home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / modules / nessus-2.2.8.mo / usr / lib / nessus / plugins / smb_virii.nasl < prev    next >
Encoding:
Text File  |  2005-01-14  |  14.9 KB  |  546 lines
  1. #
  2. # This script was written by Renaud Deraison
  3. #
  4. # See the Nessus Scripts License for details
  5. #
  6.  
  7. if(description)
  8. {
  9.  script_id(11329);
  10.  
  11.  script_version("$Revision: 1.42 $");
  12.  
  13.  name["english"] = "The remote host is infected by a virus";
  14.  
  15.  script_name(english:name["english"]);
  16.  
  17.  desc["english"] = "
  18. This script checks for the presence of different virii on the remote
  19. host, by using the SMB credentials you provide Nessus with.
  20.  
  21. - W32/Badtrans-B
  22. - JS_GIGGER.A@mm
  23. - W32/Vote-A
  24. - CodeRed
  25. - W32.Sircam.Worm@mm
  26. - W32.HLLW.Fizzer@mm
  27. - W32.Sobig.B@mm
  28. - W32.Sobig.E@mm
  29. - W32.Sobig.F@mm
  30. - W32.Sobig.C@mm
  31. - W32.Yaha.J@mm
  32. - W32.mimail.a@mm
  33. - W32.mimail.c@mm
  34. - W32.mimail.e@mm
  35. - W32.mimail.l@mm
  36. - W32.mimail.p@mm
  37. - W32.Welchia.Worm
  38. - W32.Randex.Worm
  39. - W32.Beagle.A
  40. - W32.Novarg.A
  41. - Vesser
  42. - NetSky.C
  43. - Doomran.a
  44. - Beagle.m
  45. - Beagle.j
  46. - Agobot.FO
  47. - NetSky.W
  48. - Sasser
  49. - W32.Wallon.A
  50. - W32.MyDoom.M
  51. - Hackarmy.i
  52. - W32.Erkez.D/Zafi.d
  53.  
  54.     
  55. Risk factor : High
  56. Solution : See the URLs which will appear in the report";
  57.  
  58.  
  59.  script_description(english:desc["english"]);
  60.  
  61.  summary["english"] = "Checks for the presence of different virii on the remote host";
  62.  
  63.  script_summary(english:summary["english"]);
  64.  
  65.  script_category(ACT_GATHER_INFO);
  66.  
  67.  script_copyright(english:"This script is Copyright (C) 2003 Renaud Deraison");
  68.  family["english"] = "Windows";
  69.  script_family(english:family["english"]);
  70.  
  71.  script_dependencies("netbios_name_get.nasl",
  72.               "smb_login.nasl","smb_registry_access.nasl");
  73.  script_require_keys("SMB/name", "SMB/login", "SMB/password",  "SMB/registry_access");
  74.  
  75.  script_require_ports(139, 445);
  76.  exit(0);
  77. }
  78.  
  79. include("smb_nt.inc");
  80. if ( get_kb_item("SMB/samba") ) exit(0);
  81.  
  82. global_var handle;
  83.  
  84. x_name = kb_smb_name();
  85. if(!x_name)exit(0);
  86.  
  87. _smb_port = kb_smb_transport();
  88. if(!_smb_port)exit(0);
  89.  
  90. if(!get_port_state(_smb_port))return(FALSE);
  91. login = kb_smb_login();
  92. pass  = kb_smb_password();
  93. domain = kb_smb_domain();
  94.  
  95. if(!login)login = "";
  96. if(!pass) pass = "";
  97.  
  98.       
  99. soc = open_sock_tcp(_smb_port);
  100. if(!soc)return(FALSE);
  101.  
  102. #
  103. # Request the session
  105. r = smb_session_request(soc:soc,  remote:x_name);
  106. if(!r) { close(soc); return(FALSE); }
  107.  
  108. #
  109. # Negociate the protocol
  110. #
  111. prot = smb_neg_prot(soc:soc);
  112. if(!prot){ close(soc); return(FALSE); }
  113.  
  114.  
  115. #
  116. # Set up our session
  117. #
  118. r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
  119. if(!r){ close(soc); return(FALSE); }
  120. # and extract our uid
  121. uid = session_extract_uid(reply:r);
  122.  
  123. #
  124. # Connect to the remote IPC and extract the TID
  125. # we are attributed
  126. #      
  127. r = smb_tconx(soc:soc, name:x_name, uid:uid, share:"IPC$");
  128. # and extract our tree id
  129. tid = tconx_extract_tid(reply:r);
  130. if(!tid){ close(soc); return(FALSE); }
  131.  
  132. #
  133. # Create a pipe to \winreg
  134. #
  135. r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
  136. if(!r){ close(soc); return(FALSE);}
  137. # and extract its ID
  138. pipe = smbntcreatex_extract_pipe(reply:r);
  139.  
