
Rooting out the Sobig Worm

Novell Cool Solutions: Trench
By Peter van Beek


Posted: 13 Nov 2003
 

Want to check whether the computers you manage have been infected with the SobigF worm? Just create a ZfD (ZENworks for Desktops) application and let it auto-run! Here's how we do it.

Change the LOG_PATH macro to any convenient directory. Copy everything starting with AXT_FILE 3.1 into an ordinary ASCII text file called SobigF.axt and use that file to create the new application.

AXT_FILE 3.1

[Application Name]
Value=SobigF

[Application Caption]
Value=SobigF

[Macro]
Name=LOG_PATH
Value=H:\Drivers\Microsoft\SobigF

[Application Path]
Value= 47 NULL

[Application Flags]
Flag=Install Only
Flag=Not a Disconnectable Application

[Application Platform]
Flag=Windows NT

[Filter OS Version]
Type=Windows NT
Major Version=-1
Minor Version=-1
Revision Version=-1
Flag=Greater Than or Equal

[Filter File Exists]
File=%windir%\WINPPR32.EXE
Flag=Not Exist

[Filter File Exists]
File=%windir%\WINSTT32.DAT
Flag=Not Exist

[Filter Registry Value]
Key=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value=TraxX
Flag=Not Exist

[Filter Registry Value]
Key=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=TraxX
Flag=Not Exist

[Text File Add End]
Flag=Always Distribute Setting
File=%LOG_PATH%\SobigF.log
String=%COMPUTERNAME% is not infected by the SobigF worm!

[Application Association Flags]
Flag=Launcher
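To show how the filters above gate the log entry, here is an added Python illustration (not part of the article or of any Novell tool): it parses the [Filter ...] sections of the AXT, expands the %windir% and %COMPUTERNAME% placeholders, and evaluates them against a constructed host inventory. It assumes, as ZfD does, that every filter must be satisfied before the application is distributed, and that file paths compare case-insensitively; the file and registry state are plain Python sets standing in for a real inventory.

```python
import re
# Constructed excerpt of the article's SobigF.axt: the four indicator filters and the
# log directive they gate (section bodies as on the page; blank lines dropped).
AXT_TEXT = r"""AXT_FILE 3.1
[Filter File Exists]
File=%windir%\WINPPR32.EXE
Flag=Not Exist
[Filter File Exists]
File=%windir%\WINSTT32.DAT
Flag=Not Exist
[Filter Registry Value]
Key=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value=TraxX
Flag=Not Exist
[Filter Registry Value]
Key=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=TraxX
Flag=Not Exist
[Text File Add End]
String=%COMPUTERNAME% is not infected by the SobigF worm!"""

def parse_axt(text):
    """Ordered (section, keys) pairs; [Filter ...] headers repeat, so not a dict."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, val = line.split("=", 1)
            sections[-1][1][key.strip()] = val.strip()
    return sections

def expand(value, macros):
    """Expand %NAME% placeholders from the macro map; unknown names are left as-is."""
    return re.sub(r"%(\w+)%", lambda m: macros.get(m.group(1), m.group(0)), value)

def evaluate(text, files, run_values, macros):
    """Return the log line when every filter passes (ZfD ANDs its system requirements),
    None when an indicator is present. files: upper-cased paths; run_values: (KEY, NAME)."""
    sections = parse_axt(text)
    for name, s in sections:
        if name not in ("Filter File Exists", "Filter Registry Value"):
            continue
        present = (expand(s["File"], macros).upper() in files if "File" in s
                   else (s["Key"].upper(), s["Value"].upper()) in run_values)
        if present != (s["Flag"] == "Exist"):  # "Not Exist" demands absence
            return None
    log = next(s for n, s in sections if n == "Text File Add End")
    return expand(log["String"], macros)
```

Call evaluate() with the host's file set, its Run-key (key, value name) pairs and a macro map such as {"windir": r"C:\WINNT", "COMPUTERNAME": "WS01"}; a clean host yields the log line, any single indicator yields None.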


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell