China DOS Union

-- Unite DOS · Advance DOS · Grow DOS --

Union site: www.cn-dos.net Forum site: www.cn-dos.net/forum
DOS stands for freedom, openness and progress. Let us work hard, learn from the openness and GNU spirit of FreeDOS and Linux, and together build and grow a free GNU GPL world!

中国DOS联盟论坛
The time now is 2026-07-15 00:25
中国DOS联盟论坛 » DOS批处理 & 脚本技术(批处理室) » [Original] Handling P for Immunity of a logo1_.exe (Viking Virus) View 2,613 Replies 9
Original Poster Posted 2006-12-04 02:40 ·  中国 四川 成都 电信
初级用户
Credits 105
Posts 44
Joined 2006-10-05 13:57
19-year member
UID 64618
Status Offline
The code is very simple, and I don't know much.
I still need to learn from everyone a lot

@Echo Off
color 0a
title logo1_.exe Virus Immunity Tool (Biner)
TASKKILL /F /IM logo1_.exe
TASKKILL /F /IM rundl132.exe
:0
cls
@echo off
color 0a
echo.
echo.
echo logo1_exe Virus Immunity logo1_exe Virus Trivia
echo.
echo.
echo. logo1_exe Virus Immunity Removal Clear All _desktop.ini Files
echo (DOS Empire Community: 2097500)
Set /P Choice= Please enter your choice:
Echo.
If '%Choice%'=='' goto 0
If /I '%Choice%'=='1' GOTO 1
If /I '%Choice%'=='2' GOTO 2
If /I '%Choice%'=='3' GOTO 3
If /I '%Choice%'=='4' GOTO cb
Goto 0
:1
cls
color 05
If Exist %windir%\logo1_.exe Del /F /S /Q %windir%\logo1_.exe>nul 2>nul
md %windir%\logo1_.exe\>nul 2>nul
md %windir%\logo1_.exe\Forbidding logo1 to Create Virus..\>nul 2>nul
attrib +s +h +r %windir%\logo1_.exe>nul 2>nul

