adds bat script

landsbankinn · Oct 11, 2018 · 705246d · 705246d
1 parent 07fcd30
commit 705246d
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/RemcosDetector.sln b/RemcosDetector.sln
@@ -14,6 +14,11 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution files", "Solution
 		README.md = README.md
 	EndProjectSection
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "scripts", "scripts", "{4E7D5ABC-B836-40C4-B36C-B4D2B8A6FB8A}"
+	ProjectSection(SolutionItems) = preProject
+		detect.bat = detect.bat
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -28,6 +33,9 @@ Global
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{4E7D5ABC-B836-40C4-B36C-B4D2B8A6FB8A} = {4E893C86-6EEA-4AD7-8B57-F0887F2389AF}
+	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {3CCE7A2B-AB6E-4B4A-9E30-766806D6D9F8}
 	EndGlobalSection

diff --git a/detect.bat b/detect.bat
@@ -0,0 +1,19 @@
+@echo off
+if exist "%userprofile%\AppData\Local\Temp\Windows 93.exe" (
+    echo "Recoms Decoy file here: This computer is infected by Remcos shadesoul"
+                PAUSE
+                exit
+) 
+if exist "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PrivatacyCleanzer.vbs" (
+    echo "Recoms persistence file here: This computer is infected by Remcos shadesoul"
+                PAUSE
+                exit
+)
+if exist "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UniMP Softwares.vbs" (
+    echo "Recoms persistence file here: This computer is infected by Remcos shadesoul"
+                PAUSE
+                exit
+)
+echo "Computer not infected by Remcos campaign shadesoul"
+PAUSE
+exit