smb_virii.nasl

来自「漏洞扫描源码,可以扫描linux,windows,交换机路由器」· NASL 代码 · 共 956 行 · 第 1/2 页

#
# (C) Tenable Network Security
#
# This script is released under the GPLv2
#
# kst-depend-smb

if(description)
{
 script_id(80043);

 script_version("$Revision: 1.71 $");

 name["english"] = "The remote host is infected by a virus";

 script_name(english:name["english"]);
 
 desc["english"] = "
This script checks for the presence of different virii on the remote
host, by using the SMB credentials you provide Nessus with.

- W32/Badtrans-B
- JS_GIGGER.A@mm
- W32/Vote-A
- W32/Vote-B
- CodeRed
- W32.Sircam.Worm@mm
- W32.HLLW.Fizzer@mm
- W32.Sobig.B@mm
- W32.Sobig.E@mm
- W32.Sobig.F@mm
- W32.Sobig.C@mm
- W32.Yaha.J@mm
- W32.mimail.a@mm
- W32.mimail.c@mm
- W32.mimail.e@mm
- W32.mimail.l@mm
- W32.mimail.p@mm
- W32.Welchia.Worm
- W32.Randex.Worm
- W32.Beagle.A
- W32.Novarg.A
- Vesser
- NetSky.C
- Doomran.a
- Beagle.m
- Beagle.j
- Agobot.FO
- NetSky.W
- Sasser
- W32.Wallon.A
- W32.MyDoom.M
- W32.MyDoom.AI
- W32.MyDoom.AX
- W32.Aimdes.B
- W32.Aimdes.C
- W32.ahker.D
- Hackarmy.i
- W32.Erkez.D/Zafi.d
- Winser-A
- Berbew.K
- Hotword.b
- W32.Backdoor.Ginwui.B
- W32.Wargbot
- W32.Randex.GEL
- W32.Fujacks.B
	
Risk factor : High
Solution : See the URLs which will appear in the report";


 script_description(english:desc["english"]);
 
 summary["english"] = "Checks for the presence of different virii on the remote host";

 script_summary(english:summary["english"]);
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2005 Tenable Network Security");
 family["english"] = "Windows";
 script_family(english:family["english"]);
 
 script_dependencies("netbios_name_get.nasl",
 		     "smb_login.nasl","smb_registry_access.nasl");
 script_require_keys("SMB/name", "SMB/login", "SMB/password",  "SMB/registry_access");

 script_require_ports(139, 445);
 exit(0);
}

include("smb_func.inc");
include("smb_hotfixes.inc");
if ( get_kb_item("SMB/samba") ) exit(0);

global_var handle;

name = kb_smb_name();
if(!name)exit(0);

port = kb_smb_transport();
if(!port)exit(0);

if(!get_port_state(port))return(FALSE);
login = kb_smb_login();
pass  = kb_smb_password();
domain = kb_smb_domain();

if(!login)login = "";
if(!pass) pass = "";

	  
soc = open_sock_tcp(port);
if(!soc) exit(0);

session_init(socket:soc, hostname:name);
ret = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if ( ret != 1 ) exit(0);
handle = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if ( isnull(handle) ) exit(0);

run = "SOFTWARE\Microsoft\Windows\CurrentVersion";
key_h = RegOpenKey(handle:handle, key:run, mode:MAXIMUM_ALLOWED);
n = 0;

if ( ! isnull(key_h) ) 
{
 info = RegQueryInfoKey(handle:key_h);
 if ( ! isnull(info) ) 
 {
  for ( i = 0 ; i != info[0] ; i ++ )
  {
   value = RegEnumValue(handle:key_h, index:i);
   if ( isnull(value) ) break;

   content = RegQueryValue(handle:key_h, item:value[1]);
   run_content[n++] = value[1];
   run_content[n++] = content[1];
  }
 }
}

RegCloseKey(handle:key_h);

function check_reg(name, url, key, item, exp)
{
  local_var key_h, sz, i, report;

  # Look in our local "cache" first
  if ( key == "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" )
  {
    for ( i = 0 ; run_content[i]; i += 2 )
	{
	  if ( run_content[i] == item )
		{
		 if ( exp == NULL ) return TRUE;
		 else if ( tolower(exp) >< tolower(run_content[i+1]) ) return TRUE;
		 else return FALSE;
		}
	} 
    return FALSE;
  }

  key_h = RegOpenKey(handle:handle, key:key, mode:MAXIMUM_ALLOWED);
  if  ( ! isnull(key_h) )
  {
    value = RegQueryValue(handle:key_h, item:item);
    RegCloseKey(handle:key_h);
    if ( isnull(value) ) return 0;
  }
  else return 0;
  
 if(exp == NULL || tolower(exp) >< tolower(value))
 {
  report = string(
"The virus '", name, "' is present on the remote host\n",
"Solution : ", url, "\n",
"Risk factor : High");
 
  security_hole(port:kb_smb_transport(), data:report);
 }
}




i = 0;
name = NULL;

# http://www.infos3000.com/infosvirus/badtransb.htm
name[i] 	= "W32/Badtrans-B";
url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html";
key[i] 		= "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce";
item[i] 	= "kernel32";
exp[i]		= "kernel32.exe";

i++;

# http://www.infos3000.com/infosvirus/jsgiggera.htm
name[i] 	= "JS_GIGGER.A@mm";
url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/js.gigger.a@mm.html";
key[i] 		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i] 	= "NAV DefAlert";
exp[i]		= NULL;

i ++;

