"NAKEDWIFE" - Trojan Worm
(OP)
A NEW MASS-MAILED Trojan worm called "NAKEDWIFE" is circulating and, if executed, can delete files necessary for everyday computer operation.

The Trojan, which was written in VBS (Visual Basic Script), sends out the same mail as an e-mail attachment. The mail has a subject line that reads "FW: Naked Wife." It has a message body that reads "My Wife never look like that :), Best Regards." The attachment is named NakedWife.EXE.

http://www.infoworld.com/articles/hn/xml/01/03/06/010306hnworm.xml?0306alert

DimensionalSolutions@Core.com
While I welcome e-mail messages, please post all thread activity in these forums for the benefit of all members.

RE: "NAKEDWIFE" - Trojan Worm

This is a wonderful little virus that deletes dll files, exe files and com files.

Norton are covering it in their definitions as of today, so I advise everyone to get their virus checkers up to date!!!

RE: "NAKEDWIFE" - Trojan Worm

(OP)
The InfoWorld article indicated that it was written in VBS yet the attachment is an EXE. I assume that they got the extension of the attachment correct since they explicitly refer to the name 'NakedWife.EXE'.

The McAfee site validated the attachment name:
http://vil.mcafee.com/dispVirus.asp?virus_k=99035&

DimensionalSolutions@Core.com
While I welcome e-mail messages, please post all thread activity in these forums for the benefit of all members.

RE: "NAKEDWIFE" - Trojan Worm

We have Antigen on our Exchange Server and do not allow any .exe file attachments - they get turned into a harmless .txt information message at the server.  So we didn't have to be concerned about this one.  Once again I'm very glad we have this set up.  Here's the link if you're interested: www.sybarisoftware.com

Tom Jacobson ...
MS Exchange admin, NT admin, Intranet admin, Virus protection, Frontpage, VB5&6, Access, Crystal Reports

RE: "NAKEDWIFE" - Trojan Worm

Alternatively, I do this. Create a text file *.txt.
Rename the text file to *.vbs then highlight the vbs file and hold the shift key down while right-clicking the file. This will yield an "Open with" option. Select it. This will bring up a window that allows you to choose which program to open it with, choose notepad, making sure to put a check in the checkbox marked always use this program to open this type of file.





Troy Williams B.Eng.
fenris@hotmail.com

RE: "NAKEDWIFE" - Trojan Worm

(OP)
fenris,

That works great until you install software that corrects the registry entry. We did that sometime last year to all of our machines. Although users are not supposed to install software without IT permission, it happened. The registry entry was changed back and a couple of users got hit by the Columbia Plan virus.

If you don't use scripting, there is a much easier way to fix this. Rename WScript.exe to MSWScript.exe and CScript.exe to MSCScript.exe. Then, copy notepad.exe twice to the same directory and rename them WScript.exe and CScript.exe. I wrote a program to do this at every login, just in case someone else decides to install software.

DimensionalSolutions@Core.com
While I welcome e-mail messages, please post all thread activity in these forums for the benefit of all members.

RE: "NAKEDWIFE" - Trojan Worm

That is an interesting approach! It sounds to me like your users don't follow the rules ;)

Wouldn't it be easier to write a program to write the association to the registry at each reboot? Now that I start to think about it, where in the registry is that file association set? I looked around and found a bunch of instances of VBS, but none with any real indication of what program is associated with it. I did notice a couple of subkeys that had a clsid. If one knew what string to write to the registry, it would be quite easy to write a small vb program that ran from the startup folder or the HKLM\software\microsoft\windows\currentversion\run\

That would check the value of the key and make sure that it is not associated with WScript.exe. If the program detected that it had been changed back somehow it could popup a "critical" error and have the user alert the network admin.



Troy Williams B.Eng.
fenris@hotmail.com

RE: "NAKEDWIFE" - Trojan Worm

A little app like that posted for use by TT members would give you a silver star (i.e. nothing real, just a bunch of people grateful to you).

RE: "NAKEDWIFE" - Trojan Worm

(OP)
The association is defined in the key:

HKEY_CLASSES_ROOT\VBSFILE\Shell\Open\Command

I attempted to write a small application that changes the value
from: C:\WINNT\System32\WScript.exe "%1" %*
to: C:\WINNT\System32\Notepad.exe %1

Unfortunately, I was not able to write the new value. I posted this problem several months ago (Thread222-46157) and no one was able to help me solve the problem. I am able to change the key manually, but the program could not write the new value. The code works for other root file definitions, but will not modify the VBS file.

If we could get this to work in a second round of discussion, it would be free to all!

RE: "NAKEDWIFE" - Trojan Worm

Have you tried recruiting Alt255 on this? He's an expert with the registry...

RE: "NAKEDWIFE" - Trojan Worm

I'll write one and post it tonight(have to go to work now  )

- Jeff Marler
  www.JeffMarler.com
  (please note, that the page is under construction)

RE: "NAKEDWIFE" - Trojan Worm

OK, as promised, here is the code that you can use to automatically update the registry by checking the HKEY_CLASSES_ROOT\VBSFILE\Shell\Open\Command key for an instance of C:\WINNT\System32\WScript.exe "%1" %*
and changing it to C:\WINNT\System32\Notepad.exe %1.
The first thing to remember is that, despite all other rumors, THE REGISTRY IS NOT THAT HARD TO WORK WITH . . . but you do need to be careful. The following code was run on WINNT40 - SP6a. The actual code that does the checking and updating uses passed-in values . . . this was done so that the same piece of code could be used over again elsewhere (remember that oft-spoken phrase, "Code Reuse"). When the application wants to check and possibly update the key, it simply passes in the key location, the search string that will trigger a replacement, the string that will replace the data in the key, and a message that will be displayed when a replacement occurs.

AND NOW . . . THE CODE . . .


First off, declare your APIs in the general declaration

Private Const HKEY_CLASSES_ROOT = &H80000000
Private Const HKEY_CURRENT_CONFIG = &H80000005
Private Const HKEY_CURRENT_USER = &H80000001
Private Const HKEY_DYN_DATA = &H80000006
Private Const HKEY_LOCAL_MACHINE = &H80000002
Private Const HKEY_PERFORMANCE_DATA = &H80000004
Private Const HKEY_USERS = &H80000003
Private Const READ_CONTROL = &H20000
Private Const STANDARD_RIGHTS_READ = (READ_CONTROL)
Private Const STANDARD_RIGHTS_WRITE = (READ_CONTROL)
Private Const STANDARD_RIGHTS_ALL = &H1F0000
Private Const SYNCHRONIZE = &H100000
Private Const KEY_CREATE_LINK = &H20
Private Const KEY_CREATE_SUB_KEY = &H4
Private Const KEY_ENUMERATE_SUB_KEYS = &H8
Private Const KEY_EVENT = &H1
Private Const KEY_NOTIFY = &H10
Private Const KEY_QUERY_VALUE = &H1
Private Const KEY_SET_VALUE = &H2
Private Const KEY_WRITE = ((STANDARD_RIGHTS_WRITE Or KEY_SET_VALUE Or KEY_CREATE_SUB_KEY) And (Not SYNCHRONIZE))
Private Const KEY_ALL_ACCESS = ((STANDARD_RIGHTS_ALL Or KEY_QUERY_VALUE Or KEY_SET_VALUE Or KEY_CREATE_SUB_KEY Or KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY Or KEY_CREATE_LINK) And (Not SYNCHRONIZE))
Private Const KEY_READ = ((STANDARD_RIGHTS_READ Or KEY_QUERY_VALUE Or KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY) And (Not SYNCHRONIZE))
Private Const KEY_EXECUTE = ((KEY_READ) And (Not SYNCHRONIZE))

Private Const REG_SZ = 1

Private Const ERROR_SUCCESS = 0&

Private Type SECURITY_ATTRIBUTES
        nLength As Long
        lpSecurityDescriptor As Long
        bInheritHandle As Long
End Type

Private Declare Function RegCreateKeyEx Lib "advapi32.dll" Alias "RegCreateKeyExA" (ByVal lngKeyHandle As Long, ByVal lpSubKey As String, ByVal Reserved As Long, ByVal lpClass As String, ByVal dwOptions As Long, ByVal samDesired As Long, lpSecurityAttributes As SECURITY_ATTRIBUTES, phkResult As Long, lpdwDisposition As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long ' Note that if you declare the lpData parameter as String, you must pass it By Value
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long ' Note that if you declare the lpData parameter as String, you must pass it By Value


This routine simply sets the desired search parameters and calls the registry update code.

Public Sub CheckRegistry()


    Dim strKey As String    
    Dim strTargetString As String
    Dim strReplacementString As String
    Dim strErrorMessage As String

    '** Set the desired search parameters.
    strKey = "VBSFILE\Shell\Open\Command"
    strTargetString = "C:\WINNT\System32\WScript.exe ""%1"" %*"
    strReplacementString = "C:\WINNT\System32\Notepad.exe %1"
    strErrorMessage = "Disassociated VB Script from WScript.exe! VB Script will now open in notepad."

        
    '** Pass in the search parameters to the UpdateRegistry function.
    Call UpdateRegistry(strKey, strTargetString, strReplacementString, strErrorMessage)
    

End Sub

This routine does the actual work of opening the registry, searching for the target value, and - if found - replacing the data. NOTE THAT THIS CODE WILL ONLY WORK WITH REG DATA OF TYPE STRING  . . . although with a very simple modification, that could be changed.

Private Sub UpdateRegistry(strTargetKey As String, strTargetString As String, strReplacementString As String, strErrorMessage As String)

    Dim udtSec As SECURITY_ATTRIBUTES
    Dim lngKeyHandle As Long
    Dim lngDisposition As Long
    Dim lngRetCode As Long
    Dim lngType As Long
    Dim strData As String
    Dim lngBufferLength As Long

    '** First off, open the desired key. RegCreateKeyEx creates the key if it does not
    '** already exist. KEY_ALL_ACCESS on HKEY_CLASSES_ROOT needs rights to write
    '** HKLM\Software\Classes, so the caller must be an administrator.
    udtSec.nLength = Len(udtSec)
    lngRetCode = RegCreateKeyEx(HKEY_CLASSES_ROOT, strTargetKey, 0, "", 0, KEY_ALL_ACCESS, udtSec, lngKeyHandle, lngDisposition)

    '** IF the key was opened, then query the default value.
    If lngRetCode = ERROR_SUCCESS Then

        lngBufferLength = 1024
        strData = Space$(lngBufferLength)
        '** lpType is an output parameter (the type actually stored), so pass a variable, not the constant.
        lngType = REG_SZ
        lngRetCode = RegQueryValueEx(lngKeyHandle, "", 0, lngType, ByVal strData, lngBufferLength)

        If lngRetCode = ERROR_SUCCESS Then

            '** trim off the extra spaces in the buffer. Use lngBufferLength - 1 to account for the null space.
            If lngBufferLength > 1 Then
                strData = Left$(strData, lngBufferLength - 1)
            End If

            '** Check to see if the key matches the target key. If it does, then replace it and raise an error message.
            If UCase$(Trim$(strData)) = UCase$(Trim$(strTargetString)) Then
                '** cbData for REG_SZ data must include the terminating null character.
                lngBufferLength = Len(strReplacementString) + 1
                lngRetCode = RegSetValueEx(lngKeyHandle, "", 0, REG_SZ, ByVal strReplacementString, lngBufferLength)
                MsgBox strErrorMessage, vbOKOnly + vbCritical, "Registry Update Warning!"
                '** HERE, IF YOU WANTED, YOU COULD SIGNAL A LAN ADMIN OF THE CHANGE
            End If

        End If

        '** Close the open handle (only valid if the key was actually opened).
        If RegCloseKey(lngKeyHandle) <> ERROR_SUCCESS Then
            MsgBox "Key not closed."
        End If
    End If

End Sub



Is this what you guys were looking for? Just put an EXE with this in it in the RUN key for your users or in their LOGIN scripts, and you can always be sure that VBS IS NOT associated with the scripting host.
     Also, DSI, what problem were you having when you were trying to update the registry? Were you doing it the same way my code is?
     If anyone has any questions or comments regarding this code, please feel free to let me know and I will do what I can to further explain it.

    Also, I am working on a WebSite that will consist of a series of articles and examples for programming (with commented code examples) . . .anyone have any requests for information regarding advanced topics that they would like to see? Any feed back would be greatly appreciated. Thanks!


- Jeff Marler
  www.JeffMarler.com
  (please note, that the page is under construction)
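For anyone who wants the same check without Visual Basic, here is an added example (my code, not Jeff's and not anything posted earlier in the thread) that ports the check-and-replace idea to Python. The function names is_script_host_command, check_and_fix and make_dict_registry are mine. Registry access is passed in as read/write callables so the logic runs offline against a constructed dictionary; the winreg-backed pair for Windows assumes the HKCR key named in the thread and is not exercised by the offline run.

```python
"""Check whether .vbs files are still handed to the Windows Script Host and,
if so, repoint the association at Notepad.

Added example, not Jeff's VB code or anything else posted in the thread.
Registry access is injected as read/write callables so the logic can run
against a constructed dictionary; a winreg-backed pair for Windows is
included but is an untested assumption here."""
import re
import sys

# Key named in the thread: its default value is the command run for a .vbs file.
VBS_OPEN_COMMAND_KEY = r"VBSFile\Shell\Open\Command"

# Replacement taken from the reg script in the thread; "%1" is quoted so that
# paths containing spaces still open correctly.
NOTEPAD_COMMAND = r'C:\WINNT\System32\Notepad.exe "%1" %*'

# Match the script host by basename, case-insensitively, so a different
# install path, quoting, or a %SystemRoot% variable does not defeat the check.
# The leading group requires a path separator, quote, or whitespace before the
# name, so a renamed MSWScript.exe (the OP's trick) is not flagged.
_SCRIPT_HOST = re.compile(r'(?:^|[\\/"\s])(?:wscript|cscript)\.exe\b', re.IGNORECASE)


def is_script_host_command(command):
    """True when the command string hands the file to WScript.exe or CScript.exe."""
    return bool(_SCRIPT_HOST.search(command or ""))


def check_and_fix(read_value, write_value, key=VBS_OPEN_COMMAND_KEY,
                  replacement=NOTEPAD_COMMAND):
    """Read the key's default value; if it names a script host, replace it.

    read_value(key) returns the string data or None if the key/value is absent;
    write_value(key, data) stores new string data.
    Returns (changed, previous_value) so the caller can warn the user or
    notify an admin, as suggested in the thread."""
    current = read_value(key)
    if current is not None and is_script_host_command(current):
        write_value(key, replacement)
        return True, current
    return False, current


def make_dict_registry(initial):
    """Constructed stand-in for the registry: a dict plus read/write closures."""
    hive = dict(initial)

    def read_value(key):
        return hive.get(key)

    def write_value(key, data):
        hive[key] = data

    return hive, read_value, write_value


if sys.platform == "win32":  # real registry access; assumed, not exercised offline
    import winreg

    def winreg_read(key):
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key) as h:
                data, _ = winreg.QueryValueEx(h, "")
                return data
        except OSError:
            return None

    def winreg_write(key, data):
        # Writing under HKCR resolves to HKLM\Software\Classes and needs admin rights.
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key, 0, winreg.KEY_SET_VALUE) as h:
            winreg.SetValueEx(h, "", 0, winreg.REG_SZ, data)


if __name__ == "__main__":
    # Constructed sample hive in the state the check is looking for.
    hive, rd, wr = make_dict_registry(
        {VBS_OPEN_COMMAND_KEY: r'C:\WINNT\System32\WScript.exe "%1" %*'})
    changed, before = check_and_fix(rd, wr)
    print("changed:", changed)
    print("was:", before)
    print("now:", hive[VBS_OPEN_COMMAND_KEY])
```

Two caveats worth knowing before relying on this. On Windows 2000 and later HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes takes precedence over HKLM\Software\Classes, so a per-user VBSFile entry can shadow the machine-wide fix; checking both hives is the safer habit. And the change only affects what double-clicking a .vbs does (the VBSFile class also has other verbs, and JSFile, VBEFile, JSEFile and WSFFile are the same story); an .exe attachment like the one the article names is untouched, which is the gap that Tom's attachment blocking at the mail server closes.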

RE: "NAKEDWIFE" - Trojan Worm

Good work, Jeff. For those without Visual Basic, this reg script seems to have the same effect:

REGEDIT4

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\WINNT\\System32\\Notepad.exe \"%1\" %*"


For those with Visual basic, the entry can be made in the registry with two lines of code... an API declaration and a call to ShellExecute.

Let's take the VB discussion back to the VB forum.
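As an added example (mine, not Alt255's or anyone else's code from the thread), here is why the path in that reg script appears with doubled backslashes and \" around %1: inside a quoted REGEDIT4 string value, a backslash is written as \\ and a double quote as \". The snippet below builds that exact line from the plain command and parses it back. The function names are mine; parse_reg_script handles string values only and skips dword:/hex: data.

```python
"""Write and read back a REGEDIT4 (.reg) fragment for the VBSFile open command.

Added example, not from the thread. It makes the .reg escaping rule
explicit: inside a quoted value, backslash becomes \\ and double quote
becomes \". String values only; dword:/hex: data is skipped."""
import re

VBS_OPEN_COMMAND_KEY = r"HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command"
NOTEPAD_COMMAND = r'C:\WINNT\System32\Notepad.exe "%1" %*'


def reg_escape(s):
    """Escape a string for use inside "..." in a .reg file."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_unescape(s):
    """Undo reg_escape; a backslash protects the character that follows it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def build_reg_script(key, default_value):
    """Return REGEDIT4 text that sets the default (@) value of key to default_value."""
    return 'REGEDIT4\n\n[%s]\n@="%s"\n' % (key, reg_escape(default_value))


# A value line: either @=... for the default value or "name"=... for a named one.
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_script(text):
    """Parse REGEDIT4 text into {key: {value_name: data}} for string values.

    The default value is stored under the name "@". Blank lines, ; comments,
    the header line and non-string data are ignored."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else reg_unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            result[current][name] = reg_unescape(data[1:-1])
    return result


if __name__ == "__main__":
    script = build_reg_script(VBS_OPEN_COMMAND_KEY, NOTEPAD_COMMAND)
    print(script)
    print(parse_reg_script(script))
```

Running it prints the same @= line that appears in the reg script above, and parsing that text returns the unescaped command, which is a handy way to check a .reg file before importing it on a machine.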

RE: "NAKEDWIFE" - Trojan Worm

One quick note Alt255 and then I promise  . . . no more non-virus stuff in here . . . yes you are absolutely correct . . . your 2 lines of code would update the registry perfectly, but Fenris also mentioned that the application should pop up a warning message and then possibly notify the network admin which is why I did it in VB code rather than just merging an exported key . . .
    OK as I promised . . . no more code in here.

- Jeff Marler
  www.JeffMarler.com
  (please note, that the page is under construction)

RE: "NAKEDWIFE" - Trojan Worm

Apologies, I asked for the code here as I don't want to join the VB forum just for the code to do this.

Even better would be a hyperlink to a downloadable .exe that works under 95,98 and NT...

Nice piece of code Jeff!
