When McAfee identifies a suspect file but no matching virus definition is available in its library, it renames the file's extension to VIR or VXE. The batch file below restores the renamed files to EXE.
McAfee renaming principle:
Original | Renamed | Description
Not V?? | V?? | File extensions that do not start with v are renamed with v as the initial letter of the file extension. For example, MYFILE.DOC becomes MYFILE.VOC.
V?? | VIR | File extensions that start with v are renamed as .VIR. For example, MYFILE.VBS becomes MYFILE.VIR.
VIR, V01 - V99 | (not renamed) | These files are recognized as already infected, and are not renamed again.
(no extension) | VIR | Files with no extensions are given the extension .VIR.

@echo off
rem Build a temporary VBScript that lists the local fixed disks through WMI.
echo On Error Resume Next >"%temp%\filesystem.vbs"
echo Const wbemFlagReturnImmediately = ^&h10 >>"%temp%\filesystem.vbs"
echo Const wbemFlagForwardOnly = ^&h20 >>"%temp%\filesystem.vbs"
echo Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") >>"%temp%\filesystem.vbs"
echo Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalDisk", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly) >>"%temp%\filesystem.vbs"
echo For Each objItem In colItems >>"%temp%\filesystem.vbs"
echo If objItem.DriveType = 3 Then WScript.Echo objItem.Caption ^& "\" >>"%temp%\filesystem.vbs"
echo Next >>"%temp%\filesystem.vbs"
rem Run the restore routine once for every fixed disk (DriveType 3).
for /f %%i in ('cscript //nologo "%temp%\filesystem.vbs"') do call :change %%i
goto end

:change
cd /d %1
rem Grant Everyone full control on each .vxe file so the rename is permitted, then rename it back to .exe.
for /f "delims=|" %%i in ('dir *.vxe /b /s /a') do (cacls "%%i" /e /g everyone:f & ren "%%i" *.exe)
goto :eof

:end
del "%temp%\filesystem.vbs"
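
The renaming rules in the table above, written out as an added Python example (not part of the original page and not McAfee's code), together with their inverse, which shows why .VXE maps back to .EXE while .VIR is ambiguous. The function names and the KNOWN_EXTS list are constructed for illustration.

```python
import re

# Constructed sample of original extensions ("" means no extension).
KNOWN_EXTS = ["exe", "dll", "doc", "com", "scr", "vbs", "vbe", "vxd", ""]

# Extensions the table lists as already infected: VIR and V01 - V99.
_ALREADY_RENAMED = re.compile(r"VIR|V(0[1-9]|[1-9][0-9])")


def mcafee_rename_ext(ext):
    """Extension assigned under the table's rules (no leading dot),
    or None when the file is not renamed again."""
    e = ext.upper()
    if e == "":
        return "VIR"            # no extension -> .VIR
    if _ALREADY_RENAMED.fullmatch(e):
        return None             # VIR, V01 - V99 are left alone
    if e.startswith("V"):
        return "VIR"            # V?? -> .VIR
    return "V" + e[1:]          # first letter replaced by V


def restore_candidates(renamed_ext, known_exts=KNOWN_EXTS):
    """Original extensions from known_exts that end up as renamed_ext."""
    target = renamed_ext.upper()
    return sorted(k.upper() for k in known_exts
                  if mcafee_rename_ext(k) == target)


if __name__ == "__main__":
    for ext in ["DOC", "VBs", "EXE", "", "V07"]:
        print(repr(ext), "->", mcafee_rename_ext(ext))
    for renamed in ["VXE", "VOC", "VIR"]:
        print(renamed, "<-", restore_candidates(renamed))
```

The rename discards the first letter of the extension, so .VXE resolves to .EXE only within a list of known extensions, and .VIR cannot be mapped back without a record of the original name.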