Earlier in the week I found a few PCs that were infected with the Conficker malware. After looking at the infected PCs I noted that the infected file that was detected always had the following characteristics.
- Always a dll file in the Windows\system32 directory
- Always exactly the same size (155858 bytes)
- Always has ReadOnly, System, Archive and Hidden attributes set
Out of curiosity I wrote the following script to pull from AD a list of servers, ping them and then search through the System32 directory on servers that were up for dll files with those attributes set.
I found 3 servers that had dodgy AV signatures and infected dll files... PowerShell wins!!
#Get the server list (Quest AD cmdlet)
$ServerList = @(Get-QADComputer -OSName "Windows Server*")
$Servers = $ServerList | ForEach-Object { $_.Name }
Write-Host "These Servers will be checked" -ForegroundColor Green
$Servers

#Ping the server, then look in System32 for DLLs carrying the suspect attribute set
function Find-Infection {
    param([string]$Serv)
    $ping = Get-WmiObject -Query "SELECT * FROM Win32_PingStatus WHERE Address = '$Serv'"
    if ($ping.StatusCode -eq 0) {
        Write-Host "Checking $Serv Now" -ForegroundColor Yellow
        #Check for file: -Force is required, otherwise Hidden/System files are skipped
        Get-ChildItem -Path \\$Serv\c$\windows\system32 -Filter *.dll -Force |
            Where-Object { $_.Attributes -eq "ReadOnly, Hidden, System, Archive" }
    }
    else {
        Write-Host "$Serv is not responding" -ForegroundColor Red
    }
}

foreach ($serv in $Servers) {
    Find-Infection -Serv $serv | Select-Object Length, Mode, FullName | Format-Table -AutoSize
}
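The following is an added example, not the original post's script, that takes the same three indicators (a DLL in System32, 155858 bytes, ReadOnly+Hidden+System+Archive) and turns the sweep into a report: it checks the attributes as a flag subset rather than an exact match, records whether the size matches, hashes every hit with SHA-256 so it can be compared against AV vendor data, and writes the findings to CSV. It assumes the ActiveDirectory module (Get-ADComputer) in place of the Quest Get-QADComputer cmdlet, admin rights on each server's C$ share, and PowerShell 4.0 or later for Get-FileHash; the report path is an assumed location.

```powershell
# Added example (not the post's script). Sweeps Windows servers from AD for DLLs in
# System32 matching the Conficker indicators the post lists, adds a size check and a
# SHA-256 hash per hit, and writes a CSV report.
# Assumptions: ActiveDirectory module available (Get-ADComputer) instead of the Quest
# cmdlet; the running account can read \\server\c$; PowerShell 4.0+ for Get-FileHash.

$ExpectedSize = 155858                                   # size the post observed on every infected DLL
$ReportPath   = "$env:USERPROFILE\conficker-sweep.csv"   # assumed output location

function Test-ServerUp {
    param([string]$ComputerName)
    # One ICMP echo; -Quiet returns $true/$false instead of a status object
    return Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue
}

function Find-SuspectDll {
    param([string]$ComputerName)
    $path = "\\$ComputerName\c$\Windows\System32"
    try {
        Get-ChildItem -Path $path -Filter *.dll -Force -ErrorAction Stop |
            Where-Object {
                # -band on the flags enum: all four attributes must be set, even if the
                # file also carries extra flags that an exact -eq comparison would miss
                $required = [IO.FileAttributes]'ReadOnly, Hidden, System, Archive'
                ($_.Attributes -band $required) -eq $required
            } |
            ForEach-Object {
                [PSCustomObject]@{
                    Server      = $ComputerName
                    FullName    = $_.FullName
                    Length      = $_.Length
                    SizeMatches = ($_.Length -eq $ExpectedSize)
                    Attributes  = $_.Attributes.ToString()
                    LastWrite   = $_.LastWriteTimeUtc
                    SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
    catch {
        Write-Warning "$ComputerName : could not read $path ($($_.Exception.Message))"
    }
}

# Server list from AD; server-side filter on the OperatingSystem attribute
$servers = Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"' |
           Select-Object -ExpandProperty Name

$findings = foreach ($server in $servers) {
    if (-not (Test-ServerUp $server)) {
        Write-Host "$server is not responding" -ForegroundColor Red
        continue
    }
    Write-Host "Checking $server" -ForegroundColor Yellow
    Find-SuspectDll -ComputerName $server
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table Server, Length, SizeMatches, FullName -AutoSize
```

The attribute test uses `-band` because the post's exact comparison (`-eq "ReadOnly, Hidden, System, Archive"`) is false for a file that has those four bits plus any other flag set. The attribute set alone is not proof of infection, since legitimate files can carry it, which is why each hit is reported with its size match and hash for confirmation rather than acted on automatically.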