Hi Everyone,

In the news I read that there is a virus around (Dorifel) that is creating lots of screendumps (extension *.scr) to obtain internet banking details. Of course, my virus scanner is up to date and nothing can happen to me ... right?

I wanted to have a double check on the results of my virus scanner.

I decided to test Kace to find out how easy it is to write a script, deploy it and report on how many systems in my network are potentially infected. After reading a few blogs and posts it became clear that VBS scripts are the way to go. Of course, I decided to go the opposite way because the first VBS script I read was a ... virus!

After a few hours I came up with a 'DOS' script that does everything I need, which I want to share with you because I needed to work around a problem with environment variables:

 On Success

  1. Launch SYS\cmd.exe with params /C echo Scanning for *.SCR files > c:\SCR-list.txt & set SCRcount=0 & for /r c:\ %x in (*.scr) do @ echo %x >>  c:\SCR-list.txt & set /a SCRcount+=1 > c:\SCR-count.txt.
  2. Log Scan for *.scr issued successfully, collected and file will be uploaded to Kace server to status.
  3. Upload c:\SCR-list.txt to the server.

Basically the script does 2 things:

· Searching, collecting *.scr file names and uploading this list to K1000 (file c:\SCR-list.txt)
· Keeping track of how many *.scr files have been found (file c:\SCR-count.txt) and adding this to the (custom) inventory for the Asset.

By creating a Custom Inventory Field (Rule: ShellCommandNumberReturn(cmd.exe /c type c:\SCR-count.txt)), I am able to create a report showing me which client/server contains the most *.scr files and would be a potential victim.

(PS. There is a small bug in the Report builder for numeric custom inventory fields: STR_FIELD_VALUE should be STR_NUM_VALUE)

A potential victim can be checked by analysing the uploaded file containing filenames and paths of the *.SCR files.

Both the virus scanner and this script did not find anything suspicious, so I guess I am safe ... Are you safe? Are you sure???

PS

I duplicated this script to check my network for *.VBS files as well, and added a check for other drives.

Cheers

Wilco
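
The scan from the post written as a batch file, as an added example that is not part of the original post: it keeps the post's output file names, writes the count once at the end so that c:\SCR-count.txt exists (containing 0) even when no file is found, and covers several drives. The drive list and the :scan label are assumptions.

```batch
@echo off
rem Added example, not the original poster's script.
rem Output file names are the ones used in the post; DRIVES and :scan are assumptions.
setlocal
set "LIST=c:\SCR-list.txt"
set "COUNT=c:\SCR-count.txt"
set "DRIVES=C D E"
set /a SCRcount=0

rem Start a fresh list on every run.
> "%LIST%" echo Scanning for *.SCR files

rem FOR /R cannot take another FOR variable as its root, so each drive
rem is handed to a subroutine where the root arrives as %1.
for %%d in (%DRIVES%) do if exist %%d:\ call :scan %%d:\

rem Inside a batch file SET /A prints nothing, so the total is written here, once.
rem The redirection comes first: a single digit directly before ">" is read
rem as a handle number, and the count would never reach the file.
> "%COUNT%" echo %SCRcount%

endlocal
exit /b 0

:scan
rem Append every *.scr path under the given root and count it.
for /r %1 %%x in (*.scr) do (
    >> "%LIST%" echo %%x
    set /a SCRcount+=1
)
exit /b 0
```

The Custom Inventory rule from the post, ShellCommandNumberReturn(cmd.exe /c type c:\SCR-count.txt), reads the resulting file unchanged.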