////////////////////////////////////////////////////////////////////////////////
// Scans the Server for files associated with the Nimda virus
// which are deleted complete with a log of all processing
//
// Comments: Searches mounted volumes looking for the following:
//           Admin.dll in the root directory of a volume
//           root.exe
//           *.eml
//           *.nws
//
//           Matching files are deleted but NOT purged so
//           FILER/SALVAGE can be used to recover any errors
//
// Note:     Search for {MODIFY} comments indicating items which need
//           to be modified or renamed (as appropriate).
//
////////////////////////////////////////////////////////////////////////////////

// Quick check if loaded TaskMaster NLM is able to support this task
IF %TM_VERSION%<3 OR %TM_VERSION%==3 AND %TM_SUBVERSION%<13
   ECHO.
   ECHO %TASK%: Requires TaskMaster v3.13 or later! Aborting...
   ECHO Visit http://www.avanti-tech.com for info on upgrading.
   ECHO.
   ABORT
ENDIF

// Pre-define the report file to receive the processing output for the Task
// {MODIFY} Specify destination (report file) for the Task processing output
DEFINE %1 SYS:temp\nimda.rpt

// {MODIFY} Specify destination (temporary file) for VOLINFO redirected output
DEFINE %9 SYS:temp\volinfo.dat

// Redirect VOLINFO output to a temporary file then parse it for mounted volumes
VOLINFO > %9

// Check for VOLINFO errors
IF ERRORLEVEL
   DEFINE %0 VOLINFO Error: Volume data unavailable
   GOTO Log_Error
ENDIF

// Open the redirected output from VOLINFO for reading
OPEN_READ %9

// Check for error opening the VOLINFO redirection file
IF ERRORLEVEL
   DEFINE %0 OPEN_READ Error: Volume data unavailable
   GOTO Log_Error
ENDIF

// Clear a temporary variable for READ operations in WHILE/LOOP
DEFINE %8

// Read any non-Volume related VOLINFO header info
WHILE NOT SCAN_STRING ":" "%8"
   // READ first 17 bytes (16 bytes max Volume plus the colon) of next record
   READ %8 1-17
   // Handle a premature EOF condition (there must be at least 1 mounted volume)
   IF ERRORLEVEL
      DEFINE %0 READ Error: No Volumes found
      GOTO Log_Error
   ENDIF
LOOP

// Receives WHEREIS redirected output of files matching specified virus patterns
// {MODIFY} Destination (temporary file) for WHEREIS redirected output
DEFINE %2 SYS:temp\whereis.dat

// Delete previously defined temporary log file (possibly remnant from
// previous execution) since WHEREIS must utilize appended redirection
IF EXISTS %2 THEN DELETE %2

// Read Volume related VOLINFO data
WHILE SCAN_STRING ":" "%8"
   // Change the Current Working Directory (CWD) to the Volume to check
   CD %8
   // Handle an error accessing the mounted volume for information retrieval
   IF NOT SCAN_STRING "%VOL_NAME%" "%8"
      DEFINE %0 CD %8 Error: Volume inaccessible
      GOTO Log_Error
   ENDIF

   // Check for ADMIN.DLL (Nimda installs in root directories, IIS in others)
   // Appended redirection >> required to avoid data truncation
   WHEREIS ADMIN.DLL >> %2
   // Short rest before proceeding since WHEREIS is full volume scan
   SLEEP 1

   // Check for ROOT.EXE (left by Code Red II and sadmind/IIS, used by Nimda)
   // Appended redirection >> required to avoid data truncation
   WHEREIS ROOT.EXE >> %2
   // Short rest before proceeding since WHEREIS is full volume scan
   SLEEP 1

   // Check for *.EML (Nimda files)
   // Appended redirection >> required to avoid data truncation
   WHEREIS *.EML >> %2
   // Short rest before proceeding since WHEREIS is full volume scan
   SLEEP 1

   // Check for *.NWS (Nimda files)
   // Appended redirection >> required to avoid data truncation
   WHEREIS *.NWS >> %2
   // Short rest before proceeding since WHEREIS is full volume scan
   SLEEP 1

   // READ first 17 bytes (16 bytes max Volume plus the colon) of next record
   READ %8 1-17
   // Check for EOF (i.e., no more records)
   IF ERRORLEVEL THEN BREAK
LOOP

// Close the VOLINFO/OPEN_READ file since processing is complete
CLOSE %9

// Delete the VOLINFO/OPEN_READ file since processing is complete (cleanup)
DELETE %9

// Open previously defined WHEREIS redirection output file for input
OPEN_READ %2

// Check for error opening the WHEREIS redirection file
IF ERRORLEVEL
   DEFINE %0 OPEN_READ Error: Suspicious file data unavailable
   GOTO Log_Error
ENDIF

// Open previously defined report file for output
OPEN_WRITE %1 TRUNCATE

// Check for error opening the report (output) file
IF ERRORLEVEL
   DEFINE %0 OPEN_WRITE Error: Unable to open report file
   GOTO Log_Error
ENDIF

// WRITE some appropriate header information
WRITE %TASK%: Started - %HOUR%:%MINUTE%:%SECOND%%AM_PM% on %MONTH%/%DAY%/%YEAR%
WRITE

// Use this variable as a counter of the number of suspicious files found
DEFINE %9 0

WHILE
   // Read the first/next WHEREIS redirected output record
   READ %8
   // Check for EOF (i.e., no more records)
   IF ERRORLEVEL THEN BREAK
   // Check for null/blank record (header/separator between WHEREIS executions)
   IF "%8"=="" THEN CONTINUE
   // Check if info record (i.e., xx file(s) found / ??? File(s) not found ???)
   IF SCAN_STRING "ile(s) found" "%8" OR SCAN_STRING "???" "%8" THEN CONTINUE

   // First processed record so WRITE a header record in the report
   IF %9==0
      WRITE The following file(s) were considered suspicious and processed.
      WRITE Note: PURGE not executed so recovery possible via FILER/SALVAGE
      WRITE
   ENDIF

   // Increment the suspicious file counter
   DEFINE %9 %9+=1

   // Store the suspicious file name in a temporary variable for ADMIN.DLL check
   DEFINE %7 %8
   // Convert the temporary file name to upper case for SCAN_STRING check
   TOUPPER %7

   // Check for ADMIN.DLL then confirm existence in root directory else skip
   IF SCAN_STRING "ADMIN.DLL" "%7"
      IF NOT SCAN_STRING ":\ADMIN.DLL" "%7" AND NOT SCAN_STRING ":ADMIN.DLL" "%7"
         // Not in the root directory so bypass/skip but log for review
         WRITE %8 {Skipped}
         // Resume the processing at the top of the WHILE/LOOP
         CONTINUE
      ENDIF
   ENDIF

   // Attempt to DELETE the suspicious file
   // Enclose %8 in quotes in case path/file has embedded spaces (Long support)
   DELETE "%8"

   // Check for DELETE success and WRITE an appropriate entry to the log
   // Enclose %8 in quotes in case path/file has embedded spaces (Long support)
   IF EXIST "%8"
      WRITE %8 {ERR:?In Use?}
   ELSE
      WRITE %8 [Deleted]
   ENDIF
LOOP

IF "%9"=="0" THEN WRITE No suspicious files found!

// WRITE some appropriate footer information
WRITE
WRITE %TASK%: Finished - %HOUR%:%MINUTE%:%SECOND%%AM_PM% on %MONTH%/%DAY%/%YEAR%

// Close the WHEREIS/OPEN_READ file since processing is complete
// Close the report (output) file since processing is complete
CLOSE

// Delete the WHEREIS/OPEN_READ file since processing is complete (cleanup)
DELETE %2

// Check if any suspicious files found (SEND a message if so)
// {MODIFY} Specify the User to be notified in the event suspicious files found
IF "%9">"0" THEN SEND "%TASK% - Suspicious files found!" to ADMIN

// Exit normally (the following section(s) are for handling errors)
EXIT

:Log_Error
OPEN_WRITE %1 TRUNCATE
WRITE %0
WRITE Report process aborted!
CLOSE
ABORT
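The report-phase filtering above (drop WHEREIS info records, keep a non-root ADMIN.DLL out of the delete set because IIS legitimately ships one in subdirectories) re-implemented in Python as an added example, not part of the original TaskMaster script. The WHEREIS output layout is an assumption: one full path per record, blank separator lines, and summary lines containing "file(s) found" or "???".

```python
# Added re-implementation (Python, not the original TaskMaster script) of the
# report-phase record filtering. WHEREIS output format is an assumption:
# one full path per record, blank separators, and summary lines containing
# "file(s) found" or "???".

SKIP_MARKERS = ("ile(s) found", "???")


def is_info_record(record: str) -> bool:
    """Blank lines and WHEREIS summary lines carry no file name."""
    return record == "" or any(m in record for m in SKIP_MARKERS)


def admin_dll_outside_root(record: str) -> bool:
    """True for an ADMIN.DLL that is NOT in a volume root: IIS keeps its own
    copies in subdirectories, Nimda drops one in the root."""
    upper = record.upper()
    if "ADMIN.DLL" not in upper:
        return False
    return ":\\ADMIN.DLL" not in upper and ":ADMIN.DLL" not in upper


def classify(records):
    """Split records into (delete, skipped) as the script does: info records
    are dropped, a non-root ADMIN.DLL is logged for review but kept."""
    delete, skipped = [], []
    for rec in records:
        rec = rec.rstrip("\r\n")
        if is_info_record(rec):
            continue
        if admin_dll_outside_root(rec):
            skipped.append(rec)
        else:
            delete.append(rec)
    return delete, skipped


# Constructed sample of WHEREIS-style output (not captured from a real server).
SAMPLE = [
    "",
    "SYS:ADMIN.DLL",
    "SYS:\\INETPUB\\SCRIPTS\\ADMIN.DLL",
    "   2 file(s) found",
    "",
    "??? File(s) not found ???",
    "VOL1:\\MAIL\\USER1\\readme.eml",
    "VOL1:\\MAIL\\USER1\\sample.nws",
    "   2 file(s) found",
]
```

Running `classify(SAMPLE)` yields the root ADMIN.DLL plus the .eml/.nws files as delete candidates and the INETPUB copy as the single skipped entry, matching the {Skipped} / [Deleted] split the script writes to the report.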