Hacked by Godzilla?

Posted by ghimau under
You come into your office, open your favourite IE, and suddenly you've been "Hacked by Godzilla"?

'Hacked by Godzilla Removal - ghimau
On Error Resume Next
Const PAYLOAD = "ms32dll.dll.vbs"   'name of the dropped worm script; change this for variants
Dim wshshell, fs, wmi, p, fd, myWinPath, oldVal

MsgBox "Hacked by Godzilla Removal" & vbCrLf & ".::ghimau::."
Set wshshell = WScript.CreateObject("WScript.Shell")
Set fs = CreateObject("Scripting.FileSystemObject")

'Stop the running worm. It runs inside wscript.exe, so a plain
'"TaskKill /F /im wscript.exe" would also kill this cleaner; terminate
'every other wscript.exe instance instead and leave our own alone.
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
For Each p In wmi.ExecQuery("SELECT * FROM Win32_Process WHERE Name='wscript.exe'")
    If InStr(1, p.CommandLine, WScript.ScriptName, vbTextCompare) = 0 Then p.Terminate
Next

'Clear the hidden/system/read-only attributes the worm sets, then delete the file
Sub RemoveFile(sPath)
    Dim f
    If fs.FileExists(sPath) Then
        Set f = fs.GetFile(sPath)
        f.Attributes = 0
        f.Delete True
    End If
End Sub

'1. Copies dropped into the Windows folder
myWinPath = fs.GetSpecialFolder(0)   '0 = WindowsFolder
RemoveFile fs.BuildPath(myWinPath, PAYLOAD)
If fs.FileExists(fs.BuildPath(myWinPath, "autorun.inf")) Then
    RemoveFile fs.BuildPath(myWinPath, "autorun.inf")
    MsgBox "tutup" & "ditutup."
End If

'2. Copies in the root of every removable (1) and fixed (2) drive, except the floppy
For Each fd In fs.Drives
    If (fd.DriveType = 1 Or fd.DriveType = 2) And fd.Path <> "A:" And fd.IsReady Then
        RemoveFile fs.BuildPath(fd.RootFolder.Path, PAYLOAD)
        RemoveFile fs.BuildPath(fd.RootFolder.Path, "autorun.inf")
    End If
Next
Set fs = Nothing

'3. Persistence: the Run value and the hijacked IE window title
Err.Clear
oldVal = wshshell.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ms32dll")
If Err.Number = 0 Then
    wshshell.RegDelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ms32dll"
    wshshell.RegDelete "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title"
End If

'WScript.Echo "Hacked by Godzilla telah dibersihkan" & vbCrLf & ".::ghimau::."
Set wshshell = Nothing


Just copy the script above, paste it into Notepad, save it as "something.vbs", and double-click your new file. You're done!

OK, there are some other variants, such as "Hacked by Pokemon" and "Hacked by HackersMalaysia". Basically they use the same payload, ms32dll.dll.vbs, changed a little to suit their purpose.

So you need to identify the payload they are using. In this case it is ms32dll.dll.vbs, but they may have renamed it to something different. Then alter the script above slightly: change every occurrence of ms32dll.dll.vbs to the new payload name they are using.
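As an added example (not part of ghimau's post), here is a small Python triage helper that does the identification step just described on a constructed snapshot: it pulls the .vbs name out of every autorun.inf it sees, then looks for that name in the Windows folder, the drive roots and the Run key, so a renamed variant is caught as well as the original. The autorun.inf keys it parses (open=, shellexecute=, ...command=) and the snapshot paths and values are assumptions, not taken from a real infection.

```python
"""Triage helper for the ms32dll.dll.vbs autorun worm described above.
Added example, not the author's script. Works on a constructed snapshot
(file listing, autorun.inf text, Run-key values) so it runs offline; on a
real host you would feed it a directory listing and the exported Run key."""
import re

KNOWN_PAYLOAD = "ms32dll.dll.vbs"   # name the Godzilla variant uses
RUN_VALUE = "ms32dll"               # Run value the cleaner above deletes
VBS_NAME = re.compile(r"([\w.-]+\.vbs)\b", re.IGNORECASE)

def payload_from_autorun(text):
    """Return the .vbs file an autorun.inf launches (lower-cased), or None.
    Assumes the launcher is on an open=, shellexecute= or ...command= line."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or key.endswith("command"):
            m = VBS_NAME.search(value)
            if m:
                return m.group(1).lower()
    return None

def find_indicators(files, run_values):
    """files: {path: contents}; run_values: {Run value name: command}.
    Returns human-readable findings for launcher autorun.inf files, dropped
    payload copies and persistence, including renamed variants."""
    findings, payloads = [], {KNOWN_PAYLOAD}
    for path, content in files.items():          # learn renamed payloads first
        if path.lower().endswith("autorun.inf"):
            name = payload_from_autorun(content)
            if name:
                payloads.add(name)
                findings.append(f"launcher {path} -> {name}")
    for path in files:                            # copies in %WINDIR% / drive roots
        if path.replace("\\", "/").rsplit("/", 1)[-1].lower() in payloads:
            findings.append(f"payload copy: {path}")
    for name, cmd in run_values.items():          # persistence
        if name.lower() == RUN_VALUE or any(p in cmd.lower() for p in payloads):
            findings.append(f"Run value {name} -> {cmd}")
    return findings

# Constructed snapshot: the original payload on C: plus a renamed variant
# ("variant.dll.vbs" is a made-up name) on a USB stick mounted as E:
SAMPLE_FILES = {
    r"C:\WINDOWS\ms32dll.dll.vbs": "",
    r"C:\WINDOWS\notepad.exe": "",
    r"E:\autorun.inf": "[autorun]\nshellexecute=wscript.exe variant.dll.vbs\n",
    r"E:\variant.dll.vbs": "",
}
SAMPLE_RUN = {"ms32dll": r"C:\WINDOWS\ms32dll.dll.vbs", "ctfmon": "ctfmon.exe"}

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_FILES, SAMPLE_RUN):
        print(finding)
```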
