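'=======================================================================
'ManageEngine Desktop Central - DNSChanger malware detection and removal
'=======================================================================
'
' Usage (arguments are processed left to right):
'   -silent            suppress popups; only affects switches that follow it
'   -scan              report whether an IP-enabled adapter uses a DNS server
'                      inside one of the rogue ranges listed below
'   -fix reset         on affected adapters, call SetDNSServerSearchOrder with
'                      an empty list
'   -fix ip[,ip...]    on affected adapters, set the DNS server list to the
'                      given comma-separated addresses
'   -help | help | /?  show the help text
'
' The process exit code is retValue (one of the constants below, or the raw
' SetDNSServerSearchOrder return code when a fix fails).
'
' Scope: the script only reads and rewrites the adapter DNS server search
' order through WMI. It does not look for or remove any malware file, so
' ERROR_VIRUS_DELETED means "DNS settings were rewritten", not "host cleaned".
' NOTE(review): after "-fix reset" the adapter takes whatever DNS servers the
' network hands out; re-run -scan afterwards to confirm they are outside the
' rogue ranges.

on error resume next

const ERROR_VIRUS_INFECTED = 20001
const ERROR_SCOPE_NOT_FOUND = 20002
const ERROR_VIRUS_DELETED = 20003
const ERROR_BAD_ARGUMENTS = 160
const INVALID_IPADDRESS = 9552
const ERROR_SUCCESS = 0

argIndex = 0
retValue = 0
silent = 0
arrResetDNSServerSearchOrder = Array()
arrNewDNSServerSearchOrder = Array()

' Inclusive (start, end) pairs of the rogue DNS server ranges this script
' treats as DNSChanger indicators. ScanDNS walks the array two items at a time.
rogueDNS = Array("85.255.112.0","85.255.127.255",_
                 "67.210.0.0","67.210.15.255",_
                 "93.188.160.0","93.188.167.255",_
                 "77.67.83.0","77.67.83.255",_
                 "213.109.64.0","213.109.79.255",_
                 "64.28.176.0","64.28.191.255")

Do while argIndex < WScript.Arguments.Count()
    Select Case UCase(WScript.Arguments.Item(argIndex))
        Case "-SCAN"
            retValue = QueryandFixDNS(false,0)
            'Display retValue
            argIndex = argIndex+1
        Case "-FIX"
            ' -fix consumes the next argument as either "reset" or an address
            ' list; it is not checked against the other switches.
            if argIndex +1 < WScript.Arguments.Count() Then
                if StrComp(UCase(WScript.Arguments.Item(argIndex+1)),"RESET") = 0 Then
                    retValue = QueryandFixDNS(true,0)
                else
                    initializenewDNS(WScript.Arguments.Item(argIndex+1))
                    retValue = QueryandFixDNS(true,1)
                end if
                argIndex = argIndex+2
                Display retValue
            else
                Display "Invalid arguements : Type -help for details"
                argIndex = argIndex+1
                retValue = ERROR_BAD_ARGUMENTS
            End if
        Case "-SILENT"
            silent = 1
            argIndex = argIndex+1
        Case "HELP"
            help
            argIndex = argIndex+1
        Case "-HELP"
            help
            argIndex = argIndex+1
        Case "/?"
            help
            argIndex = argIndex+1
        Case Else
            ' Unknown arguments are skipped without a message.
            argIndex = argIndex+1
    End Select
Loop

if WScript.Arguments.Count() = 0 Then
    help
    retValue = ERROR_BAD_ARGUMENTS
End if

wscript.quit retValue

' Shows the command-line help through Display (so -silent suppresses it).
sub help()
    helpdoc ="-silent --This parameter should be the first to supress the popup " &vbcr _
        &"-scan --To identify the computers affetecd by DNSChanger Trojan " &vbcr _
        &"-fix reset --To fix the affected computers and reset the DNS settings to 'Obtain DNS server address automatically'" &vbcr _
        &"-fix --If DNSChanger malware found it will set the DNS server address in the given order ." &vbcr _
        &"-help --To View this help card"
    Display helpdoc
end sub

' Scans every IP-enabled adapter's DNS server list against rogueDNS and,
' when fix is true, rewrites the list on adapters that match.
'   fix  : false = report only; true = also rewrite DNS on affected adapters
'   mode : 0 = apply arrResetDNSServerSearchOrder (empty list),
'          otherwise apply arrNewDNSServerSearchOrder
' Returns the most significant per-adapter result: a detection or a failed
' fix outranks ERROR_VIRUS_DELETED, which outranks ERROR_SCOPE_NOT_FOUND.
' Returns ERROR_SCOPE_NOT_FOUND when no IP-enabled adapter exists, and Empty
' when adapters exist but none has a DNS server list.
function QueryandFixDNS(fix,mode)
    on error resume next
    ' Declared locally so these never alias a variable used by a callee.
    Dim overallResult, nicResult, dnsIndex

    strServerName = "."
    aliveconnection = 0
    overallResult = Empty

    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strServerName & "\root\cimv2")
    Set colNICConfigs = objWMIService.ExecQuery("SELECT DNSServerSearchOrder, Description FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")

    for each objNICConfig in colNICConfigs
        aliveconnection = 1
        nicResult = Empty

        ' Start from an empty list for every adapter. Join fails on an adapter
        ' without DNS servers and, under "on error resume next", would
        ' otherwise leave the previous adapter's list in place.
        OldDNSConfiguration = ""
        if IsArray(objNICConfig.DNSServerSearchOrder) then
            OldDNSConfiguration = Join(objNICConfig.DNSServerSearchOrder, ",")
        end if

        if LEN(OldDNSConfiguration)>1 THEN
            Display "DNS Server List : "& " " & OldDNSConfiguration
            DNSlist = Split(OldDNSConfiguration, ",")

            ' Check every configured server, not only the primary one; stop
            ' at the first entry that falls inside a rogue range.
            For dnsIndex = 0 To UBound(DNSlist)
                'Display "DNSlist" &" " & DNSlist(dnsIndex)
                nicResult = ScanDNS(DNSlist(dnsIndex))
                if nicResult = ERROR_VIRUS_INFECTED then
                    Exit for
                end if
            Next

            if nicResult = ERROR_VIRUS_INFECTED then
                Display "This computer is affected by DNSChanger malware"
            Else
                if nicResult = ERROR_SCOPE_NOT_FOUND then
                    Display "This computer is not affected by DNSChanger malware"
                End if
            End if

            if fix = true And nicResult = ERROR_VIRUS_INFECTED Then
                ' NOTE(review): only a return value of 0 is treated as success.
                ' WMI documents 1 as "succeeded, reboot required"; confirm
                ' whether reporting it as a failure is intended.
                if mode = 0 then
                    retval = objNICConfig.SetDNSServerSearchOrder(arrResetDNSServerSearchOrder)
                    if retval = 0 then
                        nicResult = ERROR_VIRUS_DELETED
                        Display "DNS setting has been successfully reset to 'Obtain DNS server address automatically'"
                    else
                        Display "Error in changing the DNS setting"
                        nicResult = retval
                    end if
                else
                    retval = objNICConfig.SetDNSServerSearchOrder(arrNewDNSServerSearchOrder)
                    if retval = 0 then
                        nicResult = ERROR_VIRUS_DELETED
                        Display "DNS address set to given ip addresses sucessfully"
                    else
                        Display "Error in changing the DNS setting"
                        ' WMI return code 70 is mapped to the script's own
                        ' INVALID_IPADDRESS exit code.
                        if retval = 70 then
                            nicResult = INVALID_IPADDRESS
                        else
                            nicResult = retval
                        end if
                    end if
                End if
            end if

            ' Keep the most significant result so a clean adapter enumerated
            ' later cannot hide a detection on an earlier one.
            overallResult = MergeScanResult(overallResult, nicResult)
        end if
    next

    if aliveconnection = 0 Then
        'Display "Connection Not found"
        overallResult = ERROR_SCOPE_NOT_FOUND
    end if

    QueryandFixDNS = overallResult
END function

' Returns whichever of the two result codes is more significant, keeping
' current on a tie. Order: Empty < ERROR_SCOPE_NOT_FOUND < ERROR_VIRUS_DELETED
' < anything else (ERROR_VIRUS_INFECTED or a failed-fix return code).
function MergeScanResult(current, candidate)
    if ResultSeverity(candidate) > ResultSeverity(current) then
        MergeScanResult = candidate
    else
        MergeScanResult = current
    end if
end function

' Maps a result code to its rank for MergeScanResult.
function ResultSeverity(code)
    if IsEmpty(code) then
        ResultSeverity = 0
    elseif code = ERROR_SCOPE_NOT_FOUND then
        ResultSeverity = 1
    elseif code = ERROR_VIRUS_DELETED then
        ResultSeverity = 2
    else
        ResultSeverity = 3
    end if
end function

' Returns ERROR_VIRUS_INFECTED when DNSAddress lies inside any inclusive
' range of rogueDNS, otherwise ERROR_SCOPE_NOT_FOUND.
function ScanDNS(DNSAddress)
    Dim i, addressValue
    ' Convert once; the value does not change between range comparisons.
    addressValue = ip2num(DNSAddress)
    ScanDNS = ERROR_SCOPE_NOT_FOUND
    For i = 0 To UBound(rogueDNS) step 2
        'Display rogueDNS(i) & " " & rogueDNS(i+1)
        If addressValue >= ip2num(rogueDNS(i)) And addressValue <= ip2num(rogueDNS(i+1)) Then
            ScanDNS = ERROR_VIRUS_INFECTED
            Exit for
        End If
    Next
end function

' Stores the comma-separated address list given to -fix as the DNS server
' list to apply. The addresses are not validated here; a rejected list
' surfaces as a non-zero SetDNSServerSearchOrder return code.
sub initializenewDNS(iplist)
    arrNewDNSServerSearchOrder = Split(iplist,",")
end sub

' Converts a dotted address string to a number by treating each
' dot-separated field as a base-256 digit, most significant first.
' A Double is used for the accumulator.
' NOTE(review): fields are coerced implicitly, so non-numeric input would
' raise a type mismatch - confirm callers only pass dotted-decimal IPv4.
Public Function ip2num(ip)
    Dim i, a, N
    a = Split(ip, ".")
    N = CDbl(0)
    For i = 0 To UBound(a)
        N = N * 256 + a(i)
    Next
    ip2num = N
End Function

' Echoes the message unless -silent has already been processed.
sub Display(String)
    'wscript.echo String
    if silent = 0 then
        Wscript.echo String
    end if
end sub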