Initial commit

2015-02-17 20:53:15 -05:00
parent 0197bcb289
commit 6b60acb4bd
2286 changed files with 403579 additions and 0 deletions
--- a/find_cryptowall_infected_files.rb
+++ b/find_cryptowall_infected_files.rb
@@ -0,0 +1,89 @@
+require 'win32ole'
+require 'FileUtils'
+
+
+def infectedFiles(decryptFile)
+	infectedPath = File.dirname("#{decryptFile}")
+	infectedFiles = Dir["#{infectedPath}/*.*"]
+	return infectedFiles
+end
+
+def infectedFileExpandedPath(file)
+	infectedFileExpandedPath = File.expand_path(file.to_s)
+	return infectedFileExpandedPath
+end
+
+def decryptFiles(path)
+	decryptFiles = Dir["#{path}/**/DECRYPT_INSTRUCTION.TXT"]
+	return decryptFiles
+end
+
+
+def myFile
+	myFile = File.new("files.txt","a")
+	return myFile
+end
+
+def openFile
+	openFile = File.open("files.txt","a")
+	return openFile
+end
+
+def writeMyFile(whatToWrite)
+	if !isDecryptInstructions(whatToWrite) && !isTorInstructions(whatToWrite)
+		whatToWrite = infectedFileExpandedPath(whatToWrite)
+		whatToWrite = whatToWrite.gsub("/","\\")
+		openFile.puts(whatToWrite)
+		openFile.close
+	end
+end
+
+def deleteInstructions(file)
+	if isTorInstructions(file) or isDecryptInstructions(file)
+		FileUtils.rm(File.expand_path(file.to_s))
+	end
+end
+
+def isTorInstructions(file)
+	if file.include? "TOR"
+		return true
+	else
+		return false
+	end
+end
+
+def isDecryptInstructions(file)
+	if file.include? "DECRYPT"
+		return true
+	else 
+		return false
+	end
+end
+
+def findInfectedFiles(path)
+	decryptFiles(path).each do |f|
+		infectedFiles(f).each do |returnedFiles|
+			writeMyFile(returnedFiles)
+			deleteInstructions(returnedFiles)
+		end
+	end
+
+end
+
+
+file_system = WIN32OLE.new("Scripting.FileSystemObject")
+drives = file_system.Drives
+drives.each do |drive|
+	if drive.DriveType == 2
+		findInfectedFiles(drive.Path)
+	end
+end
+
+
+
+
+
+
+
+
+