On Wed, Sep 03, 2003 at 11:42:40AM -0400, Anderson, Harry F wrote:
> I have written a simple script to flag systems that have
> the nachi/welchi worm. But when run against a known infected
> system with the registry keys it doesn't flag anything.
...
> key = "SYSTEM\CurrentControlSet\Services\RpcTftpd";
> item = "Network Connections Sharing";
> a = registry_get_sz(key:key, item:item);
> if("%System%\wins\svchost.exe" >< a)security_hole(135);
I think item should be "ImagePath", not "Network Connections Sharing" --
ImagePath is the subkey used to locate the service.
By the way, it might be nicer to incorporate this into smb_virii.nasl. Here's
a patch that does just that:
---- snip, snip, snip ----
--- smb_virii.nasl-orig Thu Aug 21 19:00:17 2003
+++ smb_virii.nasl Thu Sep 4 17:27:14 2003
@@ -8,7 +8,7 @@
{
script_id(11329);
- script_version("$Revision: 1.12 $");
+ script_version("$Revision: 1.13 $");
name["english"] = "The remote host is infected by a virus";
@@ -32,6 +32,7 @@
- [EMAIL PROTECTED]
- [EMAIL PROTECTED]
- [EMAIL PROTECTED]
+ - W32.Welchia.Worm
Risk factor : High
Solution : See the URLs which will appear in the report";
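Review bot: the three existing list entries above the added `- W32.Welchia.Worm` line appear here as `- [EMAIL PROTECTED]`, which is the list archive rewriting anything that looks like an address, so this hunk's context lines no longer match the file and `patch` will reject it; anyone applying it from the archive copy needs to take the context from a pristine smb_virii.nasl (the added line itself is fine).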
@@ -183,7 +184,13 @@
exp[i] = "videodrv.exe";
+i++;
+name[i] = "W32.Welchia.Worm";
+url[i] =
"http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html";
+key[i] = "SYSTEM\CurrentControlSet\Services\RpcTftpd";
+item[i] = "ImagePath";
+exp[i] = "%System%\wins\svchost.exe";
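Review bot: this hunk will not apply as pasted: the `url[i] =` assignment has been wrapped by the mailer onto two lines (the continuation line carrying the URL has no `+`), and the header promises 7 old / 13 new lines but only the single context line `exp[i] = "videodrv.exe";` is present, so the trailing context is missing; please re-send the patch as an attachment or with the URL line rejoined. Separately, `exp[i] = "%System%\wins\svchost.exe"` copies the path from the Symantec write-up, where %System% is the write-up's placeholder for the system directory; if smb_virii.nasl compares with a plain `><` substring test, an ImagePath holding the expanded path (for example `C:\WINNT\System32\wins\svchost.exe`) will not match, so matching on the `\wins\svchost.exe` tail, case-insensitively, would be safer.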
---- snip, snip, snip ----
George
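To make the point about the value name concrete, here is a small Python model of the table-driven registry check that the patch adds to smb_virii.nasl, written as an added example and not taken from the thread or from Nessus. The registry contents are constructed for the demo, and the handling of the `%System%` placeholder is this example's own choice, not how smb_virii.nasl compares values.

```python
# Model of the name/url/key/item/exp table from the patch, run against a
# constructed fake registry. Shows (1) that querying the display name
# "Network Connections Sharing" instead of ImagePath returns nothing, so
# the check never fires, and (2) that matching the write-up's literal
# "%System%" against an expanded ImagePath also fails unless the
# placeholder is treated as "any directory prefix".

# Constructed fake registry: key -> {value name -> data}. The data is made
# up for this example; it is not a capture from an infected host.
FAKE_REGISTRY = {
    r"SYSTEM\CurrentControlSet\Services\RpcTftpd": {
        "DisplayName": "Network Connections Sharing",
        "ImagePath": r"C:\WINNT\System32\wins\SVCHOST.EXE",
    },
    r"SYSTEM\CurrentControlSet\Services\Tftpd": {   # constructed clean service
        "DisplayName": "Trivial FTP Daemon",
        "ImagePath": r"C:\WINNT\System32\tftpd.exe",
    },
}

# Mirrors the arrays appended in the patch (one entry per signature).
SIGNATURES = [{
    "name": "W32.Welchia.Worm",
    "url": "http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html",
    "key": r"SYSTEM\CurrentControlSet\Services\RpcTftpd",
    "item": "ImagePath",
    "exp": r"%System%\wins\svchost.exe",
}]

def registry_get_sz(registry, key, item):
    """Mimic NASL registry_get_sz(): the string data, or None if absent."""
    return registry.get(key, {}).get(item)

def path_matches(expected, actual):
    """Case-insensitive compare; a leading %System% placeholder stands for
    any directory prefix. Without the placeholder rule this is the plain
    substring test that NASL's '><' operator performs."""
    e, a = expected.lower(), actual.lower()
    if e.startswith("%system%"):
        return a.endswith(e[len("%system%"):])
    return e in a

def scan(registry, signatures=SIGNATURES):
    """Return the names of all signatures whose registry value matches."""
    hits = []
    for sig in signatures:
        data = registry_get_sz(registry, sig["key"], sig["item"])
        if data is not None and path_matches(sig["exp"], data):
            hits.append(sig["name"])
    return hits
```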
