[thelist] [Fwd: Contemplations : Melissa, I love you - not!]

Anthony Baratta Anthony at Baratta.com
Mon May 8 18:09:34 2000


Cerberus Security Team wrote:
> 
> The Cerberus Security Team have written a tool that will prevent PC users
> from being infected by such viral worms as the now infamous "I Love You" and
> its many variants and any others that are still only a gleam in the eye of
> the budding virus writer. These rely on basic default configurations of a
> standard Microsoft box to be able to spread - and also a little help from
> the user by actually opening the attachment! As many will be aware 99% of
> files on a Windows machine have a three letter extension. This extension
> tells Windows Explorer how to deal with each file. For example, if you
> double click on a file with the .txt extension Explorer will look in the
> Registry to see what application to use to open it - notepad.exe in this
> case.
> 
> As far as the "I Love You" worm is concerned it has a .vbs extension and so,
> when opened by the person it has been sent to, Windows looks in the Registry
> to see what application it should use to deal with the file - in this case
> wscript.exe. wscript.exe is a script interpreter and when passed the file it
> executes the code it finds there - very much like what command.com or
> cmd.exe does for batch (.bat) files.
> 
> The tool the Cerberus Security Team has written goes through the registry
> and overwrites (with a dummy command) the application / file extension
> associations for VBS, VBE, WSF, WSH, JS and JSE, so any viruses or worms
> that rely on these associations will therefore fail. These are all
> "dangerous" mappings and to be perfectly frank most computer users never use
> the functionality provided by these. Note that the tool only rewrites the
> shell "Open" commands under HKEY_CLASSES_ROOT; wscript.exe and cscript.exe
> remain installed, so a script run explicitly through them still executes,
> and repairing or reinstalling the Windows Scripting Host is likely to
> restore the original associations.
> 
> We provide the source code at the end of this mail and also make the binary
> version available from our website:
> http://www.cerberus-infosec.co.uk/vf.exe
> (The binary is served over plain HTTP with no checksum or signature, so
> build it from the source below if you need to be sure of what you run.)
> 
> It has been tested on Windows 98, Windows NT 4 and Windows 2000. Though not
> yet tested on Windows 95 it should still work.
> 
> Cheers,
> The Cerberus Security Team
> http://www.cerberus-infosec.co.uk/
> +44(0)208 395 4980
> 
> ////////////////////////////////////////////////////////////////////////////
> ////////
> //
> //   compile with eg Visual C++ link with advapi32.lib
> //
> //   Cerberus Information Security, Ltd
> //
> //    8th May 2000
> //
> ////////////////////////////////////////////////////////////////////////////
> /////////
> 
#include <windows.h>
#include <winreg.h>
#include <stdio.h>
#include <string.h>
> 
#define SUCCESS 1   /* return / exit value on success (note: 1, not the usual 0) */
#define FAILURE 0   /* return / exit value on error; numerically equal to
                       ERROR_SUCCESS, so never compare a raw Win32 status
                       against these two macros */

/* Registry root that the association changes are applied to.  Defaults to
   the local HKEY_CLASSES_ROOT; ConnectToRemoteRegistry() repoints it at a
   handle on the target host when a host name is given on the command line. */
HKEY KeyToChange = HKEY_CLASSES_ROOT;

int ChangeFileAssociations(void);      /* rewrite the script-host Open verbs under KeyToChange */
int ConnectToRemoteRegistry(char *);   /* "\\host" -> sets KeyToChange; SUCCESS / FAILURE */
LONG DoSetAKey(HKEY, char *, char *);  /* set a key's default value; SUCCESS, FAILURE or ERROR_FILE_NOT_FOUND */
> 
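int main(int argc, char *argv[])
{
    /*
     * Entry point.  With no arguments the local HKEY_CLASSES_ROOT is modified;
     * with one argument (a host name) the same change is made to that host's
     * registry over the remote-registry interface, which needs administrative
     * rights on the target and the Remote Registry service running there.
     * There is no confirmation prompt: a typo in the host name changes the
     * wrong machine, so scripts driving this tool should validate the name.
     *
     * Exit status follows this file's SUCCESS / FAILURE macros: 1 on success,
     * 0 on error (the inverse of the usual process convention, kept so that
     * existing batch files checking ERRORLEVEL keep working).  The help
     * switches print usage and exit 0.
     */
    static const char *const help_switches[] = {
        "/?", "-?", "/h", "-h", "?", "help", "/help"
    };
    const char *errors = "There were errors changing the file associations.\n";
    const char *noerrors = "VBS,VBE,WSF,WSH,JS and JSE file associations have been changed.\n";
    char hostname[260] = "\\\\";
    int remote = 0;
    int changed;
    size_t i;

    printf("\nCerberus Security Team\nhttp://www.cerberus-infosec.co.uk/\n8th May 2000\n\n");

    if (argc > 1) {
        for (i = 0; i < sizeof help_switches / sizeof help_switches[0]; i++) {
            if (stricmp(argv[1], help_switches[i]) == 0) {
                printf("Usage: %s [hostname]\n"
                       "Overwrites the VBS, VBE, WSF, WSH, JS and JSE shell Open\n"
                       "associations on the local machine, or on <hostname> via\n"
                       "the remote registry (requires admin rights on the target).\n",
                       argv[0]);
                return 0;
            }
        }

        /* Build "\\host".  Refuse over-long names instead of silently
           truncating them: a truncated name could resolve to a different
           machine than the one the operator typed. */
        if (strlen(argv[1]) >= sizeof hostname - strlen(hostname)) {
            printf("Host name too long\n");
            return FAILURE;
        }
        strcat(hostname, argv[1]);   /* bounded by the check above */

        if (!ConnectToRemoteRegistry(hostname)) {
            printf("Error connecting to %s\n", hostname);
            return FAILURE;
        }
        remote = 1;
    }

    changed = ChangeFileAssociations();

    /* The handle RegConnectRegistry handed us lives in KeyToChange; the
       original leaked it on every remote run. */
    if (remote) {
        RegCloseKey(KeyToChange);
    }

    if (changed) {
        fputs(noerrors, stdout);
        return SUCCESS;
    }
    fputs(errors, stdout);
    return FAILURE;
}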
> 
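int ConnectToRemoteRegistry(char *host)
{
    /*
     * Open HKEY_CLASSES_ROOT on the machine named by host ("\\name") and, on
     * success, point the file-scope KeyToChange at the resulting handle so
     * that ChangeFileAssociations() operates on the remote registry.
     *
     * Returns SUCCESS or FAILURE.  On failure KeyToChange is left untouched;
     * the original passed &KeyToChange straight to RegConnectRegistry, so a
     * failed connect could clobber the local HKCR default before the caller
     * bailed out.  The caller owns the returned handle and must RegCloseKey()
     * it when finished.
     *
     * NOTE(review): RegConnectRegistry is documented for HKEY_LOCAL_MACHINE,
     * HKEY_USERS and HKEY_PERFORMANCE_DATA; if a target rejects
     * HKEY_CLASSES_ROOT, opening HKLM and working under SOFTWARE\Classes is
     * the fallback -- confirm against the platforms in use.
     */
    HKEY remote = NULL;

    if (host == NULL) {
        return FAILURE;
    }
    if (RegConnectRegistry(host, HKEY_CLASSES_ROOT, &remote) != ERROR_SUCCESS) {
        return FAILURE;
    }
    KeyToChange = remote;
    return SUCCESS;
}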
> 
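int ChangeFileAssociations(void)
{
    /*
     * Overwrite the default value of the shell "Open" and "Open2" verbs of the
     * six Windows Scripting Host ProgIDs under KeyToChange, so that
     * double-clicking a .vbs/.vbe/.wsf/.wsh/.js/.jse file no longer launches
     * wscript.exe.  A verb key that does not exist is skipped (not every
     * Windows version ships every ProgID); any other failure stops the run.
     *
     * Returns SUCCESS when every existing verb was rewritten, FAILURE
     * otherwise.
     *
     * Scope caveats a deployer should know:
     *  - only these two verbs under these ProgIDs are touched; the extension
     *    -> ProgID links, other verbs, and explicit "wscript.exe file.vbs"
     *    invocations are untouched.
     *  - NOTE(review): on Windows 2000 HKCR is a merged view of
     *    HKLM\Software\Classes and HKCU\Software\Classes; a per-user override
     *    under HKCU would not be caught here -- confirm.
     *  - NOTE(review): the replacement command "Foobar" has no path, so it is
     *    resolved by the shell's search at launch time; pointing the verb at
     *    an absolute, harmless program (e.g. notepad.exe "%1") would be both
     *    unambiguous and friendlier to users -- consider.
     */
    static const char *const targets[] = {
        "VBSFile\\Shell\\Open\\Command",
        "VBSFile\\Shell\\Open2\\Command",
        "WSHFile\\Shell\\Open\\Command",
        "WSHFile\\Shell\\Open2\\Command",
        "VBEFile\\Shell\\Open\\Command",
        "VBEFile\\Shell\\Open2\\Command",
        "WSFFile\\Shell\\Open\\Command",
        "WSFFile\\Shell\\Open2\\Command",
        "JSEFile\\Shell\\Open\\Command",
        "JSEFile\\Shell\\Open2\\Command",
        "JSFile\\Shell\\Open\\Command",
        "JSFile\\Shell\\Open2\\Command",
    };
    static const char replacement[] = "Foobar";
    size_t i;

    for (i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        /* DoSetAKey's prototype takes char *; it never writes through them. */
        LONG rc = DoSetAKey(KeyToChange, (char *)targets[i], (char *)replacement);

        if (rc == SUCCESS || rc == ERROR_FILE_NOT_FOUND) {
            continue;
        }
        /* The original printed "Error %d" with the FAILURE value (0), which
           looked like ERROR_SUCCESS; name the key instead. */
        printf("Error setting %s\n", targets[i]);
        return FAILURE;
    }
    return SUCCESS;
}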
> 
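LONG DoSetAKey(HKEY root, char *key, char *set)
{
    /*
     * Open root\key and store `set` as the key's default (unnamed) value,
     * which for a Shell\<verb>\Command key is the command line the shell runs.
     *
     * Returns SUCCESS when the value was written, ERROR_FILE_NOT_FOUND when
     * the key does not exist (callers treat a missing verb as "nothing to
     * disable"), and FAILURE for any other error.  Because FAILURE == 0 ==
     * ERROR_SUCCESS, the Win32 error code cannot be passed back through this
     * return value; callers only get the three-way outcome.
     *
     * Fixes relative to the original:
     *  - on an open failure the original called RegCloseKey() on a handle
     *    that RegOpenKeyEx never initialised;
     *  - the value was written as REG_MULTI_SZ with length strlen(set), i.e.
     *    without any terminating NUL.  Shell command values are REG_SZ and
     *    include the terminator.
     */
    HKEY hKey = NULL;
    LONG rc;

    if (key == NULL || set == NULL) {
        return FAILURE;
    }

    /* KEY_SET_VALUE is all RegSetValueEx needs; KEY_WRITE would also grant
       sub-key creation, which this tool never uses. */
    rc = RegOpenKeyEx(root, key, 0, KEY_SET_VALUE, &hKey);
    if (rc == ERROR_FILE_NOT_FOUND) {
        return ERROR_FILE_NOT_FOUND;
    }
    if (rc != ERROR_SUCCESS) {
        return FAILURE;   /* nothing to close: the key was never opened */
    }

    rc = RegSetValueEx(hKey, NULL, 0, REG_SZ,
                       (CONST BYTE *)set, (DWORD)(strlen(set) + 1));
    RegCloseKey(hKey);

    if (rc != ERROR_SUCCESS) {
        return FAILURE;
    }
    printf("Success\n");
    return SUCCESS;
}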


-- 
Anthony Baratta