[Openvas-commits] r5535 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed Oct 14 10:39:13 CEST 2009


Author: mime
Date: 2009-10-14 10:39:10 +0200 (Wed, 14 Oct 2009)
New Revision: 5535

Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/freebsd_clamav15.nasl
   trunk/openvas-plugins/scripts/kiwi_cattools_tftpd_dir_traversal.nasl
   trunk/openvas-plugins/scripts/nav_installed.nasl
   trunk/openvas-plugins/scripts/patchlink_detection.nasl
   trunk/openvas-plugins/scripts/savce_installed.nasl
   trunk/openvas-plugins/scripts/smb_nt.inc
   trunk/openvas-plugins/scripts/smb_suspicious_files.nasl
   trunk/openvas-plugins/scripts/smb_virii.nasl
   trunk/openvas-plugins/scripts/spysweeper_corp_installed.nasl
   trunk/openvas-plugins/scripts/xot_detect.nasl
Log:
Modified scripts so that they don't need smb_func.inc anymore.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/ChangeLog	2009-10-14 08:39:10 UTC (rev 5535)
@@ -1,3 +1,28 @@
+2009-10-14  Michael Meyer <michael.meyer at intevation.de>
+
+	* scripts/savce_installed.nasl,
+	scripts/patchlink_detection.nasl,
+	scripts/smb_virii.nasl,
+	scripts/smb_suspicious_files.nasl,
+	scripts/spysweeper_corp_installed.nasl,
+	scripts/nav_installed.nasl:
+	Modified so that they don't need smb_func.inc
+	anymore.
+
+	* scripts/smb_nt.inc:
+	Added function smb_get_systemroot().
+
+	* scripts/xot_detect.nasl:
+	Removed call of a nonexistent function which is not needed for
+	the script to work.
+
+	* scripts/freebsd_clamav15.nasl:
+	Bugfix.
+
+	* scripts/kiwi_cattools_tftpd_dir_traversal.nasl:
+	Removed call of a nonexistent function which is not needed for
+	the script to work.
+
 2009-10-13  Thomas Reinke <reinke at securityspace.com>
 
 	* scripts/deb_1902_1.nasl,

Modified: trunk/openvas-plugins/scripts/freebsd_clamav15.nasl
===================================================================
--- trunk/openvas-plugins/scripts/freebsd_clamav15.nasl	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/freebsd_clamav15.nasl	2009-10-14 08:39:10 UTC (rev 5535)
@@ -84,7 +84,7 @@
     vuln = 1;
 }
 bver = portver(pkg:"clamav-devel");
-if(!isnull(bver) && ssvercheck(a:bver, b:"20080902")<0) {
+if(!isnull(bver) && revcomp(a:bver, b:"20080902")<0) {
     security_note(0, data:"Package clamav-devel version " + bver + " is installed which is known to be vulnerable.");
     vuln = 1;
 }

Modified: trunk/openvas-plugins/scripts/kiwi_cattools_tftpd_dir_traversal.nasl
===================================================================
--- trunk/openvas-plugins/scripts/kiwi_cattools_tftpd_dir_traversal.nasl	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/kiwi_cattools_tftpd_dir_traversal.nasl	2009-10-14 08:39:10 UTC (rev 5535)
@@ -74,7 +74,7 @@
 get = tftp_get(port:port, path:"z//..//..//..//..//..//boot.ini");
 if (isnull(get)) exit(0);
 # In case the backdoor was missed by tftpd_backdoor.nasl (UDP is not reliable)
-tftp_ms_backdoor(file: 'boot.ini', data: get, port: port);
+#tftp_ms_backdoor(file: 'boot.ini', data: get, port: port);
 
 if (
     ("ECHO" >< get)                || ("SET " >< get)             ||
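Review bot: The `tftp_ms_backdoor(...)` call on the added line is commented out rather than deleted, and the comment above it ("In case the backdoor was missed by tftpd_backdoor.nasl") now describes nothing. The ChangeLog entry says the function does not exist and is not needed, so drop both lines. If a note is wanted, replace them with one comment such as `# tftp_ms_backdoor() is not available here; this script only reports the traversal`. The rest of the script lies outside this hunk.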

Modified: trunk/openvas-plugins/scripts/nav_installed.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nav_installed.nasl	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/nav_installed.nasl	2009-10-14 08:39:10 UTC (rev 5535)
@@ -3,15 +3,13 @@
 # Original script was written by Jeff Adams <jeffadams at comcast.net>;
 #
 # This script is released under GPLv2
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
 
 if(description)
 {
  script_id(80038);
  script_version("$Revision: 1.497 $");
  name = "Norton Anti Virus Check";
-
  script_name(name);
  desc = "
 This plugin checks that the remote host has Norton Antivirus installed and
@@ -27,14 +25,22 @@
  script_copyright("This script is Copyright (C) 2004-2005 Jeff Adams / Tenable Network Security"); 
  family = "Windows"; 
  script_family(family);
- script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_registry_access.nasl", "smb_enum_services.nasl"); 
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_full_access", "SMB/transport");
- script_require_ports(139, 445); 
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/Registry/Enumerated");
+ script_require_ports(139, 445);
  exit(0);
 }
-include("smb_func.inc");
 
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
 
+if(!get_kb_item("SMB/WindowsVersion")){
+   exit(0);
+}
+
+if(get_kb_item("SMB/samba"))exit(0);
+
 #==================================================================#
 # Section 1. Utilities                                             #
 #==================================================================#
@@ -49,57 +55,56 @@
 
   key = "SOFTWARE\Symantec\SharedDefs\"; 
   item = "DEFWATCH_10"; 
-  key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-  if ( ! isnull(key_h) )
+
+  if (registry_key_exists(key:key))
   {
-   value = RegQueryValue(handle:key_h, item:item);  
-   if (!isnull (value))
-     vers = value[1];
+   value = registry_get_sz(item:item, key:key);  
+   if (value)
+     vers = value;
    else
    {
     item = "NAVCORP_70"; 
-    value = RegQueryValue(handle:key_h, item:item);  
-    if (!isnull (value))
-      vers = value[1];
+    value = registry_get_sz(item:item, key:key);  
+    if (value)
+      vers = value;
     else
     {
      item = "NAVNT_50_AP1"; 
-     value = RegQueryValue(handle:key_h, item:item);  
-     if (!isnull (value))
-       vers = value[1];
+     value = registry_get_sz(item:item, key:key);  
+     if (value)
+       vers = value;
      else
      {
       item = "AVDEFMGR"; 
-      value = RegQueryValue(handle:key_h, item:item);  
-      if (isnull (value))
+      value = registry_get_sz(item:item, key:key);  
+      if (!value)
       {
-       RegCloseKey (handle:key_h);
        return NULL;
       }
       else
-       vers = value[1];
+       vers = value;
      }
     }    
    }
-   
-   RegCloseKey (handle:key_h);   
   }
 
   key = "SOFTWARE\Symantec\InstalledApps\"; 
   item = "AVENGEDEFS"; 
-  key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-  if ( ! isnull(key_h) )
+  if (registry_key_exists(key:key))
   {
-   value = RegQueryValue(handle:key_h, item:item);  
-   if (!isnull (value))
-     path = value[1];
-
-   RegCloseKey (handle:key_h);
+   value = registry_get_sz(item:item, key:key);
+   if (value)
+     path = value;
   }
 
-  vers = substr (vers, strlen(path) + 1 , strlen(vers)-5);
+  if(!path || !vers)return NULL;
 
-  return vers;
+  vers = substr (vers, strlen(path) + 1 , strlen(vers)-5);
+  if(vers) {
+    return vers;
+  } else {
+    return NULL;
+  }   
 }
 
 
@@ -112,56 +117,16 @@
 
   key = reg; 
   item = "version"; 
-  key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-  if ( ! isnull(key_h) )
+  if (registry_key_exists(key:key))
   {
-   value = RegQueryValue(handle:key_h, item:item);
-   RegCloseKey (handle:key_h);
-
-   if (!isnull (value))
-     return value[1];
+   value =  registry_get_sz(item:item, key:key);
+   if (value)
+     return value;
   }
   
   return NULL;
 }
 
-
-#==================================================================#
-# Section 2. Main code                                             #
-#==================================================================#
-
-
-services = get_kb_item("SMB/svcs");
-#if ( ! services ) exit(0);
-
-access = get_kb_item("SMB/registry_full_access");
-if( ! access )exit(0);
-
-port = get_kb_item("SMB/transport");
-if(!port)port = 139;
-
-name	= kb_smb_name(); 	if(!name)exit(0);
-login	= kb_smb_login(); 
-pass	= kb_smb_password(); 	
-domain  = kb_smb_domain(); 	
-port	= kb_smb_transport();
-
-if ( ! get_port_state(port) ) exit(0);
-soc = open_sock_tcp(port);
-if ( ! soc ) exit(0);
-
-session_init(socket:soc, hostname:name);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( r != 1 ) exit(0);
-
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if ( isnull(hklm) ) 
-{
- NetUseDel();
- exit(0);
-}
-
-
 #-------------------------------------------------------------#
 # Checks if McAfee VirusScan is installed                     #
 #-------------------------------------------------------------#
@@ -170,29 +135,21 @@
 
 key = "SOFTWARE\Symantec\InstalledApps\";
 item = "NAVNT";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( ! isnull(key_h) )
+if (registry_key_exists(key:key))
 {
- value = RegQueryValue(handle:key_h, item:"SAVCE");
- if ( isnull (value) )
+ value = registry_get_sz(item:"SAVCE", key:key); 
+ if (!value)
  {
-  value = RegQueryValue(handle:key_h, item:item);
-  if ( isnull (value) ) 
+  value = registry_get_sz(item:item, key:key);
+  if (!value) 
   {
    item = "SAVCE";
-   value = RegQueryValue(handle:key_h, item:item);
+   value = registry_get_sz(item:item, key:key);
   }
  }
- else
-  value = NULL;
-
- RegCloseKey (handle:key_h);
 }
-
-if ( isnull ( value ) )
+if (!value || isnull(value))
 {
-  RegCloseKey(handle:hklm);
-  NetUseDel();
   exit(0);  
 }
 
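Review bot: Removing the `else value = NULL;` branch changes what this check decides. Before, a populated `SAVCE` value cleared `value` and the script exited; now the `SAVCE` string stays in `value` and the Norton AntiVirus checks continue on a host that appears to run the Corporate Edition instead. If that exclusion was intentional, keep it explicit with `if (registry_get_sz(item:"SAVCE", key:key)) exit(0);` before querying `NAVNT`. The third lookup repeats the first `SAVCE` query and looks redundant, and `isnull(value)` is already covered by `!value` in `if (!value || isnull(value))`.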
@@ -211,6 +168,8 @@
 # Checks if Antivirus is running                              #
 #-------------------------------------------------------------#
 
+#services = get_kb_item("SMB/svcs"); # Waiting for smb_enum_services.nasl (LSS)
+
 # Thanks to Jeff Adams for Symantec service.
 if ( services )
 {
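Review bot: `services` is never set any more, because the `get_kb_item("SMB/svcs")` assignment is commented out here and the original one was removed with the old main section. The `if ( services )` block below therefore cannot run, and the "is the antivirus running" check is skipped without any trace in the report. Until smb_enum_services.nasl is available, state in the output that the service state was not checked, and make the later "not running" evaluation depend on `services` being known; that code is outside this hunk. The same commented-out line is added to savce_installed.nasl.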
@@ -226,11 +185,10 @@
 #-------------------------------------------------------------#
 
 product_version = check_product_version (reg:"SOFTWARE\Symantec\Norton AntiVirus");
+if(!product_version || isnull(product_version)) {
+ exit(0);
+}  
 
-
-RegCloseKey (handle:hklm);
-NetUseDel();
-
 #==================================================================#
 # Section 3. Final Report                                          #
 #==================================================================#
@@ -258,17 +216,17 @@
 
 # Last Database Version
 virus = "20080923";
+if(current_database_version && current_database_version>0) {
+  if ( int(current_database_version) < ( int(virus) - 1 ) )
+  {
+    report += "The remote host has an out-dated version of the Norton
+  virus database. Last version is " + virus + "
 
-if ( int(current_database_version) < ( int(virus) - 1 ) )
-{
-  report += "The remote host has an out-dated version of the Norton
-virus database. Last version is " + virus + "
-
-";
-  warning = 1;
+  ";
+    warning = 1;
+  }
 }
 
-
 #
 # Check if antivirus is running
 #
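Review bot: The re-indented string literal now carries the code's indentation into the report text. The continuation line starts with two spaces (`  virus database. Last version is`) and the literal ends with `  ";`, so the message gains blanks the old version did not have. Keep continuation lines of a multi-line string at column 0, or assemble the text with `string(..., "\n")`. The new guard `if(current_database_version && current_database_version>0)` also means that a signature date which could not be read produces no warning at all, so consider reporting that case separately. The same `  ";` ending is introduced in savce_installed.nasl's signature check.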
@@ -281,11 +239,9 @@
   warning = 1;
 }
 
-
 #
 # Create the final report
 #
-
 if (warning)
 {
   report += "As a result, the remote host might be infected by viruses received by

Modified: trunk/openvas-plugins/scripts/patchlink_detection.nasl
===================================================================
--- trunk/openvas-plugins/scripts/patchlink_detection.nasl	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/patchlink_detection.nasl	2009-10-14 08:39:10 UTC (rev 5535)
@@ -1,12 +1,7 @@
 #
 # Josh Zlatin-Amishav (josh at ramat dot cc)
 # GPLv2
-#
-# Tenable grants a special exception for this plugin to use the library 
-# 'smb_func.inc'. This exception does not apply to any modified version of 
-# this plugin.
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
 
  desc = "
 Synopsis :
@@ -22,84 +17,50 @@
 patch management system. 
 
 See also : 
-
 http://www.patchlink.com/
 
 Risk Factor: 
-
 None";
 
-
 if(description)
 {
  script_id(80039);
  script_version("$Revision: 1.2 $");
-
  name = "Patchlink Detection";
-
  script_name(name);
-
  script_description(desc);
- 
  summary = "Checks for the presence of Patchlink";
-
  script_summary(summary);
- 
  script_category(ACT_GATHER_INFO);
- 
  script_copyright("Copyright (C) 2005 Josh Zlatin-Amishav and Tenable Network Security");
  family = "Windows";
  script_family(family);
- 
- script_dependencies("netbios_name_get.nasl",
- 		     "smb_login.nasl","smb_registry_access.nasl");
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_access");
-
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);
  exit(0);
 }
 
-
-include("smb_func.inc");
+include("smb_nt.inc");
 include("secpod_reg.inc");
-if(! get_kb_item("SMB/registry_access")) exit(0);
+include("secpod_smb_func.inc");
 
-name	= kb_smb_name(); 	
-login	= kb_smb_login(); 
-pass	= kb_smb_password(); 	
-domain  = kb_smb_domain(); 	
-port	= kb_smb_transport();
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
 
-if ( ! get_port_state(port) ) exit(0);
-soc = open_sock_tcp(port);
-if ( ! soc ) exit(0);
+if(get_kb_item("SMB/samba"))exit(0);
 
-session_init(socket:soc, hostname:name);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( r != 1 ) exit(0);
+key = "SOFTWARE\PatchLink\Agent Installer";
 
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if ( isnull(hklm) )
-{
- NetUseDel();
+if(!registry_key_exists(key:key)){
  exit(0);
-}
+} 
 
-key = "SOFTWARE\PatchLink\Agent Installer";
+version = registry_get_sz(item:"Version", key:key);
 
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( isnull(key_h)) debug_print("no key");
-if ( ! isnull(key_h) )
+if (version)
 {
- item = "Version";
- array = RegQueryValue(handle:key_h, item:item);
- version = array[1];
- debug_print(version );
- RegCloseKey(handle:key_h);
-}
-
-if ( ! isnull(version) )
-{
   info = string("Patchlink version ", version, " is installed on the remote host.");
 
   report = string (desc,
@@ -111,5 +72,4 @@
   set_kb_item(name:"SMB/Patchlink/version", value:version);
 }
 
-NetUseDel();
-
+exit(0);

Modified: trunk/openvas-plugins/scripts/savce_installed.nasl
===================================================================
--- trunk/openvas-plugins/scripts/savce_installed.nasl	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/savce_installed.nasl	2009-10-14 08:39:10 UTC (rev 5535)
@@ -3,8 +3,7 @@
 # Original script was written by Jeff Adams <jeffadams at comcast.net>
 # and Tenable Network Security
 # This script is released under GPLv2
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
 
 if(description)
 {
@@ -29,20 +28,24 @@
  script_copyright("This script is Copyright (C) 2004-2005 Jeff Adams / Tenable Network Security"); 
  family = "Windows"; 
  script_family(family);
- script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_registry_access.nasl", "smb_enum_services.nasl"); 
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_full_access", "SMB/transport");
- script_require_ports(139, 445); 
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/Registry/Enumerated");
+ script_require_ports(139, 445);
  exit(0);
 }
-include("smb_func.inc");
 
-global_var hklm, soft_path;
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
 
-#==================================================================#
-# Section 1. Utilities                                             #
-#==================================================================#
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
 
+if(get_kb_item("SMB/samba"))exit(0);
 
+global_var soft_path;
+
 #-------------------------------------------------------------#
 # Checks the virus signature version                          #
 #-------------------------------------------------------------#
@@ -50,25 +53,23 @@
 {
   local_var key, item, items, key_h, val, value, path, vers;
 
-  path = NULL;
-  vers = NULL;
-
   key = soft_path + "Symantec\InstalledApps\"; 
-  key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-  if ( ! isnull(key_h) )
-  {
-   value = RegQueryValue(handle:key_h, item:"AVENGEDEFS");
-   if (!isnull (value)) path = value[1];
 
-   RegCloseKey (handle:key_h);
-  }
-  if (isnull(path)) return NULL;
+   if(!registry_key_exists(key:key)){
+      return NULL;
+   } 
 
-  key = soft_path + "Symantec\SharedDefs\"; 
-  key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-  if ( ! isnull(key_h) )
-  {
-    items = make_list(
+   value = registry_get_sz(item:"AVENGEDEFS", key:key);
+   if (value) path = value;
+   if (isnull(path)) return NULL;
+
+   key = soft_path + "Symantec\SharedDefs\"; 
+
+   if(!registry_key_exists(key:key)){
+    return 0;
+   }  
+
+   items = make_list(
       "DEFWATCH_10", 
       "NAVCORP_72", 
       "NAVCORP_70",
@@ -77,22 +78,20 @@
 
     foreach item (items)
     {
-      value = RegQueryValue(handle:key_h, item:item);
-      if (!isnull (value))
-      {
-        val = value[1];
+      value = registry_get_sz(item:item, key:key);
+      if(!value)return NULL;
+      
+        val = value;
         if (stridx(val, path) == 0)
         {
           val = val - (path+"\");
           if ("." >< val) val = val - strstr(val, ".");
           if (isnull(vers) || int(vers) < int(val)) vers = val;
         }
-      }
+      
     }
 
-    RegCloseKey (handle:key_h);
-  }
-  if (isnull(vers)) return NULL;
+  if (!vers) return NULL;
 
   set_kb_item(name: "Antivirus/SAVCE/signature", value:vers);
   return vers;
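Review bot: `if(!value)return NULL;` inside the `foreach` ends the whole function at the first definition name that is absent, where the old code skipped that entry and tried the next one. A host that has only one of the later names under SharedDefs would now yield no signature version, and the out-of-date comparison guarded by `current_signature_version>0` is then skipped. Use `if(!value) continue;` so every name in `items` is still examined. In the preceding hunk the function returns `0` when the SharedDefs key is missing but `NULL` on the other failure paths, and `key_h` stays in `local_var` unused.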
@@ -113,23 +112,21 @@
 
   key = soft_path + "INTEL\LANDesk\VirusProtect6\CurrentVersion";
   item = "ProductVersion";
-  key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-  if ( isnull(key_h) )
-  {
-   key = soft_path + "Symantec\Symantec Endpoint Protection\AV";
-   key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
+
+  if(!registry_key_exists(key:key)){
+    key = soft_path + "Symantec\Symantec Endpoint Protection\AV";
   }
 
-  if ( ! isnull(key_h) )
-  {
-   version = RegQueryValue(handle:key_h, item:item);
+  if(!registry_key_exists(key:key)){
+    return 0;
+  }  
 
-   RegCloseKey (handle:key_h);
+   version = registry_get_sz(item:item, key:key);
 
-   if (!isnull (version))
+   if (version)
    {
-    vhigh = version[1] & 0xFFFF;
-    vlow = (version[1] >>> 16);
+    vhigh = version & 0xFFFF;
+    vlow = (version >>> 16);
 
     v1 = vhigh / 100;
     v2 = (vhigh%100)/10;
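Review bot: `ProductVersion` is split with `& 0xFFFF` and `>>> 16`, which only makes sense for a numeric (DWORD) value, but it is now read with `registry_get_sz`, whose name indicates a string lookup. If that helper returns nothing or a non-numeric string for a DWORD, `Antivirus/SAVCE/version` is never set or is computed from garbage. Please confirm against the helper's definition, or read the value with the DWORD accessor, `registry_get_dword(key:key, item:item)`, if the include in use provides it. The failure paths also differ, `return 0;` for a missing key and `return NULL;` at the end; the function body continues outside this hunk.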
@@ -146,48 +143,10 @@
     set_kb_item(name: "Antivirus/SAVCE/version", value:version);
     return version;
    }
-  }
 
  return NULL;
 }
 
-
-#==================================================================#
-# Section 2. Main code                                             #
-#==================================================================#
-
-
-services = get_kb_item("SMB/svcs");
-#if ( ! services ) exit(0);
-
-access = get_kb_item("SMB/registry_full_access");
-if( ! access )exit(0);
-
-port = get_kb_item("SMB/transport");
-if(!port)port = 139;
-
-name	= kb_smb_name(); 	if(!name)exit(0);
-login	= kb_smb_login(); 
-pass	= kb_smb_password(); 	
-domain  = kb_smb_domain(); 	
-port	= kb_smb_transport();
-
-if ( ! get_port_state(port) ) exit(0);
-soc = open_sock_tcp(port);
-if ( ! soc ) exit(0);
-
-session_init(socket:soc, hostname:name);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( r != 1 ) exit(0);
-
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if ( isnull(hklm) ) 
-{
- NetUseDel();
- exit(0);
-}
-
-
 #-------------------------------------------------------------#
 # Checks if Symantec AntiVirus Corp is installed              #
 #-------------------------------------------------------------#
@@ -196,35 +155,30 @@
 
 key = "SOFTWARE\Wow6432Node\Symantec\InstalledApps\";
 item = "SAVCE";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( isnull(key_h) )
+
+if(registry_key_exists(key:key)){
+  soft_path = "SOFTWARE\Wow6432Node\"; 
+}  
+
+if (!soft_path)
 {
  key = "SOFTWARE\Symantec\InstalledApps\";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-
- soft_path = "SOFTWARE\";
+ if(registry_key_exists(key:key)){
+   soft_path = "SOFTWARE\";
+ }  
 }
-else
-{
- soft_path = "SOFTWARE\Wow6432Node\";
-}
 
-if ( ! isnull(key_h) )
+if (soft_path)
 {
- value = RegQueryValue(handle:key_h, item:item);
- RegCloseKey (handle:key_h);
+ value = registry_get_sz(item:item, key:key); 
 }
 else
 {
-  RegCloseKey(handle:hklm);
-  NetUseDel();
   exit(0);
 }
 
-if ( isnull ( value ) )
+if (!value)
 {
-  RegCloseKey(handle:hklm);
-  NetUseDel();
   exit(0);  
 }
 
@@ -237,12 +191,13 @@
 
 # Take the first signature version key
 current_signature_version = check_signature_version (); 
- 
 
 #-------------------------------------------------------------#
 # Checks if Antivirus is running                              #
 #-------------------------------------------------------------#
 
+#services = get_kb_item("SMB/svcs"); # Waiting for smb_enum_services.nasl (LSS)
+
 # Thanks to Jeff Adams for Symantec service.
 if ( services )
 {
@@ -265,35 +220,21 @@
 
 key = soft_path + "Intel\LANDesk\VirusProtect6\CurrentVersion\";
 item = "Parent";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( ! isnull(key_h) )
+
+if (registry_key_exists(key:key))
 {
- parent = RegQueryValue(handle:key_h, item:item);
- RegCloseKey (handle:key_h);
+ parent = registry_get_sz(item:item, key:key); 
 }
 
-if ( strlen (parent[1]) <=1 )
+if ( strlen(parent)<=1 )
 {
   set_kb_item(name: "Antivirus/SAVCE/noparent", value:TRUE);
-  RegCloseKey(handle:hklm);
 }
 else
 {
-  set_kb_item(name: "Antivirus/SAVCE/parent", value:parent[1]);
+  set_kb_item(name: "Antivirus/SAVCE/parent", value:parent);
 }  
 
-
-#==================================================================#
-# Section 3. Clean Up                                              #
-#==================================================================#
-
-RegCloseKey (handle:hklm);
-NetUseDel();
-
-#==================================================================#
-# Section 4. Final Report                                          #
-#==================================================================#
-
 # var initialization
 warning = 0;
 
@@ -317,17 +258,17 @@
 
 # Last Database Version
 virus = "20080923";
-
-if ( int(current_signature_version) < ( int(virus) - 1 ) )
-{
-  report += "The remote host has an out-dated version of the Symantec 
+if(current_signature_version>0) {
+  if ( int(current_signature_version) < ( int(virus) - 1 ) )
+  {
+    report += "The remote host has an out-dated version of the Symantec 
 Corporate virus signatures. Last version is " + virus + "
 
-";
-  warning = 1;
+  ";
+    warning = 1;
+  }
 }
 
-
 #
 # Check if antivirus is running
 #
@@ -364,3 +305,5 @@
 {
   set_kb_item (name:"Antivirus/SAVCE/description", value:report);
 }
+
+exit(0);

Modified: trunk/openvas-plugins/scripts/smb_nt.inc
===================================================================
--- trunk/openvas-plugins/scripts/smb_nt.inc	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/smb_nt.inc	2009-10-14 08:39:10 UTC (rev 5535)
@@ -3656,3 +3656,26 @@
  	}
 	return NULL;
  }
+
+function smb_get_systemroot() {
+
+  local_var sroot, key, item;
+
+  if(sroot = get_kb_item("SMB/SystemRoot"))return sroot;
+
+  key   = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\";
+
+  if(!registry_key_exists(key:key)){
+    return FALSE;
+  }  
+
+  item  = "SystemRoot";
+  sroot = registry_get_sz(item:item, key:key);  
+
+  if(!isnull(sroot)) {
+    set_kb_item(name:"SMB/SystemRoot", value: sroot);
+    return sroot;
+  } else {
+    return FALSE;
+  }  
+}  
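Review bot: `smb_get_systemroot()` is added without a header comment. A short one should state that it returns the `SystemRoot` string, cached in the `SMB/SystemRoot` KB item, or `FALSE`, and that it relies on `registry_key_exists()` and `registry_get_sz()` being available to the including script. `if(!isnull(sroot))` also accepts an empty string, which may then be cached and returned as a path; `if(sroot)` matches the truthiness test the caller uses (`if ( ! rootfile ) exit(0);` in smb_suspicious_files.nasl). The function just above returns `NULL` on failure, so returning `FALSE` here is a small inconsistency.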

Modified: trunk/openvas-plugins/scripts/smb_suspicious_files.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smb_suspicious_files.nasl	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/smb_suspicious_files.nasl	2009-10-14 08:39:10 UTC (rev 5535)
@@ -3,13 +3,7 @@
 #  This script is released under the GNU GPL v2
 #
 # BHO X http://computercops.biz/clsid.php?type=5 update 27012005
-#
-#
-# Tenable grants a special exception for this plugin to use the library 
-# 'smb_func.inc'. This exception does not apply to any modified version of 
-# this plugin.
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
 
 if(description)
 {
@@ -50,59 +44,48 @@
  exit(0);
 }
 
-
-include("smb_func.inc");
+include("smb_nt.inc");
 include("secpod_reg.inc");
-if ( get_kb_item("SMB/samba") ) exit(0);
+include("secpod_smb_func.inc");
 
-global_var handle, name, url, key, exp, items;
+local_var nname, url, key, item, exp;
 
+if(!get_kb_item("SMB/WindowsVersion")){
+   exit(0);
+}
 
-port = kb_smb_transport();
-if(!port)exit(0);
+if ( get_kb_item("SMB/samba") ) exit(0);
 
-if(!get_port_state(port))return(FALSE);
-login = kb_smb_login();
-pass  = kb_smb_password();
-domain = kb_smb_domain();
-
-soc = open_sock_tcp(port);
-if(!soc)exit(0);
-
-session_init(socket:soc, hostname:kb_smb_name());
-ret = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( ret != 1 ) exit(0);
-
-handle = RegConnectRegistry(hkey:HKEY_CLASS_ROOT);
-if ( isnull(handle) ) exit(0);
-
-
-function check_reg(name, url, key, item, exp)
+function check_reg(nname, url, key, item, exp)
 {
   local_var key_h, value, sz, report;
 
+  key = "SOFTWARE\Classes\" + key;
+  if(!registry_key_exists(key:key)){
+    return 0;
+  } 
+    
+  foreach value (registry_enum_values(key:key)) {
 
-  key_h = RegOpenKey(handle:handle, key:key, mode:MAXIMUM_ALLOWED);
-  if( ! isnull(key_h) )
-  {
-    value = RegQueryValue(handle:key_h, item:item);
-    RegCloseKey(handle:key_h);
-    if ( ! isnull(value) ) sz = value[1]; 
-    else return 0;
-  }
-  else return 0;
-  
- if(exp == NULL || tolower(exp) >< tolower(sz))
- {
-  report = string(
-"'", name, "' is installed on the remote host.\n",
+    if ( ! isnull(value) )  {
+      sz = value; 
+    }  else {
+      continue;
+    }
+
+    if(exp == NULL || tolower(exp) >< tolower(sz))
+    {
+
+report = string(
+"'", nname, "' is installed on the remote host.\n",
 "Make sure that the user of the remote host intended to install
 this software and that its use matches your corporate security
 policy.\n\n",
 "Solution : ", url, "\n",
 "Risk factor : High");
  
-  security_hole(port:kb_smb_transport(), data:report);
+   security_hole(port:kb_smb_transport(), data:report);
+  } 
  }
 }
 
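Review bot: The `item` parameter of `check_reg` is no longer used. The old code read the data of that one value, while the new loop walks `registry_enum_values(key:key)` and matches `exp` against whatever that returns. If the helper returns value names rather than their data (its definition is not part of this diff), the `exp` comparison tests the wrong string, and when `exp` is unset every enumerated value raises its own `security_hole`, duplicating the finding for one key. Reading the named value keeps the original meaning: `sz = registry_get_sz(item:item, key:key); if (isnull(sz)) return 0;`. The top-level `local_var nname, url, key, item, exp;` also replaces a `global_var` declaration outside any function and no longer lists `items`, which `fill_names` still fills.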
@@ -114,58 +97,39 @@
 {
  local_var files, n, i, j;
 
- name = make_list();
+ nname = make_list();
  url  = make_list();
  key  = make_list();
  items  = make_list();
  exp = make_list();
-files = split(keep:FALSE, _FCT_ANON_ARGS[0]);
+ files = split(keep:FALSE, _FCT_ANON_ARGS[0]);
 
-n = max_index(files);
-i = 0;
-for ( j = 0 ;  j < n ;  i ++ )
-{
- if ( !(files[j] =~ "^NAME" &&
-      files[j+1] =~ "^URL" &&
-      files[j+2] =~ "^KEY" &&
-      files[j+3] =~ "^ITEM" &&
-      files[j+4] =~ "^EXP") )
-	{
-	display("Error at line ", j,"\n");
-	break;
+ n = max_index(files);
+ i = 0;
+ for ( j = 0 ;  j < n ;  i ++ )
+ {
+  if ( !(files[j] =~ "^NAME" &&
+       files[j+1] =~ "^URL" &&
+       files[j+2] =~ "^KEY" &&
+       files[j+3] =~ "^ITEM" &&
+       files[j+4] =~ "^EXP") )
+        {
+	 display("Error at line ", j,"\n");
+	 break;
 	}
-  name[i]	= files[j++] - "NAME=";
-  url[i]	= files[j++] - "URL=";
-  key[i]	= files[j++] - "KEY=";
-  items[i] = files[j++] - "ITEM=";
-  exp[i]   = files[j++] - "EXP=";
+   nname[i]	= files[j++] - "NAME=";
+   url[i]	= files[j++] - "URL=";
+   key[i]	= files[j++] - "KEY=";
+   items[i] = files[j++] - "ITEM=";
+   exp[i]   = files[j++] - "EXP=";
  }
 }
 
-
-
-
-
 ##################################################
 
-
-RegCloseKey(handle:handle);
-
-
-rootfile = hotfix_get_systemroot();
+rootfile = smb_get_systemroot();
 if ( ! rootfile ) exit(0);
 
-NetUseDel(close:FALSE);
-share =  ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile); 
-r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-if ( r != 1 )
-{
- NetUseDel();
- exit(1);
-}
-
-
-
 fill_names("NAME=Commonname toolbar
 URL=http://www.doxdesk.com/parasite/CommonName.html
 KEY=CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
@@ -3647,15 +3611,11 @@
 ITEM=
 EXP=bin376.dll");
 
-
-
-for(i=0;name[i];i++)
+for(i=0;nname[i];i++)
 {
- if (DEBUG) display("clsid ",i,": ",name[i],"\n");
-  check_reg(name:name[i], url:url[i], key:key[i], item:items[i], exp:exp[i]);
+  check_reg(nname:nname[i], url:url[i], key:key[i], item:items[i], exp:exp[i]);
 }
 
-
 fill_names("NAME=NetNucleus/Mirar webband
 URL=http://www.kephyr.com/spywarescanner/library/mirartoolbar.winnb42/index.phtml
 KEY=
@@ -3712,26 +3672,19 @@
 ITEM=
 EXP=aclui.dll");
 
+for(i=0;nname[i];i++)
+{
+   my_file = string(rootfile, "\",exp[i]);
 
+   file  = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:my_file); 
+   share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:my_file);
+   myread = read_file(file:file, share:share, offset:0, count:8);
 
-if (DEBUG) display("start main for detection from hardrive\n");
-for(i=0;name[i];i++)
-{
-   if (DEBUG) display("file ",i,": ",name[i],"\n");
-   
-   file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\" + exp[i], string:rootfile); 
-   handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                        share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-   if( ! isnull(handle) )
+   if(myread)
    {
-     report = string(
-    "The dll '"+name[i]+"' is present on the remote host\n",
-    "Solution : "+url[i]+"\n",
-    "Risk factor : High"); 
+    report = string("The dll ", nname[i], " (", my_file ,") is present on the remote host\nSolution: ", url[i], "\nRisk factor : High"); 
     security_hole(port:port, data:report);
-    CloseFile(handle:handle);
-  }
+  } 
 }
-if (DEBUG) display("end main for detection from hardrive\n");
 
-NetUseDel();
+exit(0);
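Review bot: `security_hole(port:port, data:report);` still uses `port`, but this commit removes the only assignment shown for it (`port = kb_smb_transport();` earlier in this file's diff), so the finding is probably filed without a port. `check_reg` already calls `security_hole(port:kb_smb_transport(), data:report);` and this call should do the same. The share pattern `([A-Z]):.*` is unanchored and upper-case only, unlike `^[A-Za-z]:(.*)` on the line before it, so a lower-case drive letter in `SystemRoot` leaves `share` as the whole path; use `^([A-Za-z]):.*`. Presence is inferred from `read_file(..., count:8)` returning data, so a file that cannot be read for access reasons looks the same as one that is absent.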

Modified: trunk/openvas-plugins/scripts/smb_virii.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smb_virii.nasl	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/smb_virii.nasl	2009-10-14 08:39:10 UTC (rev 5535)
@@ -3,16 +3,13 @@
 #
 # This script is released under the GPLv2
 #
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
 
 if(description)
 {
  script_id(80043);
-
  script_version("$Revision: 1.71 $");
-
  name = "The remote host is infected by a virus";
-
  script_name(name);
  
  desc = "
@@ -68,112 +65,44 @@
 Risk factor : High
 Solution : See the URLs which will appear in the report";
 
-
  script_description(desc);
- 
  summary = "Checks for the presence of different virii on the remote host";
-
  script_summary(summary);
- 
  script_category(ACT_GATHER_INFO);
- 
  script_copyright("This script is Copyright (C) 2005 Tenable Network Security");
  family = "Windows";
  script_family(family);
- 
- script_dependencies("netbios_name_get.nasl",
- 		     "smb_login.nasl","smb_registry_access.nasl");
- script_require_keys("SMB/name", "SMB/login", "SMB/password",  "SMB/registry_access");
-
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);
  exit(0);
 }
 
-include("smb_func.inc");
+include("smb_nt.inc");
 include("secpod_reg.inc");
-if ( get_kb_item("SMB/samba") ) exit(0);
+include("secpod_smb_func.inc");
 
-global_var handle;
+local_var nname, url, key, item, exp;
 
-name = kb_smb_name();
-if(!name)exit(0);
-
-port = kb_smb_transport();
-if(!port)exit(0);
-
-if(!get_port_state(port))return(FALSE);
-login = kb_smb_login();
-pass  = kb_smb_password();
-domain = kb_smb_domain();
-
-if(!login)login = "";
-if(!pass) pass = "";
-
-	  
-soc = open_sock_tcp(port);
-if(!soc) exit(0);
-
-session_init(socket:soc, hostname:name);
-ret = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( ret != 1 ) exit(0);
-handle = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if ( isnull(handle) ) exit(0);
-
-run = "SOFTWARE\Microsoft\Windows\CurrentVersion";
-key_h = RegOpenKey(handle:handle, key:run, mode:MAXIMUM_ALLOWED);
-n = 0;
-
-if ( ! isnull(key_h) ) 
-{
- info = RegQueryInfoKey(handle:key_h);
- if ( ! isnull(info) ) 
- {
-  for ( i = 0 ; i != info[0] ; i ++ )
-  {
-   value = RegEnumValue(handle:key_h, index:i);
-   if ( isnull(value) ) break;
-
-   content = RegQueryValue(handle:key_h, item:value[1]);
-   run_content[n++] = value[1];
-   run_content[n++] = content[1];
-  }
- }
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
 }
 
-RegCloseKey(handle:key_h);
+if(get_kb_item("SMB/samba"))exit(0);
 
-function check_reg(name, url, key, item, exp)
+function check_reg(nname, url, key, item, exp)
 {
-  local_var key_h, sz, i, report;
+  if(!registry_key_exists(key:key)){
+    return 0;
+  } 
 
-  # Look in our local "cache" first
-  if ( key == "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" )
-  {
-    for ( i = 0 ; run_content[i]; i += 2 )
-	{
-	  if ( run_content[i] == item )
-		{
-		 if ( exp == NULL ) return TRUE;
-		 else if ( tolower(exp) >< tolower(run_content[i+1]) ) return TRUE;
-		 else return FALSE;
-		}
-	} 
-    return FALSE;
-  }
+  value = registry_get_sz(item:item, key:key);
+  if(!value)return 0;
 
-  key_h = RegOpenKey(handle:handle, key:key, mode:MAXIMUM_ALLOWED);
-  if  ( ! isnull(key_h) )
+  if(exp == NULL || tolower(exp) >< tolower(value))
   {
-    value = RegQueryValue(handle:key_h, item:item);
-    RegCloseKey(handle:key_h);
-    if ( isnull(value) ) return 0;
-  }
-  else return 0;
-  
- if(exp == NULL || tolower(exp) >< tolower(value))
- {
-  report = string(
-"The virus '", name, "' is present on the remote host\n",
+   report = string(
+"The virus '", nname, "' is present on the remote host\n",
 "Solution : ", url, "\n",
 "Risk factor : High");
  
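Review bot: In `check_reg`, `if(!value)return 0;` is wider than the removed `isnull(value)` test: a value that exists but is empty now counts as missing. That matters for the entries with `exp[i] = NULL` (W32.Wallon.A, Winser-A), where the existence of the value is the whole indicator. If `registry_get_sz` returns NULL for a missing item (not visible here), `if(isnull(value))return 0;` keeps the old behaviour. The hunk also removes `port = kb_smb_transport();` with no replacement in the visible lines, and the reporting call sits just after the hunk, so confirm that findings are still attached to the SMB port. Finally, `value` and `report` are no longer declared local inside the function; `local_var value, report;` as the first line of `check_reg` would restore the scoping.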
@@ -181,14 +110,11 @@
  }
 }
 
-
-
-
 i = 0;
-name = NULL;
+nname = NULL;
 
 # http://www.infos3000.com/infosvirus/badtransb.htm
-name[i] 	= "W32/Badtrans-B";
+nname[i] 	= "W32/Badtrans-B";
 url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html";
 key[i] 		= "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce";
 item[i] 	= "kernel32";
@@ -197,7 +123,7 @@
 i++;
 
 # http://www.infos3000.com/infosvirus/jsgiggera.htm
-name[i] 	= "JS_GIGGER.A at mm";
+nname[i] 	= "JS_GIGGER.A at mm";
 url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/js.gigger.a@mm.html";
 key[i] 		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i] 	= "NAV DefAlert";
@@ -206,7 +132,7 @@
 i ++;
 
 # http://www.infos3000.com/infosvirus/vote%20a.htm
-name[i]		= "W32/Vote-A";
+nname[i]	= "W32/Vote-A";
 url[i]		= "http://www.sophos.com/virusinfo/analyses/w32vote-a.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "Norton.Thar";
@@ -214,7 +140,7 @@
 
 i++ ;
 
-name[i]         = "W32/Vote-B";
+nname[i]        = "W32/Vote-B";
 url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.vote.b@mm.html";
 key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]         = "ZaCker";
@@ -223,7 +149,7 @@
 i ++;
 
 # http://www.infos3000.com/infosvirus/codered.htm
-name[i]		= "CodeRed";
+nname[i]		= "CodeRed";
 url[i]		= "http://www.symantec.com/avcenter/venc/data/codered.worm.html";
 key[i]		= "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters";
 item[i]		= "VirtualRootsVC";
@@ -232,7 +158,7 @@
 i ++;
 
 # http://www.infos3000.com/infosvirus/w32sircam.htm
-name[i]		= "W32.Sircam.Worm at mm";
+nname[i]		= "W32.Sircam.Worm at mm";
 url[i]		= "http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
 item[i]		= "Driver32";
@@ -240,7 +166,7 @@
 
 i++;
 
-name[i]  	= "W32.HLLW.Fizzer at mm";
+nname[i]  	= "W32.HLLW.Fizzer at mm";
 url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "SystemInit";
@@ -248,7 +174,7 @@
 
 i++;
 
-name[i]  	= "W32.Sobig.B at mm";
+nname[i]  	= "W32.Sobig.B at mm";
 url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.b@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "SystemTray";
@@ -256,7 +182,7 @@
 
 i ++;
 
-name[i]		= "W32.Sobig.E at mm";
+nname[i]		= "W32.Sobig.E at mm";
 url[i]		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "SSK Service";
@@ -264,7 +190,7 @@
 
 i ++;
 
-name[i]		= "W32.Sobig.F at mm";
+nname[i]		= "W32.Sobig.F at mm";
 url[i]		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "TrayX";
@@ -272,7 +198,7 @@
 
 i ++;
 
-name[i]		= "W32.Sobig.C at mm";
+nname[i]		= "W32.Sobig.C at mm";
 url[i]		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "System MScvb";
@@ -280,25 +206,23 @@
 
 i ++;
 
-name[i] 	= "W32.Yaha.J at mm";
+nname[i] 	= "W32.Yaha.J at mm";
 url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.j@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "winreg";
 exp[i]		= "winReg.exe";
 
-
 i++;
 
-name[i] 	= "W32.mimail.a at mm";
+nname[i] 	= "W32.mimail.a at mm";
 url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "VideoDriver";
 exp[i]		= "videodrv.exe";
 
-
 i++;
 
-name[i] 	= "W32.mimail.c at mm";
+nname[i] 	= "W32.mimail.c at mm";
 url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "NetWatch32";
@@ -306,21 +230,21 @@
 
 i++;
 
-name[i] 	= "W32.mimail.e at mm";
+nname[i] 	= "W32.mimail.e at mm";
 url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.e@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "SystemLoad32";
 exp[i]		= "sysload32.exe";
 
 i++;
-name[i] 	= "W32.mimail.l at mm";
+nname[i] 	= "W32.mimail.l at mm";
 url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.l@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "France";
 exp[i]		= "svchost.exe";
 
 i++;
-name[i] 	= "W32.mimail.p at mm";
+nname[i] 	= "W32.mimail.p at mm";
 url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.p@mm.html";
 key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]		= "WinMgr32";
@@ -328,304 +252,295 @@
 
 i++;
 
-name[i]        = "W32.Welchia.Worm";
-url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html";
-key[i]         = "SYSTEM\CurrentControlSet\Services\RpcTftpd";
-item[i]        = "ImagePath";
-exp[i]         = "%System%\wins\svchost.exe";
+nname[i]        = "W32.Welchia.Worm";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html";
+key[i]          = "SYSTEM\CurrentControlSet\Services\RpcTftpd";
+item[i]         = "ImagePath";
+exp[i]          = "%System%\wins\svchost.exe";
 
-
 i++;
 
-name[i]        = "W32.Randex.Worm";
-url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.b.html";
-key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]        = "superslut";
-exp[i]         = "msslut32.exe";
+nname[i]        = "W32.Randex.Worm";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.b.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "superslut";
+exp[i]          = "msslut32.exe";
 
 i++;
 
-name[i]        = "W32.Randex.Worm";
-url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.c.html";
-key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]        = "Microsoft Netview";
-exp[i]         = "gesfm32.exe";
+nname[i]        = "W32.Randex.Worm";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.c.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "Microsoft Netview";
+exp[i]          = "gesfm32.exe";
 
 i++;
 
-name[i]        = "W32.Randex.Worm";
-url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
-key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]        = "mssyslanhelper";
-exp[i]         = "msmsgri32.exe";
+nname[i]        = "W32.Randex.Worm";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "mssyslanhelper";
+exp[i]          = "msmsgri32.exe";
 
-
 i++;
 
-name[i]        = "W32.Randex.Worm";
-url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
-key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]        = "mslanhelper";
-exp[i]         = "msmsgri32.exe";
+nname[i]        = "W32.Randex.Worm";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "mslanhelper";
+exp[i]          = "msmsgri32.exe";
 
 i ++;
-name[i]        = "W32.Beagle.A";
-url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html";
-key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]        = "d3update.exe";
-exp[i]         = "bbeagle.exe";
+nname[i]        = "W32.Beagle.A";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "d3update.exe";
+exp[i]          = "bbeagle.exe";
 
 i ++;
 
-name[i]        = "W32.Novarg.A";
-url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html";
-key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]        = "TaskMon";
-exp[i]         = "taskmon.exe";
+nname[i]        = "W32.Novarg.A";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "TaskMon";
+exp[i]          = "taskmon.exe";
 
 i++;
 
-name[i]       = "Vesser";
-url[i]        = "http://www.f-secure.com/v-descs/vesser.shtml";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "KernelFaultChk";
-exp[i]        = "sms.exe";
+nname[i]        = "Vesser";
+url[i]          = "http://www.f-secure.com/v-descs/vesser.shtml";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "KernelFaultChk";
+exp[i]          = "sms.exe";
 
 i++;
 
-name[i]       = "NetSky.C";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.c@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "ICQ Net";
-exp[i]        = "winlogon.exe";
+nname[i]        = "NetSky.C";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.c@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "ICQ Net";
+exp[i]          = "winlogon.exe";
 
-
 i++;
 
-name[i]      = "Doomran.a";
-url[i]       = "http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_DOOMRAN.A";
-key[i]       = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]      = "Antimydoom";
-exp[i]       = "PACKAGE.EXE";
+nname[i]        = "Doomran.a";
+url[i]          = "http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_DOOMRAN.A";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "Antimydoom";
+exp[i]          = "PACKAGE.EXE";
 
 i++;
 
-name[i]      = "Beagle.m";
-url[i]       = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.m@mm.html";
-key[i]       = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]      = "winupd.exe";
-exp[i]       = "winupd.exe";
+nname[i]        = "Beagle.m";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.m@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "winupd.exe";
+exp[i]          = "winupd.exe";
 
 i++;
 
-name[i]      = "Beagle.j";
-url[i]       = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html";
-key[i]       = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]      = "ssate.exe";
-exp[i]       = "irun4.exe";
+nname[i]        = "Beagle.j";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "ssate.exe";
+exp[i]          = "irun4.exe";
 
 i++;
 
-name[i]      = "Agobot.FO";
-url[i]       = "http://www.f-secure.com/v-descs/agobot_fo.shtml";
-key[i]       = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]      = "nVidia Chip4";
-exp[i]       = "nvchip4.exe";
+nname[i]        = "Agobot.FO";
+url[i]          = "http://www.f-secure.com/v-descs/agobot_fo.shtml";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "nVidia Chip4";
+exp[i]          = "nvchip4.exe";
 
 i ++;
-name[i]       = "NetSky.W";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.w@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "NetDy";
-exp[i]        = "VisualGuard.exe";
+nname[i]        = "NetSky.W";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.w@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "NetDy";
+exp[i]          = "VisualGuard.exe";
 
-
 i++;
-name[i]       = "Sasser";
-url[i]        = "http://www.lurhq.com/sasser.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "avserve.exe";
-exp[i]        = "avserve.exe";
+nname[i]        = "Sasser";
+url[i]          = "http://www.lurhq.com/sasser.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "avserve.exe";
+exp[i]          = "avserve.exe";
 
 i++;
-name[i]       = "Sasser.C";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "avserve2.exe";
-exp[i]        = "avserve2.exe";
+nname[i]        = "Sasser.C";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "avserve2.exe";
+exp[i]          = "avserve2.exe";
 
 i++;
-name[i]       = "W32.Wallon.A";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.wallon.a@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}";
-item[i]       = "Icon";
-exp[i]        = NULL;
+nname[i]        = "W32.Wallon.A";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.wallon.a@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}";
+item[i]         = "Icon";
+exp[i]          = NULL;
 
-
 i++;
-name[i]       = "W32.MyDoom.M / W32.MyDoom.AX";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "JavaVM";
-exp[i]        = "JAVA.EXE";
+nname[i]        = "W32.MyDoom.M / W32.MyDoom.AX";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "JavaVM";
+exp[i]          = "JAVA.EXE";
 
 i++;
-name[i]       = "W32.MyDoom.AI";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ai@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "lsass";
-exp[i]        = "lsasrv.exe";
+nname[i]        = "W32.MyDoom.AI";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ai@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "lsass";
+exp[i]          = "lsasrv.exe";
 
 i++;
-name[i]       = "W32.aimdes.b / W32.aimdes.c";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.aimdes.c@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "MsVBdll";
-exp[i]        = "sys32dll.exe";
+nname[i]        = "W32.aimdes.b / W32.aimdes.c";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.aimdes.c@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "MsVBdll";
+exp[i]          = "sys32dll.exe";
 
-
 i++;
-name[i]       = "W32.ahker.d";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.d@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "Norton Auto-Protect";
-exp[i]        = "ccApp.exe";
+nname[i]        = "W32.ahker.d";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.d@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "Norton Auto-Protect";
+exp[i]          = "ccApp.exe";
 
 i++;
-name[i]       = "Trojan.Ascetic.C";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/trojan.ascetic.c.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "SystemBoot";
-exp[i]        = "Help\services.exe";
+nname[i]        = "Trojan.Ascetic.C";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/trojan.ascetic.c.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "SystemBoot";
+exp[i]          = "Help\services.exe";
 
 i++;
-name[i]       = "W32.Alcra.A";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "p2pnetwork";
-exp[i]        = "p2pnetwork.exe";
+nname[i]        = "W32.Alcra.A";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "p2pnetwork";
+exp[i]          = "p2pnetwork.exe";
 
 i++;
-name[i]       = "W32.Shelp";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.shelp.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "explorer";
-exp[i]        = "explorer.exe";
+nname[i]        = "W32.Shelp";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.shelp.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "explorer";
+exp[i]          = "explorer.exe";
 
-
 # Submitted by David Maciejak
 i++;
-name[i]       = "Winser-A";
-url[i]        = "http://www.sophos.com/virusinfo/analyses/trojwinsera.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "nortonsantivirus";
-exp[i]        = NULL;
+nname[i]        = "Winser-A";
+url[i]          = "http://www.sophos.com/virusinfo/analyses/trojwinsera.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "nortonsantivirus";
+exp[i]          = NULL;
 
 i++;
-name[i]         = "Backdoor.Berbew.O";
+nname[i]        = "Backdoor.Berbew.O";
 url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/backdoor.berbew.o.html";
 key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad";
 item[i]         = "Web Event Logger";
 exp[i]          = "{7CFBACFF-EE01-1231-ABDD-416592E5D639}";
 
 i++;
-name[i]         = "w32.beagle.az";
+nname[i]        = "w32.beagle.az";
 url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.az@mm.html";
 key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]         = "Sysformat";
 exp[i]          = "sysformat.exe";
 
 i++;
-name[i]       = "Hackarmy.i";
-url[i]        = "http://www.zone-h.org/en/news/read/id=4404/";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "putil";
-exp[i]        = "%windir%";
+nname[i]        = "Hackarmy.i";
+url[i]          = "http://www.zone-h.org/en/news/read/id=4404/";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "putil";
+exp[i]          = "%windir%";
 
 
 i++;
-name[i]       = "W32.Assiral at mm";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.assiral@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "MS_LARISSA";
-exp[i]        = "MS_LARISSA.exe";
+nname[i]        = "W32.Assiral at mm";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.assiral@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "MS_LARISSA";
+exp[i]          = "MS_LARISSA.exe";
 
 i++;
-name[i]       = "Backdoor.Netshadow";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/backdoor.netshadow.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "Windows Logger";
-exp[i]        = "winlog.exe";
+nname[i]        = "Backdoor.Netshadow";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/backdoor.netshadow.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "Windows Logger";
+exp[i]          = "winlog.exe";
 
 i++;
-name[i]       = "W32.Ahker.E at mm";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.e@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "Generic Host Process for Win32 Services";
-exp[i]        = "bazzi.exe";
+nname[i]        = "W32.Ahker.E at mm";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.e@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "Generic Host Process for Win32 Services";
+exp[i]          = "bazzi.exe";
 
 i++;
-name[i]       = "W32.Bropia.R";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.r.html";
-key[i]        = "Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "Wins32 Online";
-exp[i]        = "cfgpwnz.exe";
+nname[i]        = "W32.Bropia.R";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.r.html";
+key[i]          = "Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "Wins32 Online";
+exp[i]          = "cfgpwnz.exe";
 
 i++;
-name[i]       = "Trojan.Prevert";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/trojan.prevert.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "Service Controller";
-exp[i]        = "%System%\service.exe";
+nname[i]        = "Trojan.Prevert";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/trojan.prevert.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "Service Controller";
+exp[i]          = "%System%\service.exe";
 
 i++;
-name[i]       = "W32.AllocUp.A";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.allocup.a.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = ".msfupdate";
-exp[i]        = "%System%\msveup.exe";
+nname[i]        = "W32.AllocUp.A";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.allocup.a.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = ".msfupdate";
+exp[i]          = "%System%\msveup.exe";
 
 i++;
-name[i]       = "W32.Kelvir.M";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.m.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "LSASS32";
-exp[i]        = "Isass32.exe";
+nname[i]        = "W32.Kelvir.M";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.m.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "LSASS32";
+exp[i]          = "Isass32.exe";
 
 i++;
-name[i]       = "VBS.Ypsan.B at mm";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/vbs.ypsan.b@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "BootsCfg";
-exp[i]        = "wscript.exe C:\WINDOWS\System\Back ups\Bkupinstall.vbs";
+nname[i]        = "VBS.Ypsan.B at mm";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/vbs.ypsan.b@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "BootsCfg";
+exp[i]          = "wscript.exe C:\WINDOWS\System\Back ups\Bkupinstall.vbs";
 
 i++;
-name[i]       = "W32.Mytob.AA at mm";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.aa@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "MSN MESSENGER";
-exp[i]        = "msnmsgs.exe";
+nname[i]        = "W32.Mytob.AA at mm";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.aa@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "MSN MESSENGER";
+exp[i]          = "msnmsgs.exe";
 
 i++;
-name[i]       = "Dialer.Asdplug";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/dialer.asdplug.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "ASDPLUGIN";
-exp[i]        = "exe -N";
+nname[i]        = "Dialer.Asdplug";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/dialer.asdplug.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "ASDPLUGIN";
+exp[i]          = "exe -N";
 
-
-
 # Submitted by Jeff Adams
 i++;
-name[i]       = "W32.Erkez.D/Zafi.D";
-url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.d@mm.html";
-key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i]       = "Wxp4";
-exp[i]        = "Norton Update";
+nname[i]        = "W32.Erkez.D/Zafi.D";
+url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.d@mm.html";
+key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i]         = "Wxp4";
+exp[i]          = "Norton Update";
 
 i ++;
 
-name[i]         = "W32.blackmal.e at mm (CME-24)";
+nname[i]        = "W32.blackmal.e at mm (CME-24)";
 url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html";
 key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]         = "ScanRegistry";
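Review bot: The W32.Bropia.R entry keeps `key[i] = "Microsoft\Windows\CurrentVersion\Run";`, without the `SOFTWARE\` prefix that the other Run-key signatures in this list carry. The rewritten `check_reg` returns early when `registry_key_exists(key:key)` fails, so this signature presumably can never match and the check becomes a silent false negative. Assuming lookups are relative to HKLM like the other entries, the line should read `key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";`.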
@@ -633,7 +548,7 @@
 
 i ++;
 
-name[i]         = "W32.Randex.GEL";
+nname[i]        = "W32.Randex.GEL";
 url[i]          = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2";
 key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
 item[i]         = "MS Java for Windows XP & NT";
@@ -641,7 +556,7 @@
 
 i ++;
 
-name[i]         = "W32.Randex.GEL";
+nname[i]        = "W32.Randex.GEL";
 url[i]          = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2";
 key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
 item[i]         = "MS Java for Windows NT";
@@ -649,7 +564,7 @@
 
 i ++;
 
-name[i]         = "W32.Randex.GEL";
+nname[i]        = "W32.Randex.GEL";
 url[i]          = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2";
 key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
 item[i]         = "MS Java Applets for Windows NT, ME & XP";
@@ -657,7 +572,7 @@
 
 i ++;
 
-name[i]         = "W32.Randex.GEL";
+nname[i]        = "W32.Randex.GEL";
 url[i]          = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99";
 key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
 item[i]         = "Sun Java Console for Windows NT & XP";
@@ -665,7 +580,7 @@
 
 i ++;
 
-name[i]         = "W32.Fujacks.A";
+nname[i]        = "W32.Fujacks.A";
 url[i]          = "http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-111415-0546-99";
 key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]         = "svohost";
@@ -674,59 +589,37 @@
 
 i ++;
 
-name[i]         = "W32.Fujacks.B";
+nname[i]        = "W32.Fujacks.B";
 url[i]          = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-112912-5601-99&tabid=2";
 key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
 item[i]         = "svcshare";
 exp[i]          = "spoclsv.exe";
 
-for(i=0;name[i];i++)
+for(i=0;nname[i];i++)
 {
-  check_reg(name:name[i], url:url[i], key:key[i], item:item[i], exp:exp[i]);
+  check_reg(nname:nname[i], url:url[i], key:key[i], item:item[i], exp:exp[i]);
 }
 
-
-
-
-RegCloseKey(handle:handle);
-NetUseDel(close:FALSE);
-
-rootfile = hotfix_get_systemroot();
+rootfile = smb_get_systemroot();
 if ( ! rootfile ) exit(0);
 
 share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile);
 file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\system.ini", string:rootfile);
 
+off = 0;
+resp = read_file(file:file, share:share, offset:off, count:16384);
+if(resp) {
+  data = resp;
+  while(strlen(resp) >= 16383)
+  {
+   off += strlen(resp);
+   resp = read_file(file:file, share:share, offset:off, count:16384);
+   data += resp;
+   if(strlen(data) > 1024 * 1024)break;
+  }
 
-r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-if ( r != 1 )
-{
- NetUseDel();
- exit(1);
-}
-
-
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
-{
- off = 0;
- resp = ReadFile(handle:handle, length:16384, offset:off);
- data = resp;
- while(strlen(resp) >= 16383)
- {
-  off += strlen(resp);
-  resp = ReadFile(handle:handle, length:16384, offset:off);
-  data += resp;
-  if(strlen(data) > 1024 * 1024)break;
- }
-
-
- CloseFile(handle:handle);
-
-
  if("shell=explorer.exe load.exe -dontrunold" >< data)
- {
+ { 
   report = string(
 "The virus 'W32.Nimda.A at mm' is present on the remote host\n",
 "Solution : http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html\n",
@@ -737,39 +630,33 @@
 }
  
 file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\goner.scr", string:rootfile); 
+handle = read_file(file:file, share:share, offset:0, count:8);
 
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
+if(handle)
 {
  report = string(
 "The virus 'W32.Goner.A at mm' is present on the remote host\n",
 "Solution : http://www.symantec.com/avcenter/venc/data/w32.goner.a@mm.html\n",
 "Risk factor : High"); 
  security_hole(port:port, data:report);
- CloseFile(handle:handle);
 }
 
 file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\winxp.exe", string:rootfile); 
+handle = read_file(file:file, share:share, offset:0, count:8);
 
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
+if(handle)
 {
  report = string(
 "The virus 'W32.Bable.AG at mm' is present on the remote host\n",
 "Solution : http://www.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html\n",
 "Risk factor : High"); 
  security_hole(port:port, data:report);
- CloseFile(handle:handle);
 }
 
-
 file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\dnkkq.dll", string:rootfile); 
+handle = read_file(file:file, share:share, offset:0, count:8);
 
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
+if(handle)
 {
  report = string(
 "The backdoor 'Backdoor.Berbew.K' is present on the remote host\n",
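Review bot: The presence checks for goner.scr, winxp.exe and dnkkq.dll now hinge on `read_file(..., offset:0, count:8)` returning non-empty data, so a zero-length file, or one that exists but cannot be read, is treated as absent. The removed `CreateFile(... OPEN_EXISTING)` test only needed the open to succeed. The same pattern is used in the later hunks of this file (the hotword chain, the Sober list, wgareg.exe and the Ginwui DLLs). If the SMB helper library offers an open-only or attribute query, that would be the closer replacement; otherwise a comment such as `# NOTE: empty or unreadable files are not detected by this check` should record the limitation. The result variable is still called `handle` although it now holds file data, and the Berbew block continues outside this hunk.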
@@ -786,91 +673,61 @@
 Solution : http://securityresponse.symantec.com/avcenter/venc/data/backdoor.berbew.k.html
 Risk factor : High"); 
  security_hole(port:port, data:report);
- CloseFile(handle:handle);
 }
 
-
 file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Swen1.dat", string:rootfile); 
+handle = read_file(file:file, share:share, offset:0, count:8);
 
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
+if(handle)
 {
  report = string(
 "The virus 'W32.Swen.A at mm' is present on the remote host\n",
 "Solution : http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html\n",
 "Risk factor : High"); 
  security_hole(port:port, data:report);
- CloseFile(handle:handle);
 }
 
-
 # Submitted by Josh Zlatin-Amishav
 
 file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:rootfile); 
-#trojanname = raw_string(0xFF, 0x73, 0x76, 0x63, 0x68, 0x6F, 0x73, 0x74, 0x2E, 0x65,0x78, 0x65);
 trojanname = raw_string(0xa0, 0x73, 0x76, 0x63, 0x68, 0x6F, 0x73, 0x74, 0x2E, 0x65,0x78, 0x65);
 
-handle = CreateFile (file:string(file, "\\System32\\",trojanname),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_HIDDEN,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+handle = read_file(file:string(file, "\\System32\\",trojanname), share:share, offset:0, count:8);
 
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\_svchost.exe"),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\_svchost.exe"), share:share, offset:0, count:8);  
 
-if ( isnull(handle) )
-  handle = CreateFile (file:string(file, "\\System32\\Outlook Express"),
-                       desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                       share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\Outlook Express"), share:share, offset:0, count:8);  
 
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\CFXP.DRV"),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\CFXP.DRV"), share:share, offset:0, count:8);  
 
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\CHJO.DRV"),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\CHJO.DRV"), share:share, offset:0, count:8);
 
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\MMSYSTEM.DLX"),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\MMSYSTEM.DLX"), share:share, offset:0, count:8);  
 
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\OLECLI.DLX"),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\OLECLI.DLX"), share:share, offset:0, count:8);  
 
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\Windll.dlx"),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\Windll.dlx"), share:share, offset:0, count:8);  
 
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\Activity.AVI"),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\Activity.AVI"), share:share, offset:0, count:8);  
 
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\Upgrade.AVI"),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\Upgrade.AVI"), share:share, offset:0, count:8);  
 
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\System.lst"),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\System.lst"), share:share, offset:0, count:8);  
 
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\PF30txt.dlx"),
-                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\PF30txt.dlx"), share:share, offset:0, count:8);  
 
-if( ! isnull(handle) )
+if(handle)
 {
   report = string(
 "The trojan 'hotword' is present on the remote host\n",
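Review bot: The twelve hotword candidates are probed with a hand-unrolled chain of `if (!handle) handle = read_file(...)` statements, while the Sober and Ginwui checks in this same file already use `foreach` over `make_list(...)` with `break`. Writing this chain the same way removes the repetition and keeps the candidate names in one list. The fence below keeps the probe order and the final `if` unchanged; the report block continues outside the hunk.

```nasl
# … unchanged: file and trojanname assignments …
hotword_files = make_list(trojanname, "_svchost.exe", "Outlook Express",
                          "CFXP.DRV", "CHJO.DRV", "MMSYSTEM.DLX", "OLECLI.DLX",
                          "Windll.dlx", "Activity.AVI", "Upgrade.AVI",
                          "System.lst", "PF30txt.dlx");
handle = NULL;
foreach f (hotword_files)
{
  handle = read_file(file:string(file, "\\System32\\", f), share:share, offset:0, count:8);
  if (handle) break;
}

if(handle)
```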
@@ -881,9 +738,6 @@
   security_hole(port:port, data:report);
 }
 
-
-
-
 # Submitted by David Maciejak
 
 sober = make_list("nonzipsr.noz",
@@ -903,44 +757,36 @@
 foreach f (sober)
 {
  file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\" + f, string:rootfile); 
- handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                      share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
- if( ! isnull(handle) )
+ handle = read_file(file:file, share:share, offset:0, count:8);  
+ if(handle)
  {
   report = string(
 "The virus 'Sober.i at mm' is present on the remote host\n",
 "Solution : http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html\n",
 "Risk factor : High"); 
   security_hole(port:port, data:report);
-  CloseFile(handle:handle);
+  break;
  }
 }
 
 file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\wgareg.exe", string:rootfile); 
-
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
+handle = read_file(file:file, share:share, offset:0, count:8);
+if(handle)
 {
  report = string(
 "The virus 'W32.Wargbot at mm' is present on the remote host\n",
 "Solution : http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99\n",
 "Risk factor : High"); 
  security_hole(port:port, data:report);
- CloseFile(handle:handle);
 }
 
-
-
 # Submitted by Josh Zlatin-Amishav
 
 foreach f (make_list("zsydll.dll", "zsyhide.dll"))
 {
  file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\" + f, string:rootfile);
-
- handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
-                      share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
- if( ! isnull(handle) )
+ handle = read_file(file:file, share:share, offset:0, count:8);
+ if(handle)
  {
    report = string(
    "The backdoor 'W32.Backdoor.Ginwui.B' is present on the remote host\n",
@@ -948,8 +794,8 @@
    "Solution :  Use latest anti-virus signatures to clean the machine.\n",
    "Risk factor : High");
    security_hole(port:port, data:report);
-   CloseFile(handle:handle);
+   break;
  }
-} 
+}
 
-NetUseDel();
+exit(0);

Modified: trunk/openvas-plugins/scripts/spysweeper_corp_installed.nasl
===================================================================
--- trunk/openvas-plugins/scripts/spysweeper_corp_installed.nasl	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/spysweeper_corp_installed.nasl	2009-10-14 08:39:10 UTC (rev 5535)
@@ -29,14 +29,22 @@
  script_copyright("This script is Copyright (C) 2004-2005 Jeff Adams / Tenable Network Security"); 
  family = "Windows"; 
  script_family(family);
- script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_registry_access.nasl", "smb_enum_services.nasl"); 
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_full_access", "SMB/transport");
- script_require_ports(139, 445); 
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/Registry/Enumerated");
+ script_require_ports(139, 445);
  exit(0);
 }
-include("smb_func.inc");
 
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
 
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+if(get_kb_item("SMB/samba"))exit(0);
+
 #==================================================================#
 # Section 1. Utilities                                             #
 #==================================================================#
@@ -51,13 +59,18 @@
 
   key = "SOFTWARE\Webroot\Enterprise\CommAgent\"; 
   item = "sdfv"; 
-  key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-  value = RegQueryValue(handle:key_h, item:item);  
 
-  RegCloseKey (handle:key_h);   
+  if(!registry_key_exists(key:key)){
+    return NULL;
+  }    
 
-  set_kb_item(name: "Antivirus/SpySweeperEnt/signature", value:value[1]);
-  return value[1];
+  value = registry_get_sz(item:item, key:key); 
+  if(value) {
+    set_kb_item(name: "Antivirus/SpySweeperEnt/signature", value:value);
+    return value;
+  } else {
+    return NULL;
+  }   
 }
 
 
@@ -70,100 +83,36 @@
 {
   local_var key, item, key_h, value;
 
-  key = "SOFTWARE\Webroot\Enterprise\Spy Sweeper";
-  key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-  if (!isnull(key_h)) {
-      value = RegQueryValue(handle:key_h, item:"id");
-    if (!isnull(value)) path = value[1];
+  key = "SOFTWARE\Webroot\Enterprise\Spy Sweeper\";
+  if (registry_key_exists(key:key)) {
+      value = registry_get_sz(item:"id", key:key);
+      if (value) path = value;
       else path = NULL;
-
-    RegCloseKey(handle:key_h);
   }
   else path = NULL;
-
-  RegCloseKey(handle:hklm);
-
   if (isnull(path)) {
-    NetUseDel();
     exit(0);
   }
 
-  share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
-  exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\SpySweeperUI.exe", string:path);
-
-  conn = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-  if (conn != 1) {
-    NetUseDel();
-    exit(0);
-  }
-
-  fh = CreateFile(
-    file:exe,
-    desired_access:GENERIC_READ,
-    file_attributes:FILE_ATTRIBUTE_NORMAL,
-    share_mode:FILE_SHARE_READ,
-    create_disposition:OPEN_EXISTING
-  );
-
-  if (isnull(fh))
-  {
-    NetUseDel();
-    exit(0);
-  }
-
-  version = GetFileVersion(handle:fh);
-  CloseFile(handle:fh);
-
+  file = path + "\SpySweeperUI.exe";
+  version = GetVersionFromFile(file:file);
   if (isnull(version))
   {
     ver = "Unable to determine version";
     set_kb_item(name: "Antivirus/SpySweeperEnt/version", value:ver);
-    NetUseDel();
     exit(0);
   }
 
-   ver = string(version[0], ".", version[1], ".", version[2], ".", version[3]);
+   ver = string(version);
    set_kb_item(name: "Antivirus/SpySweeperEnt/version", value:ver);
 
    return ver;
 }
 
-
 #==================================================================#
 # Section 2. Main code                                             #
 #==================================================================#
 
-
-services = get_kb_item("SMB/svcs");
-#if ( ! services ) exit(0);
-
-access = get_kb_item("SMB/registry_full_access");
-if( ! access )exit(0);
-
-port = get_kb_item("SMB/transport");
-if(!port)port = 139;
-
-name	= kb_smb_name(); 	if(!name)exit(0);
-login	= kb_smb_login(); 
-pass	= kb_smb_password(); 	
-domain  = kb_smb_domain(); 	
-port	= kb_smb_transport();
-
-if ( ! get_port_state(port) ) exit(0);
-soc = open_sock_tcp(port);
-if ( ! soc ) exit(0);
-
-session_init(socket:soc, hostname:name);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( r != 1 ) exit(0);
-
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if ( isnull(hklm) ) 
-{
- NetUseDel();
- exit(0);
-}
-
 #-------------------------------------------------------------#
 # Checks if Spy Sweeper Enterprise is installed               #
 #-------------------------------------------------------------#
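Review bot: In check_product_version the failure test is still `if (isnull(version))`, although `version` now comes from `GetVersionFromFile(file:file)`, whose failure value is not visible in this hunk. If it returns an empty string rather than NULL, the "Unable to determine version" branch is skipped and an empty version is written to the KB. `if (!version)` would match the truthiness checks the commit uses for `registry_get_sz` results. The `local_var` line also still declares `key_h`, which is no longer used, while `path`, `file`, `version` and `ver` are assigned without being declared local. The function starts before this hunk.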
@@ -172,17 +121,14 @@
 
 key = "SOFTWARE\Webroot\Enterprise\Spy Sweeper\";
 item = "id";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( ! isnull(key_h) )
+
+if (registry_key_exists(key:key))
 {
- value = RegQueryValue(handle:key_h, item:item);
- RegCloseKey (handle:key_h);
+ value = registry_get_sz(item:item, key:key);
 }
 
-if ( isnull ( value ) )
+if (!value)
 {
-  RegCloseKey(handle:hklm);
-  NetUseDel();
   exit(0);  
 }
 
@@ -197,21 +143,19 @@
 
 key = "SOFTWARE\Webroot\Enterprise\CommAgent\";
 item = "su";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( ! isnull(key_h) )
+
+if (registry_key_exists(key:key))
 {
- value = RegQueryValue(handle:key_h, item:item);
- RegCloseKey (handle:key_h);
+ value = registry_get_sz(item:item, key:key);
 }
 
-if ( strlen (value[1]) <=1 )
+if ( strlen (value) <=1 )
 {
   set_kb_item(name: "Antivirus/SpySweeperEnt/noparent", value:TRUE);
-  RegCloseKey(handle:hklm);
 }
 else
 {
-  set_kb_item(name: "Antivirus/SpySweeperEnt/parent", value:value[1]);
+  set_kb_item(name: "Antivirus/SpySweeperEnt/parent", value:value);
 }
 
 #-------------------------------------------------------------#
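Review bot: When the CommAgent key does not exist, `value` is not reassigned in this hunk, so `strlen (value)` is evaluated on whatever the earlier "id" lookup left behind. The previous hunk exits when that lookup is empty, so at this point `value` would hold the Spy Sweeper "id" string and be stored as `Antivirus/SpySweeperEnt/parent`. This holds unless the lines between the two hunks, which are not shown, reset it. Adding `value = NULL;` before `if (registry_key_exists(key:key))` makes the missing-key case fall into the `noparent` branch.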
@@ -219,13 +163,14 @@
 #-------------------------------------------------------------#
 current_signature_version = check_signature_version (); 
 
-
 #-------------------------------------------------------------#
 # Checks if Spy Sweeper is running                            #
 # Both of these need to running in order to ensure proper     #
 # operation.                                                  # 
 #-------------------------------------------------------------#
 
+#services = get_kb_item("SMB/svcs"); # Waiting for smb_enum_services.nasl (LSS)
+
 if ( services )
 {
   if (("WebrootSpySweeperService" >!< services) || ("Webroot CommAgent Service" >!< services))
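Review bot: The only assignment to `services` is now the commented-out `#services = get_kb_item("SMB/svcs");`, so `if ( services )` can never be true and `running` is never set here. The earlier assignment was removed with the old main-code setup in the preceding hunk. If the final report, which is outside this hunk, reads `running`, it will see an unset value and the outcome depends on how that is interpreted. Either disable the whole block together with the assignment, or add a comment like `# service check disabled until SMB/svcs is provided; 'running' stays unset` and make sure the report does not warn on an unknown state.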
@@ -234,20 +179,12 @@
     running = 1;
 }
 
-
 #-------------------------------------------------------------#
 # Checks the product version                                  #
 #-------------------------------------------------------------#
 product_version = check_product_version ();
+if(!product_version && !current_signature_version)exit(0);
 
-
-#-------------------------------------------------------------#
-# Section 3. Clean up                                         #
-#-------------------------------------------------------------#
-
-RegCloseKey (handle:hklm);
-NetUseDel();
-
 #==================================================================#
 # Section 4. Final Report                                          #
 #==================================================================#
@@ -277,17 +214,17 @@
 # Updates are located here:
 # http://www.webroot.com/entcenter/index.php
 virus = "";
-
-if ( int(current_signature_version) < int(virus) )
-{
-  report += "The remote host has an out-dated version of the Spy 
+if(current_signature_version && current_signature_version>0) {
+  if ( int(current_signature_version) < int(virus) )
+  {
+    report += "The remote host has an out-dated version of the Spy 
 Sweeper virus signatures. Last version is " + virus + "
 
-";
-  warning = 1;
+  ";
+    warning = 1;
+  }    
 }
 
-
 #
 # Check if antivirus is running
 #
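Review bot: With `virus = "";` the comparison `int(current_signature_version) < int(virus)` presumably compares against 0, and the added guard `current_signature_version>0` then makes it unreachable, so the out-dated-signature warning cannot fire. The empty reference value predates this commit, but the new guard hides it further. A check like `if (virus && current_signature_version)` plus a comment that `virus` must be filled with the current signature number would make the intent explicit. Separately, the re-indentation moved the closing `";` of the report string to `  ";`, which adds two trailing spaces to the emitted report text; the closing quote should stay at column 0.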

Modified: trunk/openvas-plugins/scripts/xot_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/xot_detect.nasl	2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/xot_detect.nasl	2009-10-14 08:39:10 UTC (rev 5535)
@@ -44,7 +44,7 @@
 
 # XOT is not silent: it abruptly closes the connection when it receives
 # invalid data
-if (silent_service(port)) exit(0);
+#if (silent_service(port)) exit(0);
 
 # By the way, GET and HELP are definitely invalid. So...
 b = get_unknown_banner(port: port, dontfetch: 1);
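Review bot: The call is disabled by commenting it out (`#if (silent_service(port)) exit(0);`), which leaves dead code and a two-line comment above it that now explains a statement that no longer runs. Since the ChangeLog says the function does not exist, deleting the line is cleaner. The preceding comment could be reworded to `# XOT abruptly closes the connection on invalid data, so no silent-service check is needed`.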


