
"NAKEDWIFE" - Trojan Worm 3


dsi

Programmer
Mar 13, 2000
964
US
A NEW MASS-MAILED Trojan worm called "NAKEDWIFE" is circulating and, if executed, can delete files necessary for everyday computer operation.

The Trojan, which was written in VBS (Visual Basic Script), sends out the same mail as an e-mail attachment. The mail has a subject line that reads "FW: Naked Wife." It has a message body that reads "My Wife never look like that :), Best Regards." The attachment is named NakedWife.EXE.

DimensionalSolutions@Core.com
While I welcome e-mail messages, please post all thread activity in these forums for the benefit of all members.
 
This is a wonderful little virus that deletes dll files, exe files and com files.

Norton are covering it in their definitions as of today, so I advise everyone to get their virus checkers up to date!!!
 
The InfoWorld article indicated that it was written in VBS yet the attachment is an EXE. I assume that they got the extension of the attachment correct since they explicitly refer to the name 'NakedWife.EXE'.

The McAfee site validated the attachment name:
DimensionalSolutions@Core.com
While I welcome e-mail messages, please post all thread activity in these forums for the benefit of all members.
 
We have Antigen on our Exchange Server and do not allow any .exe file attachments - they get turned into a harmless .txt information message at the server. So we didn't have to be concerned about this one. Once again I'm very glad we have this set up. Here's the link if you're interested: Tom Jacobson ...
MS Exchange admin, NT admin, Intranet admin, Virus protection, Frontpage, VB5&6, Access, Crystal Reports
 
Alternatively, I do this. Create a text file *.txt.
Rename the text file to *.vbs then highlight the vbs file and hold the shift key down while right-clicking the file. This will yield an "Open with" option. Select it. This will bring up a window that allows you to choose which program to open it with, choose notepad, making sure to put a check in the checkbox marked always use this program to open this type of file.





Troy Williams B.Eng.
fenris@hotmail.com

 
fenris,

That works great until you install software that corrects the registry entry. We did that sometime last year to all of our machines. Although users are not supposed to install software without IT permission, it happened. The registry entry was changed back and a couple of users got hit by the Columbia Plan virus.

If you don't use scripting, there is a much easier way to fix this. Rename WScript.exe to MSWScript.exe and CScript.exe to MSCScript.exe. Then, copy notepad.exe twice to the same directory and rename them WScript.exe and CScript.exe. I wrote a program to do this at every login, just in case someone else decides to install software.

DimensionalSolutions@Core.com
While I welcome e-mail messages, please post all thread activity in these forums for the benefit of all members.
 
That is an interesting approach! It sounds to me like your users don't follow the rules ;)

Wouldn't it be easier to write a program to write the association to the registry at each reboot? Now that I start to think about it, where in the registry is that file association set? I looked around and found a bunch of instances of VBS, but none with any real indication of what program is associated with it. I did notice a couple of subkeys that had a clsid. If one knew what string to write to the registry, it would be quite easy to write a small VB program that ran from the startup folder or the HKLM\software\microsoft\windows\currentversion\run key. That program would check the value of the key and make sure that it is not associated with WScript.exe. If the program detected that it had been changed back somehow, it could pop up a "critical" error and have the user alert the network admin.



Troy Williams B.Eng.
fenris@hotmail.com

 
A little app like that posted for use by TT members would give you a silver star (i.e. nothing real, just a bunch of people grateful to you).
 
The association is defined in the key:

HKEY_CLASSES_ROOT\VBSFILE\Shell\Open\Command

I attempted to write a small application that changes the value
from: C:\WINNT\System32\WScript.exe "%1" %*
to: C:\WINNT\System32\Notepad.exe %1

Unfortunately, I was not able to write the new value. I posted this problem several months ago (thread222-46157) and no one was able to help me solve the problem. I am able to change the key manually, but the program could not write the new value. The code works for other root file definitions, but will not modify the VBS file.

If we could get this to work in a second round of discussion, it would be free to all!

 
Have you tried recruiting Alt255 on this? He's an expert with the registry...
 
OK, as promised, here is the code that you can use to automatically update the registry by checking the HKEY_CLASSES_ROOT\VBSFILE\Shell\Open\Command key for an instance of C:\WINNT\System32\WScript.exe "%1" %* and changing it to C:\WINNT\System32\Notepad.exe %1.
The first thing to remember is, that despite all other rumors, THE REGISTRY IS NOT THAT HARD TO WORK WITH . . . but you do need to be careful. The following code was run on WINNT40 - SP6a. The actual code that does the checking and updating uses passed in values . . . this was done so that the same piece of code could be used over again elsewhere (remember that oft spoken phrase, "Code Reuse"). When the application wants to check and possibly update the key, it simply passes in the key location, the search string that will trigger a replacement, the string that will replace the data in the key, and a message that will be displayed when a replacement occurs.

AND NOW . . . THE CODE . . .


First off, declare your APIs in the general declaration

Private Const HKEY_CLASSES_ROOT = &H80000000
Private Const HKEY_CURRENT_CONFIG = &H80000005
Private Const HKEY_CURRENT_USER = &H80000001
Private Const HKEY_DYN_DATA = &H80000006
Private Const HKEY_LOCAL_MACHINE = &H80000002
Private Const HKEY_PERFORMANCE_DATA = &H80000004
Private Const HKEY_USERS = &H80000003
Private Const READ_CONTROL = &H20000
Private Const STANDARD_RIGHTS_READ = (READ_CONTROL)
Private Const STANDARD_RIGHTS_WRITE = (READ_CONTROL)
Private Const STANDARD_RIGHTS_ALL = &H1F0000
Private Const SYNCHRONIZE = &H100000
Private Const KEY_CREATE_LINK = &H20
Private Const KEY_CREATE_SUB_KEY = &H4
Private Const KEY_ENUMERATE_SUB_KEYS = &H8
Private Const KEY_EVENT = &H1
Private Const KEY_NOTIFY = &H10
Private Const KEY_QUERY_VALUE = &H1
Private Const KEY_SET_VALUE = &H2
Private Const KEY_WRITE = ((STANDARD_RIGHTS_WRITE Or KEY_SET_VALUE Or KEY_CREATE_SUB_KEY) And (Not SYNCHRONIZE))
Private Const KEY_ALL_ACCESS = ((STANDARD_RIGHTS_ALL Or KEY_QUERY_VALUE Or KEY_SET_VALUE Or KEY_CREATE_SUB_KEY Or KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY Or KEY_CREATE_LINK) And (Not SYNCHRONIZE))
Private Const KEY_READ = ((STANDARD_RIGHTS_READ Or KEY_QUERY_VALUE Or KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY) And (Not SYNCHRONIZE))
Private Const KEY_EXECUTE = ((KEY_READ) And (Not SYNCHRONIZE))

Private Const REG_SZ = 1

Private Const ERROR_SUCCESS = 0&

Private Type SECURITY_ATTRIBUTES
nLength As Long
lpSecurityDescriptor As Long
bInheritHandle As Long
End Type

Private Declare Function RegCreateKeyEx Lib "advapi32.dll" Alias "RegCreateKeyExA" (ByVal lngKeyHandle As Long, ByVal lpSubKey As String, ByVal Reserved As Long, ByVal lpClass As String, ByVal dwOptions As Long, ByVal samDesired As Long, lpSecurityAttributes As SECURITY_ATTRIBUTES, phkResult As Long, lpdwDisposition As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long ' Note that if you declare the lpData parameter as String, you must pass it By Value
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long ' Note that if you declare the lpData parameter as String, you must pass it By Value


This routine simply sets the desired search parameters and calls the registry update code.

Public Sub CheckRegistry()

    Dim strKey As String
    Dim strTargetString As String
    Dim strReplacementString As String
    Dim strErrorMessage As String

    '** Set the desired search parameters.
    strKey = "VBSFILE\Shell\Open\Command"
    strTargetString = "C:\WINNT\System32\WScript.exe ""%1"" %*"
    strReplacementString = "C:\WINNT\System32\Notepad.exe %1"
    strErrorMessage = "Disassociated VB Script from WScript.exe! VB Script will now open in notepad."

    '** Pass in the search parameters to the UpdateRegistry function.
    Call UpdateRegistry(strKey, strTargetString, strReplacementString, strErrorMessage)

End Sub

This routine does the actual work of opening the registry, searching for the target value, and - if found - replacing the data. NOTE THAT THIS CODE WILL ONLY WORK WITH REG DATA OF TYPE STRING . . . although with a very simple modification, that could be changed.

Private Sub UpdateRegistry(strTargetKey As String, strTargetString As String, strReplacementString As String, strErrorMessage As String)

    Dim udtSec As SECURITY_ATTRIBUTES
    Dim lngKeyHandle As Long
    Dim lngDisposition As Long
    Dim lngRetCode As Long
    Dim lngValueType As Long
    Dim strData As String
    Dim lngBufferLength As Long

    '** The API expects the structure size to be filled in before the call.
    udtSec.nLength = Len(udtSec)

    '** First off, open the desired key (RegCreateKeyEx opens it if it already exists).
    lngRetCode = RegCreateKeyEx(HKEY_CLASSES_ROOT, strTargetKey, 0, "", 0, KEY_ALL_ACCESS, udtSec, lngKeyHandle, lngDisposition)

    '** IF the key was opened, then query the default value.
    If lngRetCode = ERROR_SUCCESS Then

        lngBufferLength = 1024
        strData = Space$(lngBufferLength)
        lngValueType = REG_SZ
        lngRetCode = RegQueryValueEx(lngKeyHandle, "", 0, lngValueType, ByVal strData, lngBufferLength)

        If lngRetCode = ERROR_SUCCESS Then

            '** Trim off the extra spaces in the buffer. Use lngBufferLength - 1 to account for the terminating null.
            If lngBufferLength > 1 Then
                strData = Left$(strData, lngBufferLength - 1)
            End If

            '** Check to see if the value matches the target string. If it does, then replace it and raise an error message.
            If UCase$(Trim$(strData)) = UCase$(Trim$(strTargetString)) Then
                '** cbData must include the terminating null for REG_SZ data.
                lngBufferLength = Len(strReplacementString) + 1
                lngRetCode = RegSetValueEx(lngKeyHandle, "", 0, REG_SZ, ByVal strReplacementString, lngBufferLength)
                MsgBox strErrorMessage, vbOKOnly + vbCritical, "Registry Update Warning!"
                '** HERE, IF YOU WANTED, YOU COULD SIGNAL A LAN ADMIN OF THE CHANGE
            End If

        End If
    End If

    '** Close the open handle (only if the key was actually opened).
    If lngKeyHandle <> 0 Then
        If RegCloseKey(lngKeyHandle) <> ERROR_SUCCESS Then
            MsgBox "Key not closed."
        End If
    End If

End Sub



Is this what you guys were looking for? Just put an EXE with this in it in the RUN key for your users or in their LOGIN scripts, and you can always be sure that VBS IS NOT associated with the scripting host.
Also, DSI, what problem were you having when you were trying to update the registry? Were you doing it the same way my code is?
If anyone has any questions or comments regarding this code, please feel free to let me know and I will do what I can to further explain it.

Also, I am working on a WebSite that will consist of a series of articles and examples for programming (with commented code examples) . . .anyone have any requests for information regarding advanced topics that they would like to see? Any feed back would be greatly appreciated. Thanks!


- Jeff Marler
(please note, that the page is under construction)
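A defender-side audit of the same association, added here as an example; it is not code from the thread or from any of the posters. It generalizes Jeff's check: instead of comparing the whole value against one exact string (which misses an install under a different system directory or a quoted path), it extracts the executable name from the shell\open\command value and flags any of a set of Windows Script Host ProgIDs (VBSFile, JSFile and the others listed, chosen here as an assumption) that still point at WScript.exe or CScript.exe. The sample values are constructed; on Windows the read_live_associations and set_association helpers use Python's winreg module instead, and the latter needs administrative rights because HKEY_CLASSES_ROOT is written.

```python
"""Audit (and optionally reset) Windows script-file associations.

Added example for this thread; not the posters' code. The ProgID list and
the sample values below are assumptions/constructed data.
"""
import sys

# Script hosts whose association with script files this check flags.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# ProgIDs handled by Windows Script Host (assumption: list chosen for this example).
SCRIPT_PROGIDS = ("VBSFile", "VBEFile", "JSFile", "JSEFile", "WSFFile", "WSHFile")


def executable_from_command(command: str) -> str:
    """Return the lower-cased file name of the program in a shell\\open\\command value.

    Handles both quoted paths ("C:\\Program Files\\x.exe" "%1") and unquoted ones
    (C:\\WINNT\\System32\\WScript.exe "%1" %*).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end != -1 else command[1:]
    else:
        path = command.split()[0] if command else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_script_host(command: str) -> bool:
    """True if the command would hand the file to WScript/CScript."""
    return executable_from_command(command) in SCRIPT_HOSTS


def audit(associations: dict) -> list:
    """Return the ProgIDs whose open command still runs a script host, in input order."""
    return [progid for progid, cmd in associations.items() if is_script_host(cmd)]


def read_live_associations() -> dict:
    """Read the real default values from HKEY_CLASSES_ROOT (Windows only)."""
    import winreg  # only present on Windows
    result = {}
    for progid in SCRIPT_PROGIDS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid + r"\Shell\Open\Command") as key:
                value, _ = winreg.QueryValueEx(key, "")
                result[progid] = value
        except OSError:
            continue  # ProgID not registered on this machine
    return result


def set_association(progid: str, command: str) -> None:
    """Rewrite the default value of the ProgID's open command (Windows only, needs admin)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid + r"\Shell\Open\Command",
                        0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "", 0, winreg.REG_SZ, command)


# Constructed sample: an NT4-style default, a quoted path on a newer system, and
# one ProgID that has already been re-pointed to Notepad.
SAMPLE = {
    "VBSFile": r'C:\WINNT\System32\WScript.exe "%1" %*',
    "JSFile": r'"C:\Windows\System32\wscript.exe" "%1" %*',
    "WSFFile": r'C:\WINNT\System32\Notepad.exe "%1" %*',
}

if __name__ == "__main__":
    data = read_live_associations() if sys.platform == "win32" else SAMPLE
    for progid in audit(data):
        print(f"WARNING: {progid} opens with a script host: {data[progid]}")
```

Run as-is on a non-Windows machine it audits the constructed sample; on Windows it reads the live keys. Reverting a flagged ProgID is a separate, deliberate call to set_association, so the audit itself is safe to schedule at logon and only reports.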
 
Good work, Jeff. For those without Visual Basic, this reg script seems to have the same effect:
[tt]
REGEDIT4

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\WINNT\\System32\\Notepad.exe \"%1\" %*"
[/tt]


For those with Visual basic, the entry can be made in the registry with two lines of code... an API declaration and a call to [tt]ShellExecute[/tt].

Let's take the VB discussion back to the VB forum.

Alt255@Vorpalcom.Intranets.com
 
One quick note Alt255 and then I promise . . . no more non-virus stuff in here . . . yes you are absolutely correct . . . your 2 lines of code would update the registry perfectly, but Fenris also mentioned that the application should pop up a warning message and then possibly notify the network admin which is why I did it in VB code rather than just merging an exported key . . .
OK as I promised . . . no more code in here. :) - Jeff Marler
(please note, that the page is under construction)
 
Apols, I asked for the code here as I don't want to join the VB forum just for the code to do this.

Even better would be a hyperlink to a downloadable .exe that works under 95,98 and NT...

Nice piece of code Jeff!
 