OT: [AccessD] Oops, wrote my own virus! <Grin>

Jim Lawrence (AccessD) accessd at shaw.ca
Fri Aug 29 14:11:28 CDT 2003


No Archive:

Hi Drew:

Those users are such ingenious fools. I just wrote a bat file that turned
off the read-only attribute then deleted the msblast.exe from the system32
directory, deleted the run entry from the registry and then ran the MS
patch... The process was spawned by an entry added to the autoexec.bat,
initiated through some other application (a senior tech, who manages
government-wide services) used the province-wide SMS service. The same
service that allowed the distribution in the first place. Getting the patch
to run was a problem but the removal only took a few lines of batch
programming.

Do you know what process MS uses to update itself through the reboot?
Where/how does it look for any upgrade processes to run?

TIA
Jim


-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com]On Behalf Of Drew Wutka
Sent: Friday, August 29, 2003 10:21 AM
To: 'AccessD '
Subject: [AccessD] Oops, wrote my own virus! <Grin>


We were hit by the MSBlast Virus on Monday.  It was a nightmare.  We had
been receiving emails for weeks containing that virus, and our email scanner
was working like a charm.  However, someone brought in an infected laptop,
and we didn't know our client scanner (Office Scan) hadn't been updating
clients, so it ripped through our network, using the RPC port, like
wildfire.  In fact, both my co-worker and I set up a new machine (one each), and
as soon as the OS was loaded, they were immediately infected.  Lots of fun.

Anyhow, after getting it mostly under control, OfficeScan was continuously
kicking out virus warnings, because the infected file was still there, since
it couldn't be removed unless the cleaner was run in safe mode.

So being an enterprising programmer, I wrote a VB program that edited the
boot.ini file, so that the machine automatically booted into safe mode with
network.  I then wrote two batch files.  One that caused every Win2k machine
to boot into safe mode, and one that caused all of those machines to run the
virus scanner, then reboot into normal mode.  I goofed though.  I ran the
first process, ran fine.  Ran the second process......and the machines still
booted into safe mode.  I had made a slight change in the VB program, which
caused the 'set back to normal' routine to not work right.  So I fixed the
.exe and sent it back out to all of the W2k machines.  Ran the cleaning
process again, and voila, they were all cleaned, and booted back into
normal mode.  (Did this on about 100 machines...saved a LOT of time).

Unfortunately, some of the machines were laptops, and they had gone into
standby after the first clean run, so they never got the new .exe, and thus,
they were forever stuck in safe mode.  I left work that night at about 4 in
the morning, so I didn't get back in until about 2 in the afternoon.  My
boss was the only one in, and he was completely clueless since he had
several laptop users complaining that they were stuck in safe mode.

So, I wrote my own virus, one that boots a machine in safe mode, and prevents
them from booting into normal mode (cause they ALL tried, VERY HARD, mind
you.....<evilgrin>).

Oh well, it's not my fault my co-worker and I weren't there, and that our
boss doesn't know how NT works! <grin>

Drew
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
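As an added illustration of the boot.ini round trip Drew describes (this is not his VB program nor anything from the list), the two functions below add and remove the /safeboot:network switch on the default entry and re-check the file afterwards, which is the verification step whose absence left the laptops stuck in safe mode. The sample boot.ini is constructed, and apply_to_file and its path are assumptions.

```python
import re

SAFEBOOT_SWITCH = "/safeboot:network"

# Constructed sample modelled on a default Windows 2000 boot.ini (not a real file).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Microsoft Windows 2000 Professional" /fastdetect
"""

# An [operating systems] entry: ARC path = "description" [switches...]
ENTRY_RE = re.compile(r'^(?P<arc>[^=]+)=(?P<desc>"[^"]*")(?P<sw>.*)$')


def _rewrite_entry(line: str, enabled: bool) -> str:
    """Strip any existing /safeboot switch from one entry, then add ours if wanted."""
    m = ENTRY_RE.match(line)
    if not m:
        return line
    switches = [s for s in m.group("sw").split() if not s.lower().startswith("/safeboot")]
    if enabled:
        switches.append(SAFEBOOT_SWITCH)
    return " ".join([f'{m.group("arc")}={m.group("desc")}'] + switches)


def set_safe_mode(text: str, enabled: bool) -> str:
    """Return boot.ini text with safe mode (networking) forced on or off for the
    entry named by the [boot loader] default= line. Idempotent either way."""
    lines, default, in_os = text.splitlines(), None, False
    for i, raw in enumerate(lines):
        s = raw.strip()
        if s.lower().startswith("default="):
            default = s.split("=", 1)[1].strip().lower()
        elif s.startswith("["):
            in_os = s.lower() == "[operating systems]"
        elif in_os and default and s.lower().startswith(default + "="):
            lines[i] = _rewrite_entry(s, enabled)
    return "\n".join(lines) + "\n"


def is_safe_mode(text: str) -> bool:
    """True if the default entry currently carries a /safeboot switch."""
    return "/safeboot" in set_safe_mode(text, True) and set_safe_mode(text, False) != text


def apply_to_file(path: str, enabled: bool) -> None:
    """Rewrite boot.ini in place and verify the result before trusting it (hypothetical helper)."""
    with open(path, encoding="ascii") as f:
        new_text = set_safe_mode(f.read(), enabled)
    with open(path, "w", encoding="ascii") as f:
        f.write(new_text)
    with open(path, encoding="ascii") as f:
        if is_safe_mode(f.read()) != enabled:  # the check Drew's second pass lacked
            raise RuntimeError(f"{path}: safe mode state not applied")
```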


