I'm not sure if this has already been posted to this list; it came through the
NT BugTraq mailing list this morning. I thought it made sense to pass it on to
all of you.....

Sorry if this is completely OT for the list; I just thought that with the number
of posts we had about the worm it made sense to forward it on.

Live long and prosper,

        -= Edward

:>  -----Original Message-----
:>  From: Windows NTBugtraq Mailing List
:>  [mailto:[EMAIL PROTECTED]]On Behalf Of Cerberus Security
:>  Team
:>  Sent: Monday, May 08, 2000 6:38 PM
:>  To: [EMAIL PROTECTED]
:>  Subject: Contemplations : Melissa, I love you - not!
:>
:>
:>  The Cerberus Security Team have written a tool that will prevent PC users
:>  from being infected by such viral worms as the now infamous "I Love You" and
:>  its many variants and any others that are still only a gleam in the eye of
:>  the budding virus writer. These rely on basic default configurations of a
:>  standard Microsoft box to be able to spread - and also a little help from
:>  the user by actually opening the attachment! As many will be aware 99% of
:>  files on a Windows machine have a three letter extension. This extension
:>  tells Windows Explorer how to deal with each file. For example, if you
:>  double click on a file with the .txt extension Explorer will look in the
:>  Registry to see what application to use to open it - notepad.exe in this
:>  case.
:>
:>  As far as the "I Love You" worm is concerned it has a .vbs extension and so,
:>  when opened by the person it has been sent to, Windows looks in the Registry
:>  to see what application it should use to deal with the file - in this case
:>  wscript.exe. wscript.exe is a script interpreter and, when passed the file, it
:>  executes the code it finds there - very much like what command.com or
:>  cmd.exe does for batch (.bat) files.
:>
:>  The tool the Cerberus Security Team has written goes through the registry
:>  and removes these application / file extension associations for
:>  VBS,VBE,WSF,WSH, JS and JSE and any viruses or worms that rely on these
:>  associations will therefore fail. These are all "dangerous" mappings and to
:>  be perfectly frank most computer users never use the functionality provided
:>  by these.
:>
:>  We provide the source code at the end of this mail and also make the binary
:>  version available from our website:
:>  http://www.cerberus-infosec.co.uk/vf.exe
:>
:>  It has been tested on Windows 98, Windows NT 4 and Windows 2000. Though not
:>  yet tested on Windows 95 it should still work.
:>
:>  Cheers,
:>  The Cerberus Security Team
:>  http://www.cerberus-infosec.co.uk/
:>  +44(0)208 395 4980
:>
:>  ////////////////////////////////////////////////////////////////////////////
:>  ////////
:>  //
:>  //   compile with eg Visual C++ link with advapi32.lib
:>  //
:>  //   Cerberus Information Security, Ltd
:>  //
:>  //    8th May 2000
:>  //
:>  ////////////////////////////////////////////////////////////////////////////
:>  /////////
:>
:>  #include <windows.h>
:>  #include <stdio.h>
:>  #include <winreg.h>
:>
:>  /* Return convention used throughout this file: SUCCESS (1) / FAILURE (0).
:>     Note that SUCCESS is also the process exit code on success, so a shell
:>     sees 1 rather than the conventional 0. */
:>  #define SUCCESS 1
:>  #define FAILURE 0
:>
:>  /* Registry root under which the ProgID command keys are rewritten.  Starts
:>     as the local HKEY_CLASSES_ROOT; ConnectToRemoteRegistry() replaces it with
:>     a handle to the named machine's HKEY_CLASSES_ROOT. */
:>  HKEY KeyToChange = HKEY_CLASSES_ROOT;
:>
:>  /* Rewrites every script ProgID command key under KeyToChange; SUCCESS/FAILURE. */
:>  int ChangeFileAssociations(void);
:>  /* Takes a host in "\\host" form (main() adds the backslashes); SUCCESS/FAILURE. */
:>  int ConnectToRemoteRegistry(char *);
:>  /* Returns SUCCESS, FAILURE, or ERROR_FILE_NOT_FOUND when the key is absent. */
:>  LONG DoSetAKey(HKEY, char *, char *);
:>
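:>  /* Runs ChangeFileAssociations() against KeyToChange, reports the outcome on
:>     stdout, and returns SUCCESS or FAILURE for main() to use as exit code. */
:>  static int run_and_report(void)
:>  {
:>   if(ChangeFileAssociations())
:>    {
:>     fputs("VBS,VBE,WSF,WSH,JS and JSE file associations have been changed.\n", stdout);
:>     return SUCCESS;
:>    }
:>   fputs("There were errors changing the file associations.\n", stdout);
:>   return FAILURE;
:>  }
:>
:>  /*
:>   * Entry point.  With no argument the local HKEY_CLASSES_ROOT is rewritten;
:>   * with one argument (a machine name) the same is done against that machine's
:>   * registry through RegConnectRegistry().  Either way the caller needs write
:>   * access to HKEY_CLASSES_ROOT (the keys are opened with KEY_WRITE).
:>   *
:>   * Exit status follows this file's SUCCESS (1) / FAILURE (0) convention.  The
:>   * help path keeps the original's exit code of 0, which numerically equals
:>   * FAILURE; it now prints usage instead of exiting silently.
:>   *
:>   * Fixes: the help condition had lost its opening parenthesis to mail wrapping,
:>   * the host name was silently truncated by strncat(), and the two result
:>   * strings were passed to printf() as format strings.
:>   */
:>  int main(int argc,char *argv[])
:>  {
:>   static const char *const help_switches[] =
:>    { "/?", "-?", "/h", "-h", "?", "help", "/help" };
:>   char hostname[260];   /* "\\" + machine name, as RegConnectRegistry() expects */
:>   size_t i;
:>   int written;
:>
:>   printf("\nCerberus Security Team\nhttp://www.cerberus-infosec.co.uk/\n8th May 2000\n\n");
:>
:>   if(argc == 1)
:>    {
:>     return run_and_report();
:>    }
:>
:>   for(i = 0; i < sizeof help_switches / sizeof help_switches[0]; i++)
:>    {
:>     if(stricmp(argv[1], help_switches[i]) == 0)
:>      {
:>       printf("Usage: %s [host]\n"
:>              "  (no argument)  change the associations in the local registry\n"
:>              "  host           change them on \\\\host via the remote registry\n",
:>              argv[0]);
:>       return 0;   /* kept from the original; note this equals FAILURE */
:>      }
:>    }
:>
:>   /* Build "\\host"; refuse rather than truncate an over-long name. */
:>   written = snprintf(hostname, sizeof hostname, "\\\\%s", argv[1]);
:>   if(written < 0 || (size_t)written >= sizeof hostname)
:>    {
:>     printf("Host name too long: %s\n", argv[1]);
:>     return FAILURE;
:>    }
:>
:>   if(!ConnectToRemoteRegistry(hostname))
:>    {
:>     printf("Error connecting to %s\n",hostname);
:>     return FAILURE;
:>    }
:>   return run_and_report();
:>  }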
:>
:>
:>
:>  /*
:>   * Points the global KeyToChange at HKEY_CLASSES_ROOT of the machine named by
:>   * `host` ("\\host" form, as built by main()) via the remote registry API.
:>   * Until this succeeds KeyToChange still refers to the local HKEY_CLASSES_ROOT.
:>   *
:>   * Returns SUCCESS when RegConnectRegistry() reports ERROR_SUCCESS, otherwise
:>   * FAILURE; the Win32 error code itself is not surfaced to the caller.  The
:>   * remote handle is not closed anywhere in this listing -- main() returns
:>   * right after using it.
:>   */
:>  int ConnectToRemoteRegistry(char *host)
:>  {
:>   LONG rc = RegConnectRegistry(host, HKEY_CLASSES_ROOT, &KeyToChange);
:>
:>   return (rc == ERROR_SUCCESS) ? SUCCESS : FAILURE;
:>  }
:>
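:>  /*
:>   * Overwrites the default value of Shell\Open\Command and Shell\Open2\Command
:>   * for each script ProgID in `keys` (VBS, WSH, VBE, WSF, JSE, JS) with the
:>   * bogus command "Foobar", under the root held in KeyToChange.  Nothing is
:>   * deleted: the extension-to-ProgID mapping stays and the verb is left
:>   * pointing at a command that cannot run.
:>   *
:>   * A ProgID that does not exist (DoSetAKey() returns ERROR_FILE_NOT_FOUND) is
:>   * skipped.  Any other failure stops processing and returns FAILURE, so keys
:>   * earlier in the table may already have been changed.  Returns SUCCESS when
:>   * every key was either changed or absent.
:>   *
:>   * Fix: the twelve hand-copied call/check blocks are replaced by a table and
:>   * one loop; the error message now names the key, since DoSetAKey() collapses
:>   * every Win32 error to FAILURE (0) and the original always printed "Error 0".
:>   */
:>  int ChangeFileAssociations(void)
:>  {
:>   static const char *const keys[] = {
:>    "VBSFile\\Shell\\Open\\Command",  "VBSFile\\Shell\\Open2\\Command",
:>    "WSHFile\\Shell\\Open\\Command",  "WSHFile\\Shell\\Open2\\Command",
:>    "VBEFile\\Shell\\Open\\Command",  "VBEFile\\Shell\\Open2\\Command",
:>    "WSFFile\\Shell\\Open\\Command",  "WSFFile\\Shell\\Open2\\Command",
:>    "JSEFile\\Shell\\Open\\Command",  "JSEFile\\Shell\\Open2\\Command",
:>    "JSFile\\Shell\\Open\\Command",   "JSFile\\Shell\\Open2\\Command",
:>   };
:>   size_t i;
:>
:>   for(i = 0; i < sizeof keys / sizeof keys[0]; i++)
:>    {
:>     /* DoSetAKey() takes char *; it only reads the key name, so the cast is safe */
:>     LONG chk = DoSetAKey(KeyToChange, (char *)keys[i], "Foobar");
:>
:>     if(chk != SUCCESS && chk != ERROR_FILE_NOT_FOUND)
:>      {
:>       printf("Error %ld setting %s\n", chk, keys[i]);
:>       return FAILURE;
:>      }
:>    }
:>
:>   return SUCCESS;
:>  }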
:>
:>
:>
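:>  /*
:>   * Opens root\key for writing and stores `set` as the key's default value.
:>   *
:>   * Returns SUCCESS when the value was written, ERROR_FILE_NOT_FOUND when the
:>   * key does not exist (callers treat that as "nothing to do"), and FAILURE
:>   * for any other open or write error.  The real Win32 error code is lost in
:>   * the FAILURE case; the encoding is kept because ChangeFileAssociations()
:>   * depends on it.
:>   *
:>   * Fixes: the original called RegCloseKey() on an uninitialised handle when
:>   * RegOpenKeyEx() failed with anything but ERROR_FILE_NOT_FOUND, and it wrote
:>   * `set` as REG_MULTI_SZ with cbData = strlen(set) -- no terminating NUL at
:>   * all, where REG_MULTI_SZ requires a double NUL.  The default value of a
:>   * Shell\...\Command key is a single command line, so it is now written as a
:>   * NUL-terminated REG_SZ.
:>   */
:>  LONG DoSetAKey(HKEY root, char *key, char *set)
:>  {
:>   HKEY hResult = NULL;
:>   LONG nResult;
:>
:>   nResult = RegOpenKeyEx(root,key,0,KEY_WRITE,&hResult);
:>   if(nResult == ERROR_FILE_NOT_FOUND)
:>    {
:>     return ERROR_FILE_NOT_FOUND;
:>    }
:>   if(nResult != ERROR_SUCCESS)
:>    {
:>     /* the open failed, so there is no handle to close */
:>     return FAILURE;
:>    }
:>
:>   /* +1 so the stored string carries its NUL terminator */
:>   nResult = RegSetValueEx(hResult,NULL,0,REG_SZ,(CONST BYTE*)set,(DWORD)strlen(set) + 1);
:>   RegCloseKey(hResult);
:>
:>   if(nResult != ERROR_SUCCESS)
:>    {
:>     return FAILURE;
:>    }
:>   printf("Success\n");
:>   return SUCCESS;
:>  }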
:>
:>

------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
