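; IF setconsole("hide")
; ENDIF
;
; NT/95 cleaning vbs virus - Kixtart 3.62, 3.63, 4.00
;
; (c) scripting@wanadoo.nl - 2000, 2001
;
; vs 2.02 - program (Virus Cleaner - VBS/LoveLetter.worm)
;
; 1.00 (20000504) original version
; 1.01 (20000505) add: extension to possible attacks after changing VBS script
;                      - use other registry keys.
;                      - changing VBS script name.
;                      - add new type of files to infect f.e. DOC, XLS, PPT
;                 add: additional information for logging infected systems
;                      to eventlog + file.
;                 change "disable_vbs" mode set to "yes"
; 1.02 (20000505) add: searching for VBSFile program location + name.
; 1.03 (20000505) add: changing of VBSFile program name.
;                 change redesign of calculation of found_virus_key.
; 2.00 (20010401) add: kixtart 2001 beta1 compliancy (fix ReadType)
; 2.01 (20010701) add: - introduction of "remove_vbs" option, which will remove
;                        "cscript.exe" & "wscript.exe" files from your local
;                        workstation.
;                        both programs will always be removed when a possible virus
;                        has been found.
;                      - introduction of "$debug_file".
;                      - show actual settings of "system.ini" + "win.ini".
;                 change using %tmp% value
; 2.02 (20011120) change suppress SetConsole("hide")
;
; future: cleanup system.ini (boot:shell)
;                 win.ini (windows:load/run)
;
; external programs: deltree
;
; ---------------------------------------------------------------------------
; Overview (KiXtart 3.x has no user-defined functions, so the script is one
; flat run of labelled sections, executed top to bottom):
;   1. :script_collect_pc_info - build one log record ($x/$tmp) with domain,
;      ip/mac, user and workstation; write a "script started" eventlog entry.
;   2. :script_registry_clean  - walk the Run/RunOnce/RunServices autostart
;      keys and delete every value whose data contains "vbs". This is a
;      deliberately broad containment heuristic: a legitimate autostart entry
;      that merely mentions "vbs" is deleted as well and the workstation is
;      then treated as infected ($found_virus_key="yes").
;   3. blank the VBSFile\Shell\Open(2)\Command handlers and remove the
;      interpreter they point to, so .vbs files no longer execute.
;   4. on a hit: delete *.vbs and the known dropper files from the root and the
;      Windows directories (containment only - nothing is quarantined).
;   5. :script_iexplorer / :script_ini - reset the IE start page (on every run,
;      not only on a hit) and dump the system.ini/win.ini autostart lines to
;      the debug log; :end_script writes the log record and the eventlog entry.
; Rights: HKLM/HKCR deletes and deletes in the Windows directories need
; administrative rights. Without them DelValue fails (logged as
; "=DelValue.ERROR") but $found_virus_key is still set and the run is still
; recorded as infected, so the log is a "seen", not a "cleaned", signal.
; Every "shell" command below is a fixed string; registry data only ever
; reaches the built-in "del" (Run-key loop, VBSFile handler), never a shell.
; Both log files live in %tmp%, i.e. are user-writable; the eventlog entry is
; the more tamper-resistant record of a run.
; ---------------------------------------------------------------------------
$prgrm_version="2.02"
;
$tmp_directory=ExpandEnvironmentVars("%tmp%")
; - strip a trailing backslash so the "\file" concatenations below stay clean -
IF (substr($tmp_directory,len($tmp_directory),1) = "\")
   $tmp_directory=substr($tmp_directory,1,len($tmp_directory)-1)
ENDIF
; ---------------------------------------------------------------------------
; - site defined settings -
; ---------------------------------------------------------------------------
; - 1. "$log_file"
; -    logging workstations which are infected by parameter"$log_file"
; - 2. "$default_start_page"
; -    internet explorer start page can set to your home page
; - 3. "$disable_vbs"
; -    by changing this value to "yes" it will stop running VBS scripts.
; -    stopping running it means: no other files will be destroyed by overwritten it.
; -    possible solution for the short time. later on you can put them back to your system
; - 4. "$remove_vbs"
; -    by changing this value to "yes" it will remove the VBS programs
; -    "cscript.exe" & "wscript.exe" from your local workstation
; - 5. "$debug_mode"
; -    usefull for kixtart program's.
; - 6. "$debug_file"
; -    output of "$debug_mode". Note: with "yes" the full contents of the
; -    autostart registry values are written to this file in %tmp%.
; ---------------------------------------------------------------------------
$log_file=$tmp_directory+"\virus_clean.log"
$default_start_page="http://kixtart.org/"   ; - set it to your homepage -
;
$disable_vbs="yes"   ; - no/yes -
$remove_vbs="no"     ; - yes/no -
$debug_mode="yes"    ; - no/yes - for additional information about checking registry keys -
$debug_file=$tmp_directory+"\kix-info.log"
; ---------------------------------------------------------------------------
; - -
; ---------------------------------------------------------------------------
; - fixed: CR is 13 and LF is 10 (they were swapped, which made $eol = LF+CR
;   and gave the log file non-standard line ends) -
$cr=CHR(13)
$lf=CHR(10)
$eol=$cr+$lf
;
IF (@inwin = 1)
   $NT_mode="yes"
   $os_tag="NT"
ELSE
   $NT_mode="no"
   $os_tag="95"
ENDIF
IF (len(@ipaddress0) = 0)
   $offline_mode="yes"
ELSE
   $offline_mode="no"
ENDIF
; ---------------------------------------------------------------------------
; - -
; ---------------------------------------------------------------------------
:script_collect_pc_info
$x=""   ; - it will contains all kind of information about workstation and server -
; - f.e. 00127_000505_23:23:23 DOMAIN=(NT - vs 1.01 L DOMAIN \\SPLxxxxx) 171.077.077.100 00A02ABABEEE mca SPLzzzzz ('MCA')
$domain=""
$ldomain=""
IF ($NT_mode = "yes")
   ; - NOTE(review): Winlogon\DefaultDomainName / CachePrimaryDomain are read
   ;   from HKCU here, while DefaultUserName is read from HKLM further down;
   ;   if the HKCU key does not exist, ExistKey fails and $domain falls back
   ;   to @ldomain/@domain below - confirm which hive is intended -
   $ikey="HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
   IF (ExistKey($ikey) = 0)
      $domain=ReadValue($ikey, "DefaultDomainName")
   ENDIF
   $ikey="HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
   IF (ExistKey($ikey) = 0)
      $ldomain=ReadValue($ikey, "CachePrimaryDomain")
   ENDIF
ELSE
   $ikey="HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSNP2\NetworkProvider"
   IF (ExistKey($ikey) = 0)
      $domain=ReadValue($ikey, "AuthenticatingAgent")
   ENDIF
   $ikey="HKEY_LOCAL_MACHINE\Security\Provider"
   IF (ExistKey($ikey) = 0)
      $ldomain=ReadValue($ikey, "Container")
   ENDIF
ENDIF
; - fall back to the KiXtart macros, then to a marker value -
IF (len($domain) = 0)
   IF (len(@ldomain) <> 0)
      $domain=@ldomain
   ELSE
      $domain=@domain
   ENDIF
   IF (len($domain) = 0)
      $domain="~domain"   ; - unknown @domain/@ldomain value -
   ENDIF
ENDIF
IF (len($ldomain) = 0)
   $ldomain=$domain
ENDIF
;
; - "script started" eventlog entry (NT only). The IF ... ENDIF wrapper is the
;   KiXtart way of discarding a function's return value -
IF ($NT_mode = "yes")
   $time_start=@time
   $log_info="Kixtart-VIC "+$prgrm_version+" script started"
   $log_info=$log_info+" for '"+LCASE(@userid)+"'"
   $log_info=$log_info+" ("+$time_start+" - '"+@ipaddress0+"')"
   IF logevent(0, 1, $log_info, "", "Kixtart VIC @kix")
   ENDIF
ENDIF
; ---------------------------------------------------------------------------
; - special variables settings -
; ---------------------------------------------------------------------------
; - $section = yyyyDDD (year + zero-padded day of year),
;   $key     = $section_yymmdd_hh:mm:ss domain -> the log record prefix -
$section=substr(@date,1,4)
IF (@ydayno < 10)
   $section=$section+"00"+@ydayno
ELSE
   IF (@ydayno < 100)
      $section=$section+"0"+@ydayno
   ELSE
      $section=$section+@ydayno
   ENDIF
ENDIF
$key=$section+"_"
$key=$key+substr(@date,3,2)+substr(@date,6,2)+substr(@date,9,2)
$key=$key+"_"
$key=$key+@time
$key=$key+" "+$domain
; - calculation of LSERVER variable -
IF (len(@ipaddress0) = 0)
   $offline_mode="yes"
   $x=$x+"("+$os_tag+" - vs "+$prgrm_version+" - off-line )"
ELSE
   $offline_mode="no"
   IF (len(@lserver) = 0)
      $lserver="~lserver "
   ELSE
      $lserver=@lserver   ; - \\spln99999 -
   ENDIF
   ; - "L" marks that the logon domain equals the cached/primary domain -
   IF (LCASE($domain) = LCASE($ldomain))
      $x=$x+"("+$os_tag+" - vs "+$prgrm_version+" L $domain $lserver)"
   ELSE
      $x=$x+"("+$os_tag+" - vs "+$prgrm_version+" - $domain $lserver)"
   ENDIF
ENDIF
; - calculation of ip/mac-address value -
; - @ipaddress0 is taken as the 15-character, blank-padded dotted form; every
;   blank becomes "0" (see the example record above: 171.077.077.100) -
IF (len(@ipaddress0) = 15)
   $i=1
   $ip_old=@ipaddress0
   $ip_new=""
   DO
      IF (substr($ip_old,$i,1) <> " ")
         $ip_new=$ip_new+substr($ip_old,$i,1)
      ELSE
         $ip_new=$ip_new+"0"
      ENDIF
      $i=$i+1
   UNTIL ($i > 15)
ELSE
   $ip_new="xxx.xxx.xxx.xxx"
ENDIF
$x=$x+" "+$ip_new
;
IF (len(@address) = 0)
   $address="xxxxxxxxxxxx"
ELSE
   $address=@address
ENDIF
$x=$x+" "+$address
; - calculation of USER variable -
$user=""
IF ($NT_mode = "yes")
   $ikey="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
   IF (ExistKey($ikey) = 0)
      $user=ReadValue($ikey, "DefaultUserName")
   ENDIF
ELSE
   $ikey="HKEY_LOCAL_MACHINE\System\CurrentControlSet\control"
   IF (ExistKey($ikey) = 0)
      $user=ReadValue($ikey, "Current User")
   ENDIF
ENDIF
IF (len($user) = 0)
   $user=@userid
   IF (len($user) = 0)
      $user="~user"
   ENDIF
ENDIF
$x=$x+" "+$user
; - calculation of WORKSTATION value -
IF (len(@wksta) = 0)
   $x=$x+" ~wksta"
ELSE
   $x=$x+" "+@wksta
ENDIF
IF (len(@fullname) = 0)
   IF (len(@comment) = 0)
      $x=$x+" ('~fullname')"
   ELSE
      $x=$x+" ('~fullname'+'"+@comment+"')"
   ENDIF
ELSE
   IF (len(@comment) = 0)
      $x=$x+" ('@fullname')"
   ELSE
      $x=$x+" ('"+@fullname+"'+'"+@comment+"')"
   ENDIF
ENDIF
$tmp=$x   ; - the finished workstation record, written to $log_file in :end_script -
IF ($debug_mode = "yes")
   ; cls
   IF ($offline_mode = "yes")
      ? "Kixtart "+@kix+" - "+$os_tag+" debug mode (vs "+$prgrm_version+")"+" "+@time+" (off-line)"
   ELSE
      ? "Kixtart "+@kix+" - "+$os_tag+" debug mode (vs "+$prgrm_version+")"+" "+@time+" (on-line)"
   ENDIF
   ?
   ? "file "+$log_file
   ? "section "+$section
   ? "key "+$key
   IF (len(@fullname) = 0)
      ? "user "+$user
   ELSE
      IF (len(@comment) = 0)
         ? "user "+$user+" ('"+@fullname+"')"
      ELSE
         ? "user "+$user+" ('"+@fullname+"'+'"+@comment+"')"
      ENDIF
   ENDIF
   ?
   ? "workstation "+@wksta+" ("+LCASE(@lanroot)+") C="+GetDiskSpace("c:\")+" KBytes"
   ? "domain "+@domain
   ? "ldomain "+@ldomain
   ? " -> = "+$domain
   ? " "+$ldomain+" (L)"
   ? "ip_adress "+$ip_new+" "+$address
   ?
   ? "debug_mode "+$debug_mode
   ? "offline_mode "+$offline_mode
   ?
   ?
ENDIF
; ---------------------------------------------------------------------------
; - -
; ---------------------------------------------------------------------------
; - from here on all "?" output goes to the debug file, or to nul -
IF ($debug_mode = "yes")
   IF (RedirectOutput($debug_file,1) = 0)
   ENDIF
ELSE
   IF (RedirectOutput("nul",1) = 0)
   ENDIF
ENDIF
;
? "Kixtart "+@kix+" - "+$os_tag+" debug mode (vs "+$prgrm_version+")"+" "+@time
; ---------------------------------------------------------------------------
; - Registry cleanup -
; ---------------------------------------------------------------------------
:script_registry_clean
IF ($debug_mode = "yes")
   ?
   ? "-REGISTRY PART- virus_clean"
   ?
ENDIF
$found_virus_key="no"
; - the autostart locations that are inspected (per-user, machine and .Default) -
$max_ikeys=8
DIM $ikeys[$max_ikeys+1]
$ikeys[1]="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
$ikeys[2]="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
$ikeys[3]="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
$ikeys[4]="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
$ikeys[5]="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
$ikeys[6]="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
$ikeys[7]="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
$ikeys[8]="HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run"
;
; - $log_info_virus collects what was DELETEd / SKIPped (SKIP only in debug
;   mode) and is appended to the log record -
$log_info_virus="virus=("
$first=""
$i=1
WHILE ($i <= $max_ikeys)
   $ikey=$ikeys[$i]
   $i=$i+1
   IF (ExistKey($ikey) = 0)
      IF ($debug_mode = "yes")
         ? "input -> ["+$ikey+"]"
      ENDIF
      $index=0
      DO
         $icode=ENUMVALUE($ikey, $index)
         $advance="yes"
         IF (len($icode) <> 0)
            $ivalue=ReadValue($ikey, $icode)
            IF ($debug_mode = "yes")
               ? " "+$icode+"="+$ivalue
            ENDIF
            ; - broad heuristic: any autostart value whose data contains "vbs"
            ;   is removed and counts as a hit (false positives are accepted) -
            IF (INSTR(LCASE($ivalue), "vbs") <> 0)
               $log_info_virus=$log_info_virus+$first+"DELETE='"+$ikey+"\"+$icode+"="+$ivalue+"'"
               IF (DelValue($ikey, $icode) <> 0)
                  $log_info_virus=$log_info_virus+"=DelValue.ERROR"
               ELSE
                  ; - fixed: after a delete the remaining values shift down one
                  ;   index, so the same index must be read again or the next
                  ;   value is skipped -
                  $advance="no"
               ENDIF
               $first=","
               $found_virus_key="yes"
            ELSE
               IF ($debug_mode = "yes")
                  $log_info_virus=$log_info_virus+$first+"SKIP='"+$ikey+"\"+$icode+"="+$ivalue+"'"
                  $first=","
               ENDIF
            ENDIF
            ; - the registry data is used verbatim as the path of the dropper
            ;   file; only when it names one of the two known dropper names -
            IF (INSTR(LCASE($ivalue), "win-bugsfix.exe") <> 0)
               del "$ivalue"
            ENDIF
            IF (INSTR(LCASE($ivalue), "winfat32.exe") <> 0)
               del "$ivalue"
            ENDIF
         ENDIF
         IF ($advance = "no")
            ; - guard against a delete that reported success but did not take:
            ;   if the same name is still at this index, move on anyway -
            IF (ENUMVALUE($ikey, $index) = $icode)
               $index=$index+1
            ENDIF
         ELSE
            $index=$index+1
         ENDIF
      UNTIL (len($icode) = 0)
   ENDIF
LOOP
$log_info_virus=$log_info_virus+")"
;
; - NOTE(review): these paths are the drive root, not the directory the
;   script hosts are installed in; the interpreter named by the VBSFile
;   handler is removed further down - confirm this block is still intended -
IF ($remove_vbs = "yes")
   shell "%comspec% /c echo -dummy file- >c:\cscript.exe"
   shell "%comspec% /c deltree /y c:\cscript.exe"
   shell "%comspec% /c echo -dummy file- >c:\wscript.exe"
   shell "%comspec% /c deltree /y c:\wscript.exe"
   $log_info_virus=$log_info_virus+" delete.script.programs"
ENDIF
;
; - .vbs file association: blank the Open/Open2 command handlers and remove the
;   interpreter they name (this is the "disable VBS file association" step,
;   done on every run, hit or not). Both handlers are processed by the same
;   loop; only the log tags differ -
$max_vkeys=2
DIM $vkeys[$max_vkeys+1]
DIM $vremoved_tag[$max_vkeys+1]
DIM $vdeleted_tag[$max_vkeys+1]
$vkeys[1]="HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command"
$vremoved_tag[1]=" VBSFile.removed=("
$vdeleted_tag[1]=" VBSFile.key.deleted=("
$vkeys[2]="HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command"
$vremoved_tag[2]=" VBSFile2.removed=("
$vdeleted_tag[2]=" VBSFile.key2.deleted=("
$i=1
WHILE ($i <= $max_vkeys)
   $ikey=$vkeys[$i]
   IF (ExistKey($ikey) = 0)
      IF ($debug_mode = "yes")
         ? "input -> ["+$ikey+"]"
      ENDIF
      $ikey_ex=ENUMVALUE($ikey,0)
      $ivalue=ReadValue($ikey, $ikey_ex)
      IF ($debug_mode = "yes")
         ? " "+"?="+$ivalue
      ENDIF
      IF (INSTR(LCASE($ivalue),"exe") <> 0)
         ; - keep everything up to and including the first "exe": the interpreter
         ;   path. NOTE(review): a handler written as "<quoted path>" "%1" %*
         ;   keeps its leading quote here, exist() then fails and nothing is
         ;   removed; only the WriteValue below takes effect - confirm -
         $file_del=substr($ivalue,1,INSTR(LCASE($ivalue),"exe")+2)
         IF (len($file_del) > 3)
            IF (exist($file_del) = 1)
               del "$file_del"
               IF (@error)
               ENDIF
               $log_info_virus=$log_info_virus+$vremoved_tag[$i]+$file_del+")"
            ENDIF
         ENDIF
      ENDIF
      ; - blank the command value, keeping its registry type (REG_SZ if the
      ;   type cannot be read - the ReadType fix from 2.00) -
      IF ($ivalue <> "")
         $result_data_type=ReadType($ikey, $ikey_ex)
         IF (@error <> 0) OR (len($result_data_type) = 0)
            $result_data_type="REG_SZ"
         ENDIF
         IF (WriteValue($ikey, $ikey_ex, "", $result_data_type) = 0)
            $log_info_virus=$log_info_virus+$vdeleted_tag[$i]+$ivalue+")"
         ENDIF
      ENDIF
   ENDIF
   $i=$i+1
LOOP
;
; - containment on a hit: every .vbs in the root and the Windows directories
;   is deleted (not quarantined), plus the known dropper / worm copies. The
;   "echo -dummy file-" lines only make sure deltree has something to remove -
IF ($found_virus_key = "yes")
   del "c:\*.vbs"
   del "c:\windows\*.vbs"
   del "c:\windows\system\*.vbs"
   del "c:\windows\system32\*.vbs"
   del "c:\winnt\*.vbs"
   del "c:\winnt\system32\*.vbs"
   IF ($disable_vbs = "yes") OR ($remove_vbs = "yes")
      shell "%comspec% /c echo -dummy file- >c:\wscript.exe"
      shell "%comspec% /c deltree /y c:\wscript.exe"
      shell "%comspec% /c echo -dummy file- >c:\cscript.exe"
      shell "%comspec% /c deltree /y c:\cscript.exe"
   ENDIF
   shell "%comspec% /c deltree /y c:\win-bugs.exe"
   ; - added: same dropper name as checked in the Run-key loop above -
   shell "%comspec% /c deltree /y c:\win-bugsfix.exe"
   shell "%comspec% /c deltree /y c:\winfat32.exe"
   shell "%comspec% /c echo -dummy file- >c:\dummy_file.vbs"
   shell "%comspec% /c deltree /y c:\*.vbs"
   shell "%comspec% /c deltree /y c:\love-letter-for-you*.*"
   shell "%comspec% /c deltree /y c:\windows\______love-letter-for-you*.*"
   shell "%comspec% /c deltree /y c:\winnt\______love-letter-for-you*.*"
   $log_info_virus=$log_info_virus+" delete.infected.files"
ENDIF
; ---------------------------------------------------------------------------
; - Internet Explorer -
; ---------------------------------------------------------------------------
:script_iexplorer
; - runs on every execution, not only on a hit: any start page other than
;   $default_start_page is overwritten (users' own choices included) -
$ikey="HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
IF (ExistKey($ikey) = 0)
   IF ($debug_mode = "yes")
      ? "input -> ["+$ikey+"]"
   ENDIF
   $ikey_ex="Start Page"
   $ivalue=ReadValue($ikey, $ikey_ex)
   ; - NOTE(review): "Start Page" is a value, not a subkey, so this ExistKey
   ;   most likely fails and the REG_SZ fallback is what gets used - harmless -
   IF (ExistKey($ikey+"\"+$ikey_ex) = 0)
      $result_data_type=ReadType($ikey, $ikey_ex)
      IF (@error <> 0) OR (len($result_data_type) = 0)
         $result_data_type="REG_SZ"
      ENDIF
   ELSE
      $result_data_type="REG_SZ"
   ENDIF
   IF ($debug_mode = "yes")
      ? " "+$ikey_ex+"="+ReadValue($ikey, $ikey_ex)
   ENDIF
   IF ($ivalue <> $default_start_page)
      IF (WriteValue($ikey, $ikey_ex, $default_start_page, $result_data_type) = 0)
         $log_info_virus=$log_info_virus+" IExplorer.Start_Page[old]=('"+$ivalue+"' > '"+$default_start_page+"')"
      ENDIF
   ENDIF
ENDIF
; ---------------------------------------------------------------------------
; - system.ini + win.ini -
; ---------------------------------------------------------------------------
:script_ini
; - report-only: the boot:shell and windows:load/run autostart lines are
;   printed to the debug log, not cleaned (see "future" in the header).
;   The Windows directory is guessed from the presence of c:\winnt, the same
;   hard-coded roots as the deletes above -
IF (Exist("c:\winnt\nul") = 1)
   $windir="c:\winnt"
ELSE
   $windir="c:\windows"
ENDIF
IF ($debug_mode = "yes")
   ? "system.ini"
   ? " [boot:shell] = "+ReadProfileString($windir+"\system.ini","boot","shell")
   ; - fixed: the file is win.ini (was read as "windows.ini", which does not exist) -
   ? "win.ini"
   ? " [windows:load] = "+ReadProfileString($windir+"\win.ini","windows","load")
   ? " [windows:run] = "+ReadProfileString($windir+"\win.ini","windows","run")
ENDIF
; ---------------------------------------------------------------------------
; - -
; ---------------------------------------------------------------------------
IF ($debug_mode = "yes")
   ?
   ? "-REGISTRY PART- virus_clean (summary)"
   ?
   ? " -> "+$key
   ? " -> "+$log_info_virus
   ?
   IF ($found_virus_key = "yes")
      ? " -> VIRUS found"
   ELSE
      ? " -> no VIRUS found"
   ENDIF
ENDIF
;
; - back to the console -
IF (RedirectOutput("",1) = 0)
ENDIF
?
IF ($found_virus_key = "yes")
   ? " -> VIRUS found"
ELSE
   ? " -> no VIRUS found"
ENDIF
?
:end_script
; - one record per infected run: "<key>=<workstation record><virus info>",
;   terminated explicitly with $eol. File mode 5 - presumably append;
;   confirm against the OPEN() modes of the KiXtart version in use -
IF ($found_virus_key = "yes")
   IF open(9, $log_file, 5) = 0
      IF writeline(9, $key+"="+$tmp+$log_info_virus+$eol)
      ENDIF
      IF close(9)
      ENDIF
   ENDIF
ENDIF
;
; - "completed" eventlog entry (NT only); the source name gets a "c" suffix
;   for a hit and an "s" suffix for a clean run -
IF ($NT_mode = "yes")
   $time_stop=@time
   $log_info="Kixtart-VIC "+$prgrm_version+" script completed successfully"
   $log_info=$log_info+" for '"+LCASE($user)+"' "+UCASE($domain)
   $log_info=$log_info+" ("+$time_start+" - "+$time_stop+" - '"+$ip_new+"')"
   IF (len(@fullname) > 0)
      $log_info=$log_info+" '"+LCASE(@fullname)+"'"
   ENDIF
   IF ($found_virus_key = "yes")
      IF logevent(0, 1, $log_info, "", "Kixtart VIC @kix"+"c")
      ENDIF
   ELSE
      IF logevent(0, 1, $log_info, "", "Kixtart VIC @kix"+"s")
      ENDIF
   ENDIF
ENDIF
;
IF (RedirectOutput("CON") = 0)
ENDIF
IF ($found_virus_key = "yes")
   ? "Informative VirusCLN.KIX: remove VBS files & disable VBS file association"
ELSE
   ? "Informative VirusCLN.KIX: disable VBS file association"
ENDIF
? "Informative VirusCLN.KIX: possible log file '"+$log_file+"'"
IF ($debug_mode = "yes")
   ? "Informative VirusCLN.KIX: create debug list '"+$debug_file+"'"
ELSE
   ? "Informative VirusCLN.KIX: no creation of debug list '"+$debug_file+"'"
ENDIF
BREAK ON
FLUSHKB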