writing BFU scripts


3 replies to this topic

#1 Guest_DadsPeeCee_* (Guest)

Posted 30 May 2006 - 08:24 AM

How do you write BFU scripts? For instance, Swandog46 had Classy Lady download qoofix.bat in http://forums.spywar...abetterinternet, to get rid of a nasty malware similar to one I've found on one of my client's computers. It resisted all methods including Ad-Aware, Spybot, manually erasing registry entries using Regedit, all of the above in normal mode, safe mode, with System Restore turned off, etc.

Where did the checksum entries come from in the script? Are they particular to the spyware? If I could learn how to write these scripts, I could do my little part in ridding the world of spyware one computer at a time.

Thanks.

p.s. Let me clarify my questions because the above looks a little vague.

Is each BFU script unique to a given computer's problem? If so, how can I identify the offending files and where they hide? I read the BFU manual and I understand the commands; however, in my client's case, there were a couple of executables that showed up when running in Task Manager's process window and as files on the hard drive, but in Safe mode they disappeared. Presumably there is some master file somewhere (a Mother .dll?) that takes control of the computer and rewrites the executables on start up then deletes them at shutdown.

Are the checksums in qoofix.bat universal or specific to Classy Lady's problem? If specific, how did Swandog46 come up with them?

I don't have the HJT logfile, but the entries in it were exactly the same as the F2s in Classy Lady's. Help! I feel like we're losing the war here.

Edited by DadsPeeCee, 30 May 2006 - 12:21 PM.


#2 Swandog46 (Forum Deity, Retired Staff, 10,190 posts)

Posted 07 June 2006 - 10:12 PM

Hi DadsPeeCee :)

Welcome to SWI! I hope you are still reading this.

The best (in fact, the ONLY) reference on how to write BFU scripts is the RTF file documentation Merijn includes with the BFU.exe download (which I see you say you have read). If you are familiar with shell or batch scripting, it is a similar sort of syntax, though with more commands obviously. You sound like you have programming experience.

Where did the checksum entries come from in the script? Are they particular to the spyware?

Yes they are. They just happen to be checksums that match the files of this infection. We know this because we harvest infectors and infected files from users, infect ourselves with them on isolated test systems, and analyze the files for identifying features (filenames, checksums, hex patterns, printable strings, registry behavior, etc.), to use to identify infected files. I didn't write the fix you saw me using; it was by one of our experts, LonnyRJones, but that is how in general we come up with these.

Is each BFU script unique to a given computer's problem?

This particular BFU script (the Qoologic one) is unique to the newest Qoologic infection, but it should work on any Windows 2000/XP system.

there were a couple executables that showed up when running in Task Manager's process window and as files on the hard drive, but in Safe mode they disappeared.

That's not really unexpected though is it? The point of Safe Mode is that normal programs listed under normal Run keys in the registry do not execute on boot. I happen to know that one component of the Qoologic infection runs itself via this method, so it would not be active in Safe Mode. (other components, those F2s you saw in your HijackThis log, do not fall prey to this weakness.) Or you might have been seeing other infections that were not running in Safe Mode for the same reason. It is rare for a user to have one infection alone nowadays unfortunately! --- since everything comes in downloader bundles.

Help! I feel like we're losing the war here.

I know what you mean ---- unfortunately you're right. We are losing. And we need all the man- and woman-power we can get. If you are interested in joining the team, we would love to have you; please see The Boot Camp Here. We train helpers, and if you have development/programming experience there is always use for that too.

Did you want specific help with the infected machines? If so you can post a HijackThis log here and I'd be happy to take a look at it. :)
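As an added example (not from this thread, and not BFU script syntax), here is a small Python triage tool in the spirit of the identification approach Swandog46 describes: derive a signature (checksums plus hand-picked printable marker strings) from a harvested sample, then match files on a test system against it. All function names and the sample bytes are constructed for illustration.

```python
import binascii
import hashlib
import os
import re

MIN_STRING_LEN = 6  # shorter printable runs are mostly noise in binaries


def features_from_bytes(name, data):
    """Identifying features of one file: name, CRC32, SHA-256 and printable strings."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN, data)
    return {
        "name": name.lower(),
        "crc32": "%08X" % (binascii.crc32(data) & 0xFFFFFFFF),
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": {s.decode("ascii") for s in runs},
    }


def signature_from_sample(name, data, marker_strings=()):
    """Signature derived from a harvested sample: exact checksums plus hand-picked
    marker strings that should survive a rebuild which changes the checksums."""
    feat = features_from_bytes(name, data)
    return {"name": feat["name"], "crc32": feat["crc32"],
            "sha256": feat["sha256"], "strings": set(marker_strings)}


def match(features, sig):
    """Feature classes that hit; a filename match alone is weak evidence, a hash is strong."""
    hits = [k for k in ("sha256", "crc32", "name") if features[k] == sig[k]]
    if sig["strings"] and sig["strings"] <= features["strings"]:
        hits.append("strings")
    return hits


def scan_dir(root, sigs):
    """Walk a directory tree and report every file that hits any signature."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                feat = features_from_bytes(fn, fh.read())
            for sig in sigs:
                hits = match(feat, sig)
                if hits:
                    report.append((path, sig["name"], hits))
    return report
```

Reviewing which feature classes hit tells you how much to trust a detection: a checksum hit identifies the exact harvested file, while a strings-only hit flags a variant that was rebuilt with different bytes.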

#3 hornet777 (Forum Deity, Full Member, 607 posts)

Posted 08 June 2006 - 05:17 PM

I know what you mean ---- unfortunately you're right. We are losing.

Thanks for the refreshing honesty, Swandog

They have numbers, money, and organisation, and we have had none of these from the beginning... completely frustrating :( if for no other reason than that thinking on this always reaches the same intractable impasse

After all is invested in correctness, then how does it stand with truth?

#4 Swandog46 (Forum Deity, Retired Staff, 10,190 posts)

Posted 10 June 2006 - 04:10 PM

Quite right, hornet777...

Member of UNITE