移除相关扩展名关联,防范蠕虫病毒 2000-05-20 00:00:00·
不详·京九网联 Cerberus安全小组已经发布了一个工具来防止各种类型的蠕虫感染PC用户,例如著名的"I Love You"病毒。这些病毒在默认安装配置下的Windows系统中能够很快地传播。在Windows系统中,绝大多数文件都是以末尾的三个字符作为扩展名,系统根据不同的扩展名以不同的方式调用相应的程序。例如双击一个.txt文件,默认将会调用notepad.exe(记事本)来打开该文件。目前流行的"I Love You"蠕虫就是利用了.vbs文件——系统默认调用wscript.exe来解析执行脚本,就像用command.com或者NT下的cmd.exe来解析执行.bat批处理文件一样。
下面是该安全组织提供的可执行程序:
http://202.96.168.51/download/other/vf.exe
该程序并不删除注册表中的关联键,而是把 VBS、VBE、WSF、WSH、JS 和 JSE 这几种扩展名对应的文件类型(VBSFile、VBEFile、WSFFile、WSHFile、JSFile、JSEFile)下的 Shell\Open 和 Shell\Open2 命令改写为一个无效命令("Foobar"),这样依靠"双击/打开"方式启动脚本来执行和传播的蠕虫就无法运行。需要注意:(1) 程序不会备份原来的命令值,事后要恢复只能手工重建;(2) 它只改写 Open/Open2 两个动作,通过 wscript.exe/cscript.exe 显式运行脚本的方式很可能不受影响;(3) 上面的下载地址是一个非官方镜像,建议根据下面给出的源码自行编译,而不要直接运行来路不明的二进制文件。在Windows 9x/NT 4/2000上测试通过。
下面是该程序的源程序:
////////////////////////////////////////////////////////////////////////////////
//
// compile with eg Visual C++, link with advapi32.lib (registry API)
//
// Cerberus Information Security, Ltd
//
// 8th May 2000
//
////////////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <winreg.h>
#include <stdio.h>
#include <string.h>
/* Return codes shared by every function in this tool (NOT Win32 error codes). */
#define SUCCESS 1
#define FAILURE 0
/* Registry root that ChangeFileAssociations() writes under.  Defaults to the
 * local HKEY_CLASSES_ROOT; ConnectToRemoteRegistry() rebinds it to a remote
 * machine's HKEY_CLASSES_ROOT when a hostname is given on the command line. */
HKEY KeyToChange = HKEY_CLASSES_ROOT;
/* Rewrites the Shell\Open and Shell\Open2 commands of the script file types
 * under KeyToChange.  Returns SUCCESS or FAILURE. */
int ChangeFileAssociations(void);
/* Takes a UNC-style "\\name" host string.  SUCCESS on connect, else FAILURE. */
int ConnectToRemoteRegistry(char *);
/* Returns SUCCESS, FAILURE, or ERROR_FILE_NOT_FOUND when the subkey is absent. */
LONG DoSetAKey(HKEY, char *, char *);
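/*
 * Entry point.  With no arguments, rewrites the script file associations in
 * the local HKEY_CLASSES_ROOT.  With a hostname argument, connects to that
 * machine's registry and rewrites them there.  Any of the usual help
 * switches prints a usage line and exits.
 *
 * Returns SUCCESS (1) when every association was changed, FAILURE (0) on a
 * connect or registry error, and 0 for the help switches.
 */
int main(int argc,char *argv[])
{
	DWORD chk=0;
	char hostname[260]="\\\\";
	const char *errors = "There were errors changing the file associations.\n";
	const char *noerrors = "VBS,VBE,WSF,WSH,JS and JSE file associations have been changed.\n";
	int remote = 0;

	printf("\nCerberus Security Team\nhttp://www.cerberus-infosec.co.uk/\n8th May 2000\n\n");

	if(argc > 1)
	{
		/* Accept every common spelling of "help".  The original had an
		 * unbalanced '(' here and printed nothing for these switches. */
		if(( stricmp( argv[1], "/?" ) == 0 ) ||
		   ( stricmp( argv[1], "-?" ) == 0 ) ||
		   ( stricmp( argv[1], "/h" ) == 0 ) ||
		   ( stricmp( argv[1], "-h" ) == 0 ) ||
		   ( stricmp( argv[1], "?" ) == 0 ) ||
		   ( stricmp( argv[1], "help" ) == 0 ) ||
		   ( stricmp( argv[1], "/help" ) == 0 ))
		{
			printf("Usage: vf [hostname]\n");
			return 0;
		}

		/* Build "\\host" for RegConnectRegistry.  strncat always
		 * NUL-terminates; the bound accounts for the prefix already in
		 * the buffer instead of the magic 250 the original used. */
		strncat(hostname, argv[1], sizeof(hostname) - strlen(hostname) - 1);
		if(!ConnectToRemoteRegistry(hostname))
		{
			printf("Error connecting to %s\n", hostname);
			return FAILURE;
		}
		remote = 1;
	}

	chk = ChangeFileAssociations();

	/* KeyToChange is a real (remote) handle only after a successful
	 * RegConnectRegistry; the predefined local root must not be closed. */
	if(remote)
	{
		RegCloseKey(KeyToChange);
	}

	/* Messages are fixed strings but are not format strings: fputs, not
	 * printf(msg).  (The original also referenced an undeclared `noerr`.) */
	fputs(chk ? noerrors : errors, stdout);
	return chk ? SUCCESS : FAILURE;
}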
/*
 * Opens HKEY_CLASSES_ROOT on the machine named by host (a "\\name" UNC
 * string) and stores the remote handle in the global KeyToChange so that
 * subsequent registry writes go to that machine.
 *
 * Returns SUCCESS when RegConnectRegistry succeeds, FAILURE otherwise.
 */
int ConnectToRemoteRegistry(char *host)
{
	HKEY localRoot = HKEY_CLASSES_ROOT;
	LONG rc = RegConnectRegistry(host, localRoot, &KeyToChange);

	return (rc == ERROR_SUCCESS) ? SUCCESS : FAILURE;
}
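/*
 * Points the shell "Open" and "Open2" verbs of each script file type at a
 * bogus command ("Foobar") so that opening a .vbs/.vbe/.wsf/.wsh/.js/.jse
 * file through the shell no longer reaches the script host.  Nothing is
 * deleted and the original command is not saved, so undoing this means
 * re-creating each value by hand.
 *
 * Writes under the global KeyToChange (local or remote HKEY_CLASSES_ROOT).
 * A file type that is not registered on the target (ERROR_FILE_NOT_FOUND)
 * is skipped; any other registry error aborts with FAILURE.  Returns
 * SUCCESS when every present key was rewritten.
 */
int ChangeFileAssociations()
{
	/* Same keys, same order, as the original hand-unrolled sequence; the
	 * order matters only for the per-key "Success" output of DoSetAKey. */
	static char *const keys[] = {
		"VBSFile\\Shell\\Open\\Command",
		"VBSFile\\Shell\\Open2\\Command",
		"WSHFile\\Shell\\Open\\Command",
		"WSHFile\\Shell\\Open2\\Command",
		"VBEFile\\Shell\\Open\\Command",
		"VBEFile\\Shell\\Open2\\Command",
		"WSFFile\\Shell\\Open\\Command",
		"WSFFile\\Shell\\Open2\\Command",
		"JSEFile\\Shell\\Open\\Command",
		"JSEFile\\Shell\\Open2\\Command",
		"JSFile\\Shell\\Open\\Command",
		"JSFile\\Shell\\Open2\\Command",
	};
	size_t i;

	for (i = 0; i < sizeof(keys) / sizeof(keys[0]); i++)
	{
		LONG chk = DoSetAKey(KeyToChange, keys[i], "Foobar");

		/* ERROR_FILE_NOT_FOUND means this file type simply is not
		 * registered here.  DoSetAKey collapses every other error to
		 * FAILURE (0), so the Win32 code is not available to print. */
		if (chk != SUCCESS && chk != ERROR_FILE_NOT_FOUND)
		{
			printf("Error %d\n", chk);
			return FAILURE;
		}
	}
	return SUCCESS;
}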
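/*
 * Sets the default value of the subkey `key` (relative to `root`) to the
 * string `set`.  Used to overwrite a Shell\<verb>\Command value.
 *
 * Returns SUCCESS when the value was written, ERROR_FILE_NOT_FOUND when the
 * subkey does not exist (the caller treats that as "file type not
 * registered"), and FAILURE for any other open or write error.
 */
LONG DoSetAKey(HKEY root, char *key, char *set)
{
	HKEY hKey = NULL;
	LONG rc;

	rc = RegOpenKeyEx(root, key, 0, KEY_WRITE, &hKey);
	if (rc != ERROR_SUCCESS)
	{
		/* Nothing was opened, so there is no handle to close.  The
		 * original called RegCloseKey on the uninitialised handle here. */
		return (rc == ERROR_FILE_NOT_FOUND) ? ERROR_FILE_NOT_FOUND : FAILURE;
	}

	/* A shell command is a single REG_SZ string, and RegSetValueEx
	 * expects cbData for string types to include the terminating NUL.
	 * The original wrote REG_MULTI_SZ with strlen() bytes, i.e. an
	 * unterminated value of the wrong type. */
	rc = RegSetValueEx(hKey, NULL, 0, REG_SZ, (CONST BYTE *)set,
	                   (DWORD)(strlen(set) + 1));
	RegCloseKey(hKey);
	if (rc != ERROR_SUCCESS)
	{
		return FAILURE;
	}

	printf("Success\n");
	return SUCCESS;
}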