# http://www.infos3000.com/infosvirus/vote%20a.htm
name[i]		= "W32/Vote-A";
url[i]		= "http://www.sophos.com/virusinfo/analyses/w32vote-a.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "Norton.Thar";
exp[i]		= "zacker.vbs";

i++ ;

name[i]         = "W32/Vote-B";
url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.vote.b@mm.html";
key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]         = "ZaCker";
exp[i]          = "DaLaL.vbs";

i ++;

# http://www.infos3000.com/infosvirus/codered.htm
name[i]		= "CodeRed";
url[i]		= "http://www.symantec.com/avcenter/venc/data/codered.worm.html";
key[i]		= "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters";
item[i]		= "VirtualRootsVC";
exp[i]		= "c:\,,217";

i ++;

# http://www.infos3000.com/infosvirus/w32sircam.htm
name[i]		= "W32.Sircam.Worm@mm";
url[i]		= "http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
item[i]		= "Driver32";
exp[i] 		= "scam32.exe";

i++;

name[i]  	= "W32.HLLW.Fizzer@mm";
url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "SystemInit";
exp[i]		= "iservc.exe";

i++;

name[i]  	= "W32.Sobig.B@mm";
url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.b@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "SystemTray";
exp[i]		= "msccn32.exe";

i ++;

name[i]		= "W32.Sobig.E@mm";
url[i]		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "SSK Service";
exp[i]		= "winssk32.exe";

i ++;

name[i]		= "W32.Sobig.F@mm";
url[i]		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "TrayX";
exp[i]		= "winppr32.exe";

i ++;

name[i]		= "W32.Sobig.C@mm";
url[i]		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "System MScvb";
exp[i]		= "mscvb32.exe";

i ++;

name[i] 	= "W32.Yaha.J@mm";
url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.j@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "winreg";
exp[i]		= "winReg.exe";


i++;

name[i] 	= "W32.mimail.a@mm";
url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "VideoDriver";
exp[i]		= "videodrv.exe";


i++;

name[i] 	= "W32.mimail.c@mm";
url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "NetWatch32";
exp[i]		= "netwatch.exe";

i++;

name[i] 	= "W32.mimail.e@mm";
url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.e@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "SystemLoad32";
exp[i]		= "sysload32.exe";

i++;
name[i] 	= "W32.mimail.l@mm";
url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.l@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "France";
exp[i]		= "svchost.exe";

i++;
name[i] 	= "W32.mimail.p@mm";
url[i] 		= "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.p@mm.html";
key[i]		= "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]		= "WinMgr32";
exp[i]		= "winmgr32.exe";

i++;

name[i]        = "W32.Welchia.Worm";
url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html";
key[i]         = "SYSTEM\CurrentControlSet\Services\RpcTftpd";
item[i]        = "ImagePath";
exp[i]         = "%System%\wins\svchost.exe";


i++;

name[i]        = "W32.Randex.Worm";
url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.b.html";
key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]        = "superslut";
exp[i]         = "msslut32.exe";

i++;

name[i]        = "W32.Randex.Worm";
url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.c.html";
key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]        = "Microsoft Netview";
exp[i]         = "gesfm32.exe";

i++;

name[i]        = "W32.Randex.Worm";
url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]        = "mssyslanhelper";
exp[i]         = "msmsgri32.exe";


i++;

name[i]        = "W32.Randex.Worm";
url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]        = "mslanhelper";
exp[i]         = "msmsgri32.exe";

i ++;
name[i]        = "W32.Beagle.A";
url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html";
key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]        = "d3update.exe";
exp[i]         = "bbeagle.exe";

i ++;

name[i]        = "W32.Novarg.A";
url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html";
key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]        = "TaskMon";
exp[i]         = "taskmon.exe";

i++;

name[i]       = "Vesser";
url[i]        = "http://www.f-secure.com/v-descs/vesser.shtml";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "KernelFaultChk";
exp[i]        = "sms.exe";

i++;

name[i]       = "NetSky.C";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.c@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "ICQ Net";
exp[i]        = "winlogon.exe";


i++;

name[i]      = "Doomran.a";
url[i]       = "http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_DOOMRAN.A";
key[i]       = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]      = "Antimydoom";
exp[i]       = "PACKAGE.EXE";

i++;

name[i]      = "Beagle.m";
url[i]       = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.m@mm.html";
key[i]       = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]      = "winupd.exe";
exp[i]       = "winupd.exe";

i++;

name[i]      = "Beagle.j";
url[i]       = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html";
key[i]       = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]      = "ssate.exe";
exp[i]       = "irun4.exe";

i++;

name[i]      = "Agobot.FO";
url[i]       = "http://www.f-secure.com/v-descs/agobot_fo.shtml";
key[i]       = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]      = "nVidia Chip4";
exp[i]       = "nvchip4.exe";

i ++;
name[i]       = "NetSky.W";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.w@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "NetDy";
exp[i]        = "VisualGuard.exe";


i++;
name[i]       = "Sasser";
url[i]        = "http://www.lurhq.com/sasser.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "avserve.exe";
exp[i]        = "avserve.exe";

i++;
name[i]       = "Sasser.C";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "avserve2.exe";
exp[i]        = "avserve2.exe";

i++;
name[i]       = "W32.Wallon.A";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.wallon.a@mm.html";
key[i]        = "SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}";
item[i]       = "Icon";
exp[i]        = NULL;


i++;
name[i]       = "W32.MyDoom.M / W32.MyDoom.AX";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "JavaVM";
exp[i]        = "JAVA.EXE";

i++;
name[i]       = "W32.MyDoom.AI";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ai@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "lsass";
exp[i]        = "lsasrv.exe";