smb_virii.nasl

来自「漏洞扫描源码,可以扫描linux,windows,交换机路由器」· NASL 代码 · 共 956 行 · 第 1/2 页

i++;
name[i]       = "W32.aimdes.b / W32.aimdes.c";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.aimdes.c@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "MsVBdll";
exp[i]        = "sys32dll.exe";


i++;
name[i]       = "W32.ahker.d";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.d@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "Norton Auto-Protect";
exp[i]        = "ccApp.exe";

i++;
name[i]       = "Trojan.Ascetic.C";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/trojan.ascetic.c.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "SystemBoot";
exp[i]        = "Help\services.exe";

i++;
name[i]       = "W32.Alcra.A";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "p2pnetwork";
exp[i]        = "p2pnetwork.exe";

i++;
name[i]       = "W32.Shelp";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.shelp.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "explorer";
exp[i]        = "explorer.exe";


# Submitted by David Maciejak
i++;
name[i]       = "Winser-A";
url[i]        = "http://www.sophos.com/virusinfo/analyses/trojwinsera.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "nortonsantivirus";
exp[i]        = NULL;

i++;
name[i]         = "Backdoor.Berbew.O";
url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/backdoor.berbew.o.html";
key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad";
item[i]         = "Web Event Logger";
exp[i]          = "{7CFBACFF-EE01-1231-ABDD-416592E5D639}";

i++;
name[i]         = "w32.beagle.az";
url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.az@mm.html";
key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]         = "Sysformat";
exp[i]          = "sysformat.exe";

i++;
name[i]       = "Hackarmy.i";
url[i]        = "http://www.zone-h.org/en/news/read/id=4404/";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "putil";
exp[i]        = "%windir%";


i++;
name[i]       = "W32.Assiral@mm";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.assiral@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "MS_LARISSA";
exp[i]        = "MS_LARISSA.exe";

i++;
name[i]       = "Backdoor.Netshadow";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/backdoor.netshadow.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "Windows Logger";
exp[i]        = "winlog.exe";

i++;
name[i]       = "W32.Ahker.E@mm";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.ahker.e@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "Generic Host Process for Win32 Services";
exp[i]        = "bazzi.exe";

i++;
name[i]       = "W32.Bropia.R";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.r.html";
key[i]        = "Microsoft\Windows\CurrentVersion\Run";
item[i]       = "Wins32 Online";
exp[i]        = "cfgpwnz.exe";

i++;
name[i]       = "Trojan.Prevert";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/trojan.prevert.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "Service Controller";
exp[i]        = "%System%\service.exe";

i++;
name[i]       = "W32.AllocUp.A";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.allocup.a.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = ".msfupdate";
exp[i]        = "%System%\msveup.exe";

i++;
name[i]       = "W32.Kelvir.M";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.m.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "LSASS32";
exp[i]        = "Isass32.exe";

i++;
name[i]       = "VBS.Ypsan.B@mm";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/vbs.ypsan.b@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "BootsCfg";
exp[i]        = "wscript.exe C:\WINDOWS\System\Back ups\Bkupinstall.vbs";

i++;
name[i]       = "W32.Mytob.AA@mm";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.aa@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "MSN MESSENGER";
exp[i]        = "msnmsgs.exe";

i++;
name[i]       = "Dialer.Asdplug";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/dialer.asdplug.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "ASDPLUGIN";
exp[i]        = "exe -N";



