Friday, March 30, 2018

removing the exe's of huelar virus: demo on the fun and power of scripting

the old laptops that my scholars use (which you can now buy on ebay for $50) were infected by a virus that creates exe files for each directory. it uses the directory name as the basename. there are actually 2 viruses i'm trying to eliminate and clean: 1) the huelar virus, which creates the exe in the same directory as the folder it is named after (e.g. c:\my\music\80s.exe) 2) a mutation of the huelar virus that creates the exe inside the directory (e.g. c:\my\music\80s\80s.exe). this one is much trickier to remove, as you will see later on, because it involves grabbing the leaf directory name and appending it to the end of the path before adding ".exe".

there are 2 major things we need to do here:

1) remove the virus. i looked over the internet and found the only way to remove the virus is a complete re-install of the OS. luckily my disaster recovery method makes it fast and easy to refresh the laptops to their fresh and pristine installation. i documented my technique in this blog article -  http://ian-crystal.blogspot.com/2014/07/i-smile-when-my-iphone-or-laptop-gets.html. this is a big deal for me because the laptops my scholars use have to be a mirror of my own personal laptop (with its many additional tedious setups to support my geeky needs), so if something happens to my laptop i won't have any downtime. but for most of you who just need internet access, re-installing the OS is probably good enough.

2) remove the .exe files from your data directories. i can't find any tool that does this and you will need some scripting knowledge here, so i feel sorry for those who got infected by this virus and have lots of important data. you will also need unix tools installed, like cygwin (it's free). i created a video so i can also demo the fun and magic of scripting. but here's some of the code:

# fix file permissions altered by the virus:
attrib *.* /d /s -s -h -r

# list all the directories
find . -type d > dirs.tmp

# perl script (tmp.pl): reads directory paths from stdin, one per line,
# and prints the ones that have a matching .exe

use strict;
use warnings;

while (<>) {
  chomp;
  my @dirs = split /\//;           # path components; $dirs[-1] is the leaf directory name

  my $exe1 = "$_.exe";             # form 1: exe beside the directory (c:\my\music\80s.exe)
  print "$exe1\n" if (-e $exe1);

  #my $exe2 = "$_/$dirs[-1].exe";  # form 2: exe inside the directory (c:\my\music\80s\80s.exe)
  #print "$exe2\n" if (-e $exe2);
}

# note i commented out the second exe form so we can do it one at a time. after dealing with the first form we just comment out the code for the first form and uncomment the second form.

# run the perl script and redirect to a .bat file so you can use vi magic to massage the file into different tasks. i prefer this manual step-by-step method over using system commands inside the perl script, because the system command is the most unreliable and easily broken feature of unix tools on windows.

cat dirs.tmp | perl tmp.pl > exes.bat

vi exes.bat
# the remaining steps are in this video - removing the huelar virus, removing the .exe files
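here is the same idea as an added example (not the post's own perl, and not from the video): a python script that walks a data folder once, spots both exe forms in a single pass instead of commenting code in and out, and writes the hits as a .bat of del commands to review before running. the sample tree it builds in a temp folder is constructed for the demo (placeholder bytes, not real malware), and the C:\data prefix in the .bat is an assumed stand-in for your real data folder. it also plants one legitimate-looking program named after its own folder, because this heuristic flags any exe that shares its directory name, and that is exactly why the .bat is eyeballed in vi rather than executed blindly.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath


def find_directory_named_exes(root):
    """Walk `root` once and return a sorted list of (form, relative_path) for
    every .exe whose basename matches a directory name, in either form:
      "beside": <parent>/<dir>.exe       (e.g. my/music/80s.exe)
      "inside": <parent>/<dir>/<dir>.exe (e.g. my/music/80s/80s.exe)
    Matching is case-insensitive because Windows filenames are."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        lower_files = {f.lower(): f for f in filenames}
        # form 2: this directory contains an exe named after itself
        if here != root:
            f = lower_files.get(here.name.lower() + ".exe")
            if f is not None:
                hits.append(("inside", (here / f).relative_to(root).as_posix()))
        # form 1: this directory holds an exe named after one of its subdirectories
        for sub in dirnames:
            f = lower_files.get(sub.lower() + ".exe")
            if f is not None:
                hits.append(("beside", (here / f).relative_to(root).as_posix()))
    return sorted(hits)


def to_delete_bat(hits, drive_root=r"C:\data"):
    """Render the hits as a .bat of `del` commands for manual review,
    mirroring the post's 'redirect to a .bat and massage it in vi' step.
    `drive_root` is an assumed prefix standing in for the real data folder."""
    lines = []
    for form, rel in hits:
        win = PureWindowsPath(drive_root) / PureWindowsPath(*rel.split("/"))
        lines.append(f"rem {form}: {rel}")
        lines.append(f'del /f "{win}"')
    return "\n".join(lines)


def build_sample_tree(base):
    """Constructed sample tree (placeholder bytes, not real malware): both
    virus forms, one clean data file, and one legitimate-looking program whose
    exe happens to share its folder name, which the reviewer must keep."""
    base = Path(base)
    for rel in ["my/music/80s/80s.exe",        # form 2: inside the directory
                "my/music/80s.exe",            # form 1: beside the directory
                "my/docs/notes.txt",           # ordinary data, must be untouched
                "my/apps/mytool/mytool.exe"]:  # hypothetical legit tool: a false positive to review
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder bytes, not an executable")
    return base


def demo():
    """Build the sample tree in a temp folder and scan it; returns the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_directory_named_exes(build_sample_tree(tmp))


if __name__ == "__main__":
    hits = demo()
    for form, rel in hits:
        print(f"{form:7} {rel}")
    print(to_delete_bat(hits))
```

run it on a cygwin or plain python install with the real root instead of the temp folder, redirect the .bat text to exes.bat, then open it in vi and delete the lines for anything you recognise as a real program before running it.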

(for more of my knowledge bombs, click the "ian's knowledge bombs" banner at the top of this article and choose any article in the table of contents that piques your interest)
