January 29th, 2004, 04:05 PM
Using DOS to remove potentially infected .zip files
Our antivirus software has been renaming all of the MyDoom .zip files rather than deleting them, so I've been ordered to manually remove them via DOS. Basically I'm going to our mail server, going into the folder in which attachments are stored (named "K:\MAILATCH") and then finding and deleting all *.zip files. I was told to do a "dir *.zip". I'm not very well schooled in DOS commands (I know, a sad thing), so this is a bit foreign to me. Mind lending some knowledge on how to do this? What commands do I use?
January 29th, 2004, 04:23 PM
Basic dos commands....
dir [argument] - list contents of directory
rmdir [directory] - remove directory
del [file] - delete file
cd [directory] - change directory
* - wild card character (everything)
if you can't do it with those commands then, research dos on www.google.com
January 29th, 2004, 04:26 PM
del *.zip /S
will remove all zip files from the directory and all subdirectories. Just make sure you are in the correct directory before you issue that or you may destroy other zips you want to keep.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
January 29th, 2004, 04:27 PM
What mail system are you using? I'm guessing as you are saying that you are going to a drive and deleting files that you are referring to the virtual M:\ drive on exchange 2000. If so, the easiest and fastest way to do what you want to do is with a tool called exmerge.
You can download the tool for free from MS, and there is plenty of documentation about how the tool works. But it will basically look inside of every mailbox for whatever criteria you specify and archive out the messages that meet your criteria. In this way you can get much more specific and not delete all .zip's but only those .zip's that have a subject line that corresponds to the mydoom.
Exmerge instructions: Check the reskit for the exmerge .exe's.
Also, in exchange 2000, you are using the virus api 2.0 which does not allow for the message to be deleted entirely through vapi scanning. There are three possible fixes for this:
1: Use an "smtpsink" to delete the messages at the connector level. This is however a rather CPU intensive process. If your machine is not that heavily utilized it may be the best solution though. SMTPsink instructions
2: Newer AV products such as NAI Groupshield 6.0 have transport scanning. This is very similar to the MS provided smtpsink, it is just much more efficient.
3: Upgrade to exchange2003 and a current antivirus package that support vapi2.5. In vapi2.5 you have the option to permanently delete the messages without notification to sender/recipient. VAPI 2.5 info
January 29th, 2004, 04:37 PM
Thanks guys, AntiOnline crew saves the day again. That's exactly what I needed to know.