So, I wander off to have a look at the system and as I did, I had a strange sense of foreboding, but I shrugged it off - If only I knew ... As I sat down to look at the computer, I had a few other staff members come up and ask me about similar problems with their computers and before I knew it, the list of "problematic" systems had ballooned out to the dozens.
The virus was W32.Nimda.E@mm (dr) and is described in length here. In short, for those unfamiliar with this virus, it replicates via two means - HTML embedded email transmissions (which means even previewing it in an email client can result in infection) and open network shares - In a mostly Win32 network environment with few permissive controls and a userbase mostly-ignorant to computer security, this spelt d-i-s-a-s-t-e-r.
The plan at this point shifted from a computer-by-computer attack to a full-scale network campaign. Everyone was sent home early for the day (which surprisingly there were few complaints about) and I took the network down at the hubs - Well, almost all the network, the mail server and external gateways were left up as there are issues with the upstream provider and mail spooling, but this is another matter. The attack then moved to cleaning up each system one at a time, secure in the knowledge that there was no chance of reinfection through open-shares, the network now off-line. This went well and within a few hours all systems were cleaned up ... well, all except one, the Windows 2000 Server based mail server. This machine, no matter how many times the clean-up tool was run, continued to report infected files which it could not repair or delete. I was quite stumped ...
After two or three tries at virus removal, my thoughts went slightly lateral and it struck me that it was possible that the infected files being reported were in fact emails within user mail spools, awaiting collection. A quick check of the mail spool confirmed this for me, but then came the issue of clean up - There were literally thousands of files in the mail spool which needed to be scanned for the virus and then deleted. If I were on a *NIX-based host, I would simple run find and grep over the mail spool and my work would be done - However, this being Windows 2000 Server, I wasn't so lucky. It then struck me, "Hang on, I have Activestate Perl installed on a system around here" - Sure enough, I did, so I whipped up this short little script that looked for the viral attachment, sample.exe, and acted accordingly:
#!d:\perl\bin\perl.exe use IO::File; use File::Find; find ({ wanted => \&grepfile }, 'F:/'); exit 0; sub grepfile { my ($dev, $ino, $mode, $nlink, $uid, $gid); return unless ($dev, $ino, $mode, $nlink, $uid, $gid) = lstat($_); return unless -f _; my $fh = IO::File->new($_, "r"); my @match = grep { /sample\.exe/i } <$fh>; $fh->close; unlink $File::Find::name if scalar @match; # print $File::Find::name, "\n" if scalar @match; return; }
Now, while a relatively simple use of Perl, this script saved me literally hours of work which would have all been billable hours to the client. In this instance however, Perl proved its worth to the client - The script was short, kludgy and could definitely have been done better, but it got the job done with minimal fuss.
Perl 1, Nimda 0
perl -e 's&&rob@cowsnet.com.au&&&split/[@.]/&&s&.com.&_&&&print'
Edit: chipmunk 2001-12-04
In reply to Using Perl to help remove Nimda by rob_au
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |