yorath

Worm.Fujack.su Removal

Apr 26th, 2013
  1. import string
  2. import os
  3. import logging
  4. import sys
  5. import time
  6. from ctypes import windll
  7.  
  8.  
# Running count of files that fix() has disinfected in this run; fix() bumps it
# through a `global` statement and main() reports it in the final log line.
total_infected_files = 0
  10.  
  11.  
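def main():
    """Scan directories for Fujacks-infected .exe files, repair them, then shut down.

    Command-line arguments, if any, are the directories to scan; with none,
    every logical drive whose Win32 drive type is DRIVE_FIXED is walked.
    Progress and the names of repaired files are logged to 'infected.log'
    and mirrored to the console.  When the scan finishes the machine is
    forcibly shut down.
    """
    global total_infected_files
    start_time = time.time()

    # File log plus a console handler using the same record format.
    log_format = '[%(asctime)s] %(message)s'
    date_format = '%Y-%m-%d %H:%M:%S'
    logging.basicConfig(filename='infected.log', format=log_format, datefmt=date_format, level=logging.INFO)
    console = logging.StreamHandler()
    console.setLevel(logging.INFO)
    console.setFormatter(logging.Formatter(log_format, datefmt=date_format))
    logging.getLogger('').addHandler(console)

    logging.info('Start fixing')
    logging.info('===================================')

    if len(sys.argv) > 1:
        for directory in sys.argv[1:]:
            traverse_directory(directory)
    else:
        # Win32 GetDriveType: 3 == DRIVE_FIXED (local hard disks); only drives of
        # that type are scanned.
        DRIVE_FIXED = 3
        for drive in get_drives():
            # GetDriveTypeA is the ANSI entry point, so pass a byte string
            # (a no-op on Python 2 str, required on Python 3).
            drive_type = windll.kernel32.GetDriveTypeA(drive.encode('ascii'))
            if drive_type == DRIVE_FIXED:
                traverse_directory(drive)

    elapsed_time = time.gmtime(time.time() - start_time)
    logging.info('===================================')
    logging.info('Total infected files: %s', total_infected_files)
    logging.info('Elapsed time: %s', time.strftime("%H:%M:%S", elapsed_time))
    # Immediate forced shutdown once the scan completes -- presumably so a
    # still-running worm process cannot reinfect the repaired files; confirm
    # before running this on a machine where an unannounced shutdown is a problem.
    os.system('shutdown /s /f /t 0')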
  41.  
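def get_drives(bitmask=None):
    """Return the root path ('A:\\\\', 'B:\\\\', ...) of every logical drive present.

    Args:
        bitmask: Optional drive bitmask where bit 0 is A:, bit 1 is B:, and so
            on up to bit 25 for Z:.  When None (the default) it is queried from
            the OS via kernel32.GetLogicalDrives.

    Returns:
        A list of drive roots in alphabetical order.
    """
    if bitmask is None:
        bitmask = windll.kernel32.GetLogicalDrives()
    # string.ascii_uppercase exists on both Python 2 and 3 (string.uppercase
    # is Python 2 only).
    return [letter + ':\\' for bit, letter in enumerate(string.ascii_uppercase) if (bitmask >> bit) & 1]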
  51.  
  52.  
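def traverse_directory(directory):
    """Walk *directory* recursively and run fix() on every .exe file found.

    Args:
        directory: Path of the directory tree to scan.  A path that is not an
            existing directory is logged and skipped.
    """
    if not os.path.isdir(directory):
        logging.info('%s is not a existing directory', directory)
        return
    logging.info('Scanning directory %s', directory)
    for root, _, files in os.walk(directory):
        for name in files:
            # Windows file names are case-insensitive, so 'FOO.EXE' is an
            # executable too; a case-sensitive suffix check would skip it.
            if name.lower().endswith('.exe'):
                fix(os.path.join(root, name))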
  63.  
  64.  
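def fix(file_name):
    """Strip the Fujacks worm body from *file_name* if the file is infected.

    An infected file is recognised by two markers: the bytes '11738\\x05\\x00'
    at offset 0x12800 and a '\\x00BMW!!' marker somewhere in the last 300
    bytes.  The original host program sits between the end of the first
    marker and the start of the second; it is read out and written back over
    the file in place, and the module-level counter total_infected_files is
    incremented.  Files lacking either marker are left untouched.

    Args:
        file_name: Path of the .exe to inspect and, if infected, repair.
    """
    global total_infected_files
    # Bytes literals so the comparison against the 'rb' read works on
    # Python 3 as well as Python 2 (where b'...' is plain str).
    signature1 = b'11738\x05\x00'
    offset1 = 0x12800
    signature2 = b'\x00BMW!!'
    tail_len = 300  # the end marker is only searched for in the last 300 bytes
    host_start = offset1 + len(signature1)

    with open(file_name, 'rb') as infile:
        infile.seek(offset1)
        if infile.read(len(signature1)) != signature1:
            return
        infile.seek(-tail_len, 2)
        tail = infile.read()
        idx = tail.rfind(signature2)
        if idx == -1:
            return
        # Absolute offset of the end marker == end of the embedded host program.
        infile.seek(idx - tail_len, 2)
        host_end = infile.tell()
        host_len = host_end - host_start
        if host_len <= 0:
            # The marker precedes the payload: not a layout this tool can
            # repair.  A negative read() would return the rest of the file and
            # the rewrite below would then overwrite the file with garbage.
            logging.info('%s: unexpected layout, skipped', file_name)
            return
        infile.seek(host_start)
        data = infile.read(host_len)

    logging.info(file_name)
    total_infected_files += 1
    with open(file_name, 'wb') as outfile:
        outfile.write(data)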
  93.  
  94.  
# Script entry point: run the scan (and the forced shutdown at the end of
# main()) only when executed directly, not when imported.
if __name__ == '__main__':
    main()