Killbit anyone?

Okay so we’re going to reuse this blog post:

And we’re then going to add this blog post:

And let’s see what we come up with shall we?

Remember our killbits we want to substitute in that blog post per CERT are


And we first begin by downloading the script

And stealing the steps from the blog post….

  1. Copy the script above (everything between the begin and end tags) and paste it into a new text document. Save the document as “SlayOCX.vbs”. Alternatively, just download and expand the file attached to this post.

  2. Copy the SlayOCX.vbs file to \\<your domain>\sysvol\<your domain>\scripts, where you replace “<your domain>” with the full DNS name of your domain.

  3. Open the GPMC (if you do not have the Group Policy Management Console, you need to get it. Strictly speaking you can manage GPOs without it, but you really don’t want to)

  4. Right-click the domain or OU where you want to link the GPO – you may as well do it at the domain level – and select “Create and Link a GPO Here…” Name your new GPO “name of GPO”

  5. Right-click the GPO “name of GPO” and select “Edit…”

  6. Expand “Computer Configuration:Windows Settings” and click on “Scripts (Startup/Shutdown)”.

  7. Double-click “Startup” in the right-hand pane
  8. Click “Add…”
  9. Browse to \\<your domain>\sysvol\<your domain>\scripts and select “SlayOCX.vbs”. Click “Open”
  10. In the “Script Parameters:” box type “-k 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B -l” without the quotes. Click “OK.”
  11. Repeat steps 8-10, but this time, type “-k 4063BE15-3B08-470D-A0D5-B37161CFFD69 -l” in the parameters box.
  12. Click “OK” again.

  13. Close the GPO editor and go back to the GPMC

  14. In the “Security Filtering” pane remove “Authenticated Users” and click Add…

  15. In the text box called “Enter the object name…” type “Domain Computers” or some other relevant group that you want to apply the policy to. Click OK.

The script should be run as a startup script, not as a logon script. Unregistering an ActiveX control is an administrative action, and as users should not be administrators, the script will not work properly as a logon script. Needless to say, this also means you have to restart the computer for the script to take effect if you run it from a GPO.


Okay let’s see if this works…

I unzipped the zip file and named it SlayOCX.vbs

I copied the file to \\nameofserver\sysvol\domainname\scripts

I opened the GPMC, and at the domain level I right mouse clicked and clicked on “Create and Link a GPO Here”

I named it EnableKillbitQT1 so I’d know it’s the first QuickTime Killbit

I then clicked on Edit, and drilled to “Computer configuration:  Windows Settings” and then on “Scripts” (Startup/Shutdown)

I clicked add

I browsed to the \scripts folder and added the SlayOCX.vbs

In the script parameters box I typed in  -k 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B -l

I changed the authenticated users to domain computers. You’ll need to click on the objects and add computers in order to get domain computers in the list

I did it all over again, this time typing in -k 4063BE15-3B08-470D-A0D5-B37161CFFD69 -l in the script parameters box

While I’m in the neighborhood.. let’s build two more group policy settings to reregister the ActiveX once Apple gets their act together for a patch.

-r 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B -l

-r 4063BE15-3B08-470D-A0D5-B37161CFFD69 -l

This time putting “r”s in front of the Script parameters.

Ensure that the group policy’s “Link enabled” is not checked so that they don’t kick in. (You’ll enable and disable the other ones when you need to put them back.)

Type in gpupdate /force to kick in the policy… and now let me reboot and see if it worked (if you don’t hear back from me in a few minutes I probably just blew up the network)

P.S.  survived…. and the Apple Leopard demo small movie won’t run now so I guess it’s working as expected 😉
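
A more direct check than playing a movie, as an added example that is not part of the original post or of SlayOCX.vbs: this PowerShell script reads the registry on a client after the reboot and reports whether the kill bit is present for the two CLSIDs used above. It assumes the script sets the standard Internet Explorer kill bit (the 0x400 bit of the “Compatibility Flags” DWORD under “ActiveX Compatibility\{CLSID}”); the function and variable names are made up for this example.

```powershell
# Added example (not part of SlayOCX.vbs): report kill bit state for the
# two QuickTime CLSIDs used in the script parameters above.
# Assumption: the kill bit is the standard IE "Compatibility Flags" DWORD
# with 0x400 set under "ActiveX Compatibility\{CLSID}".
$Clsids = '02BF25D5-8C17-4B23-BC80-D3488ABDDC6B',
          '4063BE15-3B08-470D-A0D5-B37161CFFD69'
$KillBit = 0x400
# Native view plus the 32-bit view on 64-bit Windows (IE can run as either).
$Roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitState {
    param([string]$Root, [string]$Clsid)
    $key = $Root + '\{' + $Clsid + '}'
    if (-not (Test-Path -LiteralPath $key)) { return 'NoKey' }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $flags = $props.'Compatibility Flags'
    if ($null -eq $flags) { return 'NoFlagsValue' }
    # Other compatibility bits may be set too, so test only the kill bit.
    if (($flags -band $KillBit) -eq $KillBit) { return 'KillBitSet' }
    return 'KillBitClear'
}

$results = foreach ($root in $Roots) {
    # Skip the Wow6432Node view on 32-bit systems where it does not exist.
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($clsid in $Clsids) {
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            View     = $(if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' })
            Clsid    = $clsid
            State    = Get-KillBitState -Root $root -Clsid $clsid
        }
    }
}

$results | Format-Table Computer, View, Clsid, State -AutoSize

# Non-zero exit code if any checked view is missing the kill bit, so the
# script can be used from an inventory or compliance job.
$missing = @($results | Where-Object { $_.State -ne 'KillBitSet' })
if (-not $results -or $missing.Count -gt 0) { exit 1 }
```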
