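#!/usr/bin/perl
######################################################
# Simple script that will parse IPs and port numbers
# from a Storm Worm Config file.  The current config
# file is found in the C:\windows\ directory and is
# aromis.config.  This file name changes all the time;
# the config file structure has held true for a long time.
# I do not guarantee the accuracy of the config file
# nor do I guarantee this script to work.  Use it at
# your own risk.
#
# Written by: Jeremy Conway
# Email: jeremy [at] sudosecure [dot] net
# Date: 4 April 2008
#
# Handling notes:
#  * The config file is written by the malware, so its contents are
#    untrusted.  A line is decoded only when the value after "=" starts
#    with 12 hex digits (8 for the IP, 4 for the port); anything else is
#    skipped rather than decoded into a bogus peer.
#  * Files are opened with three-argument open, so a file name is always
#    treated as a plain path and never as an open mode or a pipe.
#  * IP bytes are decoded in the order they appear in the file.
#    NOTE(review): confirm against a known-good capture that this matches
#    the byte order the peers really use before acting on the list.
#  * The final count is the number of unique "ip:port" pairs.
#
use strict;
use warnings;
use Getopt::Long;

# Decoded "ip:port" strings collected from every file that was parsed.
my @hashes = ();

# Convert a string of hex byte pairs to dotted decimal.  For the
# constructed sample "0A000001" this returns "10.0.0.1".
sub hex_to_dec {
    my ($str) = @_;
    return join '.', map { hex($_) } $str =~ /([0-9a-fA-F]{2})/g;
}

# Read one peer config file and append every decodable peer to @hashes.
# Dies if the file cannot be opened.
sub parse_file {
    my ($infile) = @_;

    open(my $fh, '<', $infile)
        or die("Could not open file: $infile: $!\n");

    while (my $line = <$fh>) {

        # Expected shape: <hex key>=<8 hex IP><4 hex port>[...]
        next
            unless $line =~
            m{\A [0-9a-fA-F]* = ([0-9a-fA-F]{8}) ([0-9a-fA-F]{4}) }x;
        my ($ip_hex, $port_hex) = ($1, $2);

        push @hashes, hex_to_dec($ip_hex) . ':' . hex($port_hex);
    }

    close($fh);
    return;
}

my @files;
my $help;
my $options_ok = GetOptions(
    'f=s{,}' => \@files,
    'h'      => \$help,
);

# Unknown or malformed options fall through to the usage text as well.
if (!$options_ok || $help || !@files) {
    print "Usage: storm_config_decoder.pl -f [FILES]\n";
    print "Parse the Storm Worms Peer configuration file\n";
    print "and print Peer IPs and Ports.\n";
    print "\n\t-f\tFile or files to parse.";
    print "\n\t-h\tShow usage\n\n";
    print "Wildcard * can be used in the file option \"-f\"\n";
    print "Report bugs to jeremy [at] sudosecure [dot] net\n";
    exit(0);
}

foreach my $config_file (@files) {
    if (-r $config_file) {
        parse_file($config_file);
    }
    else {
        print STDERR "$config_file could not be found to parse.\n";
    }
}

# Drop duplicate peers, keeping the first occurrence of each.
my %saw;
my @uniq_hashes = grep { !$saw{$_}++ } @hashes;

# Order by address, then port.  Packing the four octets and the port as
# big-endian bytes makes a plain string comparison equal to a numeric one;
# comparing the "a.b.c.d:port" strings with <=> would only look at the
# leading "a.b" and so would not order the peers.
@uniq_hashes =
    map  { $_->[1] }
    sort { $a->[0] cmp $b->[0] }
    map  { [ pack('C4 n', split(/[.:]/, $_)), $_ ] } @uniq_hashes;

for my $host (@uniq_hashes) {
    print $host, "\n";
}

my $size = @uniq_hashes;
print "\nstorm_config_decoder.pl identified $size IPs.\n";
exit(0);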