QUAD fix for this vbscript virus
Message
From:
05/05/2000 17:38:58
To: All
General information
Forum: Visual FoxPro
Category: Other
Title: QUAD fix for this vbscript virus
Miscellaneous
Thread ID: 00366830
Message ID: 00366830
Views: 54
Hi all,

I spent today cleaning out a client's infestation with this virus, and I just wanted to share a couple of things, especially since .sct files are included, so VFP is vulnerable.

First off, the only reason we got a call is that this customer uses SBT and some custom software we wrote for them, and they couldn't run SBT (because the virus deleted all the .sct files on the system).

I am guessing this is just an unfortunate side effect, since in the code of the virus, in the conditional that affects .sct files, all the other clauses are scripting extensions (e.g. .js OR .js OR .css, etc.), so I am guessing this one is too?

So this stupid virus (and it is kinda clunky, there are several bugs in it, and it is very unsubtle) just whacks all of these files, writes some registry keys, and mails itself out.

A simple QUAD fix (the anti-virus updates won't be available from the company's IT dept until next week) was to make all of the .sct files read only.

The result of this was that the virus made a copy of every .sct on the system, gave it a .vbs extension, but was unable to write itself into the file, so the result was a bunch of .sct memo files with .vbs extensions. The original .sct files were still there too. So the accounting department can still work, even if they get re-infected later. I didn't do this, but it stands to reason that this could be done for all .jpg and any other files in the hit list.

Also, an easy way to check if a machine has the virus is to look for this Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
It will have a value that points to a MSKernel32.vbs in the Windows directory. If it's there, the virus ran on that machine; if not, it didn't.

To be fair, the read-only workaround may be corrected in one of the virus alternates--since you can change a file's attributes from the wscript.fileSystemObject, it would be a simple change to do this first--in fact it does set the attributes for mp3's after changing them.

In short, this will work for now, but may not for long, so I wouldn't rely on it as a permanent solution.

Just thought someone might find this interesting and/or useful.

Later,
Bill
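The three things the post above describes (set the read-only bit on the data files the script deletes, look for the MSKernel32 Run value, and find the .vbs copies the script leaves next to each .sct) as a PowerShell sweep. This is an added example, not code from the post or from any vendor tool; the root paths and the extension list beyond .sct are assumptions, and PowerShell is used in place of the manual steps Bill describes.

```powershell
# Added example (not from the original post). Assumptions: the data lives
# under $Roots, and the extension list beyond .sct is illustrative.
param(
    [string[]]$Roots = @('C:\SBT', 'C:\Apps'),          # assumption
    [string[]]$Extensions = @('.sct', '.jpg', '.jpeg')  # .sct is from the post; the rest assumed
)

# Step 1 from the post: set FILE_ATTRIBUTE_READONLY on every matching file
# so a script that opens the file for writing fails. Returns the count changed.
function Protect-DataFiles {
    param([string[]]$Roots, [string[]]$Extensions)
    $changed = 0
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                if (-not $_.IsReadOnly) {
                    $_.IsReadOnly = $true
                    $changed++
                }
            }
    }
    return $changed
}

# Step 2 from the post: the Run value MSKernel32 pointing at MSKernel32.vbs
# in the Windows directory means the script ran on this machine.
function Test-MSKernel32Infection {
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $prop = Get-ItemProperty -Path $runKey -Name 'MSKernel32' -ErrorAction SilentlyContinue
    $script = Join-Path $env:WINDIR 'MSKernel32.vbs'
    [pscustomobject]@{
        RunValuePresent = ($null -ne $prop)
        RunValue        = if ($prop) { $prop.MSKernel32 } else { $null }
        ScriptOnDisk    = Test-Path -LiteralPath $script
    }
}

# Side effect described in the post: for each X.sct the script tries to write
# X.vbs beside it. With the originals read-only those .vbs files are junk
# copies; list them so they can be deleted.
function Find-SctCopies {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.sct' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $twin = [IO.Path]::ChangeExtension($_.FullName, '.vbs')
                if (Test-Path -LiteralPath $twin) { Get-Item -LiteralPath $twin }
            }
    }
}

$n = Protect-DataFiles -Roots $Roots -Extensions $Extensions
"Set read-only on $n file(s)"
Test-MSKernel32Infection | Format-List
Find-SctCopies -Roots $Roots | Select-Object FullName, Length
```

Run it elevated so the Run key under HKLM is readable and the attribute change succeeds on files owned by other users. As the post itself warns, the read-only bit is only a stopgap: a script using FileSystemObject can clear the attribute before writing, so treat a clean run of Test-MSKernel32Infection plus an empty Find-SctCopies list as triage, not as proof the machine is safe.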