Reader to Reader - 15 Jun 2000

[Editor's Note: Email your scripting solutions (400 words or less) to Reader to Reader at [email protected]. Please include your script and phone number. We edit submissions for style, grammar, and length. If we print your contribution, you receive $100.]

In response to the Love Letter virus, I wrote a script, LLClean.vbs, that scans Windows 2000 and Windows NT systems' drives, parses all .vbs files, and deletes those files with the virus. The script scans all hard disks and attached drives. However, the script doesn't scan Win2K's hidden system folder System Volume Information because any search of this folder generates an error.

When the script scans a file, it reads the file's first line and compares that line with a specified search phrase. If the script finds a match, it immediately deletes the file. The script records all file scans, deletions, and errors in a log file. In the script, this file's path is C:llscan.log, but you can change it to whatever you want.

In its current form, the script scans files that have the .vbs extension and searches for the Love Letter virus phrase rem barok -loveletter(vbe) . You can customize this script to scan other types of files and to delete other viruses. You can also modify the script to scan the entire document instead of the first line. (For information about how to scan the entire document, see Dino Esposito, "Understanding VBScript: The TextStream Object," May 2000.) You can even adapt this script to remove unwanted files (e.g., .tmp files).

Listing 1, page 16, contains an excerpt from LLClean.vbs that shows the script's subroutine that finds and deletes the targeted files. You can find the entire script in the Code Library on the Win32 Scripting Journal Web site (http://www.win32scripting.com).

To use LLClean.vbs, you need to have Windows Script Host (WSH) installed on the system from which you'll run this script. Before running the script, you must disable any program that might prevent the script from accessing infected files (e.g., virus scanners). This script deletes only infected files and doesn't address any Registry changes that the Love Letter infection might have caused. This script isn't meant as a replacement for an up-to-date virus scanner but rather an interim measure until you get one.

—Jesse M. Torres
[email protected]