WARNING - Love Letter Virus alert!
Peter Samuelson
peter at cadcamlab.org
Fri May 5 01:13:23 GMT 2000
[Seth Vidal <skvidal at phy.duke.edu>]
> could that script be reposted
> I missed it.
Sure. This iteration, while still a kludge, is much more sophisticated
than the kludge I posted a few hours ago. Requires:
- Samba-TNG `rpcclient' in your path (not necessarily *installed*, per se)
- GNU findutils ("find -print0 | xargs -0")
- Linux with smbfs and a somewhat recent smbmount
- NT clients, with the default administrative shares ADMIN$, C$, etc.
Peter
#!/bin/sh
#
# ILOVEYOU-REMOVE by Peter Samuelson <peter at cadcamlab.org>, 3 May 2000
# with contributions by other NIAR admin staff
#
# HOW TO RUN: run this with computer names on the command line.
# Change the next couple lines to reflect your domain and domain admin account
# (usually "Administrator").
#
# Theory of operation:
#   - removes winnt\win32dll.vbs,
#             winnt\system32\mskernel32.vbs,
#             winnt\system32\love-letter-for-you.txt.vbs
#
#   - removes registry values:
#       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSKernel32
#       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
#       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\win32dll
#
#   - attempts to reset the MSIE start page for the current user:
#       HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
#     NOTE that this only affects the current-logged-in user.
#     If any other users have logged on and been hit on this machine,
#     they will still have the bogus page in their profile.
#     You might think about just removing everyone's profile....
#
#   - attempts to remove every 10-kilobyte *.vbs on drives C, D, E and F
#     You may wish to edit this part.
#     BE CAREFUL if you have a lot of legitimate VBScript.

if [ -z "$1" ]; then
    echo >&2 "usage: $0 machine1 machine2 ..."
    exit 1
fi

domain=niar
user=Administrator

# Read the domain admin password without echoing it to the terminal.
stty -echo
echo -n "$domain\\$user password: "
read pass
echo ""
stty echo

# Noisy output from rpcclient/smbclient/mount goes to a log file on fd 4.
exec 4> /tmp/$(basename $0).log

for machine in "$@"; do
    echo "====================== $machine ======================="

    # We can't use HKEY_CURRENT_USER directly, because, well, we just can't.
    # We *can* go through HKEY_USERS.  Here we enumerate it...
    echo -n "Current user(s) ... "
    sids=$(rpcclient -S $machine -W $domain -U ${user}%${pass} \
        -c 'regenum hkey_users; quit;' |
        awk '/S-1-5-21/ { print $1 }')
    echo $sids

    echo -n "Blowing away major culprits ... "
    # the ADMIN$ share is normally NT's \WINNT directory.
    smbclient //$machine/admin\$ -W $domain -U ${user}%${pass} -c '
        del win32dll.vbs;
        cd system32;
        del mskernel32.vbs;
        del love-letter-for-you.txt.vbs;
    ' >&4 2>&4
    echo "done."

    # Registry diddling.
    echo -n "Frobbing registry ... "
    # Build one regcreateval per user SID found above.  Start from an empty
    # list on every machine, so SIDs collected from the previous machine are
    # not replayed against this one.
    creates=
    for sid in $sids; do
        creates="$creates
        regcreateval \"hkey_users\\$sid\\Software\\Microsoft\\Internet Explorer\\main\\Start Page\" 1 \"http://www.niar.twsu.edu/\";"
    done
    rpcclient -S $machine -W $domain -U ${user}%${pass} -c '
        regdeleteval "hkey_local_machine\software\microsoft\windows\currentversion\run\mskernel32";
        regdeleteval "hkey_local_machine\software\microsoft\windows\currentversion\runservices\win32dll";
        regdeleteval "hkey_local_machine\software\microsoft\windows\currentversion\run\win-bugsfix";
        '"$creates"'
        quit;
    ' >&4 2>&4
    echo "done."

    # Try to mount the C$, D$, E$ and F$ shares in search of VBScript to destroy.
    # This part of the script is fragile.  It frequently fails, with poor
    # diagnostics.  Blame smbfs, and maybe the design of smbmount.
    mkdir -p /tmp/winmnt
    for dr in C D E F; do
        echo -n "Mounting //$machine/$dr\$ ... "
        if mount -t smbfs -o "workgroup=$domain,username=$user,password=$pass" \
            //$machine/$dr\$ /tmp/winmnt >&4 2>&4; then
            echo "done."
            echo -n "Deleting suspect VBS files ... "
            # The outer \( ... \) makes -print0 apply to both branches.  Without
            # it, find's implicit -a binds tighter than -o, and only the
            # WIN-BUGSFIX.EXE matches would ever reach xargs.
            find /tmp/winmnt \( \( -name '*.[Vv][Bb][Ss]' -size 10k \) \
                -o -name WIN-BUGSFIX.EXE \) -print0 2>&- | xargs -0 rm -fv
            echo "done."
            umount /tmp/winmnt 2>&4
        else
            echo "FAILED."
        fi
    done
done
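The file-hunting part of the script above deletes on sight. As an added example (editor's code, not part of Peter's post or of Samba), here is a dry-run scanner for the same file indicators that only reports what it would remove, so the list can be reviewed before anything is touched. It is pointed at a local directory that stands in for a mounted C$ share (assumption: the share has already been mounted or copied there); the sample tree it builds for a stand-alone run is constructed, not real infection data. Like the original it needs GNU find; the function names `scan_share`, `count_matches` and `make_sample` are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: report ILOVEYOU file indicators
# under a directory without deleting anything.

# scan_share DIR: print, one per line, every regular file under DIR that is
#   - one of the three dropped scripts named in the post (matched by name,
#     wherever it sits),
#   - the WIN-BUGSFIX.EXE dropper, or
#   - any *.vbs whose size rounds up to exactly 10 KiB (the post's heuristic).
# The outer \( ... \) is essential: find's implicit -a binds tighter than -o,
# so without it -print would apply to the last branch only.
scan_share() {
    find "$1" -type f \( \
        -iname 'win32dll.vbs' \
        -o -iname 'mskernel32.vbs' \
        -o -iname 'love-letter-for-you.txt.vbs' \
        -o -iname 'win-bugsfix.exe' \
        -o \( -iname '*.vbs' -size 10k \) \
    \) -print
}

# count_matches DIR: number of files scan_share would report for DIR.
count_matches() {
    scan_share "$1" | grep -c .
}

# make_sample: build a constructed directory tree that mimics a share root and
# print its path.  Contents are zero-filled stand-ins, chosen only for their
# names and sizes.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/WINNT/system32" "$dir/Users/alice"
    # named indicator, 10 KiB
    dd if=/dev/zero of="$dir/WINNT/system32/MSKernel32.vbs" bs=1024 count=10 2>/dev/null
    # named indicator, empty: still flagged by name
    : > "$dir/WINNT/Win32DLL.vbs"
    # dropper name, outside WINNT
    : > "$dir/Users/alice/WIN-BUGSFIX.EXE"
    # unknown name, 10 KiB: flagged by the size heuristic only
    dd if=/dev/zero of="$dir/Users/alice/unnamed.vbs" bs=1024 count=10 2>/dev/null
    # unknown name, 20 KiB: not flagged
    dd if=/dev/zero of="$dir/Users/alice/legit.vbs" bs=1024 count=20 2>/dev/null
    printf '%s\n' "$dir"
}

# Usage: sh scan.sh /path/to/mounted/share
# With no argument, scan the constructed sample tree and clean it up again.
if [ $# -gt 0 ]; then
    scan_share "$1"
else
    sample=$(make_sample)
    scan_share "$sample"
    rm -rf "$sample"
fi
```

Two caveats worth knowing before trusting the size heuristic: `-size 10k` means "occupies ten 1024-byte units, rounded up", so it matches any file from 9217 through 10240 bytes, not only files of exactly 10240; and a legitimate script of that size is indistinguishable from the worm by this test alone, which is exactly why a review pass is preferable to `xargs rm` on a share full of user data.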