Thursday, 6 March 2014

Let me see you script




The song is only there for motivation, but by an interesting coincidence I was listening to it on the radio when a client asked for a way to delete whole archives that contain infected objects, so the title "Let me see you script" was naturally born.

I wrote another Perl script to solve this challenge. It takes the antivirus report file, which looks like this:

REPORT.TXT:
Command line: *************

Workstation name: test
Scanning options: ***********


Scanning Engines:

Cannot open a file in archive C:\test3\test.CAB
C:\test\test.zip\test.exe Infection: Trojan.Generic.3290465  
File C:\test2\test2.zip\RUSSE/goldpriemopred.doc is encrypted
Cannot open a file in archive C:\test\test.DBX


Scanned
Files:     *

Result
Viruses:     *
Spyware:       0
Suspected:     0
Riskware:       0

Actions
Disinfected:     0
Deleted:       0
Renamed:       0
Quarantined:   *

Boot Sectors
Scanned:       *
Infected:       0
Suspected:     0
Disinfected:     0

And gives this output:

del /p C:\test\test.zip

You can basically run report_parse.exe > del.bat and then execute the batch file to do the deleting. Here is the script itself:

#!/usr/bin/perl
use strict;
use warnings;

# Read the whole antivirus report into memory.
open(my $outf, '<', 'REPORT.TXT') or die "Can't open REPORT.TXT: $!";
my @ary = <$outf>;
close($outf);

my $command = "del /p ";

foreach my $line (@ary) {
    # Only lines reporting an infection produce a command; the
    # "is encrypted" and "Cannot open" lines are skipped.
    next unless $line =~ m/Infection/;

    # The archive on disk is everything up to the first .zip or .rar
    # (either case) that is followed by a path separator; what comes
    # after it is the member inside the archive. The dot is escaped so
    # it is not treated as a regex wildcard.
    if ($line =~ m/^(.*?\.(?:zip|rar))[\\\/]/i) {
        print $command . $1 . "\n";
    }
    # .7z archives were only stubbed out in the original and are still
    # not handled here.
}
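As an added example (not the post's script), the same report parser in Python, going a bit beyond the post: it recognises all three kinds of report line (infection, encrypted, unreadable), reduces a nested member path to the one archive that exists on disk, lists each archive once, and quotes the paths so a batch file handles spaces. The sample report lines and the archive extension list are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional
# Extensions treated as archives (the post handles zip/rar; 7z/cab added here).
ARCHIVE_EXT = {"zip", "rar", "7z", "cab"}
# Constructed sample report lines: the post's excerpt plus a path with a
# space and a nested archive, to exercise the edge cases.
SAMPLE_REPORT = """\
Cannot open a file in archive C:\\test3\\test.CAB
C:\\test\\test.zip\\test.exe Infection: Trojan.Generic.3290465
File C:\\test2\\test2.zip\\RUSSE/goldpriemopred.doc is encrypted
Cannot open a file in archive C:\\test\\test.DBX
C:\\Users\\bob\\My Docs\\mail.ZIP\\inner.rar\\dropper.exe Infection: Trojan.Generic.3290465
C:\\test\\test.zip\\second.exe Infection: Trojan.Generic.3290465
"""

# One (verdict, pattern) pair per report line shape; group 1 is the reported path.
_PATTERNS = [
    ("infected", re.compile(r"^(.*?)\s+Infection:")),
    ("encrypted", re.compile(r"^File (.*) is encrypted$")),
    ("unreadable", re.compile(r"^Cannot open a file in archive (.*)$")),
]

def outer_archive(path: str) -> Optional[str]:
    """Return the archive that exists on disk: the first path component with an
    archive extension. Anything after it is a member inside that archive."""
    acc = []
    for part in re.split(r"[\\/]", path):
        acc.append(part)
        if "." in part and part.rsplit(".", 1)[-1].lower() in ARCHIVE_EXT:
            return "\\".join(acc)
    return None

def parse_report(text: str) -> Dict[str, List[str]]:
    """Group on-disk archives by verdict; each archive is listed once."""
    found: Dict[str, List[str]] = {kind: [] for kind, _ in _PATTERNS}
    for line in text.splitlines():
        for kind, pat in _PATTERNS:
            m = pat.match(line.strip())
            if m:
                archive = outer_archive(m.group(1))
                if archive and archive not in found[kind]:
                    found[kind].append(archive)
                break
    return found

def del_commands(archives: List[str]) -> List[str]:
    """Batch lines as in the post; quoting keeps paths with spaces intact, and
    /p keeps cmd.exe's per-file confirmation prompt so nothing goes unreviewed."""
    return ['del /p "%s"' % a for a in archives]
```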

To convert the Perl script to an exe file you can use tinyperl.