[Openvas-commits] r5535 - in trunk/openvas-plugins: . scripts
Wed Oct 14 10:39:13 CEST 2009
Author: mime
Date: 2009-10-14 10:39:10 +0200 (Wed, 14 Oct 2009)
New Revision: 5535
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/freebsd_clamav15.nasl
trunk/openvas-plugins/scripts/kiwi_cattools_tftpd_dir_traversal.nasl
trunk/openvas-plugins/scripts/nav_installed.nasl
trunk/openvas-plugins/scripts/patchlink_detection.nasl
trunk/openvas-plugins/scripts/savce_installed.nasl
trunk/openvas-plugins/scripts/smb_nt.inc
trunk/openvas-plugins/scripts/smb_suspicious_files.nasl
trunk/openvas-plugins/scripts/smb_virii.nasl
trunk/openvas-plugins/scripts/spysweeper_corp_installed.nasl
trunk/openvas-plugins/scripts/xot_detect.nasl
Log:
Modified scripts so that they don't need smb_func.inc anymore.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/ChangeLog 2009-10-14 08:39:10 UTC (rev 5535)
@@ -1,3 +1,28 @@
+2009-10-14 Michael Meyer <michael.meyer at intevation.de>
+
+ * scripts/savce_installed.nasl,
+ scripts/patchlink_detection.nasl,
+ scripts/smb_virii.nasl,
+ scripts/smb_suspicious_files.nasl,
+ scripts/spysweeper_corp_installed.nasl,
+ scripts/nav_installed.nasl:
+ Modified so that they don't need smb_func.inc
+ anymore.
+
+ * scripts/smb_nt.inc:
+ Added function smb_get_systemroot().
+
+ * scripts/xot_detect.nasl:
+ Removed call of a nonexistent function which is not needed for
+ the script to work.
+
+ * scripts/freebsd_clamav15.nasl:
+ Bugfix.
+
+ * scripts/kiwi_cattools_tftpd_dir_traversal.nasl:
+ Removed call of a nonexistent function which is not needed for
+ the script to work.
+
2009-10-13 Thomas Reinke <reinke at securityspace.com>
* scripts/deb_1902_1.nasl,
Modified: trunk/openvas-plugins/scripts/freebsd_clamav15.nasl
===================================================================
--- trunk/openvas-plugins/scripts/freebsd_clamav15.nasl 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/freebsd_clamav15.nasl 2009-10-14 08:39:10 UTC (rev 5535)
@@ -84,7 +84,7 @@
vuln = 1;
}
bver = portver(pkg:"clamav-devel");
-if(!isnull(bver) && ssvercheck(a:bver, b:"20080902")<0) {
+if(!isnull(bver) && revcomp(a:bver, b:"20080902")<0) {
security_note(0, data:"Package clamav-devel version " + bver + " is installed which is known to be vulnerable.");
vuln = 1;
}
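Review bot: The ChangeLog entry for this file says only "Bugfix"; since the one changed line swaps `ssvercheck(a:bver, b:"20080902")` for `revcomp(a:bver, b:"20080902")`, presumably because ssvercheck() is not defined in this context, the entry should say so (`freebsd_clamav15.nasl: use revcomp() instead of the undefined ssvercheck()`) so the next reader does not have to diff to learn what the bug was. If other package checks in this file, outside the hunk, still call ssvercheck(), they fail the same way and need the same edit.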
Modified: trunk/openvas-plugins/scripts/kiwi_cattools_tftpd_dir_traversal.nasl
===================================================================
--- trunk/openvas-plugins/scripts/kiwi_cattools_tftpd_dir_traversal.nasl 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/kiwi_cattools_tftpd_dir_traversal.nasl 2009-10-14 08:39:10 UTC (rev 5535)
@@ -74,7 +74,7 @@
get = tftp_get(port:port, path:"z//..//..//..//..//..//boot.ini");
if (isnull(get)) exit(0);
# In case the backdoor was missed by tftpd_backdoor.nasl (UDP is not reliable)
-tftp_ms_backdoor(file: 'boot.ini', data: get, port: port);
+#tftp_ms_backdoor(file: 'boot.ini', data: get, port: port);
if (
("ECHO" >< get) || ("SET " >< get) ||
Modified: trunk/openvas-plugins/scripts/nav_installed.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nav_installed.nasl 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/nav_installed.nasl 2009-10-14 08:39:10 UTC (rev 5535)
@@ -3,15 +3,13 @@
# Original script was written by Jeff Adams <jeffadams at comcast.net>;
#
# This script is released under GPLv2
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
if(description)
{
script_id(80038);
script_version("$Revision: 1.497 $");
name = "Norton Anti Virus Check";
-
script_name(name);
desc = "
This plugin checks that the remote host has Norton Antivirus installed and
@@ -27,14 +25,22 @@
script_copyright("This script is Copyright (C) 2004-2005 Jeff Adams / Tenable Network Security");
family = "Windows";
script_family(family);
- script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_registry_access.nasl", "smb_enum_services.nasl");
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_full_access", "SMB/transport");
- script_require_ports(139, 445);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/Registry/Enumerated");
+ script_require_ports(139, 445);
exit(0);
}
-include("smb_func.inc");
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+if(get_kb_item("SMB/samba"))exit(0);
+
#==================================================================#
# Section 1. Utilities #
#==================================================================#
@@ -49,57 +55,56 @@
key = "SOFTWARE\Symantec\SharedDefs\";
item = "DEFWATCH_10";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
- if ( ! isnull(key_h) )
+
+ if (registry_key_exists(key:key))
{
- value = RegQueryValue(handle:key_h, item:item);
- if (!isnull (value))
- vers = value[1];
+ value = registry_get_sz(item:item, key:key);
+ if (value)
+ vers = value;
else
{
item = "NAVCORP_70";
- value = RegQueryValue(handle:key_h, item:item);
- if (!isnull (value))
- vers = value[1];
+ value = registry_get_sz(item:item, key:key);
+ if (value)
+ vers = value;
else
{
item = "NAVNT_50_AP1";
- value = RegQueryValue(handle:key_h, item:item);
- if (!isnull (value))
- vers = value[1];
+ value = registry_get_sz(item:item, key:key);
+ if (value)
+ vers = value;
else
{
item = "AVDEFMGR";
- value = RegQueryValue(handle:key_h, item:item);
- if (isnull (value))
+ value = registry_get_sz(item:item, key:key);
+ if (!value)
{
- RegCloseKey (handle:key_h);
return NULL;
}
else
- vers = value[1];
+ vers = value;
}
}
}
-
- RegCloseKey (handle:key_h);
}
key = "SOFTWARE\Symantec\InstalledApps\";
item = "AVENGEDEFS";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
- if ( ! isnull(key_h) )
+ if (registry_key_exists(key:key))
{
- value = RegQueryValue(handle:key_h, item:item);
- if (!isnull (value))
- path = value[1];
-
- RegCloseKey (handle:key_h);
+ value = registry_get_sz(item:item, key:key);
+ if (value)
+ path = value;
}
- vers = substr (vers, strlen(path) + 1 , strlen(vers)-5);
+ if(!path || !vers)return NULL;
- return vers;
+ vers = substr (vers, strlen(path) + 1 , strlen(vers)-5);
+ if(vers) {
+ return vers;
+ } else {
+ return NULL;
+ }
}
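Review bot: `vers = substr (vers, strlen(path) + 1 , strlen(vers)-5);` still assumes the definition string begins with `path`; the new guard `if(!path || !vers)return NULL;` only covers the missing case, so a value that does not start with the path, or is shorter than strlen(path)+6, is sliced at arbitrary offsets. The sibling check in savce_installed.nasl guards this with `stridx(val, path) == 0`; adding `if(stridx(vers, path) != 0) return NULL;` before the substr() here makes the two scripts consistent. The trailing `if(vers) { return vers; } else { return NULL; }` can be just `return vers;` if the caller treats a falsy version and NULL alike, which its `if(!product_version || isnull(product_version))` test suggests. The enclosing function begins before this hunk.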
@@ -112,56 +117,16 @@
key = reg;
item = "version";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
- if ( ! isnull(key_h) )
+ if (registry_key_exists(key:key))
{
- value = RegQueryValue(handle:key_h, item:item);
- RegCloseKey (handle:key_h);
-
- if (!isnull (value))
- return value[1];
+ value = registry_get_sz(item:item, key:key);
+ if (value)
+ return value;
}
return NULL;
}
-
-#==================================================================#
-# Section 2. Main code #
-#==================================================================#
-
-
-services = get_kb_item("SMB/svcs");
-#if ( ! services ) exit(0);
-
-access = get_kb_item("SMB/registry_full_access");
-if( ! access )exit(0);
-
-port = get_kb_item("SMB/transport");
-if(!port)port = 139;
-
-name = kb_smb_name(); if(!name)exit(0);
-login = kb_smb_login();
-pass = kb_smb_password();
-domain = kb_smb_domain();
-port = kb_smb_transport();
-
-if ( ! get_port_state(port) ) exit(0);
-soc = open_sock_tcp(port);
-if ( ! soc ) exit(0);
-
-session_init(socket:soc, hostname:name);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( r != 1 ) exit(0);
-
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if ( isnull(hklm) )
-{
- NetUseDel();
- exit(0);
-}
-
-
#-------------------------------------------------------------#
# Checks if McAfee VirusScan is installed #
#-------------------------------------------------------------#
@@ -170,29 +135,21 @@
key = "SOFTWARE\Symantec\InstalledApps\";
item = "NAVNT";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( ! isnull(key_h) )
+if (registry_key_exists(key:key))
{
- value = RegQueryValue(handle:key_h, item:"SAVCE");
- if ( isnull (value) )
+ value = registry_get_sz(item:"SAVCE", key:key);
+ if (!value)
{
- value = RegQueryValue(handle:key_h, item:item);
- if ( isnull (value) )
+ value = registry_get_sz(item:item, key:key);
+ if (!value)
{
item = "SAVCE";
- value = RegQueryValue(handle:key_h, item:item);
+ value = registry_get_sz(item:item, key:key);
}
}
- else
- value = NULL;
-
- RegCloseKey (handle:key_h);
}
-
-if ( isnull ( value ) )
+if (!value || isnull(value))
{
- RegCloseKey(handle:hklm);
- NetUseDel();
exit(0);
}
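Review bot: `if (!value || isnull(value))` is redundant, since `!value` is already true for NULL; `if (!value)` suffices, and the same double test appears in the product-version hunk (`if(!product_version || isnull(product_version))`). The rewritten lookup chain also reads "SAVCE" twice: `registry_get_sz(item:"SAVCE", key:key)` first, then `item` ("NAVNT"), then `item = "SAVCE"` again, so the third registry_get_sz() repeats the first and cannot succeed where it failed; drop the inner `item = "SAVCE";` branch or make it query a different value name. That second point was carried over from the old code, but since these lines were rewritten it is a good moment to fix it.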
@@ -211,6 +168,8 @@
# Checks if Antivirus is running #
#-------------------------------------------------------------#
+#services = get_kb_item("SMB/svcs"); # Waiting for smb_enum_services.nasl (LSS)
+
# Thanks to Jeff Adams for Symantec service.
if ( services )
{
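Review bot: With `services = get_kb_item("SMB/svcs");` commented out, `services` is never assigned in this script, so `if ( services )` on the next line is always false and the service-running check under it is silently skipped; the same edit is in savce_installed.nasl (its hunk with `#services = get_kb_item("SMB/svcs"); # Waiting for smb_enum_services.nasl (LSS)`). If the check is intentionally disabled until smb_enum_services.nasl provides the key, say so at the point of use and initialize explicitly, e.g. `services = NULL; # SMB/svcs not available yet; running-state check disabled`, so a reader does not mistake the dead branch for live coverage. The block guarded by `if ( services )` continues past the hunk.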
@@ -226,11 +185,10 @@
#-------------------------------------------------------------#
product_version = check_product_version (reg:"SOFTWARE\Symantec\Norton AntiVirus");
+if(!product_version || isnull(product_version)) {
+ exit(0);
+}
-
-RegCloseKey (handle:hklm);
-NetUseDel();
-
#==================================================================#
# Section 3. Final Report #
#==================================================================#
@@ -258,17 +216,17 @@
# Last Database Version
virus = "20080923";
+if(current_database_version && current_database_version>0) {
+ if ( int(current_database_version) < ( int(virus) - 1 ) )
+ {
+ report += "The remote host has an out-dated version of the Norton
+ virus database. Last version is " + virus + "
-if ( int(current_database_version) < ( int(virus) - 1 ) )
-{
- report += "The remote host has an out-dated version of the Norton
-virus database. Last version is " + virus + "
-
-";
- warning = 1;
+ ";
+ warning = 1;
+ }
}
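Review bot: The new wrapper `if(current_database_version && current_database_version>0)` means a host whose signature version could not be read now produces no out-of-date warning at all, where before the comparison ran and would likely have warned. That turns a lookup failure into a silent pass; consider an explicit branch such as `else { report += "The Norton virus database version could not be determined.\n"; warning = 1; }`, or at least a debug message. The same wrapper was added in savce_installed.nasl (`if(current_signature_version>0)`). The rewritten string literal also appears to drop the blank line the old report text ended with (the old `+ virus + "` was followed by an empty line before `";`), which changes the report formatting.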
-
#
# Check if antivirus is running
#
@@ -281,11 +239,9 @@
warning = 1;
}
-
#
# Create the final report
#
-
if (warning)
{
report += "As a result, the remote host might be infected by viruses received by
Modified: trunk/openvas-plugins/scripts/patchlink_detection.nasl
===================================================================
--- trunk/openvas-plugins/scripts/patchlink_detection.nasl 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/patchlink_detection.nasl 2009-10-14 08:39:10 UTC (rev 5535)
@@ -1,12 +1,7 @@
#
# Josh Zlatin-Amishav (josh at ramat dot cc)
# GPLv2
-#
-# Tenable grants a special exception for this plugin to use the library
-# 'smb_func.inc'. This exception does not apply to any modified version of
-# this plugin.
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
desc = "
Synopsis :
@@ -22,84 +17,50 @@
patch management system.
See also :
-
http://www.patchlink.com/
Risk Factor:
-
None";
-
if(description)
{
script_id(80039);
script_version("$Revision: 1.2 $");
-
name = "Patchlink Detection";
-
script_name(name);
-
script_description(desc);
-
summary = "Checks for the presence of Patchlink";
-
script_summary(summary);
-
script_category(ACT_GATHER_INFO);
-
script_copyright("Copyright (C) 2005 Josh Zlatin-Amishav and Tenable Network Security");
family = "Windows";
script_family(family);
-
- script_dependencies("netbios_name_get.nasl",
- "smb_login.nasl","smb_registry_access.nasl");
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_access");
-
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
-
-include("smb_func.inc");
+include("smb_nt.inc");
include("secpod_reg.inc");
-if(! get_kb_item("SMB/registry_access")) exit(0);
+include("secpod_smb_func.inc");
-name = kb_smb_name();
-login = kb_smb_login();
-pass = kb_smb_password();
-domain = kb_smb_domain();
-port = kb_smb_transport();
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
-if ( ! get_port_state(port) ) exit(0);
-soc = open_sock_tcp(port);
-if ( ! soc ) exit(0);
+if(get_kb_item("SMB/samba"))exit(0);
-session_init(socket:soc, hostname:name);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( r != 1 ) exit(0);
+key = "SOFTWARE\PatchLink\Agent Installer";
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if ( isnull(hklm) )
-{
- NetUseDel();
+if(!registry_key_exists(key:key)){
exit(0);
-}
+}
-key = "SOFTWARE\PatchLink\Agent Installer";
+version = registry_get_sz(item:"Version", key:key);
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( isnull(key_h)) debug_print("no key");
-if ( ! isnull(key_h) )
+if (version)
{
- item = "Version";
- array = RegQueryValue(handle:key_h, item:item);
- version = array[1];
- debug_print(version );
- RegCloseKey(handle:key_h);
-}
-
-if ( ! isnull(version) )
-{
info = string("Patchlink version ", version, " is installed on the remote host.");
report = string (desc,
@@ -111,5 +72,4 @@
set_kb_item(name:"SMB/Patchlink/version", value:version);
}
-NetUseDel();
-
+exit(0);
Modified: trunk/openvas-plugins/scripts/savce_installed.nasl
===================================================================
--- trunk/openvas-plugins/scripts/savce_installed.nasl 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/savce_installed.nasl 2009-10-14 08:39:10 UTC (rev 5535)
@@ -3,8 +3,7 @@
# Original script was written by Jeff Adams <jeffadams at comcast.net>
# and Tenable Network Security
# This script is released under GPLv2
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
if(description)
{
@@ -29,20 +28,24 @@
script_copyright("This script is Copyright (C) 2004-2005 Jeff Adams / Tenable Network Security");
family = "Windows";
script_family(family);
- script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_registry_access.nasl", "smb_enum_services.nasl");
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_full_access", "SMB/transport");
- script_require_ports(139, 445);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/Registry/Enumerated");
+ script_require_ports(139, 445);
exit(0);
}
-include("smb_func.inc");
-global_var hklm, soft_path;
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
-#==================================================================#
-# Section 1. Utilities #
-#==================================================================#
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+if(get_kb_item("SMB/samba"))exit(0);
+global_var soft_path;
+
#-------------------------------------------------------------#
# Checks the virus signature version #
#-------------------------------------------------------------#
@@ -50,25 +53,23 @@
{
local_var key, item, items, key_h, val, value, path, vers;
- path = NULL;
- vers = NULL;
-
key = soft_path + "Symantec\InstalledApps\";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
- if ( ! isnull(key_h) )
- {
- value = RegQueryValue(handle:key_h, item:"AVENGEDEFS");
- if (!isnull (value)) path = value[1];
- RegCloseKey (handle:key_h);
- }
- if (isnull(path)) return NULL;
+ if(!registry_key_exists(key:key)){
+ return NULL;
+ }
- key = soft_path + "Symantec\SharedDefs\";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
- if ( ! isnull(key_h) )
- {
- items = make_list(
+ value = registry_get_sz(item:"AVENGEDEFS", key:key);
+ if (value) path = value;
+ if (isnull(path)) return NULL;
+
+ key = soft_path + "Symantec\SharedDefs\";
+
+ if(!registry_key_exists(key:key)){
+ return 0;
+ }
+
+ items = make_list(
"DEFWATCH_10",
"NAVCORP_72",
"NAVCORP_70",
@@ -77,22 +78,20 @@
foreach item (items)
{
- value = RegQueryValue(handle:key_h, item:item);
- if (!isnull (value))
- {
- val = value[1];
+ value = registry_get_sz(item:item, key:key);
+ if(!value)return NULL;
+
+ val = value;
if (stridx(val, path) == 0)
{
val = val - (path+"\");
if ("." >< val) val = val - strstr(val, ".");
if (isnull(vers) || int(vers) < int(val)) vers = val;
}
- }
+
}
- RegCloseKey (handle:key_h);
- }
- if (isnull(vers)) return NULL;
+ if (!vers) return NULL;
set_kb_item(name: "Antivirus/SAVCE/signature", value:vers);
return vers;
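Review bot: `if(!value)return NULL;` inside the foreach aborts the whole lookup at the first missing value name, whereas the old code skipped it (`if (!isnull (value)) { ... }`) and went on to the next candidate. The items list holds alternative product entries (DEFWATCH_10, NAVCORP_72, NAVCORP_70, …), of which presumably only some exist on any one install, so the first absent one now hides any later present one and the signature version is reported as unknown. Replace that line with `if(!value) continue;`. The enclosing function starts before the hunk.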
@@ -113,23 +112,21 @@
key = soft_path + "INTEL\LANDesk\VirusProtect6\CurrentVersion";
item = "ProductVersion";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
- if ( isnull(key_h) )
- {
- key = soft_path + "Symantec\Symantec Endpoint Protection\AV";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
+
+ if(!registry_key_exists(key:key)){
+ key = soft_path + "Symantec\Symantec Endpoint Protection\AV";
}
- if ( ! isnull(key_h) )
- {
- version = RegQueryValue(handle:key_h, item:item);
+ if(!registry_key_exists(key:key)){
+ return 0;
+ }
- RegCloseKey (handle:key_h);
+ version = registry_get_sz(item:item, key:key);
- if (!isnull (version))
+ if (version)
{
- vhigh = version[1] & 0xFFFF;
- vlow = (version[1] >>> 16);
+ vhigh = version & 0xFFFF;
+ vlow = (version >>> 16);
v1 = vhigh / 100;
v2 = (vhigh%100)/10;
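Review bot: `vhigh = version & 0xFFFF;` and `vlow = (version >>> 16);` now operate on the result of registry_get_sz(), which by its name reads a REG_SZ string, whereas the old `version[1]` came from RegQueryValue() and was used as a number. If ProductVersion is stored as a REG_DWORD on real installs, the _sz reader may return NULL (caught by `if (version)`, so the version is silently never reported) or a string on which the bit operations are not meaningful; confirm the value type and, if it is a DWORD, read it with a DWORD-typed helper from secpod_reg.inc if one is available. The function begins before the hunk.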
@@ -146,48 +143,10 @@
set_kb_item(name: "Antivirus/SAVCE/version", value:version);
return version;
}
- }
return NULL;
}
-
-#==================================================================#
-# Section 2. Main code #
-#==================================================================#
-
-
-services = get_kb_item("SMB/svcs");
-#if ( ! services ) exit(0);
-
-access = get_kb_item("SMB/registry_full_access");
-if( ! access )exit(0);
-
-port = get_kb_item("SMB/transport");
-if(!port)port = 139;
-
-name = kb_smb_name(); if(!name)exit(0);
-login = kb_smb_login();
-pass = kb_smb_password();
-domain = kb_smb_domain();
-port = kb_smb_transport();
-
-if ( ! get_port_state(port) ) exit(0);
-soc = open_sock_tcp(port);
-if ( ! soc ) exit(0);
-
-session_init(socket:soc, hostname:name);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( r != 1 ) exit(0);
-
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if ( isnull(hklm) )
-{
- NetUseDel();
- exit(0);
-}
-
-
#-------------------------------------------------------------#
# Checks if Symantec AntiVirus Corp is installed #
#-------------------------------------------------------------#
@@ -196,35 +155,30 @@
key = "SOFTWARE\Wow6432Node\Symantec\InstalledApps\";
item = "SAVCE";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( isnull(key_h) )
+
+if(registry_key_exists(key:key)){
+ soft_path = "SOFTWARE\Wow6432Node\";
+}
+
+if (!soft_path)
{
key = "SOFTWARE\Symantec\InstalledApps\";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-
- soft_path = "SOFTWARE\";
+ if(registry_key_exists(key:key)){
+ soft_path = "SOFTWARE\";
+ }
}
-else
-{
- soft_path = "SOFTWARE\Wow6432Node\";
-}
-if ( ! isnull(key_h) )
+if (soft_path)
{
- value = RegQueryValue(handle:key_h, item:item);
- RegCloseKey (handle:key_h);
+ value = registry_get_sz(item:item, key:key);
}
else
{
- RegCloseKey(handle:hklm);
- NetUseDel();
exit(0);
}
-if ( isnull ( value ) )
+if (!value)
{
- RegCloseKey(handle:hklm);
- NetUseDel();
exit(0);
}
@@ -237,12 +191,13 @@
# Take the first signature version key
current_signature_version = check_signature_version ();
-
#-------------------------------------------------------------#
# Checks if Antivirus is running #
#-------------------------------------------------------------#
+#services = get_kb_item("SMB/svcs"); # Waiting for smb_enum_services.nasl (LSS)
+
# Thanks to Jeff Adams for Symantec service.
if ( services )
{
@@ -265,35 +220,21 @@
key = soft_path + "Intel\LANDesk\VirusProtect6\CurrentVersion\";
item = "Parent";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( ! isnull(key_h) )
+
+if (registry_key_exists(key:key))
{
- parent = RegQueryValue(handle:key_h, item:item);
- RegCloseKey (handle:key_h);
+ parent = registry_get_sz(item:item, key:key);
}
-if ( strlen (parent[1]) <=1 )
+if ( strlen(parent)<=1 )
{
set_kb_item(name: "Antivirus/SAVCE/noparent", value:TRUE);
- RegCloseKey(handle:hklm);
}
else
{
- set_kb_item(name: "Antivirus/SAVCE/parent", value:parent[1]);
+ set_kb_item(name: "Antivirus/SAVCE/parent", value:parent);
}
-
-#==================================================================#
-# Section 3. Clean Up #
-#==================================================================#
-
-RegCloseKey (handle:hklm);
-NetUseDel();
-
-#==================================================================#
-# Section 4. Final Report #
-#==================================================================#
-
# var initialization
warning = 0;
@@ -317,17 +258,17 @@
# Last Database Version
virus = "20080923";
-
-if ( int(current_signature_version) < ( int(virus) - 1 ) )
-{
- report += "The remote host has an out-dated version of the Symantec
+if(current_signature_version>0) {
+ if ( int(current_signature_version) < ( int(virus) - 1 ) )
+ {
+ report += "The remote host has an out-dated version of the Symantec
Corporate virus signatures. Last version is " + virus + "
-";
- warning = 1;
+ ";
+ warning = 1;
+ }
}
-
#
# Check if antivirus is running
#
@@ -364,3 +305,5 @@
{
set_kb_item (name:"Antivirus/SAVCE/description", value:report);
}
+
+exit(0);
Modified: trunk/openvas-plugins/scripts/smb_nt.inc
===================================================================
--- trunk/openvas-plugins/scripts/smb_nt.inc 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/smb_nt.inc 2009-10-14 08:39:10 UTC (rev 5535)
@@ -3656,3 +3656,26 @@
}
return NULL;
}
+
+function smb_get_systemroot() {
+
+ local_var sroot, key, item;
+
+ if(sroot = get_kb_item("SMB/SystemRoot"))return sroot;
+
+ key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\";
+
+ if(!registry_key_exists(key:key)){
+ return FALSE;
+ }
+
+ item = "SystemRoot";
+ sroot = registry_get_sz(item:item, key:key);
+
+ if(!isnull(sroot)) {
+ set_kb_item(name:"SMB/SystemRoot", value: sroot);
+ return sroot;
+ } else {
+ return FALSE;
+ }
+}
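Review bot: `if(!isnull(sroot))` accepts an empty string, so a SystemRoot value that reads back as "" is cached under SMB/SystemRoot for the rest of the scan and every later caller gets "" from the fast path on the first line; use `if(sroot)` instead, which is the test callers apply anyway (`if ( ! rootfile ) exit(0);` in smb_suspicious_files.nasl). The assignment inside the condition, `if(sroot = get_kb_item("SMB/SystemRoot"))return sroot;`, is easy to misread as a comparison; `sroot = get_kb_item("SMB/SystemRoot"); if(sroot) return sroot;` reads better. Since smb_nt.inc is shared by many scripts, a short header comment stating that the function returns the Windows system root path (from the KB cache, else from the CurrentVersion key, which it then caches) and FALSE when it cannot be read would help.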
Modified: trunk/openvas-plugins/scripts/smb_suspicious_files.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smb_suspicious_files.nasl 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/smb_suspicious_files.nasl 2009-10-14 08:39:10 UTC (rev 5535)
@@ -3,13 +3,7 @@
# This script is released under the GNU GPL v2
#
# BHO X http://computercops.biz/clsid.php?type=5 update 27012005
-#
-#
-# Tenable grants a special exception for this plugin to use the library
-# 'smb_func.inc'. This exception does not apply to any modified version of
-# this plugin.
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
if(description)
{
@@ -50,59 +44,48 @@
exit(0);
}
-
-include("smb_func.inc");
+include("smb_nt.inc");
include("secpod_reg.inc");
-if ( get_kb_item("SMB/samba") ) exit(0);
+include("secpod_smb_func.inc");
-global_var handle, name, url, key, exp, items;
+local_var nname, url, key, item, exp;
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
-port = kb_smb_transport();
-if(!port)exit(0);
+if ( get_kb_item("SMB/samba") ) exit(0);
-if(!get_port_state(port))return(FALSE);
-login = kb_smb_login();
-pass = kb_smb_password();
-domain = kb_smb_domain();
-
-soc = open_sock_tcp(port);
-if(!soc)exit(0);
-
-session_init(socket:soc, hostname:kb_smb_name());
-ret = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( ret != 1 ) exit(0);
-
-handle = RegConnectRegistry(hkey:HKEY_CLASS_ROOT);
-if ( isnull(handle) ) exit(0);
-
-
-function check_reg(name, url, key, item, exp)
+function check_reg(nname, url, key, item, exp)
{
local_var key_h, value, sz, report;
+ key = "SOFTWARE\Classes\" + key;
+ if(!registry_key_exists(key:key)){
+ return 0;
+ }
+
+ foreach value (registry_enum_values(key:key)) {
- key_h = RegOpenKey(handle:handle, key:key, mode:MAXIMUM_ALLOWED);
- if( ! isnull(key_h) )
- {
- value = RegQueryValue(handle:key_h, item:item);
- RegCloseKey(handle:key_h);
- if ( ! isnull(value) ) sz = value[1];
- else return 0;
- }
- else return 0;
-
- if(exp == NULL || tolower(exp) >< tolower(sz))
- {
- report = string(
-"'", name, "' is installed on the remote host.\n",
+ if ( ! isnull(value) ) {
+ sz = value;
+ } else {
+ continue;
+ }
+
+ if(exp == NULL || tolower(exp) >< tolower(sz))
+ {
+
+report = string(
+"'", nname, "' is installed on the remote host.\n",
"Make sure that the user of the remote host intended to install
this software and that its use matches your corporate security
policy.\n\n",
"Solution : ", url, "\n",
"Risk factor : High");
- security_hole(port:kb_smb_transport(), data:report);
+ security_hole(port:kb_smb_transport(), data:report);
+ }
}
}
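Review bot: The rewritten check_reg() ignores its `item` parameter: it enumerates every value under the key with registry_enum_values() and compares `exp` against each one, and when `exp == NULL` it calls security_hole() once per enumerated value instead of once for the named item. If registry_enum_values() returns value names rather than data, as its name suggests, `exp` is also matched against the wrong thing, since the old code matched it against the data of `item`. Restoring the single lookup keeps one report per signature, as below; `key_h` in the local_var line is now unused as well. Separately, `local_var nname, url, key, item, exp;` at file scope replaces the old `global_var`; if the interpreter does not treat a top-level local_var as global, the lists filled inside fill_names() will not be the ones the loops at the end of the script read — the same construct was added in smb_virii.nasl.
```nasl
function check_reg(nname, url, key, item, exp)
{
  local_var sz, report;
  key = "SOFTWARE\Classes\" + key;
  if(!registry_key_exists(key:key)) return 0;

  # Look up the specific value the signature names, as the old code did,
  # instead of scanning every value under the key.
  sz = registry_get_sz(item:item, key:key);
  if(isnull(sz)) return 0;

  if(exp == NULL || tolower(exp) >< tolower(sz))
  {
    # … unchanged: report string and security_hole() call …
  }
}
```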
@@ -114,58 +97,39 @@
{
local_var files, n, i, j;
- name = make_list();
+ nname = make_list();
url = make_list();
key = make_list();
items = make_list();
exp = make_list();
-files = split(keep:FALSE, _FCT_ANON_ARGS[0]);
+ files = split(keep:FALSE, _FCT_ANON_ARGS[0]);
-n = max_index(files);
-i = 0;
-for ( j = 0 ; j < n ; i ++ )
-{
- if ( !(files[j] =~ "^NAME" &&
- files[j+1] =~ "^URL" &&
- files[j+2] =~ "^KEY" &&
- files[j+3] =~ "^ITEM" &&
- files[j+4] =~ "^EXP") )
- {
- display("Error at line ", j,"\n");
- break;
+ n = max_index(files);
+ i = 0;
+ for ( j = 0 ; j < n ; i ++ )
+ {
+ if ( !(files[j] =~ "^NAME" &&
+ files[j+1] =~ "^URL" &&
+ files[j+2] =~ "^KEY" &&
+ files[j+3] =~ "^ITEM" &&
+ files[j+4] =~ "^EXP") )
+ {
+ display("Error at line ", j,"\n");
+ break;
}
- name[i] = files[j++] - "NAME=";
- url[i] = files[j++] - "URL=";
- key[i] = files[j++] - "KEY=";
- items[i] = files[j++] - "ITEM=";
- exp[i] = files[j++] - "EXP=";
+ nname[i] = files[j++] - "NAME=";
+ url[i] = files[j++] - "URL=";
+ key[i] = files[j++] - "KEY=";
+ items[i] = files[j++] - "ITEM=";
+ exp[i] = files[j++] - "EXP=";
}
}
-
-
-
-
##################################################
-
-RegCloseKey(handle:handle);
-
-
-rootfile = hotfix_get_systemroot();
+rootfile = smb_get_systemroot();
if ( ! rootfile ) exit(0);
-NetUseDel(close:FALSE);
-share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-if ( r != 1 )
-{
- NetUseDel();
- exit(1);
-}
-
-
-
fill_names("NAME=Commonname toolbar
URL=http://www.doxdesk.com/parasite/CommonName.html
KEY=CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
@@ -3647,15 +3611,11 @@
ITEM=
EXP=bin376.dll");
-
-
-for(i=0;name[i];i++)
+for(i=0;nname[i];i++)
{
- if (DEBUG) display("clsid ",i,": ",name[i],"\n");
- check_reg(name:name[i], url:url[i], key:key[i], item:items[i], exp:exp[i]);
+ check_reg(nname:nname[i], url:url[i], key:key[i], item:items[i], exp:exp[i]);
}
-
fill_names("NAME=NetNucleus/Mirar webband
URL=http://www.kephyr.com/spywarescanner/library/mirartoolbar.winnb42/index.phtml
KEY=
@@ -3712,26 +3672,19 @@
ITEM=
EXP=aclui.dll");
+for(i=0;nname[i];i++)
+{
+ my_file = string(rootfile, "\",exp[i]);
+ file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:my_file);
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:my_file);
+ myread = read_file(file:file, share:share, offset:0, count:8);
-if (DEBUG) display("start main for detection from hardrive\n");
-for(i=0;name[i];i++)
-{
- if (DEBUG) display("file ",i,": ",name[i],"\n");
-
- file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\" + exp[i], string:rootfile);
- handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
- if( ! isnull(handle) )
+ if(myread)
{
- report = string(
- "The dll '"+name[i]+"' is present on the remote host\n",
- "Solution : "+url[i]+"\n",
- "Risk factor : High");
+ report = string("The dll ", nname[i], " (", my_file ,") is present on the remote host\nSolution: ", url[i], "\nRisk factor : High");
security_hole(port:port, data:report);
- CloseFile(handle:handle);
- }
+ }
}
-if (DEBUG) display("end main for detection from hardrive\n");
-NetUseDel();
+exit(0);
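Review bot: `security_hole(port:port, data:report);` uses `port`, which is no longer assigned anywhere in this script after `port = kb_smb_transport();` was removed from the top, so the report is issued with a NULL port; use `security_hole(port:kb_smb_transport(), data:report);` as check_reg() already does. The share pattern `"([A-Z]):.*"` is case-sensitive while the file pattern on the line above accepts `[A-Za-z]`; a lowercase drive letter in SystemRoot leaves `share` equal to the whole path and read_file() fails for every entry, so use `"^([A-Za-z]):.*"` for both. Since `share` depends only on `rootfile`, its computation can also be hoisted out of the loop.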
Modified: trunk/openvas-plugins/scripts/smb_virii.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smb_virii.nasl 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/smb_virii.nasl 2009-10-14 08:39:10 UTC (rev 5535)
@@ -3,16 +3,13 @@
#
# This script is released under the GPLv2
#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
if(description)
{
script_id(80043);
-
script_version("$Revision: 1.71 $");
-
name = "The remote host is infected by a virus";
-
script_name(name);
desc = "
@@ -68,112 +65,44 @@
Risk factor : High
Solution : See the URLs which will appear in the report";
-
script_description(desc);
-
summary = "Checks for the presence of different virii on the remote host";
-
script_summary(summary);
-
script_category(ACT_GATHER_INFO);
-
script_copyright("This script is Copyright (C) 2005 Tenable Network Security");
family = "Windows";
script_family(family);
-
- script_dependencies("netbios_name_get.nasl",
- "smb_login.nasl","smb_registry_access.nasl");
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_access");
-
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
-include("smb_func.inc");
+include("smb_nt.inc");
include("secpod_reg.inc");
-if ( get_kb_item("SMB/samba") ) exit(0);
+include("secpod_smb_func.inc");
-global_var handle;
+local_var nname, url, key, item, exp;
-name = kb_smb_name();
-if(!name)exit(0);
-
-port = kb_smb_transport();
-if(!port)exit(0);
-
-if(!get_port_state(port))return(FALSE);
-login = kb_smb_login();
-pass = kb_smb_password();
-domain = kb_smb_domain();
-
-if(!login)login = "";
-if(!pass) pass = "";
-
-
-soc = open_sock_tcp(port);
-if(!soc) exit(0);
-
-session_init(socket:soc, hostname:name);
-ret = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( ret != 1 ) exit(0);
-handle = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if ( isnull(handle) ) exit(0);
-
-run = "SOFTWARE\Microsoft\Windows\CurrentVersion";
-key_h = RegOpenKey(handle:handle, key:run, mode:MAXIMUM_ALLOWED);
-n = 0;
-
-if ( ! isnull(key_h) )
-{
- info = RegQueryInfoKey(handle:key_h);
- if ( ! isnull(info) )
- {
- for ( i = 0 ; i != info[0] ; i ++ )
- {
- value = RegEnumValue(handle:key_h, index:i);
- if ( isnull(value) ) break;
-
- content = RegQueryValue(handle:key_h, item:value[1]);
- run_content[n++] = value[1];
- run_content[n++] = content[1];
- }
- }
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
}
-RegCloseKey(handle:key_h);
+if(get_kb_item("SMB/samba"))exit(0);
-function check_reg(name, url, key, item, exp)
+function check_reg(nname, url, key, item, exp)
{
- local_var key_h, sz, i, report;
+ if(!registry_key_exists(key:key)){
+ return 0;
+ }
- # Look in our local "cache" first
- if ( key == "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" )
- {
- for ( i = 0 ; run_content[i]; i += 2 )
- {
- if ( run_content[i] == item )
- {
- if ( exp == NULL ) return TRUE;
- else if ( tolower(exp) >< tolower(run_content[i+1]) ) return TRUE;
- else return FALSE;
- }
- }
- return FALSE;
- }
+ value = registry_get_sz(item:item, key:key);
+ if(!value)return 0;
- key_h = RegOpenKey(handle:handle, key:key, mode:MAXIMUM_ALLOWED);
- if ( ! isnull(key_h) )
+ if(exp == NULL || tolower(exp) >< tolower(value))
{
- value = RegQueryValue(handle:key_h, item:item);
- RegCloseKey(handle:key_h);
- if ( isnull(value) ) return 0;
- }
- else return 0;
-
- if(exp == NULL || tolower(exp) >< tolower(value))
- {
- report = string(
-"The virus '", name, "' is present on the remote host\n",
+ report = string(
+"The virus '", nname, "' is present on the remote host\n",
"Solution : ", url, "\n",
"Risk factor : High");
@@ -181,14 +110,11 @@
}
}
-
-
-
i = 0;
-name = NULL;
+nname = NULL;
# http://www.infos3000.com/infosvirus/badtransb.htm
-name[i] = "W32/Badtrans-B";
+nname[i] = "W32/Badtrans-B";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce";
item[i] = "kernel32";
@@ -197,7 +123,7 @@
i++;
# http://www.infos3000.com/infosvirus/jsgiggera.htm
-name[i] = "JS_GIGGER.A at mm";
+nname[i] = "JS_GIGGER.A at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/js.gigger.a@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "NAV DefAlert";
@@ -206,7 +132,7 @@
i ++;
# http://www.infos3000.com/infosvirus/vote%20a.htm
-name[i] = "W32/Vote-A";
+nname[i] = "W32/Vote-A";
url[i] = "http://www.sophos.com/virusinfo/analyses/w32vote-a.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "Norton.Thar";
@@ -214,7 +140,7 @@
i++ ;
-name[i] = "W32/Vote-B";
+nname[i] = "W32/Vote-B";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.vote.b@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "ZaCker";
@@ -223,7 +149,7 @@
i ++;
# http://www.infos3000.com/infosvirus/codered.htm
-name[i] = "CodeRed";
+nname[i] = "CodeRed";
url[i] = "http://www.symantec.com/avcenter/venc/data/codered.worm.html";
key[i] = "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters";
item[i] = "VirtualRootsVC";
@@ -232,7 +158,7 @@
i ++;
# http://www.infos3000.com/infosvirus/w32sircam.htm
-name[i] = "W32.Sircam.Worm at mm";
+nname[i] = "W32.Sircam.Worm at mm";
url[i] = "http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
item[i] = "Driver32";
@@ -240,7 +166,7 @@
i++;
-name[i] = "W32.HLLW.Fizzer at mm";
+nname[i] = "W32.HLLW.Fizzer at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "SystemInit";
@@ -248,7 +174,7 @@
i++;
-name[i] = "W32.Sobig.B at mm";
+nname[i] = "W32.Sobig.B at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.b@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "SystemTray";
@@ -256,7 +182,7 @@
i ++;
-name[i] = "W32.Sobig.E at mm";
+nname[i] = "W32.Sobig.E at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "SSK Service";
@@ -264,7 +190,7 @@
i ++;
-name[i] = "W32.Sobig.F at mm";
+nname[i] = "W32.Sobig.F at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "TrayX";
@@ -272,7 +198,7 @@
i ++;
-name[i] = "W32.Sobig.C at mm";
+nname[i] = "W32.Sobig.C at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "System MScvb";
@@ -280,25 +206,23 @@
i ++;
-name[i] = "W32.Yaha.J at mm";
+nname[i] = "W32.Yaha.J at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.j@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "winreg";
exp[i] = "winReg.exe";
-
i++;
-name[i] = "W32.mimail.a at mm";
+nname[i] = "W32.mimail.a at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "VideoDriver";
exp[i] = "videodrv.exe";
-
i++;
-name[i] = "W32.mimail.c at mm";
+nname[i] = "W32.mimail.c at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "NetWatch32";
@@ -306,21 +230,21 @@
i++;
-name[i] = "W32.mimail.e at mm";
+nname[i] = "W32.mimail.e at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.e@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "SystemLoad32";
exp[i] = "sysload32.exe";
i++;
-name[i] = "W32.mimail.l at mm";
+nname[i] = "W32.mimail.l at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.l@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "France";
exp[i] = "svchost.exe";
i++;
-name[i] = "W32.mimail.p at mm";
+nname[i] = "W32.mimail.p at mm";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.p@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "WinMgr32";
@@ -328,304 +252,295 @@
i++;
-name[i] = "W32.Welchia.Worm";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html";
-key[i] = "SYSTEM\CurrentControlSet\Services\RpcTftpd";
-item[i] = "ImagePath";
-exp[i] = "%System%\wins\svchost.exe";
+nname[i] = "W32.Welchia.Worm";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html";
+key[i] = "SYSTEM\CurrentControlSet\Services\RpcTftpd";
+item[i] = "ImagePath";
+exp[i] = "%System%\wins\svchost.exe";
-
i++;
-name[i] = "W32.Randex.Worm";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.b.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "superslut";
-exp[i] = "msslut32.exe";
+nname[i] = "W32.Randex.Worm";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.b.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "superslut";
+exp[i] = "msslut32.exe";
i++;
-name[i] = "W32.Randex.Worm";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.c.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "Microsoft Netview";
-exp[i] = "gesfm32.exe";
+nname[i] = "W32.Randex.Worm";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.c.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "Microsoft Netview";
+exp[i] = "gesfm32.exe";
i++;
-name[i] = "W32.Randex.Worm";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "mssyslanhelper";
-exp[i] = "msmsgri32.exe";
+nname[i] = "W32.Randex.Worm";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "mssyslanhelper";
+exp[i] = "msmsgri32.exe";
-
i++;
-name[i] = "W32.Randex.Worm";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "mslanhelper";
-exp[i] = "msmsgri32.exe";
+nname[i] = "W32.Randex.Worm";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "mslanhelper";
+exp[i] = "msmsgri32.exe";
i ++;
-name[i] = "W32.Beagle.A";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "d3update.exe";
-exp[i] = "bbeagle.exe";
+nname[i] = "W32.Beagle.A";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "d3update.exe";
+exp[i] = "bbeagle.exe";
i ++;
-name[i] = "W32.Novarg.A";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "TaskMon";
-exp[i] = "taskmon.exe";
+nname[i] = "W32.Novarg.A";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "TaskMon";
+exp[i] = "taskmon.exe";
i++;
-name[i] = "Vesser";
-url[i] = "http://www.f-secure.com/v-descs/vesser.shtml";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "KernelFaultChk";
-exp[i] = "sms.exe";
+nname[i] = "Vesser";
+url[i] = "http://www.f-secure.com/v-descs/vesser.shtml";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "KernelFaultChk";
+exp[i] = "sms.exe";
i++;
-name[i] = "NetSky.C";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.c@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "ICQ Net";
-exp[i] = "winlogon.exe";
+nname[i] = "NetSky.C";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.c@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "ICQ Net";
+exp[i] = "winlogon.exe";
-
i++;
-name[i] = "Doomran.a";
-url[i] = "http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_DOOMRAN.A";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "Antimydoom";
-exp[i] = "PACKAGE.EXE";
+nname[i] = "Doomran.a";
+url[i] = "http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_DOOMRAN.A";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "Antimydoom";
+exp[i] = "PACKAGE.EXE";
i++;
-name[i] = "Beagle.m";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.m@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "winupd.exe";
-exp[i] = "winupd.exe";
+nname[i] = "Beagle.m";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.m@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "winupd.exe";
+exp[i] = "winupd.exe";
i++;
-name[i] = "Beagle.j";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "ssate.exe";
-exp[i] = "irun4.exe";
+nname[i] = "Beagle.j";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "ssate.exe";
+exp[i] = "irun4.exe";
i++;
-name[i] = "Agobot.FO";
-url[i] = "http://www.f-secure.com/v-descs/agobot_fo.shtml";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "nVidia Chip4";
-exp[i] = "nvchip4.exe";
+nname[i] = "Agobot.FO";
+url[i] = "http://www.f-secure.com/v-descs/agobot_fo.shtml";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "nVidia Chip4";
+exp[i] = "nvchip4.exe";
i ++;
-name[i] = "NetSky.W";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.w@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "NetDy";
-exp[i] = "VisualGuard.exe";
+nname[i] = "NetSky.W";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.w@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "NetDy";
+exp[i] = "VisualGuard.exe";
-
i++;
-name[i] = "Sasser";
-url[i] = "http://www.lurhq.com/sasser.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "avserve.exe";
-exp[i] = "avserve.exe";
+nname[i] = "Sasser";
+url[i] = "http://www.lurhq.com/sasser.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "avserve.exe";
+exp[i] = "avserve.exe";
i++;
-name[i] = "Sasser.C";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "avserve2.exe";
-exp[i] = "avserve2.exe";
+nname[i] = "Sasser.C";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "avserve2.exe";
+exp[i] = "avserve2.exe";
i++;
-name[i] = "W32.Wallon.A";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.wallon.a@mm.html";
-key[i] = "SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}";
-item[i] = "Icon";
-exp[i] = NULL;
+nname[i] = "W32.Wallon.A";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.wallon.a@mm.html";
+key[i] = "SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}";
+item[i] = "Icon";
+exp[i] = NULL;
-
i++;
-name[i] = "W32.MyDoom.M / W32.MyDoom.AX";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "JavaVM";
-exp[i] = "JAVA.EXE";
+nname[i] = "W32.MyDoom.M / W32.MyDoom.AX";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "JavaVM";
+exp[i] = "JAVA.EXE";
i++;
-name[i] = "W32.MyDoom.AI";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ai@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "lsass";
-exp[i] = "lsasrv.exe";
+nname[i] = "W32.MyDoom.AI";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ai@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "lsass";
+exp[i] = "lsasrv.exe";
i++;
-name[i] = "W32.aimdes.b / W32.aimdes.c";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.aimdes.c@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "MsVBdll";
-exp[i] = "sys32dll.exe";
+nname[i] = "W32.aimdes.b / W32.aimdes.c";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.aimdes.c@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "MsVBdll";
+exp[i] = "sys32dll.exe";
-
i++;
-name[i] = "W32.ahker.d";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.d@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "Norton Auto-Protect";
-exp[i] = "ccApp.exe";
+nname[i] = "W32.ahker.d";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.d@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "Norton Auto-Protect";
+exp[i] = "ccApp.exe";
i++;
-name[i] = "Trojan.Ascetic.C";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/trojan.ascetic.c.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "SystemBoot";
-exp[i] = "Help\services.exe";
+nname[i] = "Trojan.Ascetic.C";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/trojan.ascetic.c.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "SystemBoot";
+exp[i] = "Help\services.exe";
i++;
-name[i] = "W32.Alcra.A";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "p2pnetwork";
-exp[i] = "p2pnetwork.exe";
+nname[i] = "W32.Alcra.A";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "p2pnetwork";
+exp[i] = "p2pnetwork.exe";
i++;
-name[i] = "W32.Shelp";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.shelp.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "explorer";
-exp[i] = "explorer.exe";
+nname[i] = "W32.Shelp";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.shelp.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "explorer";
+exp[i] = "explorer.exe";
-
# Submitted by David Maciejak
i++;
-name[i] = "Winser-A";
-url[i] = "http://www.sophos.com/virusinfo/analyses/trojwinsera.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "nortonsantivirus";
-exp[i] = NULL;
+nname[i] = "Winser-A";
+url[i] = "http://www.sophos.com/virusinfo/analyses/trojwinsera.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "nortonsantivirus";
+exp[i] = NULL;
i++;
-name[i] = "Backdoor.Berbew.O";
+nname[i] = "Backdoor.Berbew.O";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/backdoor.berbew.o.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad";
item[i] = "Web Event Logger";
exp[i] = "{7CFBACFF-EE01-1231-ABDD-416592E5D639}";
i++;
-name[i] = "w32.beagle.az";
+nname[i] = "w32.beagle.az";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.az@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "Sysformat";
exp[i] = "sysformat.exe";
i++;
-name[i] = "Hackarmy.i";
-url[i] = "http://www.zone-h.org/en/news/read/id=4404/";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "putil";
-exp[i] = "%windir%";
+nname[i] = "Hackarmy.i";
+url[i] = "http://www.zone-h.org/en/news/read/id=4404/";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "putil";
+exp[i] = "%windir%";
i++;
-name[i] = "W32.Assiral at mm";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.assiral@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "MS_LARISSA";
-exp[i] = "MS_LARISSA.exe";
+nname[i] = "W32.Assiral at mm";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.assiral@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "MS_LARISSA";
+exp[i] = "MS_LARISSA.exe";
i++;
-name[i] = "Backdoor.Netshadow";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/backdoor.netshadow.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "Windows Logger";
-exp[i] = "winlog.exe";
+nname[i] = "Backdoor.Netshadow";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/backdoor.netshadow.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "Windows Logger";
+exp[i] = "winlog.exe";
i++;
-name[i] = "W32.Ahker.E at mm";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.e@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "Generic Host Process for Win32 Services";
-exp[i] = "bazzi.exe";
+nname[i] = "W32.Ahker.E at mm";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.e@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "Generic Host Process for Win32 Services";
+exp[i] = "bazzi.exe";
i++;
-name[i] = "W32.Bropia.R";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.r.html";
-key[i] = "Microsoft\Windows\CurrentVersion\Run";
-item[i] = "Wins32 Online";
-exp[i] = "cfgpwnz.exe";
+nname[i] = "W32.Bropia.R";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.r.html";
+key[i] = "Microsoft\Windows\CurrentVersion\Run";
+item[i] = "Wins32 Online";
+exp[i] = "cfgpwnz.exe";
i++;
-name[i] = "Trojan.Prevert";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/trojan.prevert.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "Service Controller";
-exp[i] = "%System%\service.exe";
+nname[i] = "Trojan.Prevert";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/trojan.prevert.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "Service Controller";
+exp[i] = "%System%\service.exe";
i++;
-name[i] = "W32.AllocUp.A";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.allocup.a.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = ".msfupdate";
-exp[i] = "%System%\msveup.exe";
+nname[i] = "W32.AllocUp.A";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.allocup.a.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = ".msfupdate";
+exp[i] = "%System%\msveup.exe";
i++;
-name[i] = "W32.Kelvir.M";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.m.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "LSASS32";
-exp[i] = "Isass32.exe";
+nname[i] = "W32.Kelvir.M";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.m.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "LSASS32";
+exp[i] = "Isass32.exe";
i++;
-name[i] = "VBS.Ypsan.B at mm";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/vbs.ypsan.b@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "BootsCfg";
-exp[i] = "wscript.exe C:\WINDOWS\System\Back ups\Bkupinstall.vbs";
+nname[i] = "VBS.Ypsan.B at mm";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/vbs.ypsan.b@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "BootsCfg";
+exp[i] = "wscript.exe C:\WINDOWS\System\Back ups\Bkupinstall.vbs";
i++;
-name[i] = "W32.Mytob.AA at mm";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.aa@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "MSN MESSENGER";
-exp[i] = "msnmsgs.exe";
+nname[i] = "W32.Mytob.AA at mm";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.aa@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "MSN MESSENGER";
+exp[i] = "msnmsgs.exe";
i++;
-name[i] = "Dialer.Asdplug";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/dialer.asdplug.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "ASDPLUGIN";
-exp[i] = "exe -N";
+nname[i] = "Dialer.Asdplug";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/dialer.asdplug.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "ASDPLUGIN";
+exp[i] = "exe -N";
-
-
# Submitted by Jeff Adams
i++;
-name[i] = "W32.Erkez.D/Zafi.D";
-url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.d@mm.html";
-key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
-item[i] = "Wxp4";
-exp[i] = "Norton Update";
+nname[i] = "W32.Erkez.D/Zafi.D";
+url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.d@mm.html";
+key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
+item[i] = "Wxp4";
+exp[i] = "Norton Update";
i ++;
-name[i] = "W32.blackmal.e at mm (CME-24)";
+nname[i] = "W32.blackmal.e at mm (CME-24)";
url[i] = "http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "ScanRegistry";
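Review bot: The W32.Bropia.R entry in this table sets `key[i] = "Microsoft\Windows\CurrentVersion\Run";` without the `SOFTWARE\` prefix every other Run-key entry uses, so with the `registry_key_exists()` gate now at the top of check_reg that signature can never match and the worm is silently never reported; it should read `key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";`. The removed line carried the same malformed key, so this is inherited rather than introduced here, but the rewrite of the table is the natural place to fix it. Separately, the `exp` strings containing `%System%` (Welchia, Trojan.Prevert, W32.AllocUp.A) look like vendor write-up placeholders rather than text that would appear in a live registry value, so those substring matches presumably never fire either — worth confirming against the referenced write-ups.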
@@ -633,7 +548,7 @@
i ++;
-name[i] = "W32.Randex.GEL";
+nname[i] = "W32.Randex.GEL";
url[i] = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
item[i] = "MS Java for Windows XP & NT";
@@ -641,7 +556,7 @@
i ++;
-name[i] = "W32.Randex.GEL";
+nname[i] = "W32.Randex.GEL";
url[i] = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
item[i] = "MS Java for Windows NT";
@@ -649,7 +564,7 @@
i ++;
-name[i] = "W32.Randex.GEL";
+nname[i] = "W32.Randex.GEL";
url[i] = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
item[i] = "MS Java Applets for Windows NT, ME & XP";
@@ -657,7 +572,7 @@
i ++;
-name[i] = "W32.Randex.GEL";
+nname[i] = "W32.Randex.GEL";
url[i] = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
item[i] = "Sun Java Console for Windows NT & XP";
@@ -665,7 +580,7 @@
i ++;
-name[i] = "W32.Fujacks.A";
+nname[i] = "W32.Fujacks.A";
url[i] = "http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-111415-0546-99";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "svohost";
@@ -674,59 +589,37 @@
i ++;
-name[i] = "W32.Fujacks.B";
+nname[i] = "W32.Fujacks.B";
url[i] = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-112912-5601-99&tabid=2";
key[i] = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] = "svcshare";
exp[i] = "spoclsv.exe";
-for(i=0;name[i];i++)
+for(i=0;nname[i];i++)
{
- check_reg(name:name[i], url:url[i], key:key[i], item:item[i], exp:exp[i]);
+ check_reg(nname:nname[i], url:url[i], key:key[i], item:item[i], exp:exp[i]);
}
-
-
-
-RegCloseKey(handle:handle);
-NetUseDel(close:FALSE);
-
-rootfile = hotfix_get_systemroot();
+rootfile = smb_get_systemroot();
if ( ! rootfile ) exit(0);
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile);
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\system.ini", string:rootfile);
+off = 0;
+resp = read_file(file:file, share:share, offset:off, count:16384);
+if(resp) {
+ data = resp;
+ while(strlen(resp) >= 16383)
+ {
+ off += strlen(resp);
+ resp = read_file(file:file, share:share, offset:off, count:16384);
+ data += resp;
+ if(strlen(data) > 1024 * 1024)break;
+ }
-r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-if ( r != 1 )
-{
- NetUseDel();
- exit(1);
-}
-
-
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
-{
- off = 0;
- resp = ReadFile(handle:handle, length:16384, offset:off);
- data = resp;
- while(strlen(resp) >= 16383)
- {
- off += strlen(resp);
- resp = ReadFile(handle:handle, length:16384, offset:off);
- data += resp;
- if(strlen(data) > 1024 * 1024)break;
- }
-
-
- CloseFile(handle:handle);
-
-
if("shell=explorer.exe load.exe -dontrunold" >< data)
- {
+ {
report = string(
"The virus 'W32.Nimda.A at mm' is present on the remote host\n",
"Solution : http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html\n",
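Review bot: The removed `NetUseAdd`/`exit(1)` guard has no replacement, so when the admin share cannot be reached every `read_file()` from here on returns nothing and each file-based check quietly reads as "not infected" instead of the scan stopping as inconclusive — a false-negative path an operator cannot see. The `share` and `file` values are also taken on trust: if `smb_get_systemroot()` returns something that does not start with a drive letter, both `ereg_replace` calls leave it unchanged and the share name is garbage. Since system.ini is the first thing read, a cheap guard is `if(!ereg(pattern:"^[A-Za-z]:", string:rootfile)) exit(0);` after the rootfile check and `if(!resp) exit(0);` ahead of the `if(resp)` block, treating an unreadable system.ini as an unreachable share — assuming read_file's failure return is falsy, which smb_nt.inc would have to confirm. The `if(resp)` block opened here closes outside this hunk.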
@@ -737,39 +630,33 @@
}
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\goner.scr", string:rootfile);
+handle = read_file(file:file, share:share, offset:0, count:8);
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
+if(handle)
{
report = string(
"The virus 'W32.Goner.A at mm' is present on the remote host\n",
"Solution : http://www.symantec.com/avcenter/venc/data/w32.goner.a@mm.html\n",
"Risk factor : High");
security_hole(port:port, data:report);
- CloseFile(handle:handle);
}
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\winxp.exe", string:rootfile);
+handle = read_file(file:file, share:share, offset:0, count:8);
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
+if(handle)
{
report = string(
"The virus 'W32.Bable.AG at mm' is present on the remote host\n",
"Solution : http://www.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html\n",
"Risk factor : High");
security_hole(port:port, data:report);
- CloseFile(handle:handle);
}
-
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\dnkkq.dll", string:rootfile);
+handle = read_file(file:file, share:share, offset:0, count:8);
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
+if(handle)
{
report = string(
"The backdoor 'Backdoor.Berbew.K' is present on the remote host\n",
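Review bot: Each file check now keys on the content of an 8-byte `read_file()` rather than on whether the open succeeded, so a zero-length goner.scr, winxp.exe or dnkkq.dll — which the old `CreateFile`/`isnull(handle)` test flagged — presumably yields an empty string, `if(handle)` is false and the finding is lost; a stub or partially written dropper file is exactly what an existence check is meant to catch. If smb_nt.inc offers a size or existence query, use that instead; otherwise at least document the limitation next to the first call, e.g. `# read_file() returns the first 8 bytes; an empty file is treated as absent`. The variable is also still named `handle` although it now holds file bytes, which misleads — `content` or `head` would read correctly.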
@@ -786,91 +673,61 @@
Solution : http://securityresponse.symantec.com/avcenter/venc/data/backdoor.berbew.k.html
Risk factor : High");
security_hole(port:port, data:report);
- CloseFile(handle:handle);
}
-
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Swen1.dat", string:rootfile);
+handle = read_file(file:file, share:share, offset:0, count:8);
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
+if(handle)
{
report = string(
"The virus 'W32.Swen.A at mm' is present on the remote host\n",
"Solution : http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html\n",
"Risk factor : High");
security_hole(port:port, data:report);
- CloseFile(handle:handle);
}
-
# Submitted by Josh Zlatin-Amishav
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:rootfile);
-#trojanname = raw_string(0xFF, 0x73, 0x76, 0x63, 0x68, 0x6F, 0x73, 0x74, 0x2E, 0x65,0x78, 0x65);
trojanname = raw_string(0xa0, 0x73, 0x76, 0x63, 0x68, 0x6F, 0x73, 0x74, 0x2E, 0x65,0x78, 0x65);
-handle = CreateFile (file:string(file, "\\System32\\",trojanname),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_HIDDEN,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+handle = read_file(file:string(file, "\\System32\\",trojanname), share:share, offset:0, count:8);
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\_svchost.exe"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\_svchost.exe"), share:share, offset:0, count:8);
-if ( isnull(handle) )
- handle = CreateFile (file:string(file, "\\System32\\Outlook Express"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\Outlook Express"), share:share, offset:0, count:8);
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\CFXP.DRV"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\CFXP.DRV"), share:share, offset:0, count:8);
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\CHJO.DRV"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\CHJO.DRV"), share:share, offset:0, count:8);
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\MMSYSTEM.DLX"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\MMSYSTEM.DLX"), share:share, offset:0, count:8);
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\OLECLI.DLX"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\OLECLI.DLX"), share:share, offset:0, count:8);
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\Windll.dlx"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\Windll.dlx"), share:share, offset:0, count:8);
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\Activity.AVI"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\Activity.AVI"), share:share, offset:0, count:8);
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\Upgrade.AVI"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\Upgrade.AVI"), share:share, offset:0, count:8);
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\System.lst"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\System.lst"), share:share, offset:0, count:8);
-if ( isnull(handle) )
-handle = CreateFile (file:string(file, "\\System32\\PF30txt.dlx"),
- desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
+if (!handle)
+handle = read_file(file:string(file, "\\System32\\PF30txt.dlx"), share:share, offset:0, count:8);
-if( ! isnull(handle) )
+if(handle)
{
report = string(
"The trojan 'hotword' is present on the remote host\n",
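Review bot: The twelve repeated `if (!handle) handle = read_file(...)` lines are a hand-unrolled loop over file names, and the sober check a few lines further down already expresses the same idea as `foreach f (make_list(...))` with a `break`; this block should use the same shape so a new hotword artefact is one list entry rather than two more copied lines, and so the `System32\\` prefix and the `share`/`count` arguments live in one place. The report block that follows is left as it is. The rewritten lines would be:
```nasl
# Submitted by Josh Zlatin-Amishav
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:rootfile);
trojanname = raw_string(0xa0, 0x73, 0x76, 0x63, 0x68, 0x6F, 0x73, 0x74, 0x2E, 0x65,0x78, 0x65);
hotword_files = make_list(trojanname, "_svchost.exe", "Outlook Express", "CFXP.DRV",
                          "CHJO.DRV", "MMSYSTEM.DLX", "OLECLI.DLX", "Windll.dlx",
                          "Activity.AVI", "Upgrade.AVI", "System.lst", "PF30txt.dlx");
foreach f (hotword_files)
{
  handle = read_file(file:string(file, "\\System32\\", f), share:share, offset:0, count:8);
  if(handle) break;
}
if(handle)
{
  # … unchanged: hotword report and security_hole() …
```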
@@ -881,9 +738,6 @@
security_hole(port:port, data:report);
}
-
-
-
# Submitted by David Maciejak
sober = make_list("nonzipsr.noz",
@@ -903,44 +757,36 @@
foreach f (sober)
{
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\" + f, string:rootfile);
- handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
- if( ! isnull(handle) )
+ handle = read_file(file:file, share:share, offset:0, count:8);
+ if(handle)
{
report = string(
"The virus 'Sober.i at mm' is present on the remote host\n",
"Solution : http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html\n",
"Risk factor : High");
security_hole(port:port, data:report);
- CloseFile(handle:handle);
+ break;
}
}
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\wgareg.exe", string:rootfile);
-
-handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
-if( ! isnull(handle) )
+handle = read_file(file:file, share:share, offset:0, count:8);
+if(handle)
{
report = string(
"The virus 'W32.Wargbot at mm' is present on the remote host\n",
"Solution : http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99\n",
"Risk factor : High");
security_hole(port:port, data:report);
- CloseFile(handle:handle);
}
-
-
# Submitted by Josh Zlatin-Amishav
foreach f (make_list("zsydll.dll", "zsyhide.dll"))
{
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\" + f, string:rootfile);
-
- handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
- if( ! isnull(handle) )
+ handle = read_file(file:file, share:share, offset:0, count:8);
+ if(handle)
{
report = string(
"The backdoor 'W32.Backdoor.Ginwui.B' is present on the remote host\n",
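Review bot: `if(handle)` after `handle = read_file(file:file, share:share, offset:0, count:8);` now tests the bytes returned rather than the existence that the CreateFile/isnull pair used to test, so a marker file that is present but zero length (or a read that yields an empty string) is no longer reported; the same applies to the wgareg.exe and Ginwui checks further down and, by inference, to the hotword block in the previous hunk. If that is acceptable, record it next to the first call, e.g. `# read_file() returns content, not a handle: a present but empty file is treated as absent`; otherwise a length-independent existence test is needed. The variable is still called `handle` although it now holds file data, so `data` would read more honestly. `share` is assigned outside this hunk.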
@@ -948,8 +794,8 @@
"Solution : Use latest anti-virus signatures to clean the machine.\n",
"Risk factor : High");
security_hole(port:port, data:report);
- CloseFile(handle:handle);
+ break;
}
-}
+}
-NetUseDel();
+exit(0);
Modified: trunk/openvas-plugins/scripts/spysweeper_corp_installed.nasl
===================================================================
--- trunk/openvas-plugins/scripts/spysweeper_corp_installed.nasl 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/spysweeper_corp_installed.nasl 2009-10-14 08:39:10 UTC (rev 5535)
@@ -29,14 +29,22 @@
script_copyright("This script is Copyright (C) 2004-2005 Jeff Adams / Tenable Network Security");
family = "Windows";
script_family(family);
- script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_registry_access.nasl", "smb_enum_services.nasl");
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_full_access", "SMB/transport");
- script_require_ports(139, 445);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/Registry/Enumerated");
+ script_require_ports(139, 445);
exit(0);
}
-include("smb_func.inc");
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+if(get_kb_item("SMB/samba"))exit(0);
+
#==================================================================#
# Section 1. Utilities #
#==================================================================#
@@ -51,13 +59,18 @@
key = "SOFTWARE\Webroot\Enterprise\CommAgent\";
item = "sdfv";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
- value = RegQueryValue(handle:key_h, item:item);
- RegCloseKey (handle:key_h);
+ if(!registry_key_exists(key:key)){
+ return NULL;
+ }
- set_kb_item(name: "Antivirus/SpySweeperEnt/signature", value:value[1]);
- return value[1];
+ value = registry_get_sz(item:item, key:key);
+ if(value) {
+ set_kb_item(name: "Antivirus/SpySweeperEnt/signature", value:value);
+ return value;
+ } else {
+ return NULL;
+ }
}
@@ -70,100 +83,36 @@
{
local_var key, item, key_h, value;
- key = "SOFTWARE\Webroot\Enterprise\Spy Sweeper";
- key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
- if (!isnull(key_h)) {
- value = RegQueryValue(handle:key_h, item:"id");
- if (!isnull(value)) path = value[1];
+ key = "SOFTWARE\Webroot\Enterprise\Spy Sweeper\";
+ if (registry_key_exists(key:key)) {
+ value = registry_get_sz(item:"id", key:key);
+ if (value) path = value;
else path = NULL;
-
- RegCloseKey(handle:key_h);
}
else path = NULL;
-
- RegCloseKey(handle:hklm);
-
if (isnull(path)) {
- NetUseDel();
exit(0);
}
- share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
- exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\SpySweeperUI.exe", string:path);
-
- conn = NetUseAdd(login:login, password:pass, domain:domain, share:share);
- if (conn != 1) {
- NetUseDel();
- exit(0);
- }
-
- fh = CreateFile(
- file:exe,
- desired_access:GENERIC_READ,
- file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ,
- create_disposition:OPEN_EXISTING
- );
-
- if (isnull(fh))
- {
- NetUseDel();
- exit(0);
- }
-
- version = GetFileVersion(handle:fh);
- CloseFile(handle:fh);
-
+ file = path + "\SpySweeperUI.exe";
+ version = GetVersionFromFile(file:file);
if (isnull(version))
{
ver = "Unable to determine version";
set_kb_item(name: "Antivirus/SpySweeperEnt/version", value:ver);
- NetUseDel();
exit(0);
}
- ver = string(version[0], ".", version[1], ".", version[2], ".", version[3]);
+ ver = string(version);
set_kb_item(name: "Antivirus/SpySweeperEnt/version", value:ver);
return ver;
}
-
#==================================================================#
# Section 2. Main code #
#==================================================================#
-
-services = get_kb_item("SMB/svcs");
-#if ( ! services ) exit(0);
-
-access = get_kb_item("SMB/registry_full_access");
-if( ! access )exit(0);
-
-port = get_kb_item("SMB/transport");
-if(!port)port = 139;
-
-name = kb_smb_name(); if(!name)exit(0);
-login = kb_smb_login();
-pass = kb_smb_password();
-domain = kb_smb_domain();
-port = kb_smb_transport();
-
-if ( ! get_port_state(port) ) exit(0);
-soc = open_sock_tcp(port);
-if ( ! soc ) exit(0);
-
-session_init(socket:soc, hostname:name);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( r != 1 ) exit(0);
-
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if ( isnull(hklm) )
-{
- NetUseDel();
- exit(0);
-}
-
#-------------------------------------------------------------#
# Checks if Spy Sweeper Enterprise is installed #
#-------------------------------------------------------------#
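Review bot: `local_var key, item, key_h, value;` still declares `key_h`, which no longer appears anywhere in the rewritten body, while `path`, `file`, `version` and `ver` are assigned without being declared local, so `local_var key, item, value, path, file, version, ver;` would match what the function now uses. `file = path + "\SpySweeperUI.exe";` hands GetVersionFromFile a drive-letter path where the old code split it into a share and a relative path; presumably the helper does that conversion itself, but it is worth confirming. Likewise `ver = string(version);` replaces the four-part dotted assembly, which is only equivalent if GetVersionFromFile already returns the dotted string. The function's signature lies before this hunk.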
@@ -172,17 +121,14 @@
key = "SOFTWARE\Webroot\Enterprise\Spy Sweeper\";
item = "id";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( ! isnull(key_h) )
+
+if (registry_key_exists(key:key))
{
- value = RegQueryValue(handle:key_h, item:item);
- RegCloseKey (handle:key_h);
+ value = registry_get_sz(item:item, key:key);
}
-if ( isnull ( value ) )
+if (!value)
{
- RegCloseKey(handle:hklm);
- NetUseDel();
exit(0);
}
@@ -197,21 +143,19 @@
key = "SOFTWARE\Webroot\Enterprise\CommAgent\";
item = "su";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if ( ! isnull(key_h) )
+
+if (registry_key_exists(key:key))
{
- value = RegQueryValue(handle:key_h, item:item);
- RegCloseKey (handle:key_h);
+ value = registry_get_sz(item:item, key:key);
}
-if ( strlen (value[1]) <=1 )
+if ( strlen (value) <=1 )
{
set_kb_item(name: "Antivirus/SpySweeperEnt/noparent", value:TRUE);
- RegCloseKey(handle:hklm);
}
else
{
- set_kb_item(name: "Antivirus/SpySweeperEnt/parent", value:value[1]);
+ set_kb_item(name: "Antivirus/SpySweeperEnt/parent", value:value);
}
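Review bot: `value` is not reset before `if (registry_key_exists(key:key))` in the CommAgent block, so when `SOFTWARE\Webroot\Enterprise\CommAgent\` is absent `value` still holds the Spy Sweeper `id` read in the previous block and `if ( strlen (value) <=1 )` then records that id under `Antivirus/SpySweeperEnt/parent`. The RegOpenKey form it replaces had the same gap, but since these lines are being rewritten, put `value = NULL;` on the added blank line before the `if`. The `id` lookup in the preceding hunk has the same shape, though there `value` is unset on first use.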
#-------------------------------------------------------------#
@@ -219,13 +163,14 @@
#-------------------------------------------------------------#
current_signature_version = check_signature_version ();
-
#-------------------------------------------------------------#
# Checks if Spy Sweeper is running #
# Both of these need to running in order to ensure proper #
# operation. #
#-------------------------------------------------------------#
+#services = get_kb_item("SMB/svcs"); # Waiting for smb_enum_services.nasl (LSS)
+
if ( services )
{
if (("WebrootSpySweeperService" >!< services) || ("Webroot CommAgent Service" >!< services))
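Review bot: `if ( services )` tests a variable that the new code no longer assigns anywhere visible: the `services = get_kb_item("SMB/svcs")` line is commented out here and the earlier assignment was removed in the Section 2 hunk, so the running-state branch inside it presumably never executes. If that is intended until smb_enum_services.nasl is available, make it explicit with `services = NULL; # TODO: restore get_kb_item("SMB/svcs") once smb_enum_services.nasl is available (LSS)` rather than relying on an undefined name evaluating false. The block continues past the end of the hunk.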
@@ -234,20 +179,12 @@
running = 1;
}
-
#-------------------------------------------------------------#
# Checks the product version #
#-------------------------------------------------------------#
product_version = check_product_version ();
+if(!product_version && !current_signature_version)exit(0);
-
-#-------------------------------------------------------------#
-# Section 3. Clean up #
-#-------------------------------------------------------------#
-
-RegCloseKey (handle:hklm);
-NetUseDel();
-
#==================================================================#
# Section 4. Final Report #
#==================================================================#
@@ -277,17 +214,17 @@
# Updates are located here:
# http://www.webroot.com/entcenter/index.php
virus = "";
-
-if ( int(current_signature_version) < int(virus) )
-{
- report += "The remote host has an out-dated version of the Spy
+if(current_signature_version && current_signature_version>0) {
+ if ( int(current_signature_version) < int(virus) )
+ {
+ report += "The remote host has an out-dated version of the Spy
Sweeper virus signatures. Last version is " + virus + "
-";
- warning = 1;
+ ";
+ warning = 1;
+ }
}
-
#
# Check if antivirus is running
#
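Review bot: `int(current_signature_version) < int(virus)` can never be true because `virus = "";` two lines above makes `int(virus)` zero, so the new `current_signature_version>0` guard only wraps a comparison that is already dead and the out-of-date-signature warning is never issued. Either maintain a reference value in `virus` as the comment above it implies, or drop the block and say why, e.g. `# signature-age check disabled: no reference version is maintained in 'virus'`. `current_signature_version>0` also compares a registry string with an integer; `int(current_signature_version) > 0` is the explicit form.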
Modified: trunk/openvas-plugins/scripts/xot_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/xot_detect.nasl 2009-10-14 07:54:12 UTC (rev 5534)
+++ trunk/openvas-plugins/scripts/xot_detect.nasl 2009-10-14 08:39:10 UTC (rev 5535)
@@ -44,7 +44,7 @@
# XOT is not silent: it abruptly closes the connection when it receives
# invalid data
-if (silent_service(port)) exit(0);
+#if (silent_service(port)) exit(0);
# By the way, GET and HELP are definitely invalid. So...
b = get_unknown_banner(port: port, dontfetch: 1);