nachi/welchi plugin

Anderson, Harry F HFANDERS at opm.gov
Wed Sep 3 11:42:40 EDT 2003


   I have written a simple script to flag systems that have 
the nachi/welchi worm.  But when run against a known infected 
system with the registry keys it doesn't flag anything.  

   The worm installs two services, so I am checking for one of 
Service registry entries.  
The plug-in runs.  I have the correct smb username/password in 
I even get the warning about connecting to a remote registry 
to prove it. I have enable dependencies turned on. 

    Any ideas? I know I am prob. missing something simple. 
The business part of the script is below.  

script_dependencies("netbios_name_get.nasl",
                    "smb_login.nasl",
                    "smb_registry_access.nasl");

script_require_keys("SMB/name",
                    "SMB/login",
                    "SMB/password",
                    "SMB/registry_access");
script_require_ports(139, 445);
exit(0);
}

include("smb_nt.inc");

# Read one value from the RpcTftpd service key over the remote registry.
key = "SYSTEM\CurrentControlSet\Services\RpcTftpd";
item = "Network Connections Sharing";
a = registry_get_sz(key:key, item:item);
# Report on port 135 if the returned string contains this path.
if("%System%\wins\svchost.exe" >< a) security_hole(135);

- Harry Anderson

