleted ?
> Next : "LSASS" or Local Security Authority Subsystem Service. This shouldn't be deleted either !! or Windows won't start again.
> So it can be really harmful if ppl accidentally delete the files from the WRONG spot.
> Sorry: but for me your "antivirus script" looks like a bad idea. I better trust on a decent antivirus program (BTW the virus was already on the freeware Avira AntiVir list somewhere in January..)

However those files should not be in the root of the drive. And if they are then you have a problem. Same thing with viruses that create a file named explorer.exe in the root of the home drive. Files found in the root will execute before files of the same name in the rest of the path.

George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums. Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.*** The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number. Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else. "Old age and treachery will always overcome youth and skill!"

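The location test this exchange turns on, as an added example that is not code from any poster in this thread: a file named smss.exe, lsass.exe or explorer.exe counts as the real OS binary only in its standard folder and as an impostor anywhere else. It is written in Python so the logic can be run over a list of paths; `classify`, `removal_candidates` and the bait-extension list are hypothetical names and assumptions.

```python
import ntpath

# Standard homes of the Windows binaries named in the thread.
EXPECTED_DIR = {
    "smss.exe": r"%SystemRoot%\System32",
    "lsass.exe": r"%SystemRoot%\System32",
    "explorer.exe": r"%SystemRoot%",
}
# Document/media extensions used as bait in front of a real .exe (assumed list).
BAIT_EXTS = {"avi", "mp3", "jpg", "doc", "txt"}


def _norm(path):
    """Case-fold and normalise a Windows path so comparisons are exact."""
    return ntpath.normcase(ntpath.normpath(path))


def classify(path, system_root=r"C:\WINDOWS"):
    """Return 'protected', 'masquerade', 'double-extension' or 'unknown'."""
    folder, name = ntpath.split(_norm(path))
    if name in EXPECTED_DIR:
        home = _norm(EXPECTED_DIR[name].replace("%SystemRoot%", system_root))
        # Same name, right folder: the real OS file. Anywhere else: an impostor.
        return "protected" if folder == home else "masquerade"
    parts = name.split(".")
    if parts[-1] == "exe" and any(p in BAIT_EXTS for p in parts[1:-1]):
        return "double-extension"
    return "unknown"


def removal_candidates(paths, system_root=r"C:\WINDOWS"):
    """Keep only paths worth reviewing for removal; never a protected file."""
    return [p for p in paths
            if classify(p, system_root) in ("masquerade", "double-extension")]


# Paths taken from the posted script plus the genuine system locations.
SAMPLE = [
    r"C:\smss.exe",
    r"C:\WINDOWS\smss.exe",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe",
    r"C:\Funny UST Scandal.avi.exe.exe",
    r"C:\autorun.inf",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):17} {p}")
```

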
Jos (Developers) Posted July 14, 2008

> However those files should not be in the root of the drive. And if they are then you have a problem. Same thing with viruses that create a file named explorer.exe in the root of the home drive. Files found in the root will execute before files of the same name in the rest of the path.

All true but remember that the worst virus is the user self. Their ignorance causes much more data/time lost than anything else thus it is important to know what you are doing before doing it and even more important tell others to start deleting files!

GEOSoft Posted July 14, 2008

> All true but remember that the worst virus is the user self. Their ignorance causes much more data/time lost than anything else thus it is important to know what you are doing before doing it and even more important tell others to start deleting files!

What a change this is !!! We agree right across the board. The one thing that causes the most damage to a computer is the user and their total absence of fore-thought. I'm not too sure why the OP was using all those send()s anyway. The simple way would be to write the commands to a .cmd file then shellexecute() the file.

George

GEOSoft Posted July 14, 2008

Does anyone happen to have a copy of the autorun.inf file that this virus creates?

George

Confuzzled Posted July 20, 2008 (edited)

> Does anyone happen to have a copy of the autorun.inf file that this virus creates?

Refer http://www.avira.com/en/threats/section/fu...torun.fy.1.html for a sample. Funny how this seems to have struck in Pakistan/India mainly, the source of the first well documented malware all those decades ago. Most reliable functional anti-malware programs should be able to detect and neutralise this worm by now.

Warning: The script originally given in this thread (and the updated version) will not completely remove this malware. As already mentioned, a little knowledge can be dangerous.

Edited July 20, 2008 by Confuzzled

d4rk Posted July 20, 2008

Fine, I've seen many of this kind, they aren't too dangerous, just write somethings to Registry, etc... and it's easier to remove them, but at least having a knowledge about it, this guy just tried to share somethings but at first he didn't know about it very well

"Don't expect for a perfect life ... Expect a least troubles ones"
Contact me : ass@kiss.to
What I Have Done :
Favorites Manager Manage your favorite's folder, that's cool
PC Waker For those who want to save stickers
WebScipts Supporter For those who've just started with Web and WebScripts
Temporary Looker Simple but powerful to manage your Temporary folder, you know what you downloaded
[UDF] _NumberFormat() Better performance on number display
[UDF] _DirGet() What a folder contain [how many (hidden,normal,...) files], with one line of code
[UDF] _IsPressEs() Just like _IsPress() but for a group of keys

GEOSoft Posted July 20, 2008 (edited)

> Refer http://www.avira.com/en/threats/section/fu...torun.fy.1.html for a sample. Funny how this seems to have struck in Pakistan/India mainly, the source of the first well documented malware all those decades ago. Most reliable functional anti-malware programs should be able to detect and neutralise this worm by now.
> Warning: The script originally given in this thread (and the updated version) will not completely remove this malware. As already mentioned, a little knowledge can be dangerous.

I'm just working on a version that will remove it network-wide as a separate tool. I've done several AV scripts in the past that targeted a particular virus. From what I have discovered about this particular virus, some of the available tools do not work and others require that you run a separate app to remove it from USB devices. Since I also want it to remove the virus from USB drives/sticks which may have a legitimate autorun.inf file, I wanted to check the contents of the file that should be targeted. Better safe than sorry. Thanks all.

EDIT: One thing that I forgot to mention is that this particular virus appears to be experiencing a resurgence and most tools check only C:\ drive while the virus actually propagates to all of your drives.

Edited July 20, 2008 by GEOSoft

George

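One way to do the content check described in the post above before touching an autorun.inf, as an added example and not GEOSoft's tool: parse the [autorun] section and flag the file only when a launch key points at a file name this thread associates with the worm. The sample files are constructed, and the function names and the name list are assumptions.

```python
import re

# File names the thread ties to this worm (an assumption to confirm per sample).
WORM_NAMES = ("smss.exe", "funny ust scandal.avi.exe")
# autorun.inf keys that launch a program when the drive is opened.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def launch_commands(text):
    """Return the launch commands found in the [autorun] section."""
    section, commands = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "autorun" and LAUNCH_KEY.match(key.strip().lower()):
            commands.append(value.strip())
    return commands


def references_worm(text):
    """True only if a launch command names one of the worm's files."""
    for command in launch_commands(text):
        for name in WORM_NAMES:
            # Require a path/quote/space boundary so 'mysmss.exe' does not match.
            pattern = r'(^|[\\/"\s])' + re.escape(name) + r'($|["\s,])'
            if re.search(pattern, command.lower()):
                return True
    return False


def drives_to_clean(autorun_by_drive):
    """Check every drive, not just C:, and list those with a worm autorun.inf."""
    return sorted(d for d, text in autorun_by_drive.items() if references_worm(text))


# Constructed samples: NOT the worm's real file, just its general shape.
SUSPECT = "[AutoRun]\nopen=smss.exe\nshell\\open\\command=smss.exe\n"
VENDOR_CD = "[autorun]\nopen=setup.exe /silent\nicon=setup.exe,0\nlabel=Driver CD\n"
DRIVES = {"C:": SUSPECT, "E:": VENDOR_CD, "F:": SUSPECT.upper()}

if __name__ == "__main__":
    print(drives_to_clean(DRIVES))
```

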