If Exist %windir%\rundl132.exe Del /F /S /Q %windir%\rundl132.exe>nul 2>nul
md %windir%\rundl132.exe\>nul 2>nul
md %windir%\rundl132.exe\Forbidding rundl132 to Create Virus..\>nul 2>nul
attrib +s +h +r %windir%\rundl132.exe>nul 2>nul
cls
Echo.
echo Congratulations! logo1_.exe virus immunity is successful!
echo.
echo.
echo.
echo You will see folders named logo1_.exe and rundl132.exe under window
echo Please do not delete, actually you can't delete them!
ping 127.1 -n 5 >nul
del /f /s /q "%Temp%\*.bat"
goto 0
:2
cls
echo This virus is a compound virus integrated with executable file infection, network infection, downloading trojans, backdoor programs or other viruses under the Windows platform. After the virus runs, it disguises itself as a normal system file to confuse users. It modifies the registry items so that the virus can run automatically when the computer starts. At the same time, the virus bypasses the monitoring of the firewall through thread injection technology, connects to the website specified by the virus author to download specific trojans or other viruses. At the same time, after the virus runs, it enumerates all available shares in the internal network and tries to attack other machines through weak passwords, thereby infecting the target computer.>>logo.txt
echo During the running process, it infects the executable files on the user's machine, causing the user's machine to run slowly, destroying the executable files on the user's machine, and posing a threat to the user's security.>>logo.txt
echo The virus is mainly spread through shared directories, file bundling, running infected virus programs, virus-carrying email attachments and other methods.>>logo.txt
echo 1. After the virus runs, it copies itself to the Windows folder, and the file name is:>>logo.txt
echo   %Windir%\rundl132.exe>>logo.txt
echo 2. After running the infected file, the virus copies the virus body to the following file:>>logo.txt
echo %Windir%\logo_1.exe>>logo.txt
echo 3. At the same time, the virus will generate in the virus folder:>>logo.txt
echo %Current Virus Directory%\vidll.dll>>logo.txt
echo 4. The virus searches for all exe files in all available partitions starting from drive Z, and then infects all executable files with a size of 27kb-10mb. After infection, it generates in the infected folder:>>logo.txt
echo _desktop.ini (file attributes: system, hidden.)>>logo.txt
echo 5. The virus will try to modify the %SysRoot%\system32\drivers\etc\hosts file.>>logo.txt
echo 6. The virus realizes that the virus starts automatically when the computer starts by adding the following registry items:>>logo.txt
echo >>logo.txt
echo "load"="%Windir%\rundl132.exe">>logo.txt
echo >>logo.txt
echo "load"="%Windir%\rundl132.exe">>logo.txt
echo 7. When the virus runs, it tries to find the program with the form name "RavMonClass", and sends a message to close the program after finding the form.>>logo.txt
echo 8. Enumerate the following anti-virus software process names, and terminate their processes after finding them:>>logo.txt
echo Ravmon.exe>>logo.txt
echo Eghost.exe>>logo.txt
echo Mailmon.exe>>logo.txt
echo KAVPFW.EXE>>logo.txt
echo IPARMOR.EXE>>logo.txt
echo Ravmond.exe>>logo.txt
echo regsvc.exe>>logo.txt
echo RavMon.exe>>logo.txt
echo mcshield.exe>>logo.txt
echo 9. At the same time, the virus tries to terminate the relevant anti-virus software using the following commands:>>logo.txt
echo net stop "Kingsoft AntiVirus Service">>logo.txt
echo 10. Send ICMP probe data "Hello, World", judge the network status, when the network is available,>>logo.txt
echo Enumerate all shared hosts in the internal network, and try to connect to shared directories such as \\IPC$ and \admin$ with weak passwords. After successful connection, perform network infection.>>logo.txt
echo 11. Infect the exe files on the user's machine, but do not infect the files in the following folders:>>logo.txt
echo system>>logo.txt
echo system32>>logo.txt
echo windows>>logo.txt
echo Documents and settings>>logo.txt
echo system Volume Information>>logo.txt
echo Recycled>>logo.txt
echo winnt>>logo.txt
echo Program Files>>logo.txt
echo Windows NT>>logo.txt
echo WindowsUpdate>>logo.txt
echo Windows Media Player>>logo.txt
echo Outlook Express>>logo.txt
echo Internet Explorer>>logo.txt
echo ComPlus Applications>>logo.txt
echo NetMeeting>>logo.txt
echo Common Files>>logo.txt
echo Messenger>>logo.txt
echo Microsoft Office>>logo.txt
echo InstallShield Installation Information>>logo.txt
echo MSN>>logo.txt
echo Microsoft Frontpage>>logo.txt
echo Movie Maker>>logo.txt
echo MSN Gaming Zone>>logo.txt
echo 12. Enumerate system processes, and try to selectively inject the virus dll (vidll.dll) into the processes corresponding to the following process names:>>logo.txt
echo Explorer >>logo.txt
echo Iexplore>>logo.txt
echo After finding the process that meets the conditions, randomly inject one of the above two processes.>>logo.txt
echo 13. When the external network is available, the injected dll file tries to connect to the following websites to download and run relevant programs:>>logo.txt
echo http://www.flysky168.com/han/xz/11.exe>>logo.txt
echo http://www.flysky168.com/han/xz/22.exe>>logo.txt
echo http://www.flysky168.com/han/xz/33.exe>>logo.txt
echo http://www.flysky168.com/han/xz/44.exe>>logo.txt
echo http://www.flysky168.com/han/xz/55.exe>>logo.txt
echo http://www.flysky168.com/han/xz/66.exe>>logo.txt
echo 14. After the virus is downloaded successfully, write the following registry items:>>logo.txt
echo >>logo.txt
echo "auto"="1">>logo.txt
notepad logo.txt
del logo.txt
goto 0
:3
cls
color 04
echo.
echo.
echo.
echo There will be a risk of infecting the logo1_.exe virus if you remove it!!!!!
echo.
echo.
Set /P Choice= If you want to continue the operation, please choose:
If /I '%Choice%'=='Y' GOTO Y
If /I '%Choice%'=='N' GOTO 0
PAUSE >NUL
:Y
If Exist %windir%\logo1_.exe Del /F /S /Q %windir%\logo1_.exe>nul 2>nul
rd %windir%\logo1_.exe\>nul 2>nul
rd %windir%\logo1_.exe\Forbidding logo1 to Create Virus..\>nul 2>nul
attrib -s -h -r %windir%\logo1_.exe>nul 2>nul
rd %windir%\logo1_.exe
If Exist %windir%\rundl132.exe Del /F /S /Q %windir%\rundl132.exe>nul 2>nul
rd %windir%\rundl132.exe\>nul 2>nul
rd %windir%\rundl132.exe\Forbidding rundl132 to Create Virus..\>nul 2>nul
attrib -s -h -r %windir%\rundl132.exe>nul 2>nul
rd %windir%\rundl132.exe
cls
Echo.
echo.
echo.
echo.
echo Congratulations! logo1_.exe virus immunity removal is successful!
ping 127.1 -n 3 >nul
goto 0
:cb
cls
@echo off
color 06
echo.
echo.
echo.
echo.
echo Scanning _desktop.ini files……
if exist "%tmp%\note.txt" del /a "%tmp%\note.txt" >nul 2>nul
set num=0
setlocal enabledelayedexpansion
for %%i in (c d e f g h i j k l m n o p q r s t u v w x y z) do (
if exist %%i: (
cd\
for /f "tokens=*" %%a in ('dir /s /a-d /b %%i:\_desktop.ini') do (
echo %%a>>"%tmp%\note.txt"
set /a num=!num!+1
del /q /a /f "%%a"
)
)
)
cls
echo Total files deleted: %num%

