
Script detects infected files
In May of 2000 I was consulting for the McGowan Consulting Group (a.k.a. Strategic Business Systems) as one of two network administrators for Sikorsky Aircraft – Comanche Project. I was still recovering from the work involved with preparing for Y2K and looking forward to seeing the movie “Gladiator” when I was forced to deal with the LoveLetter virus (a.k.a. ILOVEYOU or LoveBug), which was running rampant, infecting millions of computers globally. To this day it is still considered one of the most damaging viruses of all time. At the time, antivirus manufacturers were scrambling to detect and defend against its infections. Instead of waiting, I decided to write a script to locate infected files and then to delete them. I later published an article about this script with Win32 Scripting Journal a.k.a. Windows 2000 Magazine a.k.a. Windows IT Pro.
Article Source:
http://windowsitpro.com/articles/print.cfm?articleid=8986
In response to the Love Letter virus, I wrote a script, LLClean.vbs, that scans Windows 2000 and Windows NT systems’ drives, parses all .vbs files, and deletes those files with the virus. The script scans all hard disks and attached drives. However, the script doesn’t scan Win2K’s hidden system folder System Volume Information because any search of this folder generates an error.
When the script scans a file, it reads the file’s first line and compares that line with a specified search phrase. If the script finds a match, it immediately deletes the file. The script records all file scans, deletions, and errors in a log file. In the script, this file’s path is C:\llscan.log, but you can change it to whatever you want.
In its current form, the script scans files that have the .vbs extension and searches for the Love Letter virus phrase rem barok -loveletter(vbe) <i hate go to school>. You can customize this script to scan other types of files and to delete other viruses. You can also modify the script to scan the entire document instead of the first line. (For information about how to scan the entire document, see Dino Esposito, “Understanding VBScript: The TextStream Object,” May 2000.) You can even adapt this script to remove unwanted files (e.g., .tmp files).
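The whole-document scan suggested above, written as a report-only variant; this is an added example, not code from LLClean.vbs or the original article. The function names FileContainsPhrase and ReportFolder and the single folder argument are assumptions made for illustration; the script lists matching files in one folder and deletes nothing.

```vbscript
' Added example (not part of LLClean.vbs): report-only, whole-file scan.
Option Explicit
Const ForReading = 1
Const SearchEXT = "VBS"
Const SearchPhrase = "rem barok -loveletter(vbe) <i hate go to school>"

Dim FSO, Hits
Set FSO = CreateObject("Scripting.FileSystemObject")

' Returns True if any line of the file contains the phrase (case-insensitive).
Function FileContainsPhrase(FilePath, Phrase)
    Dim Stream, Line
    FileContainsPhrase = False
    On Error Resume Next            ' locked or unreadable files count as "no match"
    Set Stream = FSO.OpenTextFile(FilePath, ForReading)
    If Err.Number <> 0 Then Exit Function
    Do While Not Stream.AtEndOfStream
        Line = Stream.ReadLine
        If Err.Number <> 0 Then Exit Do
        If InStr(1, Line, Phrase, vbTextCompare) > 0 Then
            FileContainsPhrase = True
            Exit Do
        End If
    Loop
    Stream.Close
End Function

' Lists matching files in one folder (no recursion, nothing is deleted).
Function ReportFolder(FolderPath)
    Dim objFile, Count
    Count = 0
    For Each objFile In FSO.GetFolder(FolderPath).Files
        If LCase(FSO.GetExtensionName(objFile.Path)) = LCase(SearchEXT) Then
            If FileContainsPhrase(objFile.Path, SearchPhrase) Then
                WScript.Echo "MATCH: " & objFile.Path
                Count = Count + 1
            End If
        End If
    Next
    ReportFolder = Count
End Function

If WScript.Arguments.Count = 1 Then
    Hits = ReportFolder(WScript.Arguments(0))
    WScript.Echo Hits & " file(s) contain the search phrase"
Else
    WScript.Echo "Usage: cscript //nologo <this script> <folder>"
End If
```

Matching with InStr on every line also catches a copy where the phrase is not the first line, which the first-line comparison would log as SCANNED.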
Listing 1, page 16, contains an excerpt from LLClean.vbs that shows the script’s subroutine that finds and deletes the targeted files. You can find the entire script in the Code Library on the Win32 Scripting Journal Web site (http://www.win32scripting.com).
To use LLClean.vbs, you need to have Windows Script Host (WSH) installed on the system from which you’ll run this script. Before running the script, you must disable any program that might prevent the script from accessing infected files (e.g., virus scanners). This script deletes only infected files and doesn’t address any Registry changes that the Love Letter infection might have caused. This script isn’t meant as a replacement for an up-to-date virus scanner but rather an interim measure until you get one.
Listing 1
```vbscript
' Listing 1. Excerpt from LLClean.vbs
Sub SeekAndDestroy(objDirectory)
    Dim DirFiles, FoundFile, FileName, FileExt, FirstLine
    ' VBScript error handling is per procedure; enable it here so the
    ' Err.Number check after the delete can actually run.
    On Error Resume Next
    ' Skip Win2K's hidden "System Volume Information" folder
    If LCase(objDirectory.Name) <> LCase("System Volume Information") Then
        Set DirFiles = objDirectory.Files
        For Each objFile in DirFiles
            FileName = objFile
            FileExt = FSO.GetExtensionName(objFile.Path)
            If LCase(FileExt) = LCase(SearchEXT) Then
                FirstLine = ""   ' never reuse the previous file's first line
                Set FoundFile = FSO.OpenTextFile(objFile, 1)   ' 1 = ForReading
                ' An empty file has no first line to read
                If Not FoundFile.AtEndOfStream Then FirstLine = FoundFile.ReadLine
                If LCase(FirstLine) = LCase(SearchPhrase) Then
                    FoundFile.close
                    Err.Clear    ' discard earlier errors before testing the delete
                    FSO.DeleteFile objFile, True
                    If Err.Number = 0 Then
                        Write2Log "DELETED TARGET FILE: " & FileName
                    Else
                        Write2Log "ERROR DELETING TARGET FILE: " & FileName
                    End If
                Else
                    FoundFile.close
                    Write2Log "SCANNED: " & FileName
                End If
            End If
        Next
    End If
End Sub
```
Complete Script
```vbscript
' Love Letter Infected VBS Cleaner
'
' ------------------------------------------------------------------------
' Copyright (C) 2000 Strategic Business Systems, LLC (SBS)
' A full service information technology consulting firm
' "Better By Design"
' www.sbs-llc.com
' Seymour, CT
'
' You have a royalty-free right to use, modify, reproduce and distribute
' this application file (and/or any modified version) in any way
' you find useful, provided that you agree that SBS has no warranty,
' obligations, or liability.
'
' This header and copyright must remain with all derivations of this script.
' All Rights Reserved
' ------------------------------------------------------------------------
' Script Version: 1.2
' Release Date: May 4, 2000
' Author: Jesse M. Torres, Senior NT Systems Engineer
' Credentials: MCSE, CLS
' Contact: Jesse.Torres@SBS-LLC.com
' ------------------------------------------------------------------------
' Description:
' - Performs a complete system scan of all attached drives, parses all
'   VBS files, and deletes them if the Love Letter virus is detected.
'
' ------------------------------------------------------------------------
' Usage:
' - Run this script on any infected machine or implement it to run via a
'   logon script.
'
' ------------------------------------------------------------------------
' Requirements:
' - Windows Scripting Host
' - Rights to delete infected files
'
' ------------------------------------------------------------------------
' Known Issues:
' - None
'
' ------------------------------------------------------------------------
' Notes:
' - While this script only parses the first line of a vbs file, you can
'   modify the script to .readall, combined with a DO/WHILE loop and a
'   .AtEndOfStream check.
' - This script has only been tested on Windows NT/2000 operating systems.
'   Using this script on other operating systems may produce unpredictable
'   results
' - The directory "System Volume Information" is a hidden system folder
'   for Windows 2000. This directory cannot be searched or it will generate
'   an error. A check and skip has been implemented in this script to bypass
'   this folder.
' - Before a file is deleted, the file name and path is recorded in a log
'   file. This file is set to C:\LLSCAN.LOG, but you can set it to whatever
'   you wish.
' - You can modify the search phrase and file type to detect and delete
'   other virus or file types (e.g., MP3, TMP).
'
' ------------------------------------------------------------------------
On Error Resume Next

Dim AllDrives, FSO, Log, objDirectory, objFile
Const LogFile = "C:\LLSCAN.LOG"
Const SearchEXT = "VBS"
Const SearchPhrase = "rem barok -loveletter(vbe) <i hate go to school>"

Set FSO = CreateObject("Scripting.FileSystemObject")
Set Log = Nothing
Set AllDrives = FSO.Drives

' ------------------------------------------------------------------------
' Main Loop
' ------------------------------------------------------------------------
Write2Log "BEGINNING SCAN:"
For Each SingleDrive in AllDrives
    ' Skip drives with no media; otherwise GetFolder fails and the
    ' previous drive's root folder would be scanned a second time.
    If SingleDrive.IsReady Then
        Set objDirectory = FSO.GetFolder(SingleDrive & "\")
        'Clean Infected files
        WorkWithSubFolders objDirectory, SingleDrive
    End If
Next
Write2Log "SCAN COMPLETE"
Wscript.Echo "SCAN COMPLETE" 'Notify user scan is complete
'Quit
WScript.Quit

' ------------------------------------------------------------------------
' SUB SeekAndDestroy(objDirectory)
' ------------------------------------------------------------------------
Sub SeekAndDestroy(objDirectory)
    Dim DirFiles, FoundFile, FileName, FileExt, FirstLine
    ' VBScript error handling is per procedure; enable it here so the
    ' Err.Number check after the delete can actually run.
    On Error Resume Next
    ' Skip Win2K's hidden "System Volume Information" folder
    If LCase(objDirectory.Name) <> LCase("System Volume Information") Then
        Set DirFiles = objDirectory.Files
        For Each objFile in DirFiles
            FileName = objFile
            FileExt = FSO.GetExtensionName(objFile.Path)
            If LCase(FileExt) = LCase(SearchEXT) Then
                FirstLine = ""   ' never reuse the previous file's first line
                Set FoundFile = FSO.OpenTextFile(objFile, 1)   ' 1 = ForReading
                ' An empty file has no first line to read
                If Not FoundFile.AtEndOfStream Then FirstLine = FoundFile.ReadLine
                If LCase(FirstLine) = LCase(SearchPhrase) Then
                    FoundFile.close
                    Err.Clear    ' discard earlier errors before testing the delete
                    FSO.DeleteFile objFile, True
                    If Err.Number = 0 Then
                        Write2Log "DELETED TARGET FILE: " & FileName
                    Else
                        Write2Log "ERROR DELETING TARGET FILE: " & FileName
                    End If
                Else
                    FoundFile.close
                    Write2Log "SCANNED: " & FileName
                End If
            End If
        Next
    End If
End Sub

' ------------------------------------------------------------------------
' SUB WorkWithSubFolders(objDirectory, SingleDrive) - Moves between subfolders
' ------------------------------------------------------------------------
Sub WorkWithSubFolders(objDirectory, SingleDrive)
    Dim MoreFolders, CurrentFolder
    SeekAndDestroy objDirectory
    ' SingleDrive evaluates to the drive path (e.g., "C:"), so the leading
    ' backslash is needed to match the folder's full path.
    If objDirectory <> SingleDrive & "\System Volume Information" Then
        Set MoreFolders = objDirectory.SubFolders
        For Each CurrentFolder In MoreFolders
            If CurrentFolder <> SingleDrive & "\System Volume Information" Then
                WorkWithSubFolders CurrentFolder, SingleDrive
            End If
        Next
    End If
End Sub

' ------------------------------------------------------------------------
' SUB Write2Log - Writes messages to a log file
' ------------------------------------------------------------------------
Sub Write2Log(Message)
    On Error Resume Next
    If Log Is Nothing Then
        If FSO.FileExists(LogFile) Then
            FSO.DeleteFile LogFile, True 'Delete the old log file
        End If
        Set Log = FSO.CreateTextFile(LogFile, True) 'Create the log file
        If Err.Number <> 0 Then
            Wscript.Echo "Error: Unable to create or delete the log file. The script may still be running."
            Wscript.Echo " (" & Err.Number & ") " & Err.Description
            Wscript.Quit Err.Number
        End If
    End If
    Log.WriteLine Message
End Sub
```