Malware – Finding the source site

An interesting little problem popped up on the CCE (Certified Computer Examiner) mail list today. One of the members asked for scripting help to test which of a list of URLs was the source of malware that infected a machine he was examining. The examiner had set up a clean Windows XP install in VMware and would test there. He knew what he was looking for in terms of what the malware does to Windows files, the registry, etc. He just needed to test a hundred or so likely URLs. In the process of writing up my reply email, another member replied with a linear batch file to do it. So I took my looping script and added his taskkill command to produce a quick, simple result.

The script reads a text file with one URL per line. For each URL it launches Internet Explorer on that URL and pauses, which gives the examiner time to check the guest for the signs of infection he is looking for. If nothing is found, he brings focus back to the command window where he ran the script and presses a key; the script kills the open IE instance and opens the next URL from the file.

The script reads the list of URLs from sites.txt in the current directory. Because of eol=-, any line beginning with - is treated as a comment and skipped, and tokens=1 uses only the first whitespace-delimited field of each line, so keep one bare URL per line. Save the following as a .bat file, visitsites.bat for instance, and run it from a command prompt inside the VM. Once a URL does trigger the infection, revert the VM to its clean snapshot before testing any further URLs; otherwise later hits cannot be attributed to a single site.

for /F "eol=- tokens=1" %%i in (sites.txt) do (
    start "" iexplore "%%i"
    rem wait here while the examiner checks the guest for infection
    pause
    taskkill /f /im iexplore.exe
)
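The following is an added example, not the script from the post or the list reply it is based on. It keeps the same for /F loop over sites.txt but, instead of a bare pause, asks the examiner after each site whether the infection appeared, records every visit and answer with a timestamp in a log file, and stops at the first hit so the source URL ends up both on screen and in the log. The log file name visited.log and the subroutine name :visit are assumptions chosen for the example. The URL is passed to start in quotes with an empty window title ("") so that URLs containing & or other cmd metacharacters are not mangled; the bare form start iexplore %%i would split such a URL at the first &.

```batch
@echo off
rem Added example: visits each URL from sites.txt, asks the examiner
rem whether the guest got infected, and records the answer in visited.log
rem (visited.log and :visit are names assumed for this example).
setlocal
set LOG=visited.log
set FOUND=

rem eol=- skips comment lines starting with "-"; tokens=1 keeps the first field only.
rem "if defined" is evaluated when the line runs, so the loop stops calling
rem :visit after a hit without needing delayed expansion.
for /F "eol=- tokens=1" %%i in (sites.txt) do (
    if not defined FOUND call :visit "%%i"
)

if defined FOUND (
    echo Source site: "%FOUND%"
) else (
    echo No URL in sites.txt produced the infection.
)
echo Log written to %LOG%
endlocal
goto :eof

:visit
rem %1 is the quoted URL; %~1 is the same URL with the quotes stripped.
rem start "" ... : the empty string is the window title, so the quoted URL
rem is passed as an argument instead of being taken as the title.
echo.
echo Opening %1
>>%LOG% echo %date% %time% open %1
start "" iexplore "%~1"

rem set /p leaves ANS unchanged on an empty answer, so default it to n first.
set ANS=n
set /p ANS=Infection observed for this URL? [y/N] 
taskkill /f /im iexplore.exe >nul 2>&1
>>%LOG% echo %date% %time% result %1 %ANS%
rem set "VAR=value" keeps any & in the URL from being parsed as a command separator.
if /I "%ANS%"=="y" set "FOUND=%~1"
exit /b
```

Run it from a command prompt inside the clean VM; the y/N question replaces the "press any key" pause, and taskkill still closes IE before the next URL. The log records which URL was open at what time, which is what the examiner needs to tie file and registry changes he observes in the guest back to a specific site.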