Talk:Daprosy Worm

Latest comment: 13 years ago by 112.198.78.92 in topic D-Prot: The Original and Naked Daproy Worm

Daprosy Trojan Worm would infect system folders with executable files that bear system folder icons. This is a widely used social engineering technique by worms like Brontok where a victim is being tricked to open a file that looks like a folder. Special script is needed to remove the worm since it blocks almost all popular antivirus utilities.

Although known to send stolen information, Daprosy Worm is more likely designed to introduce deliberate errors on Windows computer systems with possible little or no sinister motives rather than programming exhibitionism.

Eight months of statistics show that Daprosy Trojan Worm can now be considered a very minor or insignificant worm with no impact on overall computing environment. It's most likely that it was indeed written by amateurish IT students. Most anti-virus utilities are now able to remove it.

A popular and probably the first and original independent script to remove known strains of Daprosy worm is available as password-protected Winrar SFX at http://www.filefront.com/14560747/class-x.exe/. The password for the said SFX file is subatomica. Download it for free. Said script is not covered by any copyright law.

Unknown and new variants of Daprosy worm still circulate and pose threats especially those that are infected by SALITY viruses. The e-mail-sending capability of the worm could have been blocked long ago but said worm is known to leave encrypted keystrokes to infected computers which, in some way, cannot be ignored.

Originally, Daprosy worm could be removed using the TaskKill command supplemented with registry manipulation commands. However, recent virus infected strains appear which render manual removal difficult. It is a very fast local infector and could spread to strategic locations on all drives in a matter of seconds. Network drives also gets infected by this trojan worm.

As of June, 2010 Daprosy worms are still rampant in internet cafes. Special or dedicated scripts are required to isolate this worm.

It is a very good sign that we no longer receive e-mails from this worm. Possibly, its e-mail account has been blocked long time ago thus preventing it to send mails via SMTP automatically. It can no longer spread via spammed e-mail but is reduced to a USB device noob worm. Happily, we have lots of utilities that protect computers from viruses coming from USB devices so infection from Daprosy worm is greatly reduced.

We appeal to major antivirus makers to consider creating special script to remove this worm. It is observed that a computer infected by Daprosy worm is almost unusable.

Class-X.Bat Script

edit

Below is a DOS batch script for removing known strains of Daprosy trojan worm from SubAtomica.


@echo off

title Daprosy Exterminator v1(a) by SubAtomica

color 0a

cls

echo Daprosy Exterminator v1(a)

echo Copyleft 2009 by SubAtomica

echo Emergency Release

echo NOT FOR SALE!

echo.

echo A batch script to remove known strains of Daprosy worm including

echo Autorun-AMS/AMW/APL from memory and disk drives.

echo.

echo This utility is provided "AS IS"

echo without warranty of any kind --

echo use at your own risk!!

echo.

echo Please make a backup of ALL your important data before running

echo this script. We do not want you to lose them when system goes

echo very unstable which is not unlikely to happen when you have

echo acquired multiple infections in your system.

echo.

echo IMPORTANT: Do not use browser, e.g. Windows Explorer, while

echo scanning is in progress!

echo.

echo.

pause

cls

echo Terminating processes...

echo.

for /l %%i in (1,1,5) do call :k0

cls

echo Cleaning registry...

echo.

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /f

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WinSys /f

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v LSAgent /f

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v LSAShell /f

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Dirlock /f

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Dirlocker /f

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d Explorer.exe /f

cls

echo Deleting files...

echo.

echo This part could take at least half an hour to complete.

echo Please be patient while Daprosy clones are being deleted

echo and "infected" folders are revived one by one.

echo.

for /f %%v in (drives.txt) do call :k3 %%v:\

color 0e

cls

echo Done cleaning system from Daprosy worm!

echo Rerun this script whenever necessary.

echo.

pause

goto :eof

:k0

taskkill /im lsass.exe /fi "username ne nt authority\system" /f

taskkill /im winnthlp1.exe /im winnthlp2.exe /im nthlpsvc1.exe /im nthlpsvc2.exe /f

taskkill /im dirlock.exe /im winzip.exe /f

goto eof:

:k1

if not exist "%~f1.exe" goto :1

if not %~a1==d--hs---- goto :1

attrib -r -h -s "%~f1"

attrib -r -h -s "%~f1.exe"

echo Recovered %~f1

del "%~f1.exe"

:1

call :k2 "%~f1\autorun.inf"

call :k2 "%~f1\kbdsys.exe"

call :k2 "%~f1\classified.exe"

call :k2 "%~f1\do not open - secrets!.exe"

call :k2 "%~f1\read1st!.exe"

call :k2 "%~f1\read1st.exe"

call :k2 "%~f1\1.exe"

call :k2 "%~f1\2.exe"

call :k2 "%~f1\dirlock.exe"

call :k2 "%~f1\winnthlp1.exe"

call :k2 "%~f1\winnthlp2.exe"

call :k2 "%~f1\nthlpsvc1.exe"

call :k2 "%~f1\nthlpsvc2.exe"

call :k2 "%~f1\mp3-hot-collections.exe"

call :k2 "%~f1\mp4-hot-collections.exe"

goto :eof

:k2

if not exist "%~f1" goto :2

attrib -r -h -s "%~f1"

del "%~f1"

echo Deleted %~f1

:2

goto :eof

:k3

if not exist %1con goto :3

echo Processing Drive %1

for /r %1 %%v in (.) do call :k1 "%%v"

:3

goto :eof

D-Prot: The Original and Naked Daproy Worm

edit

Daprosy worm is the adulterated D-Prot worm detected by Kaspersky as Worm.Win32.AutoRun.ausp. D-Prot does not create Goats.Exe file. D-Prot worm is the naked or original strain of Daprosy worm which later has different strains due to viral infection. Naked strains of Daprosy are not virulent.

D-Prot worm consists only of these modules and classes:

 dprot_main
 dprot_common
 RegClass
 ResClass
 BugClass
 MailClass

Using VB Decompiler Lite v8.2, we are able to “see” the Visual Basic modules and classes used by the worm. Based on the module names and API classes used by the worm, it manipulates the registry, taps keyboard strokes and sends mails! Also, using SystemInternalsSuite’s process explorer, we could see four processes with folder –like icons running in the memory. It is observed that these processes revive each other when one of them is terminated. Use taskill.exe or tskill.exe in command prompt to simultaneously kill these processes.

Use class-x.bat by SubAtomica to wipe out Daprosy from infected system. — Preceding unsigned comment added by 112.198.78.92 (talk) 15:19, 25 June 2011 (UTC)Reply