Novell Cool Solutions: Trench
Posted: 10 May 2000
ZENworks for Desktops really proves its worth in global information emergencies like the recent spread of the ILOVEYOU virus. In the first few hours of a virus, before the antivirus patches become available, ZENworks can help you keep bailing the water out of the boat. And once the patches come out, ZENworks helps you distribute them quickly and efficiently. (And there is nothing more satisfying than walking past the CEO's office after you've saved the day.)
Here are some ways Cool Solutions readers used ZENworks to fight off the ILOVEYOU virus.
Here's a cool tool from the good folks at Cerberus Information Security that you may want to keep in your back pocket for the next one. You can easily distribute this solution via ZENworks, and enhance your already legendary reputation.
And if you are using GroupWise, here's a great article that appeared in GroupWise Cool Solutions about how to deal with the virus.
- Dealing with the ILOVEYOU Virus, by Tay Kratzer
Craig sent this along the first morning of the virus, before the patches were available. Note that the reg keys are out of date, since the antivirus sites now have patches that will remove the virus and its variants nicely. But this is worth a look, because it shows how you can use ZENworks in the first dark hours of a virus attack.
Woohoo. ZENworks saves the day again. LoveLetter infected our citywide e-mail server, and it took only about 10 minutes to key in enough data to clean the majority of the virus off the infected computers. We have it set to scan and remove the associated files to keep things clean until we get an antivirus update patch.
Download Craig's AOT and AXT.
If you have any questions you may contact Craig at email@example.com
I've attached two AXT files to fix the ILOVEYOU virus - one for 95/98 and one for NT. Presumably, I could've put it all in one using the %*WINSYS16DIR% variable.
Anyway, the AXTs will:
- Force run if the registry has been modified to run the MSKernel32.vbs;
- Edit the registry, deleting the lines the virus adds;
- Delete the three files the virus adds to the local drive;
- Write two text files, one on the user's local drive and one on a network drive. The text file on the network drive gives the help desk a list of virus-infected PCs; the text file on the local drive lets the technician know that the virus fix was run.
These AXTs WILL NOT delete the JPEG, MP3, etc. files that may have been damaged. That is the reason for creating the text file containing the infected PC's information.
Hope these prove helpful to others.
Download fixvirus.zip containing Diane's two AXT files.
If you have any questions you may contact Diane at firstname.lastname@example.org
This is related to the open call for tips on distributing virus definitions. Actually, I'd like to share how we dealt with the "ILOVEYOU" virus utilizing ZENworks 2. We created a simple non-AOT object that deleted the 6 or so files that are used to run the virus. Then we imported the registry string and set it up so that those particular strings would be deleted. Set that as a force run at the top of the tree and forced a reboot on all users. All 200+ PCs were cleaned up in a matter of minutes rather than hours. Big sigh of relief there. Being the PC guy around here, I wasn't looking forward to visiting every single workstation, but thanks to ZENworks, I didn't have to.
The Cerberus Security Team has written a tool that will prevent PC users from being infected by such viral worms as the now infamous "I Love You" and its many variants, and any others that are still only a gleam in the eye of the budding virus writer. These rely on basic default configurations of a standard Microsoft box to be able to spread - and also a little help from the user by actually opening the attachment.
As many will be aware, 99% of files on a Windows machine have a three-letter extension. This extension tells Windows Explorer how to deal with each file. For example, if you double click on a file with the .txt extension, Explorer will look in the Registry to see what application to use to open it - notepad.exe in this case.
As far as the "I Love You" worm is concerned, it has a .vbs extension and so, when opened by the person it has been sent to, Windows looks in the Registry to see what application it should use to deal with the file - in this case wscript.exe. Wscript.exe is a script interpreter. When passed the file, it executes the code it finds there - very much like what command.com or cmd.exe does for batch (.bat) files.
The tool the Cerberus Security Team has written goes through the registry and removes these application/file-extension associations for VBS, VBE, WSF, WSH, JS and JSE, and any viruses or worms that rely on these associations will therefore fail. These are all "dangerous" mappings and, to be perfectly frank, most computer users never use the functionality provided by these.
It has been tested on Windows 98, Windows NT 4 and Windows 2000. Though not yet tested on Windows 95 it should still work.
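Everything on this page that touches the registry (Diane's AXT checking whether the Run key launches MSKernel32.vbs and writing a help-desk list of infected PCs, the "imported the registry string" cleanup, and the Cerberus tool removing the VBS/VBE/WSF/WSH/JS/JSE associations) comes down to reading a handful of keys and deleting a few of them. The script below is an added example, not ZENworks, Cerberus or any reader's code. It audits a regedit text export (a .reg file) offline, so it runs anywhere: it flags autorun values whose command line names a script-host file type, follows each of the six extensions through HKCR\.ext to its ProgID and open command the way Explorer does on a double-click, builds the help-desk records, and emits a .reg fragment that deletes only the associations that actually resolve to a script host. The export, the host name, the SystemTray value and the interpreter paths are constructed for the demonstration; only the file name MSKernel32.vbs comes from the article.

```python
"""Audit a Windows registry text export (.reg) for what this page's fixes touch: autorun
values that launch a script file (Diane's AXT check) and extension associations that hand
.vbs/.js-style files to the Windows Script Host (what the Cerberus tool removes).
Added example; SAMPLE_REG is constructed and only MSKernel32.vbs comes from the article."""
import re

DANGEROUS_EXTS = (".vbs", ".vbe", ".wsf", ".wsh", ".js", ".jse")  # the Cerberus list
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Standard autorun key suffixes; the same under HKLM and HKCU.
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce", "\\currentversion\\runservices")
_SCRIPT_EXT_RE = re.compile(r"(?:%s)\b" % "|".join(re.escape(e) for e in DANGEROUS_EXTS), re.I)
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

# Constructed export: one infected Run value, one made-up benign one, handler chains for .vbs/.txt.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"SystemTray"="SysTray.Exe"

[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and quote with a backslash

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.
    The default value is stored under the name ""; hex:/dword: data is skipped."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            reg[current][name] = _unescape(data[1:-1])
    return reg

def _lookup(reg, key_path):
    """Registry paths are case-insensitive, so compare lower-cased."""
    want = key_path.lower()
    return next((v for k, v in reg.items() if k.lower() == want), None)

def resolve_open_command(reg, ext):
    """Follow HKCR\\.ext -> ProgID -> shell\\open\\command as Explorer does on a double-click.
    None means no handler, which is the state the Cerberus tool leaves behind."""
    ext_values = _lookup(reg, "HKEY_CLASSES_ROOT\\" + ext)
    if not ext_values or not ext_values.get(""):
        return None
    cmd_values = _lookup(reg, "HKEY_CLASSES_ROOT\\%s\\shell\\open\\command" % ext_values[""])
    return cmd_values.get("") if cmd_values else None

def audit_extensions(reg, exts=DANGEROUS_EXTS):
    """Map each extension to (open command, True if that command runs a script host)."""
    result = {}
    for ext in exts:
        cmd = resolve_open_command(reg, ext)
        result[ext] = (cmd, cmd is not None and any(h in cmd.lower() for h in SCRIPT_HOSTS))
    return result

def find_script_autoruns(reg):
    """Autorun values whose command line names a script-host file type."""
    return [(key, name, cmd) for key, values in reg.items()
            if key.lower().endswith(AUTORUN_SUFFIXES)
            for name, cmd in values.items() if _SCRIPT_EXT_RE.search(cmd)]

def help_desk_lines(hostname, reg):
    """Records for the network-share text file that tells the help desk which PCs need a
    visit (the role of the second file Diane's AXT writes); the host name is a parameter."""
    lines = ["%s\tAUTORUN\t%s\\%s\t%s" % (hostname, k, n, c) for k, n, c in find_script_autoruns(reg)]
    lines += ["%s\tASSOC\t%s\t%s" % (hostname, ext, cmd)
              for ext, (cmd, hosted) in audit_extensions(reg).items() if hosted]
    return lines

def removal_reg_fragment(reg, exts=DANGEROUS_EXTS):
    """A .reg fragment deleting the association keys the Cerberus tool removes ('[-key]' is
    regedit's delete syntax). Only extensions that resolve to a script host are included."""
    keys = ["[-HKEY_CLASSES_ROOT\\%s]" % ext
            for ext, (_, hosted) in audit_extensions(reg, exts).items() if hosted]
    return "\n".join(["Windows Registry Editor Version 5.00", ""] + keys) + "\n"

if __name__ == "__main__":
    registry = parse_reg(SAMPLE_REG)
    print("\n".join(help_desk_lines("PC-EXAMPLE-01", registry)))  # constructed host name
    print(removal_reg_fragment(registry))
```

Run against the constructed export it reports one autorun record (the MSKernel32 value) and one association record (.vbs handed to WScript.exe), leaves .txt alone because notepad.exe is not a script host, and produces a fragment that removes only the .vbs key. On a real machine the input would be the output of `regedit /e` taken from a workstation, and a ZENworks force-run object could import the generated fragment the same way the readers above imported their registry strings.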
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com