Friday, November 27, 2009

熊猫烧香 Panda Burning Incense virus - the new version is a variant, called Worm_Piloyd.B

Li Jun, aka “Virus King,” designed the 熊猫烧香 / Panda Burning Incense / joss-sticks virus that wreaked havoc in China in 2006 - 2007.  He spent 2 1/2 years in prison and was, or is, due to be released at the end of this year. Perhaps he already has been, because a new version of this virus is now making the rounds in China (though a variant does not require the original author's involvement — anyone with the leaked source could have produced one).


Here is a Chinese language article (Google translated) about the author of the virus


The script below (from someone named 'bobo') is supposed to remove the original version of the virus. Note that it is a blunt tool: it force-kills a fixed list of process names and force-deletes fixed file names across drives C: to G: (including every desktop.ini it finds), so read it before running it on anything but a throwaway test system:





xiongmaoshaoxiangshaduchengxu (pinyin for 熊猫烧香杀毒程序, “Panda Burning Incense removal program”)
Panda virus "remover" for research purposes
/*  autorun virus killing programme   */
#include "stdio.h"
#include "stdlib.h"
#define a "pause"                 /* console command run after each step: wait for a key press */
#define b "cls"                   /* console command run after each step: clear the screen */
void timedelay(void);            /* busy-wait pause inserted before each step */
void taskkill(void);             /* force-terminate a fixed list of process image names */
void viruskill(void);            /* force-delete a fixed list of dropped executables */
void autosetupkill(void);        /* delete setup.exe / autorun.exe on drives C: to G: */
void desktopkill(void);          /* delete desktop.ini files on drives C: to G: (recursive) */
void autodefense(void);          /* pre-create autorun.inf directories on drives C: to G: */
void timedelay(void)          /* crude pause: two nested empty counting loops, no sleep() call */
{
    /* NOTE(review): an optimizing compiler is free to remove an empty
     * loop with no observable effect, so the pause is only noticeable
     * in unoptimized builds. */
    long outer = 0;
    while (outer < 90000) {
        long inner = 0;
        while (inner < 9000) {
            inner++;
        }
        outer++;
    }
}
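void taskkill(void)             /* force-terminate the worm's process image names */
{
    /* Image names passed to `taskkill /f /t /im` (force, including child
     * processes).  "spoclsv.exe" is the file viruskill() deletes from
     * System32\Drivers; the original list only had the misspelt
     * "spcolsv.exe", which would leave the real process running and make
     * the later del /f fail on the in-use executable.  Both spellings are
     * kept.  NOTE(review): msmsgs.exe is also the file name of the
     * legitimate Windows Messenger binary -- confirm before relying on
     * this entry. */
    static const char *const images[] = {
        "spoclsv.exe",   /* main process; the original note says others may exist */
        "spcolsv.exe",
        "FuckJacks.exe",
        "nvscv32.exe",
        "sxs.exe",
        "iexpl0re.exe",
        "svohost.exe",
        "svcshare.exe",
        "heixia.exe",
        "msmsgs.exe",
    };
    char cmd[128];

    printf("killing virus task...\n");
    timedelay();
    for (size_t i = 0; i < sizeof images / sizeof images[0]; i++) {
        /* Only fixed literals reach system(): no user-controlled input. */
        int n = snprintf(cmd, sizeof cmd, "taskkill /f /t /im %s", images[i]);
        if (n < 0 || (size_t)n >= sizeof cmd) {
            continue;           /* cannot happen with this table; defensive */
        }
        /* Return status is ignored as in the original; a nonzero status
         * usually just means no process of that name was running. */
        system(cmd);
    }
    printf("virus task has been killed!\n");
    system(a);
    system(b);
}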
void viruskill(void)             /* force-delete the worm's dropped executables */
{
    /* For each path: clear the system/hidden/read-only attributes, then
     * force-delete.  `del /s` also searches the subdirectories of the
     * named folder for a file of that name. */
    static const char *const paths[] = {
        "C:\\WINDOWS\\System32\\Drivers\\spoclsv.exe",
        "C:\\WINDOWS\\system32\\drivers\\nvscv32.exe",
        "C:\\Windows\\System32\\FuckJacks.exe",
    };
    char cmd[160];

    printf("killing virus files...\n");
    timedelay();
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        /* Fixed literals only; nothing user-controlled reaches system(). */
        (void)snprintf(cmd, sizeof cmd, "attrib -s -h -r %s", paths[i]);
        system(cmd);
        (void)snprintf(cmd, sizeof cmd, "del /f /s /q /a %s", paths[i]);
        system(cmd);
    }
    printf("virus files have been killed!\n");
    system(a);
    system(b);
}
void autosetupkill(void)           /* delete setup.exe and autorun.exe from the root of drives C: to G: */
{
    /* Per drive: strip attributes and delete setup.exe from the drive
     * root, then the same for autorun.exe.  NOTE(review): the autorun.exe
     * deletion uses /s, so every subdirectory of the drive is searched
     * and any file of that name is removed, whereas setup.exe is only
     * removed from the root -- confirm this asymmetry is intended, since
     * legitimate installers use both names. */
    static const char drives[] = "cdefg";
    char cmd[96];

    printf("killing autorun and setup...\n");
    timedelay();
    for (const char *d = drives; *d != '\0'; d++) {
        /* Fixed literals only; nothing user-controlled reaches system(). */
        (void)snprintf(cmd, sizeof cmd, "attrib -s -h -r %c:\\setup.exe", *d);
        system(cmd);
        (void)snprintf(cmd, sizeof cmd, "del /f /q /a %c:\\setup.exe", *d);
        system(cmd);
        (void)snprintf(cmd, sizeof cmd, "attrib -s -h -r %c:\\autorun.exe", *d);
        system(cmd);
        (void)snprintf(cmd, sizeof cmd, "del /f /q /s /a %c:\\autorun.exe", *d);
        system(cmd);
    }
    printf("autorun and setup files have been killed!\n");
    system(a);
    system(b);
}
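void desktopkill(void)             /* recursively delete desktop.ini on drives C: to G: */
{
    /* Per drive: `attrib ... /s` clears the attributes of every matching
     * desktop.ini on the drive, then `del /s` removes them all.
     * NOTE(review): this is not limited to anything the worm may have
     * dropped -- it deletes every desktop.ini on the drive, including the
     * files Windows itself uses for folder customisation.  Confirm this
     * collateral damage is acceptable before running it.
     * Fix vs. original: the completion message said "benen" instead of
     * "been". */
    static const char drives[] = "cdefg";
    char cmd[64];

    printf("killing desktop files...\n");
    timedelay();
    for (const char *d = drives; *d != '\0'; d++) {
        /* Fixed literals only; nothing user-controlled reaches system(). */
        (void)snprintf(cmd, sizeof cmd, "attrib -s -h -r %c:\\desktop.ini /s", *d);
        system(cmd);
        (void)snprintf(cmd, sizeof cmd, "del /f /s /q /a %c:\\desktop.ini", *d);
        system(cmd);
    }
    printf("desktop has been killed!\n");
    system(a);
    system(b);
}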
void autodefense(void)             /* "immunise" drives C: to G: against autorun.inf */
{
    /* Per drive: create a directory named autorun.inf so that a file of
     * that name cannot be written to the drive root, then a subdirectory
     * whose name ends in dots ("a..\") -- presumably meant to make the
     * autorun.inf directory hard to remove with ordinary tools.
     * Unlike the other steps, this one does not pause/clear afterwards. */
    static const char drives[] = "cdefg";
    char cmd[64];

    printf("now beginning create files...\n");
    timedelay();
    for (const char *d = drives; *d != '\0'; d++) {
        /* Fixed literals only; nothing user-controlled reaches system(). */
        (void)snprintf(cmd, sizeof cmd, "md %c:\\autorun.inf", *d);
        system(cmd);
        (void)snprintf(cmd, sizeof cmd, "md %c:\\autorun.inf\\a..\\", *d);
        system(cmd);
    }
    printf("virus defense has been finished!\n");
}
int main(void)            /* entry point: run each cleanup step in order, then pause and clear */
{
    /* Order matters: processes are killed before their files are deleted,
     * and the autorun.inf directories are created last. */
    static void (*const steps[])(void) = {
        taskkill,
        viruskill,
        autosetupkill,
        desktopkill,
        autodefense,
    };

    printf("this is a autorun virus killing programme!\n");
    timedelay();
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++) {
        steps[i]();
    }
    printf("congratulations to you that you kill all the autorun virus!\n");
    system(a);
    system(b);
    return 0;
}



Download the original virus source code of 'panda burning incense' (password protected; you need to contact me for the password). The three files are the same thing; I posted all three in case you see any difference — I didn't. Treat the archive as live malware source: handle it only on an isolated analysis system.


