As systems administrators, many of us have finished cleaning up after the remote procedure call (RPC) exploit and the Deborm, SQL Slammer, Bagle, and Netsky worms only to now be looking down both barrels of the Sasser worm. Although we make every effort to ensure that our servers and PCs are protected with the appropriate hotfixes and virus protection, often a node will become infected and try to spread that infection through the company. The biggest culprits are usually remote users who inadvertently bring in infected laptops; their infections can quickly become a companywide problem in spite of an effective network firewall.
Systems administrators need to have a strategy and tools to clean up after an infected node is discovered. I've discovered a tool that's perfect for this task: McAfee's Stinger utility. You can find more information about the tool and download the most recent version at http://vil.nai.com/vil/stinger.
Stinger is one of the most popular freeware tools for worm and virus cleanup. This small self-contained removal tool will clean a PC or server of more than 40 recent virus and worm exploits. The tool has a simple, easy-to-use GUI, which Figure 1 shows, and now NAI has made this handy tool even more useful by incorporating a command-line interface.
I receive a lot of questions about Stinger and how to use scripting to maximize its effectiveness. Let me share some of those questions and give you several tricks to make this great tool even more effective for virus and worm cleanup.
Q: The Stinger tool scans only the C drive by default. Can we make the tool scan and clean all drives?
A: Yes, you can configure Stinger to clean all drives. After you download and save the tool to a shared, central location, use the stinger.exe /? command to see the online help. You'll see that Stinger 2.2.5 and later offers four new switch options:
- /ADL—Scan all local drives.
- /GO—Start scanning immediately.
- /LOG—Save the log file after a scan.
- /SILENT—Don't display the GUI.
To launch Stinger and make it scan all local drives, type the command
You can add the /GO switch to make the tool start scanning immediately.
Q: Our Help desk team uses Stinger in GUI mode and uses Netopia's Timbuktu or AT&T Laboratories Cambridge's Virtual Network Computing (VNC) software to launch the tool on the infected node. Is there a better way to launch Stinger?
A: Using a remote control product is a good way to launch Stinger, but you can launch it remotely without requiring the Help desk worker to log on to the node. Just use the Psexec tool from Sysinternals (http://www.sysinternals.com/ntw2k/freeware/psexec.shtml) to launch Stinger on the remote node. Psexec uses the following switches:
- -u—specifies the user account that you want to run the tool
- -p—specifies the password for that user account
- -c—copies Stinger to the remote node
- -f—overwrites any old Stinger files
- -i—lets the user watch the Stinger GUI run
For example, a command such as the following launches Stinger in interactive mode (i.e., the Stinger GUI appears on the desktop):
Psexec \\computer1 -u adminacct -p AdminPwHere -c -f -i D:\Tools\Stinger.exe /ADL /GO
To run Stinger in the background so that the GUI doesn't appear, simply eliminate the -i switch and use the /SILENT switch, as the following command shows:
Psexec \\computer1 -u adminacct -p AdminPwHere -c -f D:\Tools\Stinger.exe /ADL /GO /SILENT
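The silent command above, run against a list of nodes without a password stored in the script, as an added example that is not part of the original article: with -u and -p omitted, PsExec runs the process under the account of the administrator who starts the script. The file names infected-nodes.txt and stinger-results.csv are hypothetical.

```bat
@echo off
rem Added example (not from the original article).
rem Runs Stinger silently on every node listed in a text file, one name per
rem line, and records the exit code PsExec reports for each node.
rem ASSUMPTIONS: infected-nodes.txt and stinger-results.csv are hypothetical
rem names; the script is started by an account that is an administrator on
rem the target nodes, so no -u/-p pair (and no clear-text password) is needed.
setlocal
set "HOSTS=infected-nodes.txt"
set "RESULTS=stinger-results.csv"
set "STINGER=D:\Tools\Stinger.exe"

if not exist "%HOSTS%" (
    echo Host list %HOSTS% not found.
    exit /b 1
)
if not exist "%STINGER%" (
    echo %STINGER% not found.
    exit /b 1
)

>"%RESULTS%" echo node,psexec_exit_code

rem Lines starting with # in the host list are treated as comments.
for /f "usebackq eol=# tokens=1" %%H in ("%HOSTS%") do call :scan %%H
echo Results written to %RESULTS%
exit /b 0

:scan
rem -c copies Stinger to the node, -f overwrites an older copy there.
psexec \\%1 -c -f "%STINGER%" /ADL /GO /SILENT
>>"%RESULTS%" echo %1,%errorlevel%
goto :eof
```

If a separate account is required, supply -u without -p and PsExec prompts for the password instead of reading it from the command line.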
Q: Our administrators log on to our servers locally or through Windows 2000 Server Terminal Services and launch a master copy of Stinger located in a shared folder. When we launch the tool on several servers, we notice that Stinger doesn't retain the preference settings and drives that we previously selected. How can we make Stinger retain our settings?
A: When Stinger launches, it creates a small stinger.opt file in the same folder in which stinger.exe resides. If that folder is on a server and has read-only permissions, Stinger can't create the stinger.opt file and won't save the settings. If the folder is writeable and you launch several nodes, each server saves its settings to the stinger.opt file, overwriting the previous settings each time Stinger finishes running on a node. You might also have problems if you use the /LOG switch because it tries to save the stinger.txt log file to the same location where stinger.exe is stored, also overwriting any old log file in that folder.
To overcome this limitation, download the newest Stinger version and store it in a shared folder for which users have write permissions. Then, run the RunStingerSaveOptions.bat script, which Listing 1 shows. You can download RunStingerSaveOptions.bat from the Code Library on the Windows Scripting Solutions Web site (http://www.winnetmag.com/windows scripting, InstantDoc ID 43023). Make sure to store the script in a read-only location, then give users a shortcut to the script.
RunStingerSaveOptions.bat creates a folder named with the built-in %COMPUTERNAME% environment variable, copies Stinger to that folder, and launches the tool. When the user launches Stinger in the future, the preferences will be preserved because there is a retained stinger.opt file. After a stinger.opt file exists for a node, Stinger always launches in the /GO mode. Each scan creates a new log file and replaces the old one for each node. Stinger saves the file to the shared folder when the user closes Stinger. This approach works well for a small number of nodes in small and midsized server farms. If you plan to use Stinger for all your desktop nodes or for a large number of servers, a local Stinger copy on the PC or server might be a better approach. The beauty of this approach is that it stores your log files in a central location, so you can easily review them for virus and worm hits. The last line of the script lets you opt to delete the Stinger.exe file that's in the %COMPUTERNAME% folder after the script runs.
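Listing 1 is not reproduced on this page. The following batch script is an added example, not the original RunStingerSaveOptions.bat, showing one way to implement the per-computer folder approach described above; the share path \\server1\StingerShare and the choice of the /ADL and /LOG switches are assumptions.

```bat
@echo off
rem Added example (not the article's Listing 1).
rem Runs Stinger from a per-computer folder so that each node keeps its own
rem stinger.opt and its own log file instead of overwriting a shared one.
rem ASSUMPTION: \\server1\StingerShare is a hypothetical writable share that
rem holds the master copy of stinger.exe.
setlocal
set "SHARE=\\server1\StingerShare"
set "NODEDIR=%SHARE%\%COMPUTERNAME%"

if not exist "%SHARE%\stinger.exe" (
    echo Master copy not found: %SHARE%\stinger.exe
    exit /b 1
)

rem Create the node's folder on first run; an existing stinger.opt is kept.
if not exist "%NODEDIR%\" (
    mkdir "%NODEDIR%" || (
        echo Cannot create %NODEDIR% - check write permissions on the share.
        exit /b 2
    )
)

rem Refresh the executable so the node always runs the newest master copy.
copy /y "%SHARE%\stinger.exe" "%NODEDIR%\stinger.exe" >nul || (
    echo Copy to %NODEDIR% failed.
    exit /b 3
)

rem /ADL scans all local drives. /LOG saves the log next to stinger.exe,
rem which here is the per-computer folder. start /wait blocks until the
rem user closes Stinger.
start "" /wait "%NODEDIR%\stinger.exe" /ADL /LOG

rem Optional cleanup: delete the copied executable but keep stinger.opt and
rem the log. Remove the leading "rem" from the next line to enable it.
rem del "%NODEDIR%\stinger.exe"
endlocal
```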
Q: We need to use the same custom Stinger preferences whenever we scan our machines. Can we launch Stinger with those preferences on a new machine that has never run Stinger?
A: Yes, you can create a template stinger.opt file and use it on other nodes. To create the template file, open Stinger on a test node, select the options you require, and close the application, creating the stinger.opt file. Set the file attribute to read-only. You can then use the template file to launch Stinger with your preset preferences on all nodes. Simply place the stinger.opt file in the folder that houses stinger.exe. When Stinger closes on these nodes, it attempts to save its changes to the stinger.opt file but quietly fails because the file is read-only. Users can modify the preferences only for the current Stinger session. When next opened, Stinger reverts to the preferences in the read-only stinger.opt file.
Q: We're having some reinfections of the Deborm worm. Can we use Group Policy to run Stinger on only the infected machines at reboot?
A: Yes, you can use a computer startup script to launch Stinger on only the infected machines. First, research the virus or worm signature that you want to look for. For example, I determined that all our Deborm-infected nodes had a Deborm signature file in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup directory. I researched our antivirus vendor's Web site and identified the names of several payload files—oocfwm.exe, results.exe, ~2.EXE, lknq.exe, oocfwm.exe, and gwigsb.exe—that I wanted to test for in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup directory. If any of these filenames were present in the All Users Startup folder, I wanted to start Stinger in silent mode to clean up that node.
To automate this process, I put Stinger on a shared folder to which Authenticated Users or Domain Computers have Read permission. Then, I created a Group Policy Object (GPO) and added a computer startup script that contains the code in Listing 2, which will launch Stinger when any of the six target files are found. Apply the GPO to the organizational unit (OU) that contains all nodes. The startup script will run Stinger on all nodes that have any of the target files.
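Listing 2 is not reproduced on this page. The following startup script is an added example, not the author's code, that implements the check described above using the five distinct filenames the article gives; the share path \\server1\StingerShare and the local log file are assumptions.

```bat
@echo off
rem Added example (not the article's Listing 2).
rem Computer startup script: launch Stinger silently only on nodes where one
rem of the listed Deborm payload files is present in the All Users Startup
rem folder.
rem ASSUMPTIONS: \\server1\StingerShare is a hypothetical share readable by
rem Domain Computers; the local log path is also hypothetical.
setlocal
set "STINGER=\\server1\StingerShare\stinger.exe"
set "STARTUP=C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
set "LOG=%SystemRoot%\Temp\stinger-startup.log"
set "FOUND="

rem Filenames exactly as given in the article (oocfwm.exe is listed twice
rem there, so five distinct names are checked).
for %%F in (oocfwm.exe results.exe ~2.EXE lknq.exe gwigsb.exe) do (
    if exist "%STARTUP%\%%F" set "FOUND=%%F"
)

rem Clean node: nothing to do, let startup continue.
if not defined FOUND exit /b 0

rem Keep a local record of which file triggered the scan.
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% matched "%FOUND%"

if not exist "%STINGER%" (
    >>"%LOG%" echo %DATE% %TIME% Stinger share not reachable, scan skipped
    exit /b 1
)

rem /ADL scans all local drives, /GO starts immediately, /SILENT hides the
rem GUI. start without /wait returns at once, so this script does not block
rem while the scan runs.
start "" "%STINGER%" /ADL /GO /SILENT
>>"%LOG%" echo %DATE% %TIME% Stinger launched
endlocal
exit /b 0
```

The local log gives you a per-node record of repeat matches, which is what the reinfection question is really asking about.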
Q: Some users and administrators in our organization use pocket USB drives to transfer files between their PCs. Using Stinger with the /ADL switch doesn't scan these files. How can we tell Stinger to clean these files?
A: The /ADL switch doesn't work with removable media drives such as USB drives and 3.5" disk drives. You need to insert these drives into the node, then use the Stinger GUI at runtime to manually add the drive.
Taking the Sting Out
I've tried to give you a basic understanding of how the Stinger utility works as well as some useful techniques you can use with the utility in your environment. Stinger is a great administrative tool, and by taking advantage of its command-line interface, you can take the sting out of virus and worm attacks.