I have written a simple script to flag systems that have
the Nachi/Welchia worm. But when run against a known infected
system with the registry keys, it doesn't flag anything.
The worm installs two services, so I am checking for one of
Service registry entries.
The plug-in runs. I have the correct smb username/password in
I even get the warning about connecting to a remote registry
to prove it. I have enable dependencies turned on.
Any ideas? I know I am probably missing something simple.
The business part of the script is below.
  script_dependencies("netbios_name_get.nasl",
                      "smb_login.nasl",
                      "smb_registry_access.nasl");
  script_require_keys("SMB/name",
                      "SMB/login",
                      "SMB/password",
                      "SMB/registry_access");
  script_require_ports(139, 445);
  exit(0);
}

include("smb_nt.inc");

key = "SYSTEM\CurrentControlSet\Services\RpcTftpd";
item = "Network Connections Sharing";
a = registry_get_sz(key:key, item:item);
if ("%System%\wins\svchost.exe" >< a) security_hole(135);
- Harry Anderson
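
A variant of the check that reads the standard value names found under a Windows service key, as an added example that is not the poster's script or an official Nessus plugin. It assumes that "Network Connections Sharing" is the service's display name (the data stored in `DisplayName`) rather than a value name, and that the binary path is stored in `ImagePath` with the real system directory in place of the "%System%" placeholder; the `script_id` and description strings are placeholders.

```nasl
# Added example: not the poster's script and not an official Nessus plugin.
# script_id and all description strings below are placeholders.
if (description)
{
  script_id(99999);                                   # placeholder id
  script_version("$Revision: 1.0 $");
  script_name(english:"RpcTftpd service registry check (example)");
  script_description(english:"Flags a host whose RpcTftpd service key matches the values quoted in the post.");
  script_summary(english:"Reads DisplayName and ImagePath of the RpcTftpd service");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Example only");
  script_family(english:"Windows");
  script_dependencies("netbios_name_get.nasl",
                      "smb_login.nasl",
                      "smb_registry_access.nasl");
  script_require_keys("SMB/name", "SMB/login",
                      "SMB/password", "SMB/registry_access");
  script_require_ports(139, 445);
  exit(0);
}

include("smb_nt.inc");

key = "SYSTEM\CurrentControlSet\Services\RpcTftpd";

# Assumption: the strings from the post are value *data*. Windows keeps a
# service's friendly name in DisplayName and its binary path in ImagePath.
svc_name = registry_get_sz(key:key, item:"DisplayName");
svc_path = registry_get_sz(key:key, item:"ImagePath");

# Nothing readable: the key is absent or the registry read was refused.
if (!svc_name && !svc_path) exit(0);

hit = 0;

# Compare in lower case, because registry data keeps whatever case was written.
if (svc_name && "network connections sharing" >< tolower(svc_name)) hit = 1;

# "%System%" is a write-up placeholder, not a real environment variable, so
# match only the path tail that follows the system directory.
if (svc_path && "\wins\svchost.exe" >< tolower(svc_path)) hit = 1;

if (hit) security_hole(135);   # same report port as the script in the post
```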
