Contemplations : Melissa, I love you - not!
From: CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)
Date: Mon, 8 May 2000 18:37:48 +0100
The Cerberus Security Team have written a tool that will prevent PC users from being infected by such viral worms as the now infamous "I Love You" and its many variants, and any others that are still only a gleam in the eye of the budding virus writer. These rely on the basic default configuration of a standard Microsoft box to be able to spread - and also on a little help from the user, by actually opening the attachment! As many will be aware, 99% of files on a Windows machine have a three letter extension. This extension tells Windows Explorer how to deal with each file. For example, if you double click on a file with the .txt extension, Explorer will look in the Registry to see what application to use to open it - notepad.exe in this case. As far as the "I Love You" worm is concerned, it has a .vbs extension and so, when opened by the person it has been sent to, Windows looks in the Registry to see what application it should use to deal with the file - in this case wscript.exe. wscript.exe is a script interpreter and when passed the file it executes the code it finds there - very much like what command.com or cmd.exe does for batch (.bat) files. The tool the Cerberus Security Team has written goes through the registry and removes these application / file extension associations for VBS, VBE, WSF, WSH, JS and JSE, and any viruses or worms that rely on these associations will therefore fail. These are all "dangerous" mappings and, to be perfectly frank, most computer users never use the functionality provided by them. We provide the source code at the end of this mail and also make the binary version available from our website: http://www.cerberus-infosec.co.uk/vf.exe It has been tested on Windows 98, Windows NT 4 and Windows 2000. Though not yet tested on Windows 95, it should still work.
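Cheers, The Cerberus Security Team http://www.cerberus-infosec.co.uk/ +44(0)208 395 4980

////////////////////////////////////////////////////////////////////////////////
//
// compile with eg Visual C++ link with advapi32.lib
//
// Cerberus Information Security, Ltd
//
// 8th May 2000
//
////////////////////////////////////////////////////////////////////////////////

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <winreg.h>

/* Process exit codes.  SUCCESS is 1 and FAILURE is 0 - the reverse of the
 * usual convention - and is kept that way so anything already testing the
 * exit code of vf.exe keeps working. */
#define SUCCESS 1
#define FAILURE 0

/*
 * Key under which the "<ProgID>\Shell\<verb>\Command" subkeys are opened.
 * Defaults to the local HKEY_CLASSES_ROOT.  When a host name is given on the
 * command line, ConnectToRemoteRegistry() points it at that host's
 * HKLM\SOFTWARE\Classes instead, which is where the machine-wide part of
 * HKEY_CLASSES_ROOT is stored.
 */
HKEY KeyToChange = HKEY_CLASSES_ROOT;

/* Handle returned by RegConnectRegistry; NULL while working locally. */
static HKEY RemoteMachine = NULL;

int ChangeFileAssociations(void);
int ConnectToRemoteRegistry(char *);
LONG DoSetAKey(HKEY, const char *, const char *);
static void DisconnectRemoteRegistry(void);
static int IsHelpSwitch(const char *);

/* Returns nonzero when arg is one of the accepted help switches
 * (case-insensitive, as the original stricmp comparisons were). */
static int IsHelpSwitch(const char *arg)
{
    static const char *const switches[] = {
        "/?", "-?", "/h", "-h", "?", "help", "/help"
    };
    size_t i;

    for (i = 0; i < sizeof switches / sizeof switches[0]; i++) {
        if (stricmp(arg, switches[i]) == 0) {
            return 1;
        }
    }
    return 0;
}

/*
 * Usage: vf.exe [host | /? | -? | /h | -h | ? | help | /help]
 *
 * With no argument the local registry is changed.  With a host name the
 * registry of \\host is changed through the Remote Registry service.  Any of
 * the help switches prints the banner and exits with 0.
 *
 * Returns SUCCESS (1) when every association was changed or was absent, and
 * FAILURE (0) on a registry error, a connection error, or a host name that
 * does not fit in the UNC buffer.
 */
int main(int argc, char *argv[])
{
    int changed;
    char hostname[260];
    const char *errors =
        "There were errors changing the file associations.\n";
    const char *noerrors =
        "VBS,VBE,WSF,WSH,JS and JSE file associations have been changed.\n";

    printf("\nCerberus Security Team\nhttp://www.cerberus-infosec.co.uk/\n8th May 2000\n\n");

    if (argc > 1) {
        if (IsHelpSwitch(argv[1])) {
            return 0;
        }
        /* Build "\\host": two backslashes plus the terminating NUL must fit
         * alongside the name, otherwise refuse rather than truncate. */
        if (strlen(argv[1]) > sizeof hostname - 3) {
            printf("Host name too long.\n");
            return FAILURE;
        }
        strcpy(hostname, "\\\\");
        strcat(hostname, argv[1]);
        if (!ConnectToRemoteRegistry(hostname)) {
            printf("Error connecting to %s\n", hostname);
            return FAILURE;
        }
    }

    changed = ChangeFileAssociations();
    DisconnectRemoteRegistry();

    /* fputs rather than printf: these messages are not format strings. */
    if (changed) {
        fputs(noerrors, stdout);
        return SUCCESS;
    }
    fputs(errors, stdout);
    return FAILURE;
}

/*
 * Point KeyToChange at the file type associations of a remote machine.
 *
 * host: UNC name of the machine ("\\name").
 *
 * RegConnectRegistry only accepts HKEY_LOCAL_MACHINE, HKEY_USERS and
 * HKEY_PERFORMANCE_DATA as the predefined key; HKEY_CLASSES_ROOT is a merged
 * view that cannot be connected to remotely.  So connect to HKLM and descend
 * to SOFTWARE\Classes, which holds the same "<ProgID>\Shell\..." keys that
 * HKCR shows locally.
 *
 * Returns SUCCESS and leaves the handles open (see DisconnectRemoteRegistry)
 * or FAILURE after printing the Win32 error code.
 */
int ConnectToRemoteRegistry(char *host)
{
    HKEY hklm = NULL;
    HKEY classes = NULL;
    LONG rc;

    rc = RegConnectRegistry(host, HKEY_LOCAL_MACHINE, &hklm);
    if (rc != ERROR_SUCCESS) {
        printf("Error %ld\n", rc);
        return FAILURE;
    }
    /* KEY_READ is enough here: the subkeys are opened for writing
     * individually in DoSetAKey. */
    rc = RegOpenKeyEx(hklm, "SOFTWARE\\Classes", 0, KEY_READ, &classes);
    if (rc != ERROR_SUCCESS) {
        printf("Error %ld\n", rc);
        RegCloseKey(hklm);
        return FAILURE;
    }
    RemoteMachine = hklm;
    KeyToChange = classes;
    return SUCCESS;
}

/* Release the remote handles, if any, and fall back to the local HKCR. */
static void DisconnectRemoteRegistry(void)
{
    if (RemoteMachine != NULL) {
        RegCloseKey(KeyToChange);
        RegCloseKey(RemoteMachine);
        RemoteMachine = NULL;
        KeyToChange = HKEY_CLASSES_ROOT;
    }
}

/*
 * Overwrite the Open and Open2 shell verbs of each scripting ProgID with a
 * command ("Foobar") that cannot be executed, so opening a .vbs/.vbe/.wsf/
 * .wsh/.js/.jse file no longer launches the script host.
 *
 * A ProgID or verb that is not registered (ERROR_FILE_NOT_FOUND) is skipped;
 * any other registry error is reported and stops the run.
 *
 * Returns SUCCESS or FAILURE.
 */
int ChangeFileAssociations(void)
{
    /* Same ProgIDs and verbs, in the same order, as the original twelve
     * hand-written DoSetAKey calls. */
    static const char *const progids[] = {
        "VBSFile", "WSHFile", "VBEFile", "WSFFile", "JSEFile", "JSFile"
    };
    static const char *const verbs[] = { "Open", "Open2" };
    char key[MAX_PATH];
    size_t i, j;

    for (i = 0; i < sizeof progids / sizeof progids[0]; i++) {
        for (j = 0; j < sizeof verbs / sizeof verbs[0]; j++) {
            LONG rc;

            /* "<ProgID>\Shell\<verb>\Command".  Every piece is a constant far
             * shorter than MAX_PATH; the check just keeps the concatenation
             * provably bounded. */
            if (strlen(progids[i]) + strlen("\\Shell\\") + strlen(verbs[j])
                    + strlen("\\Command") >= sizeof key) {
                return FAILURE;
            }
            strcpy(key, progids[i]);
            strcat(key, "\\Shell\\");
            strcat(key, verbs[j]);
            strcat(key, "\\Command");

            rc = DoSetAKey(KeyToChange, key, "Foobar");
            if (rc != ERROR_SUCCESS && rc != ERROR_FILE_NOT_FOUND) {
                /* rc is now the real Win32 code, not a 0/1 status, so the
                 * message is actually diagnostic. */
                printf("Error %ld\n", rc);
                return FAILURE;
            }
        }
    }
    return SUCCESS;
}

/*
 * Replace the default value of "<root>\<key>" with the string set.
 *
 * root: open registry key the relative path is resolved against.
 * key:  subkey path, e.g. "VBSFile\Shell\Open\Command".
 * set:  NUL-terminated string to store as the key's default value.
 *
 * Returns ERROR_SUCCESS, ERROR_FILE_NOT_FOUND when the key does not exist
 * (the file type is simply not registered), or the Win32 error code of the
 * failing registry call.
 */
LONG DoSetAKey(HKEY root, const char *key, const char *set)
{
    HKEY hResult = NULL;
    LONG nResult;

    nResult = RegOpenKeyEx(root, key, 0, KEY_WRITE, &hResult);
    if (nResult != ERROR_SUCCESS) {
        /* hResult was never assigned a valid handle on this path, so it
         * must not be passed to RegCloseKey. */
        return nResult;
    }

    /* A shell verb's command line is a REG_SZ, and RegSetValueEx requires
     * the byte count to include the terminating NUL.  (REG_MULTI_SZ without
     * its double terminator left a malformed value behind.) */
    nResult = RegSetValueEx(hResult, NULL, 0, REG_SZ, (CONST BYTE *)set,
                            (DWORD)(strlen(set) + 1));
    if (nResult == ERROR_SUCCESS) {
        printf("Success\n");
    }
    RegCloseKey(hResult);
    return nResult;
}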