[THIN] Re: MSBLAST remove - AD Group Policy startup script.

  • From: "Paul DeHaan" <wppad@xxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 19 Aug 2003 23:04:26 -0400

Here you go... I know the email word wrap will mess up the code, so
hopefully the .txt file I'm attaching will make it through.

Paul

----------------script begin------------------------

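'This script removes the registry entries that restart the different worms on
'reboot, then deletes the worm files listed below (worm1, worm2, worm3, etc.).
'Time, computer name, worm file name, etc. are then appended to a log file.
'
'Script created 8-18-03 by Paul DeHaan - wppad@xxxxxxxxx

'####################
'Edit this path. The NT "Everyone" group must have write access to the path you set.
'NOTE(review): a share that Everyone can write to lets any client alter or forge
'entries, so treat the log as advisory. Where the share permissions allow it,
'grant write/append only and keep read, modify and delete for administrators.
Const txtLog = "\\SERVER\SHARE\MSblastlog.txt"
'####################

'From here on errors are skipped, so a failed registry or file operation does
'not stop the script and is not reported by the script host.
On Error Resume Next

'Set needed variables and objects
Dim WSHShell, WSHFso
Dim regdel, regdel2, regdel3, strComputer
Dim worm1, worm2, worm3, worm4, worm5, worm6
Set WSHShell = WScript.CreateObject("WScript.Shell")
Set WSHFso = WScript.CreateObject("Scripting.FileSystemObject")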

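'Remove the registry entries that start the worms on reboot.
'WshShell.RegDelete treats a name ending in "\" as a key and any other name as
'a value. The Run entry is a value; the two service entries are keys, so they
'need the trailing backslash or the call fails without removing anything.
'NOTE(review): the script's On Error Resume Next hides a failed delete here
'(entry absent, access denied, key not removable) - confirm on a test machine
'that the entries are gone. Only this one Run value name is handled; verify
'whether the variants you are cleaning register under other names.
regdel = WSHShell.RegDelete("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update")
regdel2 = WSHShell.RegDelete("HKLM\SYSTEM\CurrentControlSet\Services\RPCPatch\")
regdel3 = WSHShell.RegDelete("HKLM\SYSTEM\CurrentControlSet\Services\RPCtftpd\")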

'Build the full path of each individual worm variant's .exe.
'dllhost.exe and svchost.exe are also the names of genuine Windows files; only
'the copies inside the system32\wins subfolder are listed here.
systemroot = WSHShell.ExpandEnvironmentStrings("%systemroot%")
sys32 = systemroot & "\system32\"
worm1 = sys32 & "msblast.exe"
worm2 = sys32 & "penis32.exe"
worm3 = sys32 & "teekids.exe"
worm4 = sys32 & "wins\dllhost.exe"
worm5 = sys32 & "wins\svchost.exe"
worm6 = sys32 & "mspatch.exe"

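'Delete each worm file that is present and record the outcome in the log file.
'DeleteFile errors are skipped by On Error Resume Next (for example when the
'file is locked by a running process), so the file is checked again
'afterwards instead of assuming the delete worked.
Dim wormFile
For Each wormFile In Array(worm1, worm2, worm3, worm4, worm5, worm6)
  If WSHFso.FileExists(wormFile) Then
    WSHFso.DeleteFile wormFile, True
    If WSHFso.FileExists(wormFile) Then
      'logDelete always writes "Deleted the file:", so a failure is flagged
      'in the file-name field to keep the machine visible in the log.
      logDelete wormFile & " [DELETE FAILED - file is still present]"
    Else
      logDelete wormFile
    End If
  End If
Next

Set WSHShell = Nothing
Set WSHFso = Nothing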

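Sub logDelete(file)

 'Appends one line to the shared log (txtLog): time, deleted file, computer
 'name and user name.
 'file - text written after "Deleted the file: " (callers pass the worm's path).
 'NOTE(review): as a startup script this presumably runs before anyone logs
 'on, so "User" is likely the system account rather than a person - verify.
 'NOTE(review): many machines may append at the same time; a failed open is
 'not retried here - confirm that entries are not lost.
 Const ForAppending = 8
 Dim WshNetwork, fs, logFile
 Set WshNetwork = CreateObject("WScript.Network")

 Set fs = CreateObject("Scripting.FileSystemObject")
 'Third argument True creates the log file when it does not exist yet.
 Set logFile = fs.OpenTextFile(txtLog, ForAppending, True)
 'The vbCrLf after WriteLine leaves an empty line between entries.
 logFile.WriteLine Now & ", Deleted the file: " & file & ", Computer: " & _
                   WshNetwork.ComputerName & ", User: " & WshNetwork.UserName & vbCrLf
 logFile.Close
 Set fs = Nothing
 Set logFile = Nothing
 Set WshNetwork = Nothing

End Sub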

'End the script host run once cleanup and logging are done.
WScript.Quit

--------------script end -----------------------

>>> magnus@xxxxxxxx 08/19/03 04:50PM >>>
Would you mind copying and pasting the code into an email?

Some of us have .vbs, .exe, etc. restrictions.

Thanks

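'This script removes the registry entries that restart the different worms on
'reboot, then deletes the worm files listed below (worm1, worm2, worm3, etc.).
'Time, computer name, worm file name, etc. are then appended to a log file.
'
'Script created 8-18-03 by Paul DeHaan - wppad@xxxxxxxxx

'####################
'Edit this path. The NT "Everyone" group must have write access to the path you set.
'NOTE(review): a share that Everyone can write to lets any client alter or forge
'entries, so treat the log as advisory. Where the share permissions allow it,
'grant write/append only and keep read, modify and delete for administrators.
Const txtLog = "\\SERVER\SHARE\MSblastlog.txt"
'####################

'From here on errors are skipped, so a failed registry or file operation does
'not stop the script and is not reported by the script host.
On Error Resume Next

'Set needed variables and objects
Dim WSHShell, WSHFso
Dim regdel, regdel2, regdel3, strComputer
Dim worm1, worm2, worm3, worm4, worm5, worm6
Set WSHShell = WScript.CreateObject("WScript.Shell")
Set WSHFso = WScript.CreateObject("Scripting.FileSystemObject")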

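'Remove the registry entries that start the worms on reboot.
'WshShell.RegDelete treats a name ending in "\" as a key and any other name as
'a value. The Run entry is a value; the two service entries are keys, so they
'need the trailing backslash or the call fails without removing anything.
'NOTE(review): the script's On Error Resume Next hides a failed delete here
'(entry absent, access denied, key not removable) - confirm on a test machine
'that the entries are gone. Only this one Run value name is handled; verify
'whether the variants you are cleaning register under other names.
regdel = WSHShell.RegDelete("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update")
regdel2 = WSHShell.RegDelete("HKLM\SYSTEM\CurrentControlSet\Services\RPCPatch\")
regdel3 = WSHShell.RegDelete("HKLM\SYSTEM\CurrentControlSet\Services\RPCtftpd\")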

'Build the full path of each individual worm variant's .exe.
'dllhost.exe and svchost.exe are also the names of genuine Windows files; only
'the copies inside the system32\wins subfolder are listed here.
systemroot = WSHShell.ExpandEnvironmentStrings("%systemroot%")
sys32 = systemroot & "\system32\"
worm1 = sys32 & "msblast.exe"
worm2 = sys32 & "penis32.exe"
worm3 = sys32 & "teekids.exe"
worm4 = sys32 & "wins\dllhost.exe"
worm5 = sys32 & "wins\svchost.exe"
worm6 = sys32 & "mspatch.exe"

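'Delete each worm file that is present and record the outcome in the log file.
'DeleteFile errors are skipped by On Error Resume Next (for example when the
'file is locked by a running process), so the file is checked again
'afterwards instead of assuming the delete worked.
Dim wormFile
For Each wormFile In Array(worm1, worm2, worm3, worm4, worm5, worm6)
  If WSHFso.FileExists(wormFile) Then
    WSHFso.DeleteFile wormFile, True
    If WSHFso.FileExists(wormFile) Then
      'logDelete always writes "Deleted the file:", so a failure is flagged
      'in the file-name field to keep the machine visible in the log.
      logDelete wormFile & " [DELETE FAILED - file is still present]"
    Else
      logDelete wormFile
    End If
  End If
Next

Set WSHShell = Nothing
Set WSHFso = Nothing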

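Sub logDelete(file)

 'Appends one line to the shared log (txtLog): time, deleted file, computer
 'name and user name.
 'file - text written after "Deleted the file: " (callers pass the worm's path).
 'NOTE(review): as a startup script this presumably runs before anyone logs
 'on, so "User" is likely the system account rather than a person - verify.
 'NOTE(review): many machines may append at the same time; a failed open is
 'not retried here - confirm that entries are not lost.
 Const ForAppending = 8
 Dim WshNetwork, fs, logFile
 Set WshNetwork = CreateObject("WScript.Network")

 Set fs = CreateObject("Scripting.FileSystemObject")
 'Third argument True creates the log file when it does not exist yet.
 Set logFile = fs.OpenTextFile(txtLog, ForAppending, True)
 'The vbCrLf after WriteLine leaves an empty line between entries.
 logFile.WriteLine Now & ", Deleted the file: " & file & ", Computer: " & _
                   WshNetwork.ComputerName & ", User: " & WshNetwork.UserName & vbCrLf
 logFile.Close
 Set fs = Nothing
 Set logFile = Nothing
 Set WshNetwork = Nothing

End Sub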

'End the script host run once cleanup and logging are done.
WScript.Quit