  140. #
  141. # Setup things
  142. #
  143. r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
  144. if(!r){ close(soc); return(FALSE); }
  145. handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
  146.  
  147.  
  148. function check_reg(name, url, key, item, exp)
  149. {
  150.   local_var key_h, sz;
  151.  
  152.   key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe, key:key, reply:handle);
  153.   if(strlen(key_h) > 92)
  154.   {
  155.     sz =  registry_get_item_sz(soc:soc, uid:uid, tid:tid, pipe:pipe, item:item, reply:key_h);
  156.     registry_close(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:key_h); 
  157.     if ( strlen(sz) <= 92 ) return 0;
  158.     value = registry_decode_sz(data:sz);
  159.     if ( ! value ) return 0;
  160.   }
  161.   else return 0;
  162.   
  163.  if(exp == NULL || tolower(exp) >< tolower(value))
  164.  {
  165.   report = string(
  166. "The virus '", name, "' is present on the remote host\n",
  167. "Solution : ", url, "\n",
  168. "Risk factor : High");
  169.  
  170.   security_hole(port:kb_smb_transport(), data:report);
  171.  }
  172. }
  173.  
  174.  
  175.  
  176.  
  177. i = 0;
  178.  
  179. # http://www.infos3000.com/infosvirus/badtransb.htm
  180. name[i]     = "W32/Badtrans-B";
  181. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html";
  182. key[i]         = "Software\Microsoft\Windows\CurrentVersion\RunOnce";
  183. item[i]     = "kernel32";
  184. exp[i]        = "kernel32.exe";
  185.  
  186. i++;
  187.  
  188. # http://www.infos3000.com/infosvirus/jsgiggera.htm
  189. name[i]     = "JS_GIGGER.A@mm";
  190. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/js.gigger.a@mm.html";
  191. key[i]         = "Software\Microsoft\Windows\CurrentVersion\Run";
  192. item[i]     = "NAV DefAlert";
  193. exp[i]        = NULL;
  194.  
  195. i ++;
  196.  
  197. # http://www.infos3000.com/infosvirus/vote%20a.htm
  198. name[i]        = "W32/Vote-A";
  199. url[i]        = "http://www.symantec.com/avcenter/venc/data/w32.vote.a@mm.html";
  200. key[i]        = "Software\Microsoft\Windows\CurrentVersion\Run";
  201. item[i]        = "Norton.Thar";
  202. exp[i]        = "zacker.vbs";
  203.  
  204. i++ ;
  205.  
  206. # http://www.infos3000.com/infosvirus/codered.htm
  207. name[i]        = "CodeRed";
  208. url[i]        = "http://www.symantec.com/avcenter/venc/data/codered.worm.html";
  209. key[i]        = "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters";
  210. item[i]        = "VirtualRootsVC";
  211. exp[i]        = "c:\,,217";
  212.  
  213. i ++;
  214.  
  215. # http://www.infos3000.com/infosvirus/w32sircam.htm
  216. name[i]        = "W32.Sircam.Worm@mm";
  217. url[i]        = "http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html";
  218. key[i]        = "Software\Microsoft\Windows\CurrentVersion\RunServices";
  219. item[i]        = "Driver32";
  220. exp[i]         = "scam32.exe";
  221.  
  222. i++;
  223.  
  224. name[i]      = "W32.HLLW.Fizzer@mm";
  225. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html";
  226. key[i]        = "Software\Microsoft\Windows\CurrentVersion\Run";
  227. item[i]        = "SystemInit";
  228. exp[i]        = "iservc.exe";
  229.  
  230. i++;
  231.  
  232. name[i]      = "W32.Sobig.B@mm";
  233. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.b@mm.html";
  234. key[i]        = "Software\Microsoft\Windows\CurrentVersion\Run";
  235. item[i]        = "SystemTray";
  236. exp[i]        = "msccn32.exe";
  237.  
  238. i ++;
  239.  
  240. name[i]        = "W32.Sobig.E@mm";
  241. url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html";
  242. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  243. item[i]        = "SSK Service";
  244. exp[i]        = "winssk32.exe";
  245.  
  246. i ++;
  247.  
  248. name[i]        = "W32.Sobig.F@mm";
  249. url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html";
  250. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  251. item[i]        = "TrayX";
  252. exp[i]        = "winppr32.exe";
  253.  
  254. i ++;
  255.  
  256. name[i]        = "W32.Sobig.C@mm";
  257. url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html";
  258. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  259. item[i]        = "System MScvb";
  260. exp[i]        = "mscvb32.exe";
  261.  
  262. i ++;
  263.  
