Search Multi-String Regkey W32.SillyFDC.BDP

(imported topic written by SystemAdmin)

We are interested in searching for the existence of the value srv<THREE RANDOM CHARACTERS> in a multi-string regkey (to identify endpoints that may be infected with W32.SillyFDC.BDP). We would accept a Boolean return, but if the actual value could be returned in our analysis, so much the better. For example, if a value of “srv4CS” existed, we would want it to return “True” or “srv4CS”, whichever is easier.

We have the following relevance so far, which lists the values neatly.

substrings separated by "%00" whose (it != "") of (value "netsvcs" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" of registry as string)

Any ideas would be very appreciated!

(imported comment written by SystemAdmin)

We came up with the following which seems to work.

(if exist (substrings separated by "%00" of (value "netsvcs" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" of registry as string)) whose (it starts with "srv") then (substrings separated by "%00" of (value "netsvcs" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" of registry as string)) whose (it starts with "srv") else "False")
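The same check expressed in Python, as an added example that is not part of the thread above: it splits a REG_MULTI_SZ netsvcs value (read as one null-separated string, the way the relevance's "as string" returns it) into entries, drops the empty ones, and returns the entries that look like srv plus three characters, or "False" when there are none. The sample netsvcs values are constructed for illustration, not captured from a host.

```python
import re
from typing import List

# The entry the thread describes: "srv" followed by exactly three characters,
# e.g. "srv4CS". The thread's relevance uses "starts with srv", which is looser;
# this pattern enforces the three-character constraint from the question.
SUSPECT_ENTRY = re.compile(r"^srv.{3}$")


def split_multi_sz(raw: str) -> List[str]:
    """Split a REG_MULTI_SZ value read as one string into its entries.

    Entries are null-separated and the value ends with a double null; empty
    entries are dropped, mirroring the thread's `whose (it != "")`.
    """
    return [entry for entry in raw.split("\x00") if entry != ""]


def suspect_netsvcs_entries(raw: str) -> List[str]:
    """Return the netsvcs entries matching the srv<three chars> pattern."""
    return [entry for entry in split_multi_sz(raw) if SUSPECT_ENTRY.match(entry)]


def check_netsvcs(raw: str) -> str:
    """Mirror the thread's result: the matching value(s), or "False"."""
    hits = suspect_netsvcs_entries(raw)
    return ", ".join(hits) if hits else "False"


# Constructed sample values (hypothetical, not captured from a real endpoint).
CLEAN_NETSVCS = "AppMgmt\x00wuauserv\x00BITS\x00\x00"
INFECTED_NETSVCS = "AppMgmt\x00wuauserv\x00srv4CS\x00BITS\x00\x00"

if __name__ == "__main__":
    print(check_netsvcs(CLEAN_NETSVCS))     # False
    print(check_netsvcs(INFECTED_NETSVCS))  # srv4CS
```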