This code is not malicious or anything - just poorly documented (by my definition). Whatever character set those strings are in is completely unreadable to my ISO-8859-1 fonts. That said, it looks like a sort of "reset" for the author's Internet Explorer setup along with a few other unrelated things that were just included but aren't actually bad per se... You can break your Internet Explorer using this though.
- perl.exe reie.pl -help: This is obvious - prints unintelligible help.
- perl.exe reie.pl -unlock / -lock: This enables or disables the RegEdit.exe program from altering the registry. It shouldn't prevent this program from running. 'Lock' stops RegEdit from running, 'Unlock' allows it to go again.
- perl.exe reie.pl: This is the program's main mode of operation. I'll just provide a list of its actions:
Delete all files matching these extensions per each directory listed: .html, .hta, .htt, .htw, .htx, .url, .vbs
- your desktop
- your start menu
- your programs directory in your start menu
- your startup directory in your start menu
- your quick launch directory
- Now repeat but for the All Users account
Recursively delete some entries from your registry. I gather this is an attempt to somewhat protect against malicious scripts which might use these components. Or something.
- Windows Scripting Host Shell
- Scripting Filesystem object
- Internet Explorer
- something else I don't know
# Delete these registry entries but don't attempt recursion
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
- HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Internet Explorer\\Main\Window Title
- HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WinLogon\LegalNoticeCaption
- HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WinLogon\LegalNoticeText
- HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Ratings\Key
Now rename some common desktop elements:
- recycle bin
- control panel
- scheduled tasks
- printers
- Network and dialup connections
- Web Folders
And now set some other default settings (starting with this bit: HKEY_CURRENT_USER, "Control Panel\\International", "sTimeFormat", "H:mm:ss"). This is mostly harmless and just alters the search and home pages and such.
Lastly . . . sigh....
# Attempt to match each of these regexes against HKCU\Software\Microsoft\Windows\CurrentVersion\Run's entries
# and if one matches, remove it. Repeat for HKLM as well.
my @matchword = (
    'IEXPLORE\.EXE',
    '\.html?$',
    '\.ht[atwx]$',
    '\.url$',
    '^http:\/\/',
    '^www\.',
    '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}',
    '\.com$',
    '\.net$',
    '\.org$',
    '\.cn$',
    '\.biz$',
    '\.info$',
);
Update: I have no earthly idea why, but I originally emphasized that first 'is'. I just made it plain.
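To see what the last step of the script would actually catch, here is an added example (not part of the post above and not code from reie.pl) that runs the same @matchword regexes over a constructed list of Run-key entries and only reports what would be removed, without touching the registry. The sample entries, the assumption that matching is done case-insensitively, and the assumption that both the value name and the value data are tested are all mine; the post does not say how the original script applies the patterns. Note how a plain DOS-style `.com` executable path is flagged by `\.com$` just as a web address would be, which shows how broad these patterns are.

```perl
#!/usr/bin/perl
# Added example: audit-only re-implementation of the post's Run-key filter.
# Nothing here reads or writes the Windows registry; the entries are made up.
use strict;
use warnings;

# The regex list exactly as quoted in the post.
my @matchword = (
    'IEXPLORE\.EXE',
    '\.html?$',
    '\.ht[atwx]$',
    '\.url$',
    '^http:\/\/',
    '^www\.',
    '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}',
    '\.com$',
    '\.net$',
    '\.org$',
    '\.cn$',
    '\.biz$',
    '\.info$',
);

# Constructed sample of value name => value data pairs, shaped like an export
# of HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Not from a real machine.
my %run_entries = (
    'ctfmon'    => 'C:\\WINDOWS\\system32\\ctfmon.exe',
    'HomePage'  => 'C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.example.com/',
    'startpage' => 'www.example.net',
    'Legacy'    => 'C:\\Tools\\legacy.com',
    'Updater'   => 'C:\\WINDOWS\\updater.hta',
);

# Return every pattern that matches either the value name or the value data.
# Case-insensitive matching is an assumption made for this example.
sub matching_patterns {
    my ($name, $data) = @_;
    my @hits;
    for my $re (@matchword) {
        push @hits, $re if $name =~ /$re/i || $data =~ /$re/i;
    }
    return @hits;
}

# Classify every entry; returns a hashref of name => [matched patterns]
# containing only the entries the script would delete.
sub classify {
    my ($entries) = @_;
    my %flagged;
    for my $name (sort keys %$entries) {
        my @hits = matching_patterns($name, $entries->{$name});
        $flagged{$name} = \@hits if @hits;
    }
    return \%flagged;
}

my $flagged = classify(\%run_entries);
for my $name (sort keys %run_entries) {
    if (my $hits = $flagged->{$name}) {
        printf "%-10s WOULD BE REMOVED (matched: %s)\n", $name, join(', ', @$hits);
    } else {
        printf "%-10s kept\n", $name;
    }
}
```

With the sample above, `ctfmon` is kept, `HomePage` is flagged by `IEXPLORE\.EXE`, `startpage` by both `^www\.` and `\.net$`, `Legacy` by `\.com$`, and `Updater` by `\.ht[atwx]$`. Running the list in report-only mode like this, before letting anything delete registry values, is the sensible way to find out which legitimate entries a pattern set of this breadth would take with it.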