[AccessD] Oops, wrote my own virus! <Grin>

Drew Wutka DWUTKA at marlow.com
Sat Aug 30 01:01:10 CDT 2003


That patch has some command line arguments that let it install without a
GUI.  Thus, just put a line in the Autoexec, or login script, to run the
patch in silent mode.  The only catch is that the patch requires SP2 or
greater for Windows.

Drew

-----Original Message-----
From: Jim Lawrence (AccessD)
To: Access Developers discussion and problem solving
Sent: 8/29/03 2:11 PM
Subject: OT: [AccessD] Oops, wrote my own virus! <Grin>

No Archive:

Hi Drew:

Those users are such ingenious fools. I just wrote a bat file that turned
off the read-only attribute, then deleted the msblast.exe from the system32
directory, deleted the run entry from the registry and then ran the MS
patch... The process was spawned by an entry added to the autoexec.bat,
initiated through some other application (a senior tech, who manages
government-wide services, used the province-wide SMS service). The same
service that allowed the distribution in the first place. Getting the patch
to run was a problem but the removal only took a few lines of batch
programming.

Do you know what process MS uses to update itself through the reboot?
Where/how does it look for any upgrade processes to run?

TIA
Jim


-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com]On Behalf Of Drew Wutka
Sent: Friday, August 29, 2003 10:21 AM
To: 'AccessD '
Subject: [AccessD] Oops, wrote my own virus! <Grin>


We were hit by the MSBlast Virus on Monday.  It was a nightmare.  We had
been receiving emails for weeks containing that virus, and our email scanner
was working like a charm.  However, someone brought in an infected laptop,
and we didn't know our client scanner (Office Scan) hadn't been updating
clients, so it ripped through our network, using the RPC port, like wild
fire.  In fact, both my co-worker and I set up a new machine (one each), and
as soon as the OS was loaded, they were immediately infected.  Lots of fun.

Anyhow, after getting it mostly under control, OfficeScan was continuously
kicking out virus warnings, because the infected file was still there, since
it couldn't be removed unless the cleaner was run in safe mode.

So being an enterprising programmer, I wrote a VB program that edited the
boot.ini file, so that the machine automatically booted into safe mode with
network.  I then wrote two batch files.  One that caused every Win2k machine
to boot into safe mode, and one that caused all of those machines to run the
virus scanner, then reboot into normal mode.  I goofed though.  I ran the
first process, ran fine.  Ran the second process......and the machines still
booted into safe mode.  I had made a slight change in the VB program, which
caused the 'set back to normal' routine to not work right.  So I fixed the
.exe and sent it back out to all of the W2k machines.  Ran the cleaning
process again, and voila, they were all cleaned, and booted back into
normal mode.  (Did this on about 100 machines...saved a LOT of time).

Unfortunately, some of the machines were laptops, and they had gone into
standby after the first clean run, so they never got the new .exe, and thus,
they were forever stuck in safe mode.  I left work that night at about 4 in
the morning, so I didn't get back in until about 2 in the afternoon.  My
boss was the only one in, and he was completely clueless since he had
several laptop users complaining that they were stuck in safe mode.

So, I wrote my own virus, one that boots a machine in safe mode, and prevents
them from booting into normal mode (cause they ALL tried, VERY HARD, mind
you.....<evilgrin>).

Oh well, it's not my fault my co-worker and I weren't there, and that our
boss doesn't know how NT works! <grin>

Drew
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
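The boot.ini trick in Drew's original message went wrong because the "set back to normal" routine did not undo exactly what the "force safe mode" routine had done. The script below is an added example (not Drew's VB program or either batch file, neither of which appears in the thread) showing how such a toggle can be written so that the revert is verified before it is pushed to a hundred machines. It assumes the real Windows 2000/XP boot.ini layout and the real `/safeboot:network` switch; the sample boot.ini content is constructed for the demonstration.

```python
"""Toggle the Windows 2000/XP boot.ini safe-mode switch and verify the revert.

Added example for the thread above; not the VB program or batch files the
thread describes.  Assumes the standard boot.ini layout ([boot loader] and
[operating systems] sections) and the real /safeboot:network switch.
"""
import re

# Real boot.ini switch that makes NT-family Windows start in "Safe Mode with
# Networking".  On a real machine boot.ini is C:\boot.ini and is normally
# hidden, system and read-only, so a deployment must clear those attributes
# (attrib -r -s -h) before writing and restore them afterwards.
SAFEBOOT_SWITCH = "/safeboot:network"

# Matches any /safeboot variant (network, minimal, ...) so that the revert
# removes whatever is present, not only the exact string this tool added.
_SAFEBOOT_RE = re.compile(r"[ \t]*/safeboot(?::[A-Za-z]+)?(?=\s|$)", re.IGNORECASE)

# Constructed sample file for the demonstration; not taken from the thread.
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT\r\n"
    "[operating systems]\r\n"
    "multi(0)disk(0)rdisk(0)partition(1)\\WINNT="
    "\"Microsoft Windows 2000 Professional\" /fastdetect\r\n"
)


def _is_os_entry(stripped: str) -> bool:
    """An [operating systems] line of the form <arc path>="<title>" <switches>."""
    return bool(stripped) and not stripped.startswith((";", "[")) and "=" in stripped


def set_safe_mode(boot_ini: str, enable: bool) -> str:
    """Return boot_ini with the safe-mode switch added to (enable=True) or
    stripped from (enable=False) every [operating systems] entry.

    [boot loader] is never touched and the original line endings are kept, so
    that disabling after enabling reproduces the input exactly.
    """
    out = []
    in_os_section = False
    for line in boot_ini.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_os_section = stripped.lower() == "[operating systems]"
        elif in_os_section and _is_os_entry(stripped):
            body = _SAFEBOOT_RE.sub("", body)  # normalise first, so add is idempotent
            if enable:
                body = body + " " + SAFEBOOT_SWITCH
        out.append(body + eol)
    return "".join(out)


def is_safe_mode(boot_ini: str) -> bool:
    """True only if every [operating systems] entry carries a /safeboot switch."""
    flags = []
    in_os_section = False
    for line in boot_ini.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_os_section = stripped.lower() == "[operating systems]"
        elif in_os_section and _is_os_entry(stripped):
            flags.append(bool(_SAFEBOOT_RE.search(stripped)))
    return bool(flags) and all(flags)


def verify_revert(original: str) -> bool:
    """The check the story was missing: enabling then disabling safe mode must
    give back the original file byte for byte.  Run this on the real boot.ini
    before rolling the tool out, and refuse to deploy if it fails."""
    return set_safe_mode(set_safe_mode(original, True), False) == original


if __name__ == "__main__":
    forced = set_safe_mode(SAMPLE_BOOT_INI, True)
    print(forced)
    print("safe mode forced:", is_safe_mode(forced))
    print("revert verified:", verify_revert(SAMPLE_BOOT_INI))
```

The two properties worth keeping from this are that the "add" step is idempotent (running it twice, as happened with the laptops that woke up late, changes nothing the second time) and that the "remove" step is checked against the original before deployment rather than trusted after a small code change.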
