diff --git a/find_cryptowall_infected_files.rb b/find_cryptowall_infected_files.rb
deleted file mode 100644
index 48bad9f..0000000
--- a/find_cryptowall_infected_files.rb
+++ /dev/null
@@ -1,89 +0,0 @@
-require 'win32ole'
-require 'FileUtils'
-
-
-def infectedFiles(decryptFile)
- infectedPath = File.dirname("#{decryptFile}")
- infectedFiles = Dir["#{infectedPath}/*.*"]
- return infectedFiles
-end
-
-def infectedFileExpandedPath(file)
- infectedFileExpandedPath = File.expand_path(file.to_s)
- return infectedFileExpandedPath
-end
-
-def decryptFiles(path)
- decryptFiles = Dir["#{path}/**/DECRYPT_INSTRUCTION.TXT"]
- return decryptFiles
-end
-
-
-def myFile
- myFile = File.new("files.txt","a")
- return myFile
-end
-
-def openFile
- openFile = File.open("files.txt","a")
- return openFile
-end
-
-def writeMyFile(whatToWrite)
- if !isDecryptInstructions(whatToWrite) && !isTorInstructions(whatToWrite)
- whatToWrite = infectedFileExpandedPath(whatToWrite)
- whatToWrite = whatToWrite.gsub("/","\\")
- openFile.puts(whatToWrite)
- openFile.close
- end
-end
-
-def deleteInstructions(file)
- if isTorInstructions(file) or isDecryptInstructions(file)
- FileUtils.rm(File.expand_path(file.to_s))
- end
-end
-
-def isTorInstructions(file)
- if file.include? "TOR"
- return true
- else
- return false
- end
-end
-
-def isDecryptInstructions(file)
- if file.include? "DECRYPT"
- return true
- else
- return false
- end
-end
-
-def findInfectedFiles(path)
- decryptFiles(path).each do |f|
- infectedFiles(f).each do |returnedFiles|
- writeMyFile(returnedFiles)
- deleteInstructions(returnedFiles)
- end
- end
-
-end
-
-
-file_system = WIN32OLE.new("Scripting.FileSystemObject")
-drives = file_system.Drives
-drives.each do |drive|
- if drive.DriveType == 2
- findInfectedFiles(drive.Path)
- end
-end
-
-
-
-
-
-
-
-
-
diff --git a/source/cryptowallFinder.rb b/source/cryptowallFinder.rb
new file mode 100644
index 0000000..4161a79
--- /dev/null
+++ b/source/cryptowallFinder.rb
@@ -0,0 +1,68 @@
+require 'FileUtils'
+require_relative 'searchUtil'
+
+
+class Cryptowallfinder
+
+ attr_accessor :outputFile, :path
+
+ @search = Searchutil.new
+
+ def infectedFiles(decryptFile)
+ infectedPath = File.dirname("#{decryptFile}")
+ infectedFiles = Dir["#{infectedPath}/*.*"]
+ return infectedFiles
+ end
+
+ def infectedFileExpandedPath(file)
+ infectedFileExpandedPath = File.expand_path(file.to_s)
+ return infectedFileExpandedPath
+ end
+
+ def decryptFiles(path)
+ decryptFiles = Dir["#{path}/**/DECRYPT_INSTRUCTION.TXT"]
+ return decryptFiles
+ end
+
+ def writeMyFile(whatToWrite)
+ if !isDecryptInstructions(whatToWrite) && !isTorInstructions(whatToWrite)
+ whatToWrite = infectedFileExpandedPath(whatToWrite)
+ whatToWrite = whatToWrite.gsub("/","\\")
+ @openFile = self.outputFile.open
+ @openFile.puts(whatToWrite)
+ @openFile.close
+ end
+ end
+
+ def deleteInstructions(file)
+ if isTorInstructions(file) or isDecryptInstructions(file)
+ FileUtils.rm(File.expand_path(file.to_s))
+ end
+ end
+
+ def isTorInstructions(file)
+ if file.include? "TOR"
+ return true
+ else
+ return false
+ end
+ end
+
+ def isDecryptInstructions(file)
+ if file.include? "DECRYPT"
+ return true
+ else
+ return false
+ end
+ end
+
+ def findInfectedFiles
+ decryptFiles(self.path).each do |f|
+ infectedFiles(f).each do |returnedFiles|
+ writeMyFile(returnedFiles)
+ deleteInstructions(returnedFiles)
+ end
+ end
+
+ end
+end
\ No newline at end of file
diff --git a/source/filecreate.rb b/source/filecreate.rb
new file mode 100644
index 0000000..a40c1d7
--- /dev/null
+++ b/source/filecreate.rb
@@ -0,0 +1,15 @@
+require 'FileUtils'
+
+class Filecreate
+
+ attr_accessor :filename
+
+ def create
+ myFile = File.new(self.filename,"a")
+ end
+
+ def open
+ openFile = File.open(self.filename,"a")
+ return openFile
+ end
+end
\ No newline at end of file
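Review bot: `isTorInstructions` and `isDecryptInstructions` test the whole path that `Dir[...]` returned, not the file name, so `deleteInstructions` will `FileUtils.rm` every file in an infected folder whose directory path happens to contain the uppercase substring "TOR" or "DECRYPT" (a folder named `DIRECTORY` is enough), and `writeMyFile` will silently leave those same files out of files.txt. Match on the basename only, `File.basename(file.to_s).include? "TOR"` and `File.basename(file.to_s).include? "DECRYPT"`, or better, compare against the exact note name the glob in `decryptFiles` already uses, `DECRYPT_INSTRUCTION.TXT`. Separately, `@search = Searchutil.new` at class-body level sets a class-level instance variable that none of the instance methods can see, and `Searchutil` is an empty class, so that line and the `require_relative 'searchUtil'` are dead. Since this tool destroys the ransom notes outright (the deleted script did the same), consider moving them to a quarantine folder instead of `rm`ing them; the notes typically carry the victim-specific IDs and URLs an incident responder or a decryption tool may later need.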
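Review bot: `create` opens `self.filename` in append mode via `File.new` and never closes it, so the descriptor stays open for the life of the process and the handle it returns is discarded by the caller in find_cryptowall_infected_files.rb. Use the block form so the file is created and closed in one step, `File.open(self.filename, "a") {}`, or `FileUtils.touch(self.filename)` since `FileUtils` is already required here. `open` likewise hands back a live handle that the caller must close itself; a one-line comment above it, `# Caller owns the returned File and must close it`, would make that contract explicit. Note also that `require 'FileUtils'` only resolves on case-insensitive filesystems; the library name is `fileutils`.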
diff --git a/source/find_cryptowall_infected_files.rb b/source/find_cryptowall_infected_files.rb
new file mode 100644
index 0000000..89f5dab
--- /dev/null
+++ b/source/find_cryptowall_infected_files.rb
@@ -0,0 +1,27 @@
+require_relative 'windowsFileSystem'
+require_relative 'cryptowallFinder'
+require_relative 'filecreate'
+
+@outputFile = Filecreate.new
+@outputFile.filename = "files.txt"
+@outputFile.create
+@fileSystem = Windowsfilesystem.new
+@drives = @fileSystem.allDrives
+puts @drives
+@drives.each do |drive|
+ if drive.DriveType == 2
+ @find = Cryptowallfinder.new
+ @find.outputFile = @outputFile
+ @find.path = drive.Path
+ @find.findInfectedFiles
+ end
+end
+
+
+
+
+
+
+
+
+
diff --git a/source/searchUtil.rb b/source/searchUtil.rb
new file mode 100644
index 0000000..1037d9d
--- /dev/null
+++ b/source/searchUtil.rb
@@ -0,0 +1,5 @@
+require 'FileUtils'
+
+class Searchutil
+
+end
\ No newline at end of file
diff --git a/source/windowsFileSystem.rb b/source/windowsFileSystem.rb
new file mode 100644
index 0000000..2ee957d
--- /dev/null
+++ b/source/windowsFileSystem.rb
@@ -0,0 +1,12 @@
+require 'win32ole'
+
+class Windowsfilesystem
+
+ def file_system
+ return WIN32OLE.new("Scripting.FileSystemObject")
+ end
+
+ def allDrives
+ return file_system.Drives
+ end
+end
\ No newline at end of file
diff --git a/start.bat b/start.bat
index 36aa4b6..ae57abb
--- a/start.bat
+++ b/start.bat
@@ -9,10 +9,12 @@ echo .
 echo .
 pause
 cls
-call ruby\bin\irb.bat find_cryptowall_infected_files.rb
+call ruby\bin\irb.bat source\find_cryptowall_infected_files.rb
 xcopy "files.txt" "%userprofile%\Desktop"
 cls
 echo The script has finished....
+echo You can find files.txt on your desktop. DO NOT LOSE THIS FILE!!
+echo All DECRYPT_INSTRUCTION files have been deleted.
 echo .
 pause
 exit
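Review bot: `puts @drives` looks like a debugging leftover: it prints the WIN32OLE Drives collection object rather than anything a user can read, so either drop it or print `drive.Path` inside the loop. The `drive.DriveType == 2` filter only visits fixed local disks (FileSystemObject's Fixed type), so mapped network drives (type 3) and removable media (type 1) are never scanned; if that is intentional a comment such as `# 2 = Fixed: removable, network and optical drives are deliberately skipped` would document it, otherwise widen the check. `files.txt` is created relative to the current working directory, which is exactly what the `xcopy` in start.bat relies on, so that assumption deserves a comment next to `@outputFile.filename = "files.txt"` as well.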
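Review bot: `file_system` instantiates a fresh `Scripting.FileSystemObject` COM object on every call; with `allDrives` as the only caller this is harmless, but memoizing it, `@file_system ||= WIN32OLE.new("Scripting.FileSystemObject")`, avoids re-creating the COM server as methods are added. A one-line class comment, `# Thin wrapper around the Windows Scripting.FileSystemObject COM object (Windows-only: needs win32ole)`, would also help, since nothing else in the file says this code cannot run elsewhere.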
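Review bot: The two new `echo` lines announce success unconditionally, including "All DECRYPT_INSTRUCTION files have been deleted", even when the `call ruby\bin\irb.bat ...` line fails (missing ruby\bin, a Ruby exception, no files.txt written), and the `cls` that follows the `xcopy` wipes any error output before the user can see it. Check the exit status right after the `call`, e.g. `if errorlevel 1 (echo The scan failed, see the output above. & pause & exit /b 1)`, and drop or move that `cls`. Running the script through `irb.bat` rather than `ruby.exe` also may not turn a Ruby error into a non-zero exit code, so `call ruby\bin\ruby.exe source\find_cryptowall_infected_files.rb` is the safer invocation if that binary ships with the bundled ruby\bin.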