Thursday, August 14, 2003

I do not speak to people directly. If you need me, please send a page to me as I sit in my ivory tower...

Well, MSBLAST got into the network today. Our salesmen all have laptops, and they regularly dial up to their ISP with them. One of them probably got the worm before we got his laptop patched, and today was the first time he'd plugged it into our network. I wasn't too worried about patching internal systems, because my hope was that if I kept the gates secure, the invaders could never harm the peasants inside (yeah, I love to compare corporate networks to feudal kingdoms. :)).

I had to scramble a little this afternoon to get everything cleaned up, but I'm glad I had the experience. Why? 'Cause I found something uber-cool, that's why. http://www.sysinternals.com/ntw2k/freeware/pstools.shtml is a bunch of freeware process management tools for Windows NT and greater. They give me, as an admin, the ability to remotely start, stop, list, etc. processes on another machine.

So how does this tie back to MSBlast? This worm is pretty simple to detect--if it infects you, you wind up with an msblast.exe file somewhere on your system. I could do a quick dir \\remotesystem\c$ /s to see if it's there. Problem is, if it's there, then it's probably running as well, and you can't delete a file while it's in use. So, pskill \\remotesystem msblast.exe shuts it off. Then I can delete it. Then I can use psexec \\remotesystem regedit /s regfile.reg to modify the registry, removing the auto-start item that MSBlast puts in there so it doesn't come back on the next boot. Two things to watch there: without /s, regedit pops up a confirmation dialog on the remote machine that nobody is sitting there to click, and since psexec runs regedit on the remote box, regfile.reg has to be at a path that exists on that box (copy it over the c$ share first).

But it gets better. I can run the patch on the remote system as well. I can copy the patch to the remote system (I like to name it patch.exe, so it's easy to find later, and replace if I roll out another patch), and then run psexec \\remotesystem patch.exe /u /z /q. The parms are pretty standard for Microsoft updates: /u runs it in unattended mode (this might be redundant with /q), /z prevents it from rebooting, and /q runs it without a user interface. After that returns, I can run psshutdown \\remotesystem -r to reboot the remote system. Don't skip that last step: the patched RPC service doesn't actually run until the box restarts, so a patched-but-not-rebooted machine is still exploitable.

Being the lazy guy that I am, I've put all this into a batch file that I can simply pass a system name to. My ultimate plan is to pick one evening a month that I ask everyone to leave their systems on, but logged off. I create a list of system names, pass it to the batch file, and voilà, everyone is patched and rebooted come morning.
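For the record, here is what a batch file for the steps above can look like. This is an added example, not the script from the post. It assumes Windows 2000/XP targets, PsTools in the PATH, admin rights on the target, the hotfix installer saved as patch.exe next to the script, and a staging directory C:\patch on the remote machine (reached as \\target\c$\patch). The auto-start value name it removes, "windows auto update" under the Run key, comes from published analyses of the original worm variant, not from the post.

```batch
@echo off
rem patchbox.cmd -- kill MSBlast, clean its autostart entry, patch, reboot.
rem Added example, not the post's own script. Assumes Windows 2000/XP
rem targets, PsTools in PATH, admin rights, patch.exe beside this script,
rem and a C:\patch staging directory on the target (via the c$ share).
rem Usage:  patchbox.cmd <computername>
rem Batch:  for /f %%h in (hosts.txt) do call patchbox.cmd %%h

if "%1"=="" goto usage
set TARGET=%1
set SYS=\\%TARGET%\admin$\system32
set STAGE=\\%TARGET%\c$\patch

rem 0. Can we reach the admin share at all?  Testing a known file is more
rem    reliable across cmd versions than testing a UNC directory.
if not exist %SYS%\kernel32.dll (
    echo %TARGET%: admin$ not reachable, skipping
    exit /b 2
)

rem 1. The original worm variant drops msblast.exe in the system directory.
rem    Kill it first: a running image cannot be deleted.
if not exist %SYS%\msblast.exe goto patch
echo %TARGET%: msblast.exe present, killing and removing it
pskill \\%TARGET% msblast.exe
del /f /q %SYS%\msblast.exe
if exist %SYS%\msblast.exe (
    echo %TARGET%: msblast.exe still there, check it by hand
    exit /b 3
)

rem 2. Remove the Run value the worm adds (name per published analyses of
rem    the worm, an assumption here).  "=-" in a .reg file deletes a value.
rem    regedit /s skips the confirmation prompt, and the .reg file must live
rem    on the remote box because psexec runs regedit there.
md %STAGE% 2>nul
> %STAGE%\clean.reg echo Windows Registry Editor Version 5.00
>>%STAGE%\clean.reg echo.
>>%STAGE%\clean.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
>>%STAGE%\clean.reg echo "windows auto update"=-
psexec \\%TARGET% regedit /s c:\patch\clean.reg

:patch
rem 3. Stage the hotfix and run it unattended without rebooting.  psexec
rem    passes back the remote process's exit code: 0 = installed,
rem    3010 = installed and reboot required; anything else needs a look.
md %STAGE% 2>nul
copy /y "%~dp0patch.exe" %STAGE%\patch.exe >nul
psexec \\%TARGET% c:\patch\patch.exe /u /z /q
if errorlevel 3011 goto patchfail
if errorlevel 3010 goto reboot
if errorlevel 1 goto patchfail

:reboot
rem 4. Reboot so the patched RPC service is what actually runs.
rem    -r reboots, -f closes apps without asking, -t is the countdown in
rem    seconds (psshutdown defaults to 20).
psshutdown \\%TARGET% -r -f -t 10
echo %TARGET%: patched and rebooting
exit /b 0

:patchfail
echo %TARGET%: patch.exe did not install cleanly, check it by hand
exit /b 4

:usage
echo usage: %0 computername
exit /b 1
```

The exit codes are there so the for-loop log tells you which machines to revisit in the morning: anything that printed "check it by hand" is a box where either the kill/delete failed (the worm may be running under a different image name) or the hotfix installer returned something other than success.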