# Submitted by Jeff Adams
i++;
name[i]       = "W32.Erkez.D/Zafi.D";
url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.d@mm.html";
key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]       = "Wxp4";
exp[i]        = "Norton Update";

i ++;

name[i]         = "W32.blackmal.e@mm (CME-24)";
url[i]          = "http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html";
key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]         = "ScanRegistry";
exp[i]          = "scanregw.exe";

i ++;

name[i]         = "W32.Randex.GEL";
url[i]          = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2";
key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
item[i]         = "MS Java for Windows XP & NT";
exp[i]          = "javanet.exe";

i ++;

name[i]         = "W32.Randex.GEL";
url[i]          = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2";
key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
item[i]         = "MS Java for Windows NT";
exp[i]          = "msjava.exe";

i ++;

name[i]         = "W32.Randex.GEL";
url[i]          = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2";
key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
item[i]         = "MS Java Applets for Windows NT, ME & XP";
exp[i]          = "japaapplets.exe";

i ++;

name[i]         = "W32.Randex.GEL";
url[i]          = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99";
key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices";
item[i]         = "Sun Java Console for Windows NT & XP";
exp[i]          = "jconsole.exe";

i ++;

name[i]         = "W32.Fujacks.A";
url[i]          = "http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-111415-0546-99";
key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]         = "svohost";
exp[i]          = "FuckJacks.exe";


i ++;

name[i]         = "W32.Fujacks.B";
url[i]          = "http://www.symantec.com/security_response/writeup.jsp?docid=2006-112912-5601-99&tabid=2";
key[i]          = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
item[i]         = "svcshare";
exp[i]          = "spoclsv.exe";

for(i=0;name[i];i++)
{
  check_reg(name:name[i], url:url[i], key:key[i], item:item[i], exp:exp[i]);
}




RegCloseKey(handle:handle);
NetUseDel(close:FALSE);

rootfile = hotfix_get_systemroot();
if ( ! rootfile ) exit(0);

share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile);
file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\system.ini", string:rootfile);


r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if ( r != 1 )
{
 NetUseDel();
 exit(1);
}


handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
if( ! isnull(handle) )
{
 off = 0;
 resp = ReadFile(handle:handle, length:16384, offset:off);
 data = resp;
 while(strlen(resp) >= 16383)
 {
  off += strlen(resp);
  resp = ReadFile(handle:handle, length:16384, offset:off);
  data += resp;
  if(strlen(data) > 1024 * 1024)break;
 }


 CloseFile(handle:handle);


 if("shell=explorer.exe load.exe -dontrunold" >< data)
 {
  report = string(
"The virus 'W32.Nimda.A@mm' is present on the remote host\n",
"Solution : http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html\n",
"Risk factor : High");
 
  security_hole(port:port, data:report);
 }
}
 
file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\goner.scr", string:rootfile); 

handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
if( ! isnull(handle) )
{
 report = string(
"The virus 'W32.Goner.A@mm' is present on the remote host\n",
"Solution : http://www.symantec.com/avcenter/venc/data/w32.goner.a@mm.html\n",
"Risk factor : High"); 
 security_hole(port:port, data:report);
 CloseFile(handle:handle);
}

file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\winxp.exe", string:rootfile); 

handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
if( ! isnull(handle) )
{
 report = string(
"The virus 'W32.Bable.AG@mm' is present on the remote host\n",
"Solution : http://www.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html\n",
"Risk factor : High"); 
 security_hole(port:port, data:report);
 CloseFile(handle:handle);
}


file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\dnkkq.dll", string:rootfile); 

handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
if( ! isnull(handle) )
{
 report = string(
"The backdoor 'Backdoor.Berbew.K' is present on the remote host\n",
"Backdoor.Berbew.K is a backdoor which is designed to intercept the logins
and passwords used by the users of the remote host and send them to a 
third party. It usually saves the gathered data in :
	System32\dnkkq.dll
	System32\datakkq32.dll
	System32\kkq32.dll

Delete these files and make sure to disable IE's Autofill feature for important
data (ie: online banking, credit cart numbers, etc...)

