worm fix (was Re: ILOVEYOU)
Peter Samuelson
peter at cadcamlab.org
Thu May 4 20:15:08 GMT 2000
[Ryan Yagatich <ryagatich at csn1.com>]
> Here's how to remove it.
>
> Delete it from Outlook.
>
> Run the registry editor by typing regedit at the Run menu.
>
> Go to "HKLM\Software\Microsoft\Windows\Current Version\Run" and delete the MSKernel32.vbs link.
> Then go to "HKLM\Software\Microsoft\Windows\Current Version\Run Services" and delete the Win32DLL.vbs link.
Oh, don't do that. Not if you have more than half a dozen computers.
Try this, from Unix. May require Samba-TNG. (Thank you, Samba Team!)
Note that it doesn't delete hkcu\software\ms\ie\main\start page.
That wouldn't work unless you use the same username as whoever is on
the console. Getting the right hkey_users\* from a script is left as
an exercise for the reader. (Hint: run rpcclient, grep for S-1-, then
run rpcclient again.)
Peter
#!/bin/sh
# Usage: cleanlove.sh MACHINE DOMAIN [USERNAME [PASSWORD]]
# Removes the worm's dropped files and its Run/RunServices autostart
# values from a remote NT box over SMB and RPC (Samba-TNG rpcclient syntax).
machine=$1
domain=$2
if [ -z "$machine" ] || [ -z "$domain" ]; then
    echo "usage: $0 machine domain [username [password]]" >&2
    exit 1
fi
if [ -n "$3" ]; then
    username=$3
else
    username=Administrator
fi
if [ -n "$4" ]; then
    password=$4
else
    # Prompt without echoing; restore echo and end the line afterwards.
    stty -echo; printf '%s\\%s password: ' "$machine" "$username"; read -r password; stty echo; echo
fi
# admin$ maps to %SystemRoot%, so win32dll.vbs lives in the Windows
# directory and the other two copies in system32.
smbclient "//$machine/admin\$" -W "$domain" -U "${username}%${password}" -c '
del win32dll.vbs;
cd system32;
del mskernel32.vbs;
del love-letter-for-you.txt.vbs;
'
# Remove the autostart values the worm added under HKLM.
rpcclient -S "$machine" -W "$domain" -U "${username}%${password}" -c '
regdeleteval "hkey_local_machine\software\microsoft\windows\currentversion\run\mskernel32";
regdeleteval "hkey_local_machine\software\microsoft\windows\currentversion\runservices\win32dll";
regdeleteval "hkey_local_machine\software\microsoft\windows\currentversion\run\win-bugsfix";
quit;
'
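Before deleting anything across a fleet, it helps to first find out which machines actually carry the worm's files. The script below is an added example, not Peter's code and not part of the original post: it parses an smbclient "dir" listing for the three file names named above (win32dll.vbs in the Windows directory, mskernel32.vbs and love-letter-for-you.txt.vbs in system32) and reports each host as infected or clean. It assumes smbclient is on PATH and that a space-separated list of hostnames is supplied in the MACHINES environment variable; the sample listing embedded in it is constructed and its file sizes and dates are made up.

```shell
#!/bin/sh
# Added example: read-only fleet check for the worm's dropped files.
# Assumes smbclient on PATH; MACHINES, DOMAIN and CRED are set by the caller.

# Print, one per line and lower-cased, the worm file names that appear in
# an smbclient "dir" listing passed as $1. Prints nothing if none appear.
worm_files_in_listing() {
    printf '%s\n' "$1" \
        | tr 'A-Z' 'a-z' \
        | grep -o -E 'win32dll\.vbs|mskernel32\.vbs|love-letter-for-you\.txt\.vbs' \
        | sort -u
}

# Query one host over admin$ (%SystemRoot%) and system32, then classify it.
# Returns 0 if any worm file was listed, 1 otherwise. CRED is USER%PASSWORD.
check_host() {
    host=$1; domain=$2; cred=$3
    listing=$(smbclient "//$host/admin\$" -W "$domain" -U "$cred" \
        -c 'dir win32dll.vbs; cd system32; dir mskernel32.vbs; dir love-letter-for-you.txt.vbs' 2>/dev/null)
    found=$(worm_files_in_listing "$listing")
    if [ -n "$found" ]; then
        echo "$host: INFECTED ($(printf '%s' "$found" | tr '\n' ' '))"
        return 0
    fi
    echo "$host: clean"
    return 1
}

# Constructed sample listing (shape of smbclient dir output; values invented).
SAMPLE_LISTING='  MSKernel32.vbs                      A    10000  Thu May  4 09:12:00 2000
  LOVE-LETTER-FOR-YOU.TXT.vbs         A    10000  Thu May  4 09:12:00 2000
  WIN32DLL.vbs                        A    10000  Thu May  4 09:12:00 2000

                65535 blocks of size 4096. 12345 blocks available'

# Constructed listing of a clean system32 directory.
CLEAN_LISTING='  kernel32.dll                        A   700000  Fri Apr 21 10:00:00 2000
  ntoskrnl.exe                        A   900000  Fri Apr 21 10:00:00 2000

                65535 blocks of size 4096. 12345 blocks available'

# Offline demonstration on the constructed listings.
echo "sample listing matches:"; worm_files_in_listing "$SAMPLE_LISTING"
echo "clean listing matches:";  worm_files_in_listing "$CLEAN_LISTING"

# Live run only when the caller supplies hosts (e.g. MACHINES="pc1 pc2").
if [ -n "$MACHINES" ]; then
    for h in $MACHINES; do
        check_host "$h" "${DOMAIN:-WORKGROUP}" "${CRED:-Administrator%}"
    done
fi
```

Run it once with MACHINES set to get an infected/clean line per host, then feed only the infected hosts to the cleanup script; the `dir` commands do not modify anything on the target, so the check can be repeated after cleanup to confirm the files are gone.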