5 April 2006

Brontok Remover Shell Script

Posted at 16:25

Today I shared my whole home directory in read-write mode to a mostly Windows-only network. It was such a bad idea; later I found out that my home directory was being filled with nonsense .exe files scattered all over the place. Yes, it was the notorious Brontok virus.

But at least this is a chance to document how I dealt with this virus several months ago. The following quick and dirty shell script saved my day:

#!/bin/sh
# MD5 sum and exact byte size of the .exe this Brontok variant drops;
# a file is only removed when both match.
MD5=c27efafad30060e52770c4cda28d3183
SIZE=40928

# Walk the current directory for *.exe (any letter case) of exactly
# $SIZE bytes, hash them, keep only the lines starting with $MD5 and
# strip the hash off again. Names stay NUL-separated into md5sum and
# again into the final xargs, so spaces and quotes in names are safe
# (md5sum prefixes names containing a newline with a backslash, so
# those never match and are left alone). -r skips md5sum when find
# returns nothing.
find . -type f -iname '*.exe' -size "${SIZE}c" -print0 \
   | xargs -0 -r md5sum \
   | grep "^$MD5 " \
   | sed -e 's/^[0-9a-f]* [ *]//' \
   | tr '\n' '\0' \
   | xargs -0 -p -n1 rm -f

If you want to use the script, keep these in mind:

  • Change the MD5 variable to the MD5 sum of your Brontok variant. Take it from a file you have confirmed is the worm (run md5sum on it); a differently packed or rebuilt variant has a different hash, so the script only catches the exact copy you measured.
  • Change the SIZE variable to the size in bytes of that same file (ls -l shows it).
  • Remove -p from the last xargs command to suppress the per-file confirmation, or replace rm -f with echo to list every file detected as Brontok without actually removing anything. Do the echo run first: a hash plus size match is strict, but it is still worth seeing the list before deleting.

This should be obvious, but the script was written on a non-Windows machine. To use it on Windows you will need something like Cygwin, which provides find, xargs, md5sum and sed.
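As an added example, not the script from this post, here is the same hash-and-size match wrapped in functions, with a listing function for dry runs, a counter, and a quarantine directory instead of rm -f so a false positive can be put back and a real sample kept for analysis. Everything in it is invented for illustration: the function names (list_matches, count_matches, quarantine_matches, make_fixture), the file names in the constructed directory tree, and the "sample" contents, which are harmless text whose MD5 is computed at run time with md5sum, exactly as you would hash a real sample.

```shell
#!/bin/sh
# Added example, not the original script. All names below are assumptions
# made for this illustration; the "sample" is harmless constructed text.

# list_matches DIR MD5 SIZE
#   Print every *.exe under DIR (any letter case) that is exactly SIZE
#   bytes and hashes to MD5, one per line. Nothing is changed. Names stay
#   NUL-separated into md5sum so spaces and quotes are safe; md5sum
#   escapes names containing a newline with a leading backslash, so those
#   never match "^MD5 " and are skipped rather than mangled.
list_matches() {
    find "$1" -type f -iname '*.exe' -size "${3}c" -print0 \
        | xargs -0 -r md5sum \
        | grep "^$2 " \
        | sed -e 's/^[0-9a-f]* [ *]//'
}

# count_matches DIR MD5 SIZE -> number of matching files
count_matches() {
    list_matches "$@" | wc -l | tr -d ' '
}

# quarantine_matches DIR MD5 SIZE QDIR
#   Move each match into QDIR (created if needed) instead of deleting it.
#   A basename collision gets a numeric prefix so the .exe suffix survives
#   and the quarantined copy is still found by list_matches later.
quarantine_matches() {
    qdir=$4
    mkdir -p "$qdir"
    list_matches "$1" "$2" "$3" | while IFS= read -r f; do
        base=$(basename "$f")
        dest="$qdir/$base"
        n=1
        while [ -e "$dest" ]; do
            dest="$qdir/$n-$base"
            n=$((n + 1))
        done
        mv -- "$f" "$dest"
    done
}

# --- constructed fixture: a fake share with matches and near misses ----
SAMPLE='BRONTOK-SAMPLE'     # 14 characters; printf adds a newline
SAMPLE_SIZE=15
SAMPLE_MD5=$(printf '%s\n' "$SAMPLE" | md5sum | cut -d' ' -f1)

make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/Documents"
    printf '%s\n' "$SAMPLE" > "$d/Documents/winlogon.exe"  # match
    printf '%s\n' "$SAMPLE" > "$d/My Pictures.EXE"         # match: space, upper case
    printf '%s\n' "$SAMPLE" > "$d/it's here.exe"           # match: quote in name
    printf '%s\n' 'decoy-file-12x' > "$d/decoy.exe"        # same size, other hash
    printf '%s\n' "$SAMPLE" > "$d/notes.txt"               # right hash, not .exe
    printf '%s\n%s\n' "$SAMPLE" extra > "$d/bigger.exe"    # right prefix, wrong size
    printf '%s' "$d"
}
FIXTURE=$(make_fixture)

# Dry run: shows the three matching paths, touches nothing.
list_matches "$FIXTURE" "$SAMPLE_MD5" "$SAMPLE_SIZE"
```

The decoy, the .txt copy and the oversized file show why the original script insists on extension, size and hash together: each of them passes two of the three checks and is still left alone.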
