In the news I read that there is a virus around (Dorifel) that is creating lots of screendumps (extension *.scr) to obtain internet banking details. Of course, my virus scanner is up to date and nothing can happen to me... right?
I wanted to have a double check on the results of my virusscanner.
I decided to test Kace to find out how easy it is to write a script, deploy it and report on how many systems in my network are potentially infected. After reading a few blogs and posts it became clear that VBS scripts are the way to go. Of course, I decided to go the opposite way because the first VBS script I read was a... virus!
After a few hours I came up with a 'DOS' script that does everything I need, which I want to share with you because I needed to work around a problem with environment variables:
- Launch “SYS\cmd.exe” with params “/C echo "Scanning for *.SCR files" > c:\SCR-list.txt & set SCRcount=0 & for /r c:\ %x in (*.scr) do @ echo %x >> c:\SCR-list.txt & set /a SCRcount+=1 > c:\SCR-count.txt”.
- Log “Scan for *.scr issued successfully, collected and file will be uploaded to Kace server” to “status”.
- Upload “c:\\SCR-list.txt” to the server.
By creating a Custom Inventory Field (Rule: ShellCommandNumberReturn(cmd.exe /c type c:\SCR-count.txt)) I am able to create a report showing me which client/server contains the most *.scr files and would be a potential victim.
(PS. There is a small bug in the Report builder for numeric custom inventory fields: STR_FIELD_VALUE should be STR_NUM_VALUE)
A potential victim can be checked by analysing the uploaded file containing filenames and paths of the *.SCR files.
Both the virus scanner and this script did not find anything suspicious, so I guess I am safe... Are you safe? Are you sure?
I duplicated this script to check my network for *.VBS files as well, and added a check for other drives.
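One way to analyse the uploaded SCR-list.txt files on the analyst side, as an added example that is not part of the original post: it parses the list the scan step writes and separates *.scr files in the usual Windows system directories from those found elsewhere. The `EXPECTED_ROOTS` allowlist, the function names and the sample paths are assumptions made for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Assumption: directories where stock Windows screen savers normally live.
EXPECTED_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

# Constructed sample of an uploaded c:\SCR-list.txt (not real scan output).
SAMPLE = r"""
"Scanning for *.SCR files"
c:\Windows\System32\Bubbles.scr
c:\Windows\System32\Mystify.scr
c:\Users\alice\Documents\Invoice.scr
c:\Users\alice\Documents\Report.SCR
c:\Temp\setup.scr
"""


def parse_scr_list(text):
    """Return the .scr paths in the list, skipping the echo header line."""
    paths = []
    for line in text.splitlines():
        line = line.strip()  # "echo %x >>" leaves a trailing space on each line
        if line.lower().endswith(".scr"):
            paths.append(PureWindowsPath(line))
    return paths


def is_expected(path):
    """True if the file sits under an allowlisted directory (case-insensitive)."""
    return any(root in path.parents for root in EXPECTED_ROOTS)


def triage(text):
    """Summarise one host's list: total count plus the files that need a look."""
    paths = parse_scr_list(text)
    unexpected = [p for p in paths if not is_expected(p)]
    by_dir = Counter(str(p.parent) for p in unexpected)
    return {"total": len(paths), "unexpected": unexpected, "by_dir": by_dir}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"{result['total']} .scr files, {len(result['unexpected'])} outside system dirs")
    for directory, count in result["by_dir"].most_common():
        print(f"{count:3d}  {directory}")
```

A file under an allowlisted directory is not proven clean by its location; the split only orders the review so that unusual locations are checked first.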