Ist diese Datei gefährlich?

trojano · 24.08.2007, 21:22

Antivir erkennt als einziges Virenprogramm einen HTML-Exploit, ich kann aber keinen gefährlichen Code ausmachen... müsste ja einfach zu sehen sein für jemanden der was davon versteht. Hier ist der Programmcode, es handelt sich um eine .bat Datei.

Code:

ATTFilter

@echo off
::Edited 12:32 AM 1/19/2007
:: s!ri thanks for sharing your script
if [%OS%]==[Windows_NT] set path=%windir%;%SystemRoot%\system32

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO winme

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last

:NT
Echo.
Echo SpyBot and Tea Timer must be closed!! & pause
Echo.
CScript /?>nul 2>&1 && echo/Check OK>log1.txt || echo/Windows Script Host access is disabled on this machine. >log2.txt
if exist log1.txt goto continue

echo Post this in the forum please.>>log2.txt & start notepad log2.txt & exit 

:continue
if exist log1.txt del log1.txt

echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath ^& "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" ^& TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath ^& "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" ^& TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat


(@echo off
del /q %CommonAppData%\spybot~1\Snapshots\*.*
del /q %CommonAppData%\spybot~1\Snapshots2\*.*
del /q %CommonAppData%\spybot~1\excludes\RegKeyWhite.sbe
del /q %CommonAppData%\spybot~1\excludes\RegKeyblack.sbe
del /q %CommonAppData%\spybot~1\excludes\ProcWhite.sbe
del /q %CommonAppData%\spybot~1\excludes\ProcBlack.sbe
del /q %CommonAppData%\spybot~1\excludes\UpdateDL.sbe
del /q %CommonAppData%\spybot~1\logs\resident.log
)>NUL 2>&1
Echo.
Echo Finished & pause & exit

:win
Echo.
Echo SpyBot and Tea Timer must be closed!! 
pause
echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath & "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath & "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat




deltree /y %AppData%\spybot~1\snapshots\*.*
deltree /y %AppData%\spybot~1\Snapshots2\*.*
del %AppData%\spybot~1\logs\resident.log
del %AppData%\spybot~1\excludes\ProcBlack.sbe
del %AppData%\spybot~1\excludes\ProcWhite.sbe
del %AppData%\spybot~1\excludes\RegKeyWhite.sbe
del %AppData%\spybot~1\excludes\RegKeyBlack.sbe
del %AppData%\spybot~1\excludes\UpdateDL.sbe
cls
Echo.
Echo Finished
exit



:winme
Echo.
Echo SpyBot and Tea Timer must be closed!! 
pause
echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath & "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath & "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat


del /y %CommonAppData%\spybot~1\snapshots\*.*
del /y %CommonAppData%\spybot~1\snapshots2\*.*
del %CommonAppData%\spybot~1\excludes\UpdateDL.sbe
del %CommonAppData%\spybot~1\excludes\RegKeyWhite.sbe
del %CommonAppData%\spybot~1\excludes\RegKeyblack.sbe
del %CommonAppData%\spybot~1\excludes\ProcWhite.sbe
del %CommonAppData%\spybot~1\excludes\ProcBlack.sbe
del %CommonAppData%\spybot~1\logs\resident.log
cls
Echo.
Echo Finished
exit

:last
echo Press any key to terminate,..
pause
exit

cosinus · 25.08.2007, 16:42

Hallo.

Bevor wir jetzt umfangreich den Code analysieren, wo hast du die Datei her?

.::|||::. · 25.08.2007, 17:45

Wenn man den Anfang bei Google eingibt, kommt man irgendwann nach:
hxxp://downloads.subratam.org/ResetTeaTimer.bat
Ein Programm um den TeaTimer zu resetten?
Mfg

trojano · 26.08.2007, 01:29

Genau. Bin mir aber mittlerweile sehr sicher, dass es ein Fehlalarm war. AntiVir ist auch bei Jotti das einzige Programm, das da anschlägt und im Code stehen auch keine IPs oder ähnliches.

25.08.2007, 16:42	#2
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Ist diese Datei gefährlich? Hallo. Bevor wir jetzt umfangreich den Code analysieren, wo hast du die Datei her? __________________ __________________

Ist diese Datei gefährlich?

Plagegeister aller Art und deren Bekämpfung: Ist diese Datei gefährlich?