
Friday, January 20, 2006 

CME-24 / Blackworm / Blackmal / Nyxem / MyWife Virus Check

Here's a quick and dirty script that will check for known CME-24 virus files. As this virus does not use any cloaking techniques, this should be an easy way to see if any of your users are affected. The script exits with a normal return code (ERRORLEVEL) if the system is clean and with a return code of 1000 if the system has one of the associated files. We're using this script via SMS to quickly check and validate that our systems are clean.


Begin Code (checkBlackworm.vbs):
' ---------------------------------------------------------
'
' checkBlackworm
'
' Version 1.0
'
' Walt Howd
'
'
' This script will check to see if any of the known files
' for the Blackworm/Nyxem worms are present on the machine.
'
' If the files are found, then the script will exit with
' a custom error level. This can be used in SMS reporting
' to see systems that might be at risk.
'
' ---------------------------------------------------------

' ---------------------------------------------------------
' Initialize variables
' ---------------------------------------------------------
On Error Resume Next
dim objShell, filesys, windir, system32, blackworm_files

Set objShell = WScript.CreateObject("WScript.Shell")
Set filesys = CreateObject("Scripting.FileSystemObject")

windir = objShell.Environment("Process").Item("windir") & "\"
system32 = windir & "system32\"

' ---------------------------------------------------------
' Known Blackworm files
' ---------------------------------------------------------
blackworm_files = Array("rundll16.exe", "scanregw.exe", "update.exe", "winzip.exe", "WINZIP_TMP.exe")

' ---------------------------------------------------------
' Check for files in WINDOWS and SYSTEM32 directories
' ---------------------------------------------------------
For Each file In blackworm_files
    If filesys.FileExists(windir & file) Or filesys.FileExists(system32 & file) Then
        WScript.Quit(1000)
    End If
Next

' ---------------------------------------------------------
' If no files were found, quit with the normal errorlevel
' ---------------------------------------------------------
wscript.quit(0)
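
The script above matches on file name only and exits at the first hit without saying which file triggered it. The variant below is an added example, not part of the original script: it checks the same names in the same two directories, lists every match with its size and last-modified time so a hit can be triaged, and keeps the 1000 / 0 exit codes. Run it under cscript so the output goes to the console; the variable names and the output layout are assumptions of this example.

```vbscript
' Added example (not the original checkBlackworm.vbs): report every match
' before exiting, instead of quitting silently at the first one.
Option Explicit

Dim shell, fso, winDir, folders, names, folder, fileName, path, f, detail, hits

Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

winDir = shell.ExpandEnvironmentStrings("%windir%")
folders = Array(winDir, fso.BuildPath(winDir, "system32"))

' Same file names as the original script
names = Array("rundll16.exe", "scanregw.exe", "update.exe", "winzip.exe", "WINZIP_TMP.exe")

hits = 0
For Each folder In folders
    For Each fileName In names
        path = fso.BuildPath(folder, fileName)
        If fso.FileExists(path) Then
            hits = hits + 1

            ' Reading metadata can fail (for example, access denied).
            ' Handle that locally so the match is still reported.
            On Error Resume Next
            Set f = fso.GetFile(path)
            If Err.Number = 0 Then
                detail = f.Size & " bytes, modified " & f.DateLastModified
            Else
                detail = "metadata unavailable: " & Err.Description
                Err.Clear
            End If
            On Error GoTo 0

            WScript.Echo "MATCH" & vbTab & path & vbTab & detail
        End If
    Next
Next

' Same exit codes as the original: 1000 if anything matched, 0 if clean
If hits > 0 Then
    WScript.Echo hits & " known file name(s) found"
    WScript.Quit 1000
End If

WScript.Echo "No known file names found"
WScript.Quit 0
```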