Solution : http://securityresponse.symantec.com/avcenter/venc/data/backdoor.berbew.k.html
Risk factor : High"); 
 security_hole(port:port, data:report);
 CloseFile(handle:handle);
}


file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Swen1.dat", string:rootfile); 

handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
if( ! isnull(handle) )
{
 report = string(
"The virus 'W32.Swen.A@mm' is present on the remote host\n",
"Solution : http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html\n",
"Risk factor : High"); 
 security_hole(port:port, data:report);
 CloseFile(handle:handle);
}


# Submitted by Josh Zlatin-Amishav

file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:rootfile); 
#trojanname = raw_string(0xFF, 0x73, 0x76, 0x63, 0x68, 0x6F, 0x73, 0x74, 0x2E, 0x65,0x78, 0x65);
trojanname = raw_string(0xa0, 0x73, 0x76, 0x63, 0x68, 0x6F, 0x73, 0x74, 0x2E, 0x65,0x78, 0x65);

handle = CreateFile (file:string(file, "\\System32\\",trojanname),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_HIDDEN,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
handle = CreateFile (file:string(file, "\\System32\\_svchost.exe"),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
  handle = CreateFile (file:string(file, "\\System32\\Outlook Express"),
                       desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                       share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
handle = CreateFile (file:string(file, "\\System32\\CFXP.DRV"),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
handle = CreateFile (file:string(file, "\\System32\\CHJO.DRV"),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
handle = CreateFile (file:string(file, "\\System32\\MMSYSTEM.DLX"),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
handle = CreateFile (file:string(file, "\\System32\\OLECLI.DLX"),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
handle = CreateFile (file:string(file, "\\System32\\Windll.dlx"),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
handle = CreateFile (file:string(file, "\\System32\\Activity.AVI"),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
handle = CreateFile (file:string(file, "\\System32\\Upgrade.AVI"),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
handle = CreateFile (file:string(file, "\\System32\\System.lst"),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( isnull(handle) )
handle = CreateFile (file:string(file, "\\System32\\PF30txt.dlx"),
                     desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if( ! isnull(handle) )
{
  report = string(
"The trojan 'hotword' is present on the remote host\n",
"See also : http://securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html\n",
"See also : http://securityresponse.symantec.com/avcenter/venc/data/trojan.rona.html\n",
"Solution :  Use latest anti-virus signatures to clean the machine.\n",
"Risk factor : High"); 
  security_hole(port:port, data:report);
}




# Submitted by David Maciejak

sober = make_list("nonzipsr.noz",
"clonzips.ssc",
"clsobern.isc",
"sb2run.dii",
"winsend32.dal",
"winroot64.dal",
"zippedsr.piz",
"winexerun.dal",
"winmprot.dal",
"dgssxy.yoi",
"cvqaikxt.apk",
"sysmms32.lla",
"Odin-Anon.Ger");

foreach f (sober)
{
 file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\" + f, string:rootfile); 
 handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                      share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
 if( ! isnull(handle) )
 {
  report = string(
"The virus 'Sober.i@mm' is present on the remote host\n",
"Solution : http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html\n",
"Risk factor : High"); 
  security_hole(port:port, data:report);
  CloseFile(handle:handle);
 }
}

file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\wgareg.exe", string:rootfile); 

handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                     share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
if( ! isnull(handle) )
{
 report = string(
"The virus 'W32.Wargbot@mm' is present on the remote host\n",
"Solution : http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99\n",
"Risk factor : High"); 
 security_hole(port:port, data:report);
 CloseFile(handle:handle);
}



# Submitted by Josh Zlatin-Amishav

foreach f (make_list("zsydll.dll", "zsyhide.dll"))
{
 file =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\" + f, string:rootfile);

 handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL,
                      share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
 if( ! isnull(handle) )
 {
   report = string(
   "The backdoor 'W32.Backdoor.Ginwui.B' is present on the remote host\n",
   "See also : http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ginwui.b.html\n",
   "Solution :  Use latest anti-virus signatures to clean the machine.\n",
   "Risk factor : High");
   security_hole(port:port, data:report);
   CloseFile(handle:handle);
 }
} 

NetUseDel();