Batch Antivirus from Notepad.
It's unbelievable that the companies themselves are promoting viruses.
Let me explain the working of the leading antivirus programs:
- One license protects one computer, both hardware and software.
- No antivirus (AV) program is intended to protect external storage devices like CD/DVD, flash drives, external HDDs etc.
- The AV program collects all virus code / infected files inside itself for evaluation.
- If anyone connects his drive to that system, the antivirus copies all the viruses onto that drive, and it infects another system.
- The victim buys another antivirus.
- And the story goes on...
It's a fact that no code, program or virus can SELF-RUN. Viruses are not automatic; something needs to trigger them, and there are many loopholes inside the Windows operating system for that.
A virus injects a few start-up bytes into Explorer.exe, winlogon.exe or svchost, so a few bytes differ from an unaffected Explorer.exe. Those bytes are just a link to the original virus file; they do not mean that Explorer itself is infected. The worst situation is when every EXE file in the PC has been injected with the virus link code; the only solution is to find and delete the original virus file.
I'll explain some of them here:
- AUTORUN.INF
- FILE SHARING & SECURITY
- Start up Entries beyond MS-Config
- Autoplay
- Wscript.exe
- Svchost.exe
- wmvcore.dll
AUTORUN.INF: one of the most massive waves of viruses spread through misuse of this file, and Windows itself promotes the autorun.inf feature. I can say that 99.9% of viruses use the autorun feature as their main tool to kill the customer. To stop the virus activity you need to kill the autorun feature.
Some funny symptoms, if I may say:
- If you delete autorun.inf, it reappears.
- If you move autorun.inf, it comes back.
- If you disable autorun in the registry, it gets enabled again.
- autorun.inf appears in every drive; you can't do anything at all.
What the victim usually does: start the PC (the start-up entry will surely run), then open any of the drives to get a file. That is enough to trigger the virus.
Just write this code in Notepad and save it as anty.bat. Run it from an account with administrator rights, because the HKLM keys below cannot be written otherwise.
@echo off
REM anty.bat: kill autorun.inf-based spreading and re-enable the tools the virus switched off.
REM Remove the bogus "Print" verb that the virus adds to every file type.
reg delete "HKCR\*\shell\@=P=r=i=n=t=" /f
REM Disable AutoRun for every drive type (0xFF = all bits set). The value must be a
REM REG_DWORD; Explorer ignores a REG_SZ "000000FF".
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255
REM Map autorun.inf to a registry key that does not exist, so Windows never parses the
REM file's contents at all. IniFileMapping is only honoured under HKLM.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f /ve /d "@SYS:DoesNotExist"
REM Belt and braces: the NoAutorun policy as well (also a REG_DWORD).
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v "NoAutorun" /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v "NoAutorun" /t REG_DWORD /d 1
REM Re-enable regedit and Task Manager, which the virus usually disables.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableRegistryTools" /t REG_DWORD /d 0
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 0
REM Point risky extensions at a do-nothing program, so double-clicking them runs nothing.
REM C:\iLEAP\e.exe is the author's own empty executable; put your own there.
REM This only changes what the shell launches on double-click: a program can still
REM load a .dll, and cmd.exe still runs a .com typed at the prompt.
ftype fakefile=C:\iLEAP\e.exe "%%1"
assoc .inf=fakefile
assoc .pif=fakefile
assoc .scr=fakefile
assoc .com=fakefile
assoc .dll=fakefile
assoc .img=fakefile
assoc .dos=fakefile
assoc .manifest=fakefile
assoc .vba=fakefile
assoc .vbe=fakefile
REM .vbs keeps its normal handler; .v .6 .` .1 are the author's private extensions for his own scripts.
assoc .vbs=vbsfile
assoc .v=vbsfile
assoc .6=vbsfile
assoc .`=vbsfile
assoc .1=batfile
REM For every drive present: force-delete the virus's autorun.inf (file or folder), then
REM replace it with a folder holding a trailing-dot file that ordinary tools cannot remove.
REM pootam\u.o is the author's renamed copy of Unlocker (/S silent, /D delete); use any
REM force-delete tool, or stop explorer.exe before running the script.
for %%c in (c d e f g h i j k l m n o p) do (
    if exist %%c:\nul (
        title Locking %%c:
        pootam\u.o "%%c:\autorun.inf" /S /D
        md %%c:\autorun.inf
        echo Hi > "\\?\%%c:\autorun.inf\siva."
    )
)
REM Everything below is the author's personal set-up from his F: drive, not part of the cleaning.
0t\lin.k "%userprofile%\Desktop\Firefox" "F:\a\o\MFF31\FirefoxPortable.exe" "" "" "" "" "f:\a\y\ico\mz.ico"
xcopy "F:\A\Y\0P\PHOTO_PRINT.CMD" "C:\Documents and Settings\Administrator\SENDTO\" /s/c/y
xcopy "F:\A\Y\0P\VLCRC" "C:\Documents and Settings\Administrator\Application Data\vlc\" /s/c/y
REM The leading colon makes the next line a label, so winvnc is NOT started.
:f:\n.o service start winvnc
start f:\a\y\rain\rm.o
exit
What this code does:
- Kills every trace of autorun in the registry: AutoRun is disabled for all drive types, and autorun.inf is mapped to a non-existent key so its contents are never read.
- Associates suspicious file extensions with a do-nothing program. Note that this only changes what a double-click launches; a program that loads a DLL, or cmd.exe running a .com from the prompt, never consults the association.
- 'pootam\u.o' is my favourite program, Unlocker. You can use your favourite force-delete program, or just kill explorer.exe while you run the .bat.
- The `\\?\%%c:\` prefix creates a file whose name ends with a dot. Normal Win32 path handling strips that dot, so Explorer and ordinary tools cannot open, modify or delete the file, and the virus cannot replace the autorun.inf folder with its own autorun.inf. It is not truly permanent, though: any tool that uses the same `\\?\` prefix can still remove it, so check the folder is still there after each clean-up.
The rest is your imagination. Please post if you have any doubts.
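The script above only neutralises autorun.inf; it never shows what the virus actually puts in the file. As an added example (not code from the original post), here is a small Python triage that reads an autorun.inf the way Windows does (case-insensitive keys in the [autorun] section, last duplicate wins), lists every file the shell could launch from it, and flags the verb hijack worms rely on: overriding the drive's Open/Explore verbs so that double-clicking the drive runs the payload. It also decodes the NoDriveTypeAutoRun bitmask that the script sets to 0xFF. The two autorun.inf texts are constructed samples, the RECYCLER\sys.exe path is invented, and the 0x91 default is the one documented for Windows Vista and later.

```python
"""Autorun.inf triage (added example; constructed samples, not real malware)."""
import re
from dataclasses import dataclass, field

# One bit per Win32 drive type; a set bit in NoDriveTypeAutoRun disables AutoRun for it.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}


def disabled_drive_types(mask):
    """Drive types for which NoDriveTypeAutoRun=mask disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


# shell\<verb>\command=<target>; only the verb name is captured.
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")
# Folders Explorer hides by default, a favourite place for a worm's payload.
HIDDEN_DIRS = re.compile(r"(recycler|recycled|\$recycle\.bin|system volume information)")


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}, last duplicate wins."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


@dataclass
class Triage:
    launches: list = field(default_factory=list)  # (trigger key, target) pairs
    flags: list = field(default_factory=list)     # human-readable reasons

    @property
    def suspicious(self):
        return bool(self.flags)


def triage(text):
    """List what an autorun.inf can launch and why it looks like a worm's."""
    e = parse_autorun(text)
    t = Triage()
    for key in ("open", "shellexecute"):  # the two direct launch keys
        if key in e:
            t.launches.append((key, e[key]))
    for key, value in e.items():  # verb overrides: shell\open\command etc.
        m = VERB_COMMAND.match(key)
        if m:
            t.launches.append((key, value))
            verb = m.group(1).lower()
            if verb in ("open", "explore", "find"):
                t.flags.append(f"overrides the drive's '{verb}' verb with {value}")
    if "shell" in e:  # changes which verb a double-click on the drive runs
        t.flags.append(f"changes the default verb to '{e['shell']}'")
    for trigger, target in t.launches:
        if HIDDEN_DIRS.search(target.lower()):
            t.flags.append(f"{trigger} runs from a normally hidden folder: {target}")
    return t


# Constructed worm-style autorun.inf: every way of opening the drive runs the payload.
WORM_INF = """\
[autorun]
open=RECYCLER\\sys.exe
shellexecute=RECYCLER\\sys.exe
shell\\open\\command=RECYCLER\\sys.exe
shell\\explore\\command=RECYCLER\\sys.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed installer-disc autorun.inf: one visible setup program, nothing hijacked.
CD_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Install Disc
"""

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("install disc", CD_INF)):
        r = triage(inf)
        print(f"{name}: suspicious={r.suspicious}")
        for trigger, target in r.launches:
            print(f"  launches via {trigger}: {target}")
        for flag in r.flags:
            print(f"  flag: {flag}")
    print("0xFF disables AutoRun on:", ", ".join(disabled_drive_types(0xFF)))
    print("0x91 (Vista+ default) disables AutoRun on:", ", ".join(disabled_drive_types(0x91)))
```

The install-disc sample still launches setup.exe, which is the legitimate use of the file; what separates the worm sample is not that it launches something but that it rewrites the Open and Explore verbs and points them into a hidden folder. The 0x91 decode shows why the script uses 0xFF: the Vista default still leaves removable, fixed and CD-ROM drives with AutoRun enabled.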