<!--
Title: Remove-ILOVEYOU.wsf
Purpose: To completely remove the ILoveYou.A virus.
Deletes the following files:
mskernel32.vbs
Win32dll.vbs
LOVE-LETTER-FOR-YOU.TXT.VBS
LOVE-LETTER-FOR-YOU.HTM
Win-BugsFix.exe
Recurses all drives deleting *.VBS files containing
"I hate go to school" in the first line.
(Creates a file named drclnily.txt at the
root of each drive so that it will only scan a drive once.)
Deletes the following registry entries:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MSKernel32
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WIN-BUGFIX
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\\Win32DLL
Changes Internet Explorer's start page
Creates a Tab-Separated log file which includes:
Field 1: Time and Date
Field 2: Machine Name
Field 3: Messages - Infected, Clean, Infected that have been deleted
Usage:
1. Set log file
2. Set default IE start page URL
3. Execute.
Author: Nathan Hartley
Date: 5/5/00 11:08AM
Notes:
-->
<package>
<job id="1">
<?job debug="false" error="false" ?>
<script language="VBScript">
</script>
<script language="JScript">
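// Main routine: remove the known ILOVEYOU.A artifacts (dropped files and
// autorun registry values) from this machine, and if any were present reset
// the IE start page, sweep the drives and report the result.
// Exit code: 1 when an infection was found, 0 when the machine was clean.

// To turn off logging set sLogFile=""
// NOTE: every machine that runs this appends to the same share, so the share
// must be writable by all of them; treat its entries as self-reported data.
var sLogFile = "\\\\NTServer\\MainApps\\ILoveYou.log";
// Internet Explorer Start Page set on infected machines
var sURL = "http://www.secu.org/default2.htm";
var oFso = new ActiveXObject("Scripting.FileSystemObject");
var oShell = new ActiveXObject( "WScript.Shell" );
var sDirWin = oFso.GetSpecialFolder(0);
var sDirSystem = oFso.GetSpecialFolder(1);
var sDirTemp = oFso.GetSpecialFolder(2);
// readReg returns null when the value does not exist.
var sDirDL = readReg("HKCU\\software\\microsoft\\internet explorer\\download directory");
var bInfected = false;
var i, msg;

// Deletes sPath if it exists. Returns true when the file was present, even if
// the delete failed, so the machine is still reported as infected. A failed
// delete is logged instead of aborting the rest of the cleanup.
function removeIfPresent( sPath ){
  if (!oFso.FileExists(sPath)) return( false );
  try{
    oFso.DeleteFile(sPath, true);
  }
  catch(oError){
    log(sLogFile, "Could not delete ILOVEYOU file: " + sPath);
  }
  return( true );
}

// Files dropped into the Windows and System folders.
var aFiles = [
  sDirSystem + "\\mskernel32.vbs",
  sDirWin + "\\Win32dll.vbs",
  sDirSystem + "\\LOVE-LETTER-FOR-YOU.TXT.VBS",
  sDirSystem + "\\LOVE-LETTER-FOR-YOU.HTM"
];
for (i = 0; i < aFiles.length; i++){
  if (removeIfPresent(aFiles[i])) bInfected = true;
}
// Without a configured download directory there is no path to check;
// concatenating null would test the bogus relative path "null\win-bugsfix.exe".
if (sDirDL != null){
  if (removeIfPresent(sDirDL + "\\win-bugsfix.exe")) bInfected = true;
}

// Autorun values that restart the worm at logon / boot.
// NOTE(review): the second value is spelled WIN-BUGFIX here while the dropped
// file is win-bugsfix.exe; confirm the value name on an infected host. If it
// differs, that Run entry is never removed.
var aRunValues = [
  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MSKernel32",
  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WIN-BUGFIX",
  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\\Win32DLL"
];
for (i = 0; i < aRunValues.length; i++){
  // delReg returns true only when the value existed and was deleted.
  if (delReg(aRunValues[i])) bInfected = true;
}

if (bInfected) {
  msg = "Your PC was infected with the ILOVEYOU virus.\n\n";
  msg += "Please wait while it is cleaned up.";
  oShell.Popup( msg ,10,"Notice:",48);
  writeReg("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",sURL);
  log(sLogFile,"Infected with ILOVEYOU.A");
  // Sweep fixed and network drives for infected *.vbs copies.
  drives();
  oShell.Popup("The ILOVEYOU virus has been removed from this system.",30,"Notice:",48);
  WScript.Quit(1);
}
log(sLogFile,"Clean - ILOVEYOU.A was not detected.");
msg = "Your PC was not infected with the ILOVEYOU virus!\n\n";
msg += "Thank you for not executing unknown e-mail attachments.";
oShell.Popup( msg ,30,"Notice:",64);
WScript.Quit(0);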
/* Functions */
// Deletes the registry key or value named by sName.
// Returns true when RegDelete succeeded and false when it threw, which
// includes the case where the entry does not exist. Callers use the result
// as an "entry was present" indicator.
function delReg( sName ){
  var wsh = new ActiveXObject("WScript.Shell");
  var bDeleted = true;
  try{
    wsh.RegDelete( sName );
  }
  catch(error){
    bDeleted = false;
  }
  return( bDeleted );
}
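// Scans every fixed (DriveType 2) and network (DriveType 3) drive once for
// infected files, then drops a marker file drclnily.txt at the drive root so
// later runs skip that drive.
// NOTE: the marker is trusted without verification. A drive that is
// re-infected after its first scan, or on which the marker already exists for
// any other reason, is not scanned again until drclnily.txt is removed.
function drives(){
  var fso = new ActiveXObject("Scripting.FileSystemObject");
  var e = new Enumerator(fso.Drives);
  var oDrive, sMarker, msg;
  for (; !e.atEnd(); e.moveNext()){
    oDrive = e.item();
    if ((oDrive.DriveType != 2) && (oDrive.DriveType != 3)) continue;
    // A disconnected network drive is not ready; touching RootFolder would throw.
    if (!oDrive.IsReady) continue;
    sMarker = oDrive.RootFolder + "drclnily.txt";
    if (fso.FileExists(sMarker)) continue;
    try{
      // Pass the root folder rather than the Drive object: a Drive converts to
      // "C:" with no trailing backslash, which may resolve to the current
      // directory on that drive instead of its root.
      cleanFiles( oDrive.RootFolder );
    }
    catch( oError ){
      // Leave the drive unmarked so that the next run scans it again.
      log(sLogFile, "Scan of drive " + oDrive.DriveLetter + " did not complete.");
      continue;
    }
    msg = "This drive has been cleaned of ILoveYou virus infected files.\n";
    writeText(sMarker, msg );
  }
}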
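// Recursively scans the folder dir and deletes:
//   - *.vbs files whose first line contains the marker "i hate go to school"
//     (compared case-insensitively);
//   - every file named script.ini, without inspecting its contents.
//     NOTE(review): this also removes script.ini files the worm never touched;
//     confirm that is acceptable on the drives being scanned.
// Unreadable folders and files are skipped so one access error cannot abort
// the whole scan. Each deletion, or failed deletion, is written to the log.
function cleanFiles( dir ){
  var sMarker = "i hate go to school";
  var fso = new ActiveXObject("Scripting.FileSystemObject");
  var srcFolder, files, subs, f, oStream, sLine;

  // Deletes oFile and logs the outcome. The log entry is written only after
  // the delete has actually succeeded.
  function deleteAndLog( oFile, sPrefix ){
    var sPath = oFile.Path;   // read before the delete invalidates the object
    try{
      oFile.Delete(true);
      log(sLogFile, sPrefix + sPath);
    }
    catch( oError ){
      log(sLogFile, "Could not delete file: " + sPath);
    }
  }

  // Get Current Folder and the files in it
  try{
    srcFolder = fso.GetFolder( dir );
    files = new Enumerator( srcFolder.files );
  }
  catch( oError ){
    return;   // folder could not be opened or listed
  }

  // Loop through files
  for(; !files.atEnd(); files.moveNext() ){
    f = files.item();
    if (fso.GetExtensionName(f.Path).toLowerCase() == "vbs"){
      sLine = "";
      oStream = null;
      try{
        oStream = fso.OpenTextFile( f.Path , 1);
        // ReadLine throws on an empty file, so test for end-of-stream first.
        if (!oStream.AtEndOfStream) sLine = oStream.ReadLine();
      }
      catch( oError ){
        sLine = "";   // locked or unreadable: treat as not matching
      }
      if (oStream){
        try{ oStream.Close(); } catch( oError ){}
      }
      // >= 0 so that a marker at the very start of the line also matches.
      if ( sLine.toLowerCase().indexOf(sMarker) >= 0 ){
        deleteAndLog( f, "Deleted ILOVEYOU infected file: " );
      }
    }
    else if ( fso.GetFileName(f.Path).toLowerCase() == "script.ini" ){
      deleteAndLog( f, "Deleted file: " );
    }
  }

  // Get any sub folders to current directory
  try{
    subs = new Enumerator( srcFolder.SubFolders );
  }
  catch( oError ){
    return;
  }
  // Loop through sub folder list and scan
  // through a recursive call to this function
  for(; !subs.atEnd(); subs.moveNext() ){
    cleanFiles( subs.item() );
  }
}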
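// Appends one tab-separated line to sLogFile:
//   UTC timestamp <TAB> computer name <TAB> <TAB> message
// (there are two tabs before the message, so an empty field sits between the
// computer name and the message).
// The file is created if missing. Because several machines may append to the
// same file, a failed attempt is retried up to 20 times, one second apart.
// Returns true once the line has been written and false when logging is
// disabled (sLogFile == "") or every attempt failed.
function log(sLogFile, sMessage){
  if ( sLogFile == "" ) return(false);
  var ForAppending = 8;
  var nMaxAttempts = 20;
  var fso = new ActiveXObject("Scripting.FileSystemObject");
  var WshNetwork = new ActiveXObject("Wscript.Network");
  var f, nAttempt;
  for (nAttempt = 0; nAttempt < nMaxAttempts; nAttempt++){
    f = null;
    try{
      f = fso.OpenTextFile( sLogFile , ForAppending, true);
      f.WriteLine(new Date().toUTCString() + "\t" + WshNetwork.ComputerName + "\t" + "\t" + sMessage);
      f.Close();
      return( true );
    }
    catch(err){
      // Release the handle if the open succeeded but the write failed.
      if (f){
        try{ f.Close(); } catch(err2){}
      }
      WScript.Sleep(1000);
    }
  }
  // All attempts failed. The previous code used "failed=-1" (assignment) in
  // its return expression, so it reported success unconditionally.
  return( false );
}

// Reads the registry value named by sName.
// Returns the value, or null when RegRead throws (for example when the
// value does not exist).
function readReg( sName ){
  var oShell = new ActiveXObject("WScript.Shell");
  try{
    return( oShell.RegRead( sName ) );
  }
  catch(error){
    return( null );
  }
}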
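// Writes aData to the registry value named by sName.
// sType is the registry type string passed to RegWrite; when fewer than
// three arguments are supplied it defaults to "REG_SZ".
// Returns true on success and false when RegWrite throws.
function writeReg( sName, aData, sType ){
  var oShell = new ActiveXObject("WScript.Shell");
  if ( arguments.length < 3 ) sType = "REG_SZ";
  try{
    oShell.RegWrite( sName, aData, sType );
    return(true);
  }
  catch(error){
    return(false);
  }
}

// Appends sMessage to the text file sLogFile, with no newline added. The file
// is created if missing. A failed attempt is retried up to 20 times, one
// second apart.
// Returns true once the text has been written and false when sLogFile is ""
// or every attempt failed.
function writeText(sLogFile, sMessage){
  if ( sLogFile == "" ) return(false);
  var ForAppending = 8;
  var nMaxAttempts = 20;
  var fso = new ActiveXObject("Scripting.FileSystemObject");
  var f, nAttempt;
  for (nAttempt = 0; nAttempt < nMaxAttempts; nAttempt++){
    f = null;
    try{
      f = fso.OpenTextFile( sLogFile , ForAppending, true);
      f.Write(sMessage);
      f.Close();
      return( true );
    }
    catch(err){
      // Release the handle if the open succeeded but the write failed.
      if (f){
        try{ f.Close(); } catch(err2){}
      }
      WScript.Sleep(1000);
    }
  }
  // All attempts failed. The previous code used "failed=-1" (assignment) in
  // its return expression, so it reported success unconditionally.
  return( false );
}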
</script></job>
</package>