Wednesday, April 25, 2012

M0rPheuS.tpl

We have recently been targeted by a rather nifty .tpl script that uses the mshta executable to set the hidden attribute on a user's personal folders, along with the files and folders on any mapped drives they have access to. The .tpl script then creates a shortcut whose path points to C:\WINDOWS\system32\cmd.exe /c START mshta.exe "%cd%M0rPheuS.tpl; clicking it will of course execute the script on the victim's machine, spreading the "infection" further onto their mapped drives. Example compromised shortcut:

C:\WINDOWS\system32\cmd.exe /c START mshta.exe "%cd%M0rPheuS.tpl?reload=1335348216873" & start %windir%\explorer.exe "%cd%FOLDER_NAME_GOES_HERE"   

To clean infected drives, remove the M0rPheuS.tpl file, run del *.lnk (of course, this will remove all shortcuts, good and bad) and then run attrib -h /D /S to unhide the files and folders.

I'm amazed at how quickly and effectively this thing spreads, from what is in effect a simple bit of scripting. 


2 comments:

  1. Hey Gary,

    What are the exact steps you took to remove this virus? We have a handful of users with the same problem and getting rid of it has been a pain in the ass.

    We don't quite understand your removal instructions, though we're general IT staff.

    We'd like your help in generating a concise set of instructions or a script that will help rid us of this problem. Please let me know, Thank you.

  2. Sorry for the delay! The malscript - it's not really a virus - does three things. 1) It hides all files and folders on network drives that the user has write access to, so you need to unhide them, 2) it copies itself to the network drives, so you need to delete it* (see note below), and 3) it creates a shortcut to all of the hidden folders and files, each shortcut containing a link back to the script. So, any shortcut which is clicked will also run the script, starting the process afresh with a new victim, and you need to delete the shortcuts. Pretty simple really; if you open the .tpl file in Notepad, you can see it's just JavaScript.

    *We started out by deleting the script files, HOWEVER they kept getting recreated as users clicked compromised shortcuts, and for a while we were playing whack-a-mole across all of our network drives. So, we got a little smarter, and created a read-only blank (empty, null, useless..) copy of the script, so that if a compromised shortcut was clicked on another drive, the script would be unable to copy itself over the read-only dummy script, and would fail to replicate.

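The cleanup described in the post (remove the script, remove the shortcuts, attrib -h /D /S) and the read-only dummy trick from the follow-up comment, as one PowerShell script. This is an added example, not Gary's script or anything from the original post; the share path is a placeholder you have to supply, and it assumes the WScript.Shell COM object is available to read shortcut targets. It improves on del *.lnk by deleting only shortcuts whose target actually launches mshta with M0rPheuS.tpl, so legitimate shortcuts survive.

```powershell
# Added example: clean a share hit by the M0rPheuS.tpl malscript.
# Not the blog author's script. $Root is a placeholder for your own share.
param(
    [Parameter(Mandatory = $true)]
    [string]$Root          # e.g. \\FILESERVER\Share (placeholder, not from the post)
)

$ScriptName = 'M0rPheuS.tpl'
$shell      = New-Object -ComObject WScript.Shell

# 1) Remove every copy of the script itself (it copies itself around the share).
Get-ChildItem -LiteralPath $Root -Filter $ScriptName -Recurse -Force -File -ErrorAction SilentlyContinue |
    Remove-Item -Force

# 2) Remove only the shortcuts that relaunch the script, i.e. whose target plus
#    arguments mention both mshta and the script name. Other .lnk files are kept.
$removed = 0
Get-ChildItem -LiteralPath $Root -Filter '*.lnk' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match 'mshta' -and $cmd -match [regex]::Escape($ScriptName)) {
            Remove-Item -LiteralPath $_.FullName -Force
            $removed++
        }
    }
Write-Host "Removed $removed compromised shortcut(s) under $Root"

# 3) Clear the Hidden attribute on everything the script hid
#    (the equivalent of "attrib -h /D /S"). -bxor is safe here because the
#    Where-Object filter guarantees the bit is set.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    ForEach-Object { $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden }

# 4) Plant an empty, read-only file under the script's name so that a shortcut
#    clicked elsewhere cannot write the real script back over it.
#    The comment does not say where the dummy was placed; the share root is an assumption.
$dummy = Join-Path $Root $ScriptName
New-Item -Path $dummy -ItemType File -Force | Out-Null
Set-ItemProperty -LiteralPath $dummy -Name IsReadOnly -Value $true
Write-Host "Planted read-only dummy at $dummy"
```

Run it once per affected share or mapped drive with an account that has write access to the whole tree. Step 3 has the same side effect as attrib -h /D /S: it also unhides anything that was legitimately hidden, so review the output on a small folder first. If the script kept reappearing in subfolders in your environment, repeat step 4 in each of those folders rather than only at the root.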