Friday, April 06, 2007

View Certificates

I have written a small tool, ShowCert (88KB), to view certificate content without importing it into the personal certificate store. Get it here.


Currently it supports

X.509 files (*.cer;*.crt)

PKCS #7 files (*.p7b)

ASN raw certificate files (*.bin)

and password-protected PFX files (*.pfx;*.p12)

(Update Oct07)
File open dialog box and
Base64 encoded pfx/cer files (*.txt) support

e.g. save the following text in a .txt file and open it with ShowCert.


posted by GNUlihd @ 4:41 AM 0 comments

Monday, April 02, 2007

Hacked By GNUlihd???

One day I was analyzing the code of a simple worm, “VBS/Solow-A”, for educational purposes. I had explained to my friends how it was exploiting the VB script host to spread itself from removable drives. I was surprised to be informed that the same thing had been modified to include my email address. I noticed that only when my brother’s friend informed me about it.


I told them not to worry, as it simply modifies some common registry keys and nothing more. I am not so stupid as to put my email address that way anyway. Who wants to help spammers ;-)

What it does:

1) Copies itself (MFC32DLL.dll.vbs) to the Windows directory and to the root path of all drives.

2) Modifies the registry value “Window Title” at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ with the value “Hacked by GNUl..@...”

3) Adds the registry entry “MS32DLL” at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ with the value “\MFC32DLL.dll.vbs”, which is an autorun entry that executes the script each time Windows starts.

Here is how to remove it. If you find the following instructions difficult to understand, you can read this one (http://www.icimod.org.np/icimodwiki/images/8/87/Mfc32dll.pdf). Thanks, Anjesh. I gave a thought to writing a removal tool, but the instructions are more educational.

1) Open Task Manager and end the process “wscript.exe”. “wscript.exe” is the Microsoft VB script host application, which is running the script in the background. Mark’s Process Explorer is the best replacement for the simple Task Manager.

2) Delete the “autorun.inf” and “MFC32DLL.dll.vbs” files from the following directories. (You may need to check “Show hidden files and folders” and uncheck “Hide protected operating system files” at Folder Options->View, which you can restore after removal.)

a. The root paths of all drives, i.e. C:\autorun.inf; C:\MFC32DLL.dll.vbs; D:\autorun.inf; D:\MFC32DLL.dll.vbs etc.

b. Only “MFC32DLL.dll.vbs” from the Windows directory, e.g. C:\Windows

3) Delete the registry value “MS32DLL” from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. (For those who don’t know: type “regedit.exe” at Run and navigate to the path HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run to find the entry “MS32DLL” for deletion. There might be other entries too, which are the autorun entries for each Windows start.)

4) This one is interesting if you don’t already know it. Navigate in regedit.exe to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and find the “Window Title” value in the other pane. Double-click to edit its value to anything you like (“My IE” to “IE Sucks”). Re-open Internet Explorer and enjoy. (Nothing to do for Firefox fans like me)
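The four removal steps above as a PowerShell audit script, added here as an example and not the post author's code or a removal tool of his: it reports the listed artifacts and deletes them only when run with -Remove from an elevated prompt. Matching wscript.exe by command line and autorun.inf by content are assumptions that narrow the post's broader instructions, and the "Hacked by*" pattern is taken from the value quoted in the post.

```powershell
param([switch]$Remove)

$vbs    = 'MFC32DLL.dll.vbs'
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ieKey  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$found  = @()

# Step 1: wscript.exe instances hosting the script (command-line match is an
# assumption; the post ends every wscript.exe process).
$procs = Get-CimInstance Win32_Process -Filter "Name='wscript.exe'" |
    Where-Object { $_.CommandLine -like "*$vbs*" }
foreach ($p in $procs) {
    $found += "process  PID $($p.ProcessId): $($p.CommandLine)"
    if ($Remove) { Stop-Process -Id $p.ProcessId -Force }
}

# Step 2: dropped copies in every drive root and in the Windows directory.
$roots = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
$paths = @($roots | ForEach-Object { Join-Path $_ $vbs; Join-Path $_ 'autorun.inf' })
$paths += Join-Path $env:windir $vbs
foreach ($f in $paths) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    # Leave an autorun.inf alone unless it names the script (assumption).
    if ($f -like '*autorun.inf' -and
        -not (Select-String -LiteralPath $f -Pattern $vbs -SimpleMatch -Quiet)) { continue }
    $found += "file     $f"
    if ($Remove) { Remove-Item -LiteralPath $f -Force }
}

# Step 3: the Run value that restarts the script each time Windows starts.
$run = Get-ItemProperty -Path $runKey -Name 'MS32DLL' -ErrorAction SilentlyContinue
if ($run) {
    $found += "registry $runKey\MS32DLL = $($run.MS32DLL)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'MS32DLL' }
}

# Step 4: the defaced Internet Explorer window title.
$ie = Get-ItemProperty -Path $ieKey -Name 'Window Title' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Window Title' -like 'Hacked by*') {
    $found += "registry $ieKey\Window Title = $($ie.'Window Title')"
    # Deleting the value restores the default title; the post edits it instead.
    if ($Remove) { Remove-ItemProperty -Path $ieKey -Name 'Window Title' }
}

if ($found) { $found } else { 'No listed artifacts found.' }
```

Run it once without -Remove and review the report before cleaning, since other legitimate Run entries and autorun.inf files are left untouched by design.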

posted by GNUlihd @ 4:28 AM 3 comments