  264. name[i]     = "W32.Yaha.J@mm";
  265. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.j@mm.html";
  266. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  267. item[i]        = "winreg";
  268. exp[i]        = "winReg.exe";
  269.  
  270.  
  271. i++;
  272.  
  273. name[i]     = "W32.mimail.a@mm";
  274. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html";
  275. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  276. item[i]        = "VideoDriver";
  277. exp[i]        = "videodrv.exe";
  278.  
  279.  
  280. i++;
  281.  
  282. name[i]     = "W32.mimail.c@mm";
  283. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html";
  284. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  285. item[i]        = "NetWatch32";
  286. exp[i]        = "netwatch.exe";
  287.  
  288. i++;
  289.  
  290. name[i]     = "W32.mimail.e@mm";
  291. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.e@mm.html";
  292. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  293. item[i]        = "SystemLoad32";
  294. exp[i]        = "sysload32.exe";
  295.  
  296. i++;
  297. name[i]     = "W32.mimail.l@mm";
  298. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.l@mm.html";
  299. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  300. item[i]        = "France";
  301. exp[i]        = "svchost.exe";
  302.  
  303. i++;
  304. name[i]     = "W32.mimail.p@mm";
  305. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.p@mm.html";
  306. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  307. item[i]        = "WinMgr32";
  308. exp[i]        = "winmgr32.exe";
  309.  
  310. i++;
  311.  
  312. name[i]        = "W32.Welchia.Worm";
  313. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html";
  314. key[i]         = "SYSTEM\CurrentControlSet\Services\RpcTftpd";
  315. item[i]        = "ImagePath";
  316. exp[i]         = "%System%\wins\svchost.exe";
  317.  
  318.  
  319. i++;
  320.  
  321. name[i]        = "W32.Randex.Worm";
  322. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.b.html";
  323. key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  324. item[i]        = "superslut";
  325. exp[i]         = "msslut32.exe";
  326.  
  327. i++;
  328.  
  329. name[i]        = "W32.Randex.Worm";
  330. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.c.html";
  331. key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  332. item[i]        = "Microsoft Netview";
  333. exp[i]         = "gesfm32.exe";
  334.  
  335. i++;
  336.  
  337. name[i]        = "W32.Randex.Worm";
  338. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
  339. key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  340. item[i]        = "mssyslanhelper";
  341. exp[i]         = "msmsgri32.exe";
  342.  
  343.  
  344. i++;
  345.  
  346. name[i]        = "W32.Randex.Worm";
  347. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html";
  348. key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  349. item[i]        = "mslanhelper";
  350. exp[i]         = "msmsgri32.exe";
  351.  
  352. i ++;
  353. name[i]        = "W32.Beagle.A";
  354. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html";
  355. key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  356. item[i]        = "d3update.exe";
  357. exp[i]         = "bbeagle.exe";
  358.  
  359. i ++;
  360.  
  361. name[i]        = "W32.Novarg.A";
  362. url[i]         = "http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html";
  363. key[i]         = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  364. item[i]        = "TaskMon";
  365. exp[i]         = "taskmon.exe";
  366.  
  367. i++;
  368.  
  369. name[i]       = "Vesser";
  370. url[i]        = "http://www.f-secure.com/v-descs/vesser.shtml";
  371. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  372. item[i]       = "KernelFaultChk";
  373. exp[i]        = "sms.exe";
  374.  
  375. i++;
  376.  
  377. name[i]       = "NetSky.C";
  378. url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.c@mm.html";
  379. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  380. item[i]       = "ICQ Net";
  381. exp[i]        = "winlogon.exe";
  382.  
  383.  
  384. i++;
  385.  
  386. name[i]      = "Doomran.a";
  387. url[i]       = "http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_DOOMRAN.A";
  388. key[i]       = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  389. item[i]      = "Antimydoom";
  390. exp[i]       = "PACKAGE.EXE";
  391.  
  392. i++;
  393.  
  394. name[i]      = "Beagle.m";
  395. url[i]       = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.m@mm.html";
  396. key[i]       = "software\microsoft\windows\currentversion\run";
  397. item[i]      = "winupd.exe";
  398. exp[i]       = "winupd.exe";
  399.  
  400. i++;
  401.  
  402. name[i]      = "Beagle.j";
  403. url[i]       = "http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html";
  404. key[i]       = "software\microsoft\windows\currentversion\run";
  405. item[i]      = "ssate.exe";
  406. exp[i]       = "irun4.exe";
  407.  
  408. i++;
  409.  
  410. name[i]      = "Agobot.FO";
  411. url[i]       = "http://www.f-secure.com/v-descs/agobot_fo.shtml";
  412. key[i]       = "software\microsoft\windows\currentversion\run";
  413. item[i]      = "nVidia Chip4";
  414. exp[i]       = "nvchip4.exe";
  415.  
