Hi Paul,

That'll work. But one small correction.

Don't use the .bat extension on your scripts. .CMD batch files use the 32-bit command interpreter (cmd.exe). .BAT batch files invoke the 16-bit command interpreter (command.com) so that an NTVDM etc has to start up to run the batch file. Simply by changing the file extension, you make execution of the script much more efficient.

Mind you, command.com is useful for a few things. Like when CMD.exe is locked down by a GPO, but command.com and ntvdm.exe still work fine. By changing to .CMD, it also gives you the luxury of disabling 16-bit apps and closing that little loophole.

Regards,

Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704

-----Original Message-----
From: Paul DeHaan [mailto:wppad@xxxxxxxxx]
Sent: Wednesday, 27 August 2003 12:03 AM
To: John.Twilley@xxxxxxxxxxxxxxxxxxxxx; thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Internet Worm/Lovsan.A

Put the for loop in a batch file (add % for vars)

msblast.bat:

For /f %%i in ('net view') do pslist %%i

You should be able to redirect the batch when you run it:

msblast.bat | find /i "msblast"

I'd just redirect the bat file to a log.txt and once it is done, run a

find /i "msblast" log.txt

Regards,
Paul

>>> John.Twilley@xxxxxxxxxxxxxxxxxxxxx 08/26/03 07:39AM >>>

Wow. Very nice. Thank You!

I tried to "pipe it" to text... but it does nothing... Do you know the correct syntax?

Does not work:

For /f %i in ('net view') do pslist %i | find /i "msblast" > c:\msblast

John

_____

From: Mack, Rick [mailto:RMack@xxxxxxxxxxxxxx]
Sent: Tuesday, August 12, 2003 7:34 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Internet Worm/Lovsan.A

Hi,

We had a few sites hit fairly badly, and of course many of the systems weren't patched up to date. However it luckily turned out to be fairly easy to control. So I thought it might be worth letting you know what we did.

Pstools from sysinternals turned out to be a godsend.
I used:

For /f %i in ('net view') do pslist %i | find /i "msblast"

to find the infected systems, then did a generic network msblast kill with

For /f %i in ('net view') do pskill %i msblast.exe

That settled things down, and gave me time to delete the windowsupdat=msblast.exe entry under HKLM\software\microsoft\windows\currentversion\run with a quick kix script (was quicker than vbscript which I now have ;-)).

This kept things under control until we could update virus signatures and take care of the RPC/DCOM security patching.

Regards,

Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704

-----Original Message-----
From: Adam.Baum@xxxxxxxxxxxxxx [mailto:Adam.Baum@xxxxxxxxxxxxxx]
Sent: Tuesday, 12 August 2003 10:14 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Internet Worm/Lovsan.A

This is also being called W32.blaster.worm

We got hit with it and I just spent the last 12hrs rebuilding an MF server.....

"Jim Kenzig http://thethin.net" <jimkenz@concentric.net>
Sent by: thin-bounce@freelists.org
08/12/2003 05:09 AM
Please respond to thin

To: <windows2000@xxxxxxxxxxxxx>, <thin@xxxxxxxxxxxxx>
cc:
Subject: [THIN] Internet Worm/Lovsan.A

And more on this... And if the last one wasn't enough.
JK

VIRUS WARNING

The Central Command(r) Emergency Virus Response Team (EVRT) has received virus infection reports for the new Internet Worm/Lovsan.A. Due to increased customer inquiries and infection reports the EVRT is issuing a VIRUS WARNING. You are receiving this newsletter because you are a subscriber to the Central Command Virus News mailing list.

[ EVRT Virus Warning issued for Worm/Lovsan.A ]

Name: Worm/Lovsan.A
Alias: W32/Lovsan.A
Type: Internet Worm
Discovered: August 11, 2003
Platform: Windows NT/2000/XP
Size: 6.176KB

Worm/Lovsan.A is an Internet worm that exploits a known security vulnerability in Microsoft's Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. This security breach allows someone with malicious intent to run code of their choice. TCP ports directly affected by this exploit include: 135.

If executed, Worm/Lovsan.A will download and run the file msblast.exe using Tftp.

The following are components of Worm/Lovsan.A:

- msblast.exe (the main component)

So that it gets run each time a user restarts their computer the following registry key gets added:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "windows auto update"="msblast.exe"

Microsoft has issued a patch to protect against the exploit used by Worm/Lovsan.A. This patch is available from Microsoft Security Bulletin MS03-026:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

** This worm is still under analysis

********************************************************
This Week's Sponsor: RES PowerFuse, The Management Framework for Windows
Eliminate Multiple Tools, Multiple Support Channels and Multiple Costs
Manage, Control, and Secure an Entire Windows environment with Ease, including Real-time Reporting and Documenting Components
Validate a Meaningful ROI on All of your IT Investments with RES PowerFuse.
http://www.respowerfuse.com/
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm

--------------------------------------------------------------------
The information contained in this e-mail is confidential and may be subject to legal professional privilege. It is intended solely for the addressee. If you receive this e-mail by mistake please promptly inform us by reply e-mail and then delete the e-mail and destroy any printed copy. You must not disclose or use in any way the information in the e-mail. There is no warranty that this email or any attachment or message is error or virus free. It may be a private communication, and if so, does not represent the views of Volante group Limited.
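The sweep discussed in this thread (Rick's net view / pslist loop in the batch-file form Paul gives), written out as one .cmd file that records which host matched and also checks for the Run value named in the Central Command warning. This is an added example, not code posted by anyone on the list; it assumes pslist.exe from PsTools is on the PATH, the account has administrative rights on the targets and reg.exe can reach their Remote Registry service, and the log file name and the :check label are made up for the example.

```bat
@echo off
rem Added example, not from the thread. Save as sweep.cmd.
rem Assumptions: PsTools on the PATH, admin rights on the target machines,
rem Remote Registry reachable for the reg query step.
setlocal
set "LOG=%~dp0msblast-hosts.log"
if exist "%LOG%" del "%LOG%"

rem net view prints header and trailer lines as well as machine names.
rem Only lines containing two backslashes name a machine, so filter on that.
rem In a batch file the loop variable is doubled, and the pipe inside the
rem quoted command is escaped with a caret.
for /f "tokens=1" %%i in ('net view ^| find "\\"') do call :check %%i

echo Sweep finished.
if exist "%LOG%" (
    echo Hosts needing attention:
    type "%LOG%"
) else (
    echo No host showed msblast.
)
endlocal
goto :eof

:check
rem The argument is the machine name with its leading backslashes,
rem exactly as net view printed it.

rem 1. Running process. find sets errorlevel 0 only when a line matched,
rem    so the host name is written next to the result. The log is opened in
rem    append mode so one host does not overwrite the previous one.
pslist %1 2>nul | find /i "msblast" >nul
if not errorlevel 1 >>"%LOG%" echo %1 process-running

rem 2. Persistence. The warning gives the Run value "windows auto update".
rem    reg query returns 0 when the value exists on the remote machine.
reg query "%1\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "windows auto update" >nul 2>&1
if not errorlevel 1 >>"%LOG%" echo %1 run-key-present
goto :eof
```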