Here you go... I know the email word wrap will mess up the code, so hopefully the .txt file I'm attaching will make it through. Paul ----------------script begin------------------------ 'This script removes registry keys that start the different worms on reboot. It then deletes the 'file below worm1, worm2, worm3, etc. Time, Computer Name, worm name, etc are then logged to a file. ' 'Script created 8-18-03 by Paul DeHaan - wppad@xxxxxxxxx '#################### 'Edit this path. The NT "Everyone" group must have write access to the path you set. Const txtLog = "\\SERVER\SHARE\MSblastlog.txt '#################### on error resume next 'Set needed variables and objects Dim WSHShell, WSHFso Dim redel, regdel2, regdel3, strComputer Dim worm1, worm2, worm3, worm4, worm5, worm6 Set WSHShell = WScript.CreateObject("WScript.Shell") Set WSHFso = WScript.CreateObject("Scripting.FileSystemObject") 'remove registry keys that start worms on reboot regdel = WshSHell.RegDelete ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update") regdel2 = WshSHell.RegDelete ("HKLM\SYSTEM\CurrentControlSet\Services\RPCPatch") regdel3 = WshSHell.RegDelete ("HKLM\SYSTEM\CurrentControlSet\Services\RPCtftpd") 'Set the path to the induvidual worm variant .exe's systemroot = wshShell.ExpandEnvironmentStrings("%systemroot%") worm1 = systemroot & "\system32\msblast.exe" worm2 = systemroot & "\system32\penis32.exe" worm3 = systemroot & "\system32\teekids.exe" worm4 = systemroot & "\system32\wins\dllhost.exe" worm5 = systemroot & "\system32\wins\svchost.exe" worm6 = systemroot & "\system32\mspatch.exe" 'delete the file if it is found, then report it to log file. If WSHFso.FileExists(worm1) Then WSHFso.Deletefile worm1,True logDelete (worm1) End If If WSHFso.FileExists(worm2) Then WSHFso.Deletefile worm2,True logDelete (worm2) End If If WSHFso.FileExists(worm3) Then WSHFso.Deletefile worm3,True logDelete (worm3) End If If WSHFso.FileExists(worm4) Then WSHFso.Deletefile worm4,True logDelete (worm4) End If If WSHFso.FileExists(worm5) Then WSHFso.Deletefile worm5,True logDelete (worm5) End If If WSHFso.FileExists(worm6) Then WSHFso.Deletefile worm6,True logDelete (worm6) End If Set WSHShell = Nothing Set WSHFso = Nothing Sub logDelete(file) 'This procedure logs the time, computer name, user, worm file deleted, etc. Dim WshNetwork, fs Set wshNetwork = CreateObject("WScript.Network") Set fs = CreateObject("Scripting.FileSystemObject") Set logFile = fs.OpenTextFile (txtLog ,8, true) logFile.writeline now & ", Deleted the file: " & file & ", Computer: " & WshNetwork.ComputerName & _ ", User: " & WshNetwork.UserName & vbcrlf logFile.close Set fs = Nothing Set logFile = Nothing Set WshNetwork = Nothing End Sub Wscript.quit --------------script end ----------------------- >>> magnus@xxxxxxxx 08/19/03 04:50PM >>> Would you mind copy and pasting the code in an email. Some of us have .vbs ,.exe ...etc restrictions Thanks
'This script removes registry keys that start the different worms on reboot. It then deletes the 'file below worm1, worm2, worm3, etc. Time, Computer Name, worm name, etc are then logged to a file. ' 'Script created 8-18-03 by Paul DeHaan - wppad@xxxxxxxxx '#################### 'Edit this path. The NT "Everyone" group must have write access to the path you set. Const txtLog = "\\SERVER\SHARE\MSblastlog.txt '#################### on error resume next 'Set needed variables and objects Dim WSHShell, WSHFso Dim redel, regdel2, regdel3, strComputer Dim worm1, worm2, worm3, worm4, worm5, worm6 Set WSHShell = WScript.CreateObject("WScript.Shell") Set WSHFso = WScript.CreateObject("Scripting.FileSystemObject") 'remove registry keys that start worms on reboot regdel = WshSHell.RegDelete ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update") regdel2 = WshSHell.RegDelete ("HKLM\SYSTEM\CurrentControlSet\Services\RPCPatch") regdel3 = WshSHell.RegDelete ("HKLM\SYSTEM\CurrentControlSet\Services\RPCtftpd") 'Set the path to the induvidual worm variant .exe's systemroot = wshShell.ExpandEnvironmentStrings("%systemroot%") worm1 = systemroot & "\system32\msblast.exe" worm2 = systemroot & "\system32\penis32.exe" worm3 = systemroot & "\system32\teekids.exe" worm4 = systemroot & "\system32\wins\dllhost.exe" worm5 = systemroot & "\system32\wins\svchost.exe" worm6 = systemroot & "\system32\mspatch.exe" 'delete the file if it is found, then report it to log file. If WSHFso.FileExists(worm1) Then WSHFso.Deletefile worm1,True logDelete (worm1) End If If WSHFso.FileExists(worm2) Then WSHFso.Deletefile worm2,True logDelete (worm2) End If If WSHFso.FileExists(worm3) Then WSHFso.Deletefile worm3,True logDelete (worm3) End If If WSHFso.FileExists(worm4) Then WSHFso.Deletefile worm4,True logDelete (worm4) End If If WSHFso.FileExists(worm5) Then WSHFso.Deletefile worm5,True logDelete (worm5) End If If WSHFso.FileExists(worm6) Then WSHFso.Deletefile worm6,True logDelete (worm6) End If Set WSHShell = Nothing Set WSHFso = Nothing Sub logDelete(file) 'This procedure logs the time, computer name, user, worm file deleted, etc. Dim WshNetwork, fs Set wshNetwork = CreateObject("WScript.Network") Set fs = CreateObject("Scripting.FileSystemObject") Set logFile = fs.OpenTextFile (txtLog ,8, true) logFile.writeline now & ", Deleted the file: " & file & ", Computer: " & WshNetwork.ComputerName & _ ", User: " & WshNetwork.UserName & vbcrlf logFile.close Set fs = Nothing Set logFile = Nothing Set WshNetwork = Nothing End Sub Wscript.quit