Monday, October 10, 2005

Killing off a Virus attached to explorer.exe (i.e. NovArg.m) Windows 2000/XP

Because this nasty virus configures itself to launch when explorer loads, preying on the extensibility of the interface, it can be tricky to remove quickly once it has settled in. I found that in a Corporate/Help Desk scenario, using the remote administration functions can resolve this quickly.
  1. have the user log off the system to the CTRL-ALT-DELETE screen
  2. connect to the system remotely, if necessary using the UNC path \\[computername]\C$\WINNT\SYSTEM32
  3. locate shimgapi.dll, delete it
  4. locate taskmon.exe, delete it
  5. have the user log back in
  6. using regedit locally or remotely (slower), search the affected system for registry keys relating to taskmon.exe and shimgapi.dll

This logic can be applied to many situations, but this was our recent fix. Your first defense is ensuring your virus definitions are up-to-date, though user education is often just as valuable. For more information, research the virus at the Symantec or McAfee web sites. Symantec now has a removal tool; you might want to use that, as it is more thorough.
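The six steps above, consolidated into one CMD script as an added example (not from the original post): it checks one machine for the two files over the C$ share, logs what it finds, and only deletes when CLEAN is passed. The script name, the FoundNovarg log folder and the Run-key query are assumptions; the C:\WINNT layout is the post's.

```batch
@echo off
REM CHK4NOVARG.CMD - added example, not part of the original post.
REM Syntax: CHK4NOVARG computername [CLEAN]
REM Assumes the post's layout (system root C:\WINNT, admin rights on the
REM target); the FoundNovarg log folder and the Run-key check are assumed here.
SET TARGET=%~1
IF "%TARGET%"=="" echo Syntax: CHK4NOVARG computername [CLEAN]&GOTO END
SET SYS32=\\%TARGET%\C$\WINNT\SYSTEM32
SET LOGDIR=FoundNovarg
SET LOG=%LOGDIR%\%TARGET%.txt
SET FOUND=NO

PING -n 1 %TARGET%|FIND /I "Reply from" >NUL
IF ERRORLEVEL 1 echo %TARGET%: not reachable&GOTO END
IF NOT EXIST "%SYS32%\*.*" echo %TARGET%: cannot open C$ share&GOTO END
IF NOT EXIST "%LOGDIR%" MKDIR "%LOGDIR%"

REM Steps 3 and 4: look for the two dropped files over the admin share
FOR %%f IN (shimgapi.dll taskmon.exe) DO (
  IF EXIST "%SYS32%\%%f" (
    echo %TARGET%: found %%f
    echo %DATE% %TIME% found %SYS32%\%%f >> "%LOG%"
    SET FOUND=YES
  )
)

REM Step 6, partly automated: keep any Run value that names either file.
REM The rest of the registry search still happens in regedit.
SET RUNKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG QUERY \\%TARGET%\%RUNKEY% | FIND /I "taskmon" >> "%LOG%"
IF NOT ERRORLEVEL 1 echo %TARGET%: Run key references taskmon&SET FOUND=YES
REG QUERY \\%TARGET%\%RUNKEY% | FIND /I "shimgapi" >> "%LOG%"
IF NOT ERRORLEVEL 1 echo %TARGET%: Run key references shimgapi&SET FOUND=YES

IF "%FOUND%"=="NO" echo %TARGET%: clean&GOTO END
IF /I NOT "%~2"=="CLEAN" echo %TARGET%: detected only, rerun with CLEAN to remove&GOTO END

REM Steps 2-4: delete the files. This only succeeds after step 1 (user logged
REM off), because a logged-in explorer.exe keeps shimgapi.dll loaded.
FOR %%f IN (shimgapi.dll taskmon.exe) DO IF EXIST "%SYS32%\%%f" (
  DEL /F "%SYS32%\%%f" 2>NUL
  IF EXIST "%SYS32%\%%f" (
    echo %TARGET%: %%f still present, is the user logged off?
  ) ELSE (
    echo %DATE% %TIME% deleted %SYS32%\%%f >> "%LOG%"
  )
)
:END
```

Run it first without CLEAN to build the FoundNovarg list, then with CLEAN per machine after the user has logged off.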

Sunday, October 09, 2005

Search and Destroy

The risks posed to the corporate network by the use of MSN Messenger and similar programs are a minefield in your own network. SMS can often detect it, and while SMS does an excellent job of detection, if it's not an option there are other means of detection and destruction using a couple of slightly complex batch files. The following files will find and destroy MSN, though they can be adapted to any file in theory.

I use a couple of PSTools (www.sysinternals.com) to kill it and replace it, though detection is enough with strong backing from management. The process is designed to capture a listing of users. This file will NOT work if the install directory is in a non-standard location, though I go through some effort to find it in a few places. There are a few things you can do to find it through detection using PSList, but only if it's running; PSInfo might work too. I did not use these tools for detection in this application.

DOALLPCS.cmd: This batch file will locate most if not all PCs on the network; it's presumed you would have administrative rights on these PCs. It accepts two parameters: the first is the batch file to run, the second is passed on to that batch file if specified. In this application the batch file specified is the next CMD file, FindMSN. Any ~SPLIT LINE~ tag means the next line is really part of the same line.

@echo off
echo %TIME%: Start
REM One START per machine NET VIEW lists: %1 is the worker batch file, %%a the
REM machine name (leading \\ stripped by delims), BATCH tells the worker to
REM exit when done, and %~2 is passed through as the worker's third parameter
for /F "skip=1 tokens=1 delims=\ " %%a in ('NET VIEW') do START "Checking %%a using %1..." /MIN %1 %%a BATCH %~2
echo %TIME%: End - %1
:end

FindMSN.CMD: This is the worker in this process. It's big and I'll try to document this in a helpful manner.

@echo off
SET KILLSHARE=NO
SET TARGET=%~1
ECHO %TARGET%...

REM Is MSN Messenger registered at all? REG QUERY returns 1 when the value is missing
REG QUERY \\%TARGET%\HKLM\SOFTWARE\Microsoft\MSNMessenger /V InstallationDirectory
IF %ERRORLEVEL% EQU 1 GOTO NOTPRESENT

REM Work out which drive it was installed on
REG QUERY \\%TARGET%\HKLM\SOFTWARE\Microsoft\MSNMessenger /V InstallationDirectory|FIND /I "C:"
IF %ERRORLEVEL% EQU 0 GOTO ONC

REG QUERY \\%TARGET%\HKLM\SOFTWARE\Microsoft\MSNMessenger /V InstallationDirectory|FIND /I "D:"
IF %ERRORLEVEL% EQU 0 GOTO OND

REG QUERY \\%TARGET%\HKLM\SOFTWARE\Microsoft\MSNMessenger /V InstallationDirectory|FIND /I "E:"
IF %ERRORLEVEL% EQU 0 GOTO ONE
REM Unknown drive: stop so it can be looked at (this pause holds a window spawned by DOALLPCS open)
pause
GOTO END

REM Per drive: use the admin share if it exists, otherwise create one with RMTSHARE and remember to remove it at the end
:ONC
echo C Drive
SET LOCATION=\\%TARGET%\C$
ECHO %LOCATION%
IF EXIST %LOCATION%\*.* GOTO DOIT
\\tcint1\apps\ISTOOLS\RMTSHARE %LOCATION%=C:\ | FIND /I "command failed"
IF %ERRORLEVEL% EQU 0 GOTO FAILED
SET KILLSHARE=YES
GOTO DOIT

:OND
echo D Drive
SET LOCATION=\\%TARGET%\D$
IF EXIST %LOCATION%\*.* GOTO DOIT
\\tcint1\apps\ISTOOLS\RMTSHARE %LOCATION%=D:\ | FIND /I "command failed"
IF %ERRORLEVEL% EQU 0 GOTO FAILED
SET KILLSHARE=YES
GOTO DOIT

:ONE
echo E Drive
SET LOCATION=\\%TARGET%\E$
IF EXIST %LOCATION%\*.* GOTO DOIT
\\tcint1\apps\ISTOOLS\RMTSHARE %LOCATION%=E:\ | FIND /I "command failed"
IF %ERRORLEVEL% EQU 0 GOTO FAILED
SET KILLSHARE=YES
GOTO DOIT

:DOIT
ECHO Check Typical Locations...
IF EXIST "%LOCATION%\Program Files\MSN Messenger\*.*" GOTO Found
IF EXIST "%LOCATION%\MSN Messenger\*.*" GOTO Found
echo Not Found
goto end

:Found
echo Found...
REM Record what was found under FoundMSN\<machine>.txt, then kill the running process if there is one
IF NOT exist "FoundMSN" MKDIR "FoundMSN"
echo %1 %DATE% %TIME% >> FoundMSN\%1.txt
REG QUERY \\%TARGET%\HKLM\SOFTWARE\Microsoft\MSNMessenger /V InstallationDirectory >> FoundMSN\%1.txt
echo %LOCATION% >> FoundMSN\%1.txt
dir "%LOCATION%\Program Files\MSN Messenger\*.*" >> FoundMSN\%1.txt
dir "%LOCATION%\MSN Messenger\*.*" >> FoundMSN\%1.txt
pslist \\%TARGET% |FIND /i "msnmsgr" >> FoundMSN\%1.txt
IF %errorlevel% EQU 0 pskill \\%TARGET% msnmsgr

:NOTRUNNING
REM Replace the executable with the stand-in kept at F:\msnmsgr.exe
IF NOT EXIST "%LOCATION%\Program Files\MSN Messenger\msnmsgr.exe" GOTO ALT1
dir "%LOCATION%\Program Files\MSN Messenger\*.*" >> FoundMSN\%1.txt
Xcopy F:\msnmsgr.exe "%LOCATION%\Program Files\MSN Messenger" /Y /I
goto wrapup

:ALT1
IF NOT EXIST "%LOCATION%\MSN Messenger\*.*" GOTO HIDDEN
dir "%LOCATION%\MSN Messenger\*.*" >> FoundMSN\%1.txt
Xcopy F:\msnmsgr.exe "%LOCATION%\MSN Messenger" /Y /I
goto wrapup

:HIDDEN
echo Search for EXEcutable... >> FoundMSN\%1.txt
goto wrapup

:WRAPUP
REM List any files received through Messenger, then notify the user if asked to
if not exist "\\%TARGET%\e$\My Received Files\msnmsgr.exe" goto end
IF NOT EXIST FoundMSN\MRFList MKDIR FoundMSN\MRFList
REM start /min x:\istools\robocopy "\\%TARGET%\e$\My Received Files" FoundMSN\%1_MRF *.* /E /XO /V /ETA
DIR "\\%TARGET%\e$\My Received Files\*.*" >> FoundMSN\MRFList\%1_MRF.TXT
IF "%2"=="NOTIFY" call notify %1 "MSN Messenger"
IF "%3"=="NOTIFY" call notify %1 "MSN Messenger"
goto end

:FAILED
echo Cannot connect to %TARGET%. Aborted.

:end
:NOTPRESENT
REM Remove any share this script created, then exit if spawned by DOALLPCS
IF "%KILLSHARE%"=="YES" RMTSHARE %LOCATION% /d
echo done
IF "%2"=="BATCH" exit

BTW: I don't think this is necessarily the BEST way to do this, it's one way. You may notice I spawn this into many VMs and this can take its toll, but I only need to watch 500-700 PCs. There are ideas you can take from this to do good or evil, please do good. Oh... There's one more batch file I didn't mention... NOTIFY.CMD. This is a wrapped NET SEND to the machine that's been examined. It tells them they're on the list of people that are about to have a very bad day.

This tool is designed to ENSURE that all systems that had received the Microsoft Patches via SMS have been rebooted and/or reported. It uses the DOALLPCS.CMD or DOALLPCS1.CMD which are in Trick 4.

@echo off
SET TARGET=%~1
:: [1]
SET SEARCHID=MSEMF
ECHO Checking Target: %TARGET%...

:: [2]
IF /I "%TARGET%"=="%COMPUTERNAME%" echo Cannot Reboot Self...&goto end

:: [3]
PING -n 1 %target%|find /i "Reply from"
if %errorlevel% EQU 0 goto :checkver
goto END

:: [4]
:checkver
For /F "skip=1 tokens=1,2 delims=:" %%a in ('psinfo \\%TARGET%') do call :SetVars "%%a" "%%b"
IF "%NU_Product type%"=="Server" goto end
IF "%NU_Product type%"=="Professional" goto COI
goto end

:: [5]
:COI
ECHO %TARGET%: %NU_Uptime% >> F:\UPTIME.TXT
SET /A X12=%NU_Uptime:~0,2%
REM IF %X12% EQU 0 echo Not Required...&goto end
:: ---------------------------------------------------
:: PAYLOAD
:: ---------------------------------------------------

:: [6]
:: DETECT FILE - BEGIN
IF NOT EXIST "\\%TARGET%\C$\Program Files\Common Files\Microsoft Shared\Grphflt\MS.EMF" GOTO END
IF NOT EXIST 20051108\*.* MKDIR 20051108
ECHO Found
ECHO FOUND MS.EMF AT %DATE% %TIME% >> 20051108\%TARGET%_%SEARCHID%.LOG
:: DETECT FILE - END

:: [7]
:: REBOOT CODE - the "goto NOREBOOT" below keeps this a dry run; remove it to arm the reboot
goto NOREBOOT
echo g:\istools\shutdown -m \\%target% -t 30 -r -f
g:\istools\shutdown -m \\%target% -t 300 -r -f
ECHO %TARGET%: To Be Rebooted! (%NU_Product type%) >> F:\UPTIME.TXT
:: REBOOT CODE
:NOREBOOT

:: ---------------------------------------------------
:: [8]
:: PAYLOAD
:: ---------------------------------------------------

goto end

:: [9]
:SetVars
SET VAR=%~1
SET VALUE=%~2
REM echo **NU_%W1%**
:TRIMLEAD
IF "%VALUE%"=="" SET VAR=&GOTO :eof
IF "%VALUE:~0,1%"==" " SET VALUE=%VALUE:~1%&goto TrimLead
ECHO %VAR%=%VALUE%
SET NU_%VAR%=%VALUE%
goto :eof

:end
:NOTPRESENT
echo done
color
:: [10]
IF /I "%BATCHMODE%"=="ON" exit

[1] Set this to a different code so it's easy to find the files.
[2] Don't reboot the computer you're running this on.
[3] Check to be sure the target is available.
[4] Check to be sure you're not targeting a server (or are, if you wanna get fired). Calling SetVars ([9]) captures the variables you'll need.
[5] This first checks to see if the system has been rebooted recently; if it has, there is no need to interfere again.
[6] This is the file you're checking for; the test may be more complex than looking at the existence of a file, but it goes here. If you haven't created a place to save the logs, the folder is created (20051108) and the date and time are logged to a file. This is a manner of validation for the process.
[7] While there are a couple of versions of SHUTDOWN.EXE, please make sure your version's parameters are correct. If not time, then embarrassment is saved when you test thoroughly.
[8] This may be additional actions. I haven't used this, but you can deliver files or registry settings here if required.
[9] This is the procedure to capture various settings on your target system. The output of PSINFO.EXE (from sysinternals.com) is processed into environment variables. It also trims leading characters to ensure the data is relatively clean.
[10] This is a catch-all that allows the code to exit if it's shelled from another batch file.

Sunday, January 09, 2005

COMMAND Scripted Tools for Network Administration

This is a very long post, sorry.

The following are tools useful in performing Security or Administrative functions; they consist of Windows 2000 or Windows NT Resource Kit tools wrapped into CMD (batch) files. Please use all due care when connecting to remote systems to minimize impact and risks. You must acquire the Resource Kits on your own.


CMD: Finding a PC on the network.

This uses the NET command to find a machine matching criteria. If you're looking for Bob Jackson's computer (JACKSONB01) you might type 'FINDSYS jack' to return a list. If you do not include a parameter, it will prompt for the partial.

FINDSYS.CMD
@echo off
SET userid=%1
if "%userid%" == "" SET /P userid=Please enter the users ID or partial:
net view | find /I "%userid%" > %temp%\finduser.txt
start notepad %temp%\finduser.txt

CMD: Creating a User's Network Drive (F:)

This tool was created because the administrative function of creating an F Drive takes time best spent doing other things. The user must already exist, but after the creation of the user, this process takes only seconds and can be given to anyone with authority to resolve problems or oversights.

CREATEF.CMD
@echo off
IF "%1" == "" GOTO SYNTAX
IF "%2" == "" GOTO SYNTAX
REM showgrps prints "Invalid User Specified" for an unknown account; FIND returns 1 when that text is absent
showgrps tcidmnnt\%1 | FIND /i "Invalid User Specified"
IF ERRORLEVEL 1 goto userfound
goto nouser
:userfound
mkdir \\servername\f$\users\%1
REM NTFS: the user gets Full control; the share is open to Everyone, so the NTFS ACL is what actually restricts access
cacls \\servername\f$\users\%1 /E /G %1:F
rmtshare \\servername\%1=f:\users\%1 /GRANT everyone:"Full Control" /REMARK:"by %username% on V#:%2"
DATE /T >> "\\servername\userdata\support\FDRIVE.LOG"
TIME /T >> "\\servername\userdata\support\FDRIVE.LOG"
echo Create F: Drive: %2 %1 >> "\\servername\userdata\support\FDRIVE.LOG"
echo Done.
showacls \\servername\f$\users\%1
goto end
:SYNTAX
echo Please use syntax: createf.cmd userid ticket#
goto end
:nouser
echo ERROR: User (%1) not found.
goto end
:end
pause

This tool can be used from Start.Run or the command line and will create the F drive for a new user. You may need to wait a 1/2 hour for the server to know who the new user is after creation. The syntax is 'CREATEF userid 00000' where 00000 is the Help Desk Ticket number. This requires Domain Admin or equivalent rights on the server and access to the following NT Resource Kit tools: cacls.exe, rmtshare.exe, showgrps.exe

CMD: Make Remote Shares

Occasionally I need to access a system that does not have the default shares (C$, D$, etc.). To make the connection process simple, MKSHARES.CMD will establish the shares temporarily (until the next re-boot). The syntax is 'MKSHARES computername'. Some machines do not have a D:, E:, or Y: drive, but the drives that do exist are created.

MKSHARES.CMD
@echo off
rmtshare \\%1\c$=c:\
rmtshare \\%1\d$=d:\
rmtshare \\%1\e$=e:\
rmtshare \\%1\y$=y:\

F Drive Clean Up Tool.

This is a tool designed to let you find those old and unused folders of users long gone. It checks the 'Domain Users' membership and reports the folders that don't exist as accounts.

KLEENUP.CMD
@echo off
Title F Drive Kleen-Up
echo Querying Domain...
echo Folders without Users > fldrlist.txt
REM Members of Domain Users, minus machine accounts (names ending in $), sorted into %TEMP%\DOMAINU.TXT
showmbrs "tcidmnnt\domain users" | FIND /V "$" | SORT /O %TEMP%\DOMAINU.TXT
echo Checking F Drives...
dir \\servername\f$\users /a:d /b > %TEMP%\usrfldrs.txt
echo Analyzing...
for /f %%u in (%TEMP%\usrfldrs.txt) do call chk4usr %%u
cls
start notepad fldrlist.txt
start \\servername\f$\users

CHK4USR.CMD
@echo off
REM Substring match: a folder name contained in any user ID counts as found
type %TEMP%\DOMAINU.TXT| FIND /I "%1"
IF ERRORLEVEL 1 GOTO NOTFOUND
GOTO END
:NOTFOUND
echo %1 (Extra Folder)
echo %1 >> fldrlist.txt
GOTO END
:END

CMD: Checking a Remote Computer for Welchia Virus

This is more for virus hunting. When checking a remote machine that has been acting like a host to the Welchia virus, this tool will help determine the virus' presence in a non-invasive manner. Once the presence has been determined, the removal can proceed through remote control and/or manual removal. The NT Resource Kit tool rmtshare.exe is needed for this to work; please ensure it is in the SystemRoot folder. The tags 'found1' and 'found2' represent different strains of Welchia, the latest hitting mid-February.

CHK4WELCHIA.CMD
@echo off
REM %1 is \\computername; a temporary share on system32 is used so C$ need not exist
rmtshare %1\welchia$=c:\winnt\system32
if exist %1\welchia$\wins\*.* goto found1
if exist %1\welchia$\drivers\svchost.exe goto found2
goto end
:found1
dir %1\welchia$\wins\*.*
pause
goto end
:found2
dir %1\welchia$\drivers\svchost.exe
pause
:end
REM Always remove the temporary share again
rmtshare %1\welchia$ /d

Syntax:
CHK4WELCHIA \\computername

Try this Command line:

for /F "skip=1" %a in ('net view') do call CHK4WELCHIA %a

This should search through every machine on your network (that's visible with NET VIEW) and test for Welchia. An alternate and more raw test would be the following:

for /F "skip=1" %a in ('net view') do IF EXIST %a\c$\winnt\system32\drivers\svchost.exe echo %a >> E:\targets.txt

This logs the hunt to a file. Any infected PC is noted and your staff can hunt these systems down and clean them up. The best protection is up-to-date antivirus tools.


Duplicating Rights by Group from one user to another

This is essential to my job as there are moves on a regular basis as rights don't move with people.

@echo off
REM SYNTAX: mirror DONOR RECIPIENT
REM Date stamp for the backup files, yyyy-mm-dd from a US-format %DATE%
FOR /F "tokens=2,3,4 delims=/ " %%a in ('echo %DATE%') do SET DSTAMP=%%c-%%a-%%b
echo Preserving Original Group List for %2...
showgrps DOMAINNAME\%2 > E:\ID_%2_ORIG_%DSTAMP%.TXT
echo Obtaining Mirror List from %1...
showgrps DOMAINNAME\%1 > E:\ID_%2_MIRROR_%1_%DSTAMP%.TXT
echo Clearing Current groups for %2...
REM Each showgrps line is " DOMAINNAME\Group"; only groups in our domain are acted on
for /F "skip=1 tokens=1,2 delims=\" %%s in ('type E:\ID_%2_ORIG_%DSTAMP%.TXT') do (IF "%%s" == " DOMAINNAME" echo Removing %2 from "%%t" & net group "%%t" %2 /DELETE /DOMAIN )
echo Mirroring %1 groups for %2...
for /F "skip=1 tokens=1,2 delims=\" %%s in ('type E:\ID_%2_MIRROR_%1_%DSTAMP%.TXT') do (IF "%%s" == " DOMAINNAME" echo Adding %2 to "%%t" & net group "%%t" %2 /ADD /DOMAIN )

CMD: Connecting to the first available drive letter

Sometimes you NEED to use a drive, can't use a UNC path, must be a drive. So... Here's a trick that might help.

@echo off
CLS
color 2F
echo Initiating SMS Manual Installation...
SET DRIVE=
REM "net use *" reports "Drive X: is now connected to ..."; token 2 is the letter.
REM The three IF NOTs skip the "System error", "The command completed" and "The network name" lines
FOR /F "tokens=2 delims= " %%x in ('net use * \\SERVERNAME\sharename') do IF NOT "%%x"=="error" IF NOT "%%x"=="command" IF NOT "%%x"=="network" echo CONNECTED as %%x&SET DRIVE=%%x
ECHO %DRIVE%
REM DO what you want here...
NET USE %DRIVE% /D /Y

CMD: Opening a weekly report on a single click - UPDATED!!!!

The purpose of this batch file is to look for the last status report (Last-Week/This-Week/Next-Week Report or LTN) and open it. The batch file counts on your date format being English (United States), but this is easily changed to suit your needs. The process is simple and not perfect but somewhat logical. The file system doesn't really care about the date, so we dissect it into parts and assign these to the variables YEAR, MONTH and DAY. If the file isn't dated with today's date then we subtract 1 from the day and try again. If the day reaches 1 then we set the day to 32 and subtract 1 from the month; subtracting 1 from the day again as a matter of logic puts us at 31, and we try again. Even if the month has 28 days, this will still work. The COUNTER variable ensures this doesn't go on forever; I figure 10 is enough as a week is 7 days and the most offset from a month-end (31 vs 28) is 3 days.

When I first wrote this I found it didn't subtract properly... the simple answer is: don't mess up the math with cosmetics. Separate the calculations from adding the leading zeros and all works fine.

This thing was created because I hate having to look for the file and the filename changes every week. Ya... real lazy. I connect it to an icon and can open my target file in a single click. That I like!

OpenLTN.CMD
@echo off
SET DOCPATH=F:\Reports\Weekly
REM US date format "Mon 01/09/2005": tokens 2,3,4 are month, day, year
for /f "tokens=2,3,4,5 delims=/ " %%a in ('date /t') do SET MONTH=%%a&SET DAY=%%b&SET YEAR=%%c
SET COUNTER=0
REM SET /A reads a leading zero as octal, so 08 and 09 are invalid numbers; strip the zero
IF "%DAY%" EQU "08" SET DAY=8
IF "%DAY%" EQU "09" SET DAY=9
IF "%MONTH%" EQU "08" SET MONTH=8
IF "%MONTH%" EQU "09" SET MONTH=9
REM Debugging output; remove these two lines for one-click use
echo *%MONTH%*
pause
REM Start a few days ahead; the loop below walks backwards one day at a time
SET /A DDAY=%DAY%+3
SET /A MONTH=%MONTH%
echo %YEAR%-%MONTH%-%DDAY%
SET /A DDAY=%DDAY% + 1
ECHO %DDAY%
ECHO %MONTH%
echo Begin Search...
:START
SET /A MONTH=%MONTH%+0
SET /A DDAY=%DDAY%+0
REM Day 1 rolls back to day 31 of the previous month (32 minus 1 below)
IF %DDAY% EQU 1 SET DDAY=32
IF %DDAY% EQU 32 SET /A MONTH = %MONTH% - 1
IF %DDAY% GTR 0 SET /A DDAY=%DDAY%-1
SET /A DDAY=%DDAY% * 1

REM Cosmetics kept apart from the math: zero-padded copies for the file name
SET D=%DDAY%
IF %DDAY% LSS 10 SET D=0%DDAY%

SET M=%MONTH%
IF %MONTH% LSS 10 SET M=0%MONTH%

SET /A COUNTER=%COUNTER%+1
IF %COUNTER% EQU 60 GOTO NOTFOUND

echo Checking Date: %YEAR%-%MONTH%-%DDAY% (%YEAR%-%M%-%D%)
if exist "%DOCPATH%\%YEAR%_%M%_%D%.doc" start winword "%DOCPATH%\%YEAR%_%M%_%D%.doc"
if exist "%DOCPATH%\%YEAR%_%M%_%D%.doc" goto end

Goto START

:notfound
echo Can't find the blasted file... sorry.
pause

:end

There is no individual ownership when you are part of a team, it's the sum of the parts that makes you the RESILIENT team you need to be...