  416. i ++;
  417. name[i]       = "NetSky.W";
  418. url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.w@mm.html";
  419. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  420. item[i]       = "NetDy";
  421. exp[i]        = "VisualGuard.exe";
  422.  
  423.  
  424. i++;
  425. name[i]       = "Sasser";
  426. url[i]        = "http://www.lurhq.com/sasser.html";
  427. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  428. item[i]       = "avserve.exe";
  429. exp[i]        = "avserve.exe";
  430.  
  431. i++;
  432. name[i]       = "W32.Wallon.A";
  433. url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.wallon.a@mm.html";
  434. key[i]        = "SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}";
  435. item[i]       = "Icon";
  436. exp[i]        = NULL;
  437.  
  438.  
  439. i++;
  440. name[i]       = "W32.MyDoom.M";
  441. url[i]        = "http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127033";
  442. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  443. item[i]       = "JavaVM";
  444. exp[i]        = "JAVA.EXE";
  445.  
  446. i++;
  447. name[i]       = "Hackarmy.i";
  448. url[i]        = "http://www.zone-h.org/en/news/read/id=4404/";
  449. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  450. item[i]       = "putil";
  451. exp[i]        = "%windir%";
  452.  
  453. # Submitted by Jeff Adams
  454. i++;
  455. name[i]       = "W32.Erkez.D/Zafi.D";
  456. url[i]        = "http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.d@mm.html";
  457. key[i]        = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
  458. item[i]       = "Wxp4";
  459. exp[i]        = "Norton Update";
  460.  
  461. for(i=0;name[i];i++)
  462. {
  463.   check_reg(name:name[i], url:url[i], key:key[i], item:item[i], exp:exp[i]);
  464. }
  465.  
  466.  
  467.  
  468. key   = "SOFTWARE\Microsoft\Windows NT\CurrentVersion";
  469. item  = "SystemRoot";
  470.  
  471.  
  472. key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe, key:key, reply:r);
  473. if(key_h)
  474.  {
  475.     sz =  registry_get_item_sz(soc:soc, uid:uid, tid:tid, pipe:pipe, item:item, reply:key_h);
  476.     if ( ! sz ) return 0;
  477.     rootfile = registry_decode_sz(data:sz);
  478.  }
  479.  
  480. if ( ! rootfile ) exit(0);
  481.  
  482. share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:rootfile);
  483. file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1\system.ini", string:rootfile);
  484.  
  485.  
  486. r = smb_tconx(soc:soc, name:x_name, uid:uid, share:share);
  487. tid = tconx_extract_tid(reply:r);
  488. if(!tid)exit(0);
  489.  
  490. fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
  491. if(fid)
  492. {
  493. off = 0;
  494. resp = ReadAndX(socket:soc, uid:uid, tid:tid, fid:fid, count:16384, off:off);
  495. data = resp;
  496. while(strlen(resp) >= 16383)
  497. {
  498.  off += strlen(resp);
  499.  resp = ReadAndX(socket:soc, uid:uid, tid:tid, fid:fid, count:16384, off:off);
  500.  data += resp;
  501.  if(strlen(data) > 1024 * 1024)break;
  502. }
  503.  
  504. if("shell=explorer.exe load.exe -dontrunold" >< data)
  505. {
  506.   report = string(
  507. "The virus 'W32.Nimda.A@mm' is present on the remote host\n",
  508. "Solution : http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html\n",
  509. "Risk factor : High");
  510.  
  511.   security_hole(port:port, data:report);
  512.  }
  513. }
  514.  
  515. file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1\goner.scr", string:rootfile); 
  516. fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
  517. if(fid){
  518.  report = string(
  519. "The virus 'W32.Goner.A@mm' is present on the remote host\n",
  520. "Solution : http://www.symantec.com/avcenter/venc/data/w32.goner.a@mm.html\n",
  521. "Risk factor : High"); 
  522. security_hole(port:port, data:report);
  523. }
  524.  
  525. file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1\winxp.exe", string:rootfile); 
  526. fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
  527. if(fid){
  528.  report = string(
  529. "The virus 'W32.Bable.AG@mm' is present on the remote host\n",
  530. "Solution : http://www.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html\n",
  531. "Risk factor : High"); 
  532. security_hole(port:port, data:report);
  533. }
  534.  
  535.  
  536.  
  537. file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1\Swen1.dat", string:rootfile); 
  538. fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
  539. if(fid){
  540.  report = string(
  541. "The virus 'W32.Swen.A@mm' is present on the remote host\n",
  542. "Solution : http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html\n",
  543. "Risk factor : High"); 
  544. security_hole(port:port, data:report);
  545. }
  546.