if not "%num%"=="0" start "" "%tmp%\note.txt"
echo Congratulations! All _desktop.ini files have been deleted!
ping 127.1 -n 3 >nul
goto 0


Welcome to join DOS Empire Community: 2097500

[ Last edited by chengbiner on 2006-12-4 at 02:43 AM ]
Floor 2 Posted 2006-12-04 06:06 ·  中国 广东 肇庆 四会市 电信
中级用户
★★
Credits 384
Posts 189
Joined 2005-10-19 13:12
20-year member
UID 43709
Gender Male
Status Offline
Originally posted by chengbiner at 2006-12-4 02:40:
Welcome to join the DOS Empire Community: 2097500


Thank you on behalf of the majority of users, but it's not decent to do advertising.
Floor 3 Posted 2006-12-05 02:15 ·  IANA 局域网IP(Private-Use)
初级用户
★★
Credits 136
Posts 59
Joined 2006-06-02 16:05
20-year member
UID 56438
Status Offline
Thanks
Floor 4 Posted 2006-12-06 01:36 ·  中国 广东 广州 天河区 电信
初级用户
千浪小子
Credits 52
Posts 22
Joined 2006-10-19 01:02
19-year member
UID 66621
Status Offline
Thanks..
Added to my toolkit
Floor 5 Posted 2006-12-06 01:40 ·  中国 湖北 武汉 电信
版主
★★★★★
Credits 11,386
Posts 4,938
Joined 2006-07-23 17:10
19-year member
UID 59080
Status Offline

  Not bad, relatively comprehensive, I can't write it~ Learn...
Floor 6 Posted 2006-12-06 04:59 ·  中国 四川 成都 电信
初级用户
Credits 105
Posts 44
Joined 2006-10-05 13:57
19-year member
UID 64618
Status Offline
Originally posted by voiL at 2006-12-4 06:06:


Thank you on behalf of the majority of users, but it's not nice to do advertising.


Oh my god
Where is the advertising?
It's just a group, right?
I'm a student, I don't have a group, I just want to find some people to learn with!
Floor 7 Posted 2006-12-06 08:30 ·  中国 广东 东莞 电信
银牌会员
★★★
Credits 1,179
Posts 442
Joined 2006-09-09 22:47
19-year member
UID 62249
Status Offline
Thank you, the landlord. I just got this virus a few days ago, but I didn't use the landlord's this one to kill the virus. It would be great if it came out a few days earlier. I could do the test there.
Floor 8 Posted 2006-12-07 22:59 ·  中国 湖南 郴州 电信
初级用户
Credits 66
Posts 28
Joined 2006-11-01 04:54
19-year member
UID 69099
Gender Male
Status Offline
Personally, I don't think this method is very feasible. This principle is the same as the original anti-ARP. But what if the virus author changes the file name of the virus? So I think it still doesn't solve the problem fundamentally. Personal opinion.
Floor 9 Posted 2006-12-08 11:03 ·  中国 广东 广州 电信
中级用户
★★
Credits 259
Posts 112
Joined 2006-09-18 04:55
19-year member
UID 62928
Gender Male
Status Offline
This code is not bad. Who has the Worm.Viking virus? Upload it and try it~~ Kaka
Floor 10 Posted 2007-10-19 19:13 ·  中国 江苏 南京 电信
初级用户
★★
Batchs上議院參議長
Credits 199
Posts 105
Joined 2007-06-05 12:00
19-year member
UID 90300
Gender Male
From 江苏
Status Offline
Welcome back, nice script!
『生如夏花之绚烂
死若秋叶之静美』 dos做到了
Forum Jump: