FYI

I have two scripts: One for the MS Patch and one to remove the virus

code:
; **************************************************************************************************************
; * *
; * This script checks whether security patch Q823980 is installed on Windows XP PCs. *
; * If it is not, the patch is installed. *
; * Whatever the script finds is logged. *
; * *
; * 14/08/2003 - Co *
; * *
; **************************************************************************************************************

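; Checks whether security patch Q823980 is present on a Windows XP Professional
; workstation, starts the installer from the update share when it is not, and
; appends what was found to a per-workstation log file on the log share.
;
; Review notes:
; - The installer runs from a network share in the context of the logged-on
;   user. It can only succeed when that user has administrative rights (@PRIV
;   is logged so this can be checked afterwards). The share should be read-only
;   for ordinary users, because every workstation executes what it finds there.
; - The original conditions tested $CSD, which is not assigned anywhere in this
;   script (the service-pack macro is @CSD). The two install branches differed
;   only in which patched Rpcrt4.dll version they expected, so they are merged
;   into one test against both patched versions.
; - The log row used to be written whether or not the installer succeeded. The
;   exit code of the Shell command is now recorded in an extra last column.
$srv='\\server\log$\Q823980\'+@wksta+'.txt'
If @INWIN=1

    ; Mode 5 = create if missing (1) + open for write (4), as in the original.
    ; Assigning the return value keeps it from being echoed to the console.
    $nul=Open(1,$srv,5)
    ; Column header. The tab between 'NT Version' and 'Mac Address' was missing,
    ; which shifted every later column by one.
    $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT Version'+Chr(9)+'Mac Address'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(9)+'RPC Version'+Chr(9)+'Install exit code'+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)

    Dim $KBPath,$RPCver,$rc
    $KBPath='\\server\updates\Q823980.exe'
    ; Product version of the RPC runtime; the patched builds are matched below.
    $RPCver=GetFileVersion('%windir%\system32\Rpcrt4.dll', 'Productversion')

    Select

    ; Not patched: Rpcrt4.dll is neither of the two patched versions and the
    ; hotfix registry key is absent.
    Case @ProductType='Windows XP Professional' and $RPCver <> '5.1.2600.109' and $RPCver <> '5.1.2600.1230' and not KeyExist('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB823980')

        Shell '%comspec% /c $KBPath'
        ; Capture the exit code immediately, before another call overwrites @ERROR.
        $rc=@ERROR
        $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(9)+$RPCver+Chr(9)+$rc+Chr(13)+Chr(10)
        $nul=WriteLine(1,$logdata)

    ; Already patched. The parentheses make the intended grouping explicit:
    ; XP Professional AND (either patched version).
    Case @ProductType='Windows XP Professional' and ($RPCver = '5.1.2600.109' or $RPCver = '5.1.2600.1230')
        $logdata=@Wksta+Chr(9)+'Q823980 is reeds geinstalleerd'+Chr(13)+Chr(10)
        $nul=WriteLine(1,$logdata)

    EndSelect
EndIf
; Label kept from the original; nothing in the visible script jumps to it.
:end
$nul=Close(1)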


code:
; **************************************************************************************************************
; * *
; * This script checks whether the W32.Blaster virus or one of its variants is present on Windows XP PCs. *
; * If it is, the virus is removed. *
; * If the script finds the virus, this is logged. *
; * *
; * 14/08/2003 - Co *
; * *
; **************************************************************************************************************



; Name of the Windows system directory: "system" on Windows 9x (@INWIN = 2),
; "system32" otherwise.
If @inwin = 2
    $sys='system'
Else
    $sys='system32'
EndIf

; Per-workstation log file on the central log share.
$srv='\\server\log$\msblast\'+@wksta+'.log'


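; Removes the "Windows auto update" autostart value from HKLM\...\Run when it is
; present and records the outcome in the workstation log.
;
; Review notes:
; - Only the value name "Windows auto update" is checked; a variant that
;   registers under another name is not covered by this block.
; - The original wrote "is verwijderd" (has been removed) before calling
;   DelValue and never looked at its result. The delete now runs first and the
;   log line reflects whether it succeeded.
; - $reg holds the command the Run value pointed to; logging it would record
;   which binary had been registered.
$reg = readvalue("HKLM\Software\Microsoft\Windows\currentVersion\Run","Windows auto update")
If @error = 0
    ; DelValue returns 0 on success, otherwise an error code.
    $rc=DelValue("HKLM\Software\Microsoft\Windows\currentVersion\Run","Windows auto update")
    If $rc = 0
        $actie='Regkey Windows auto update is verwijderd'+Chr(13)+Chr(10)
    Else
        ; "could not be removed (error N)"
        $actie='Regkey Windows auto update kon niet worden verwijderd (fout '+$rc+')'+Chr(13)+Chr(10)
    EndIf

    ; Assigning the return value keeps it from being echoed to the console.
    $nul=Open(1,$srv,5)
    ; Column header; the tab between 'NT' and 'Mac' was missing in the original.
    $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $nul=WriteLine(1,$actie)

    $nul=Close(1)
Endif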

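; Cleans up msblast.exe in the Windows system directory and logs the outcome.
;
; Review notes:
; - The original logged "is verwijderd" (has been removed) before the cleanup
;   ran and never verified it. The cleanup now runs first, the file is checked
;   again, and the log line says whether it is really gone (a running process
;   can keep the file locked, so Del may fail).
; - RESOLVE.COM is executed from the update share; that share should be
;   read-only for ordinary users.
If exist("%windir%\$sys\msblast.exe")<>0
    ; Presumably the Sophos cleanup tool for this worm; its output and exit
    ; status are discarded, so the Exist check below is the only verification.
    Shell "%COMSPEC% /e:1024 /c \\server\Updates\Sophos\RESOLVE.COM -DF=BLASTERA.DAT -NOC > nul"
    del "%windir%\$sys\msblast.exe"

    If exist("%windir%\$sys\msblast.exe")<>0
        ; "could not be removed"
        $actie='msblast.exe kon niet worden verwijderd'+Chr(13)+Chr(10)
    Else
        $actie='msblast.exe is verwijderd'+Chr(13)+Chr(10)
    EndIf

    ; Assigning the return value keeps it from being echoed to the console.
    $nul=Open(1,$srv,5)
    $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $nul=WriteLine(1,$actie)

    $nul=Close(1)
Endif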

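; Cleans up teekids.exe in the Windows system directory and logs the outcome.
;
; Review notes:
; - The original logged "is verwijderd" (has been removed) before the cleanup
;   ran and never verified it. The cleanup now runs first, the file is checked
;   again, and the log line says whether it is really gone (a running process
;   can keep the file locked, so Del may fail).
; - RESOLVE.COM is executed from the update share; that share should be
;   read-only for ordinary users.
If exist("%windir%\$sys\teekids.exe")<>0
    ; Presumably the Sophos cleanup tool for this worm; its output and exit
    ; status are discarded, so the Exist check below is the only verification.
    Shell "%COMSPEC% /e:1024 /c \\server\Updates\Sophos\RESOLVE.COM -DF=BLASTERA.DAT -NOC > nul"
    del "%windir%\$sys\teekids.exe"

    If exist("%windir%\$sys\teekids.exe")<>0
        ; "could not be removed"
        $actie='teekids.exe kon niet worden verwijderd'+Chr(13)+Chr(10)
    Else
        $actie='teekids.exe is verwijderd'+Chr(13)+Chr(10)
    EndIf

    ; Assigning the return value keeps it from being echoed to the console.
    $nul=Open(1,$srv,5)
    ; Column header; the tab between 'Mac' and 'IPAddress' was missing in the original.
    $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $nul=WriteLine(1,$actie)

    $nul=Close(1)
Endif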

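; Cleans up penis32.exe in the Windows system directory and logs the outcome.
;
; Review notes:
; - The original logged "is verwijderd" (has been removed) before the cleanup
;   ran and never verified it. The cleanup now runs first, the file is checked
;   again, and the log line says whether it is really gone (a running process
;   can keep the file locked, so Del may fail).
; - RESOLVE.COM is executed from the update share; that share should be
;   read-only for ordinary users.
If exist("%windir%\$sys\penis32.exe")<>0
    ; Presumably the Sophos cleanup tool for this worm; its output and exit
    ; status are discarded, so the Exist check below is the only verification.
    Shell "%COMSPEC% /e:1024 /c \\server\Updates\Sophos\RESOLVE.COM -DF=BLASTERA.DAT -NOC > nul"
    del "%windir%\$sys\penis32.exe"

    If exist("%windir%\$sys\penis32.exe")<>0
        ; "could not be removed"
        $actie='penis32.exe kon niet worden verwijderd'+Chr(13)+Chr(10)
    Else
        $actie='penis32.exe is verwijderd'+Chr(13)+Chr(10)
    EndIf

    ; Assigning the return value keeps it from being echoed to the console.
    $nul=Open(1,$srv,5)
    $logdata='Workstation'+Chr(9)+'OS'+Chr(9)+'Build'+Chr(9)+'SP'+Chr(9)+'NT'+Chr(9)+'Mac'+Chr(9)+'IPAddress'+Chr(9)+'UserID'+Chr(9)+'Full Name'+Chr(9)+'privilege level'+Chr(9)+'day'+Chr(9)+'date'+Chr(9)+'Time'+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $logdata=@Wksta+Chr(9)+@ProductType+Chr(9)+@Build+Chr(9)+@CSD+Chr(9)+@Dos+Chr(9)+@Address+Chr(9)+@IPADDRESS0+Chr(9)+@UserID+Chr(9)+@FullName+Chr(9)+@priv+Chr(9)+@day+Chr(9)+@date+Chr(9)+@Time+Chr(13)+Chr(10)
    $nul=WriteLine(1,$logdata)
    $nul=WriteLine(1,$actie)

    $nul=Close(1)
Endif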





Co