From: Luke Kenneth Casson Leighton [lkcl@SAMBA.ORG]
Sent: Friday, May 19, 2000 3:01 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: ILY version 2.0 .. (fwd)
explanation. after two years of research, there is now an MSDN-compatible
API available for unix. during the development of this API, testing tools
were needed [rpcclient]. from this test tool have resulted tools such as
regedit and samedit. these are unix command-line tools that allow the
manipulation [98% complete functionality] of remote nt registry and remote
nt sam databases.
given that these tools are now available, and given that there is
significant damage being done to nt systems that cannot be cleaned up, in a
simple [scripted] automated fashion, using nt tools, this message describes
the work done by peter samuelson to help clean up large scale nt networks
from a unix command prompt.
to obtain samba source code in order to compile rpcclient or regedit on a
unix box, please follow these instructions:
http://samba.org/cvs.html - use a tag of SAMBA_CVS
cd samba/source
./configure
make bin/rpcclient
[or make bin/regedit]
you will now have a binary with which the script below, and others, can
be used on unix boxes to clear up the damage done on potentially
thousands of nt client systems.
attached are some links to samba-ntdom archives where the ILYv1 cleanup
scripts can be found, plus an example of how to use regedit or
rpcclient to fix internet destroyer "zones".
as usual, any damage you decide to do using regedit and any variants is
your own problem: it's just a matter of deciding whether leaving the virus
amok outweighs any risks.
good luck,
luke
p.s. thanks to peter samuelson very much for providing valuable example
usages of rpcclient / regedit.
p.p.s. rpcclient has a "shutdown" command. if a virus is causing so much
damage that you need to get EVERYBODY's nt machine shut down immediately,
issue an rpcclient ... -c 'shutdown -m "network under attack message" -t
100 --force-close; quit' command in the for-loop below; this will shut
down everyone's nt machines in 100 seconds.
Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
ISBN 1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
---------- Forwarded message ----------
Date: Sat, 20 May 2000 01:02:49 +1000
From: Peter Samuelson
To: Multiple recipients of list SAMBA-NTDOM
Subject: ILY version 2.0 ..
Ho hum, another VBScript virus makes the rounds.
I just now looped through the output of a `smbclient -L PDC' with
something very like
# /tmp/ntboxes holds one NT host name per line, taken from `smbclient -L PDC'
for m in `cat /tmp/ntboxes`; do
    rpcclient -S "$m" -U admin%pass -W mydomain -c \
        'regdeletekey "hkey_classes_root\.VBS"; quit'
done > /tmp/nomoreVBS.log 2>&1
Does that sound too drastic? Any better ideas? I am *really* getting
tired of this stuff.
*sigh*
Peter
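Peter's loop above, turned into a small POSIX sh script as an added example; this is not code from the original thread, from Peter, or from the Samba project. It assumes the rpcclient -S/-U/-W/-c options and the regdeletekey command exactly as Peter's loop uses them, the "Server ... Comment" table layout that `smbclient -L' prints (whose names it extracts instead of a hand-made /tmp/ntboxes), and the DRY_RUN, RUN_CLEANUP, ADMIN_USER, ADMIN_PASS and DOMAIN variables, which are this example's own. The additions over the one-liner are a dry-run mode, so the exact commands can be reviewed before touching a thousand registries, and a per-host OK/FAIL log, so hosts that were off or refused the admin login are not lost in raw rpcclient output.

```shell
#!/bin/sh
# Added example (not from the original thread or from Samba): Peter's loop as a
# script with host discovery, per-host status logging and a dry-run switch.
# Assumed, not taken from the post: the DRY_RUN, RUN_CLEANUP, ADMIN_USER,
# ADMIN_PASS and DOMAIN variables, and the "Server"/"Comment" table layout of
# `smbclient -L` output.

# Read `smbclient -L <PDC>` output on stdin and print the NetBIOS names from
# its "Server ... Comment" table, one per line. The table ends at a blank line.
extract_servers() {
    in_tbl=0
    set -f                        # no globbing while word-splitting lines
    while IFS= read -r line; do
        set -- $line              # $1 is the first column, $# the word count
        if [ "$in_tbl" -eq 0 ]; then
            [ "${1:-}" = Server ] && [ "${2:-}" = Comment ] && in_tbl=1
            continue
        fi
        [ $# -eq 0 ] && { in_tbl=0; continue; }   # blank line ends the table
        case "$1" in ---*) continue ;; esac       # the underline row
        echo "$1"
    done
    set +f
}

# Run one rpcclient command string against every host read from stdin, one
# host per line, and log OK/FAIL per host (the original loop only kept raw
# rpcclient output). With DRY_RUN=1 the command is printed instead of run,
# and the password is never printed.
run_on_hosts() {
    rpc_cmd=$1
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        if [ "${DRY_RUN:-0}" -eq 1 ]; then
            printf 'DRY-RUN %s: rpcclient -S %s -U %s -W %s -c %s\n' \
                "$host" "$host" "$ADMIN_USER" "$DOMAIN" "$rpc_cmd"
            continue
        fi
        if rpcclient -S "$host" -U "$ADMIN_USER%$ADMIN_PASS" -W "$DOMAIN" -c "$rpc_cmd"; then
            printf 'OK   %s\n' "$host"
        else
            printf 'FAIL %s (rpcclient exit %s)\n' "$host" "$?"
        fi
    done
}

# Usage (runs only when the caller sets RUN_CLEANUP=1), e.g.:
#   ADMIN_USER=admin ADMIN_PASS=pass DOMAIN=mydomain RUN_CLEANUP=1 sh ily-cleanup.sh
# Set DRY_RUN=1 as well to see the per-host commands without executing them.
if [ "${RUN_CLEANUP:-0}" -eq 1 ]; then
    smbclient -L PDC -U "$ADMIN_USER%$ADMIN_PASS" | extract_servers |
        run_on_hosts 'regdeletekey "hkey_classes_root\.VBS"; quit' \
        > /tmp/nomoreVBS.log 2>&1
fi
```

The same pipeline runs any other rpcclient command string, including the shutdown command Luke mentions above: pass that string to run_on_hosts instead of the regdeletekey one, and run it once with DRY_RUN=1 first, since a typo there reaches every host on the list.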