Simple Virus For Teaching?
ed1023 writes "Currently I am teaching a 101 class on computers. It is more of a 'demystifying the black box' type of class. The current topic is computer viruses; I am looking for a virus with which I can infect the lab computers (only connected to local network, no outside network connection) that would be easy for the students to remove by hand. Can the Slashdot community point me in any directions? Is there an executable out there that would work, or do I try to write one myself, or is there one that is written that I can compile myself?"
What OS are you running? You could create a simple bat script that pops up an annoying message every 20 or 30 minutes to show your students an "infected" machine.
http://en.wikipedia.org/wiki/EICAR_test_file
This has been around forever. http://www.eicar.org/anti_virus_test_file.htm
Just pick any of the scores of .exe files masquerading as cracks on LimeWire. You’ll have to turn off the AV and executable file filter to download it, of course...
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
The plural of virus is viruses. Just like the plural of abacus is abacuses, not abacai. Viri (or even worse, virii) annoys the hell out of me.
It's Windows, so it's easy... just create a CD or USB drive with two files:
autorun.inf :
[autorun]
open=installpopup.bat
installpopup.bat :
cmd.exe /k echo "Hi I am a virus"
copy installpopup.bat "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
Bonus is that it has plenty of legitimate uses for system automation for your little script kiddies as well.
Er, did you even read the damn post?
Here, let me help you out with the first four fucking words:
Currently I am teaching...
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Well, if you want to get all prissy about the Latin, then it's incorrect to use the word to describe a single unit of the substance, in the way it's not correct to call a single water molecule "a water". Id est, since a viral program is itself a cell in the viral infection of many computers, there's no term for it other than "viral program" and no term for several of them other than "viral programs". The "virus" would be some arbitrarily bounded subset of the population of said viral programs infecting machines, which could devolve to a single program infecting a single machine, but would still not be the correct term for that program or, indeed, for the viral infection being suffered by that machine. It could correctly refer to the running program and its data (which in most computers includes its instructions) and the progress of its states, but I'm pretty sure nobody much thinks of it that clearly when using the word "virus". Nor is it correct to use "a virus" to refer to a type of virus (exempli gratia Stuxnet, Sasser, Hopper, et cetera) but only to an instance of that type of virus as it is spreading, or, again, some arbitrary subset thereof, wherein it has its physical expression and aggregate, fluid form.
As for whether it annoys you for people to use a latinate word that is both convenient and apt despite its not being precisely Latin, well, tough titty, because apparently the Latin version of it is a mispronunciation of the Proto-Indo-European word for the same gooey mess, so insisting on going only as far back as Latin for the value of correctness of form is false cognitive closure, and that gives everyone else cause to be annoyed at you.
If UAC is enabled, Explorer is not running with privileges that can write to the All Users profile.
For that matter, this will fail on any system where the profile directory isn't in "C:\Documents and Settings", which includes any non-English OS.
Use
copy installpopup.bat "%userprofile%\Start Menu\Programs\Startup"
instead.
...if they know of a good virus candidate?
http://www.clamav.net/
Uh, Linux geek since 1999.
Nowhere was it mentioned about creating one. Ever.... actually read the summary ffs.
I think you may have missed this part of the summary:
do I try to write one myself
Ask me about repetitive DNA
He wants to infect some computers in a lab, that's why the virus can't be one that spreads to other computers so he doesn't infect the whole damn network. Now sure, the best thing to do would be to set up some computers on just a local LAN that doesn't have any access to the school network, but that might not be an option.
Better yet, email the .exe to the entire class.
Are you insane?!? Absolutely DO NOT DO THIS!!
The gap between my suggestion and what those researchers did is pretty wide. My idea:
o Doesn't involve bilking people out of their private credentials;
o Would be limited to a class studying malicious software (how's that for an appropriate context);
o Involves a known-harmless teaching payload;
o Would be fully understood and removed by students at the end of the class.
Deception is inherently disrespectful, even if it is done with good intentions.
What may seem like a "harmless infection" to you demeans the students, because you're encouraging the instructor to abuse the trust that their students have placed in him. In short, what you are proposing causes harm to the teaching profession.
I have a hard time understanding why any real teacher in this fellow's position would abstain from imparting one of the most critical lessons a student can learn about security: that they themselves are the weakest link, no matter how smart and prepared they think they are, and no matter how much theory they can regurgitate at paper time.
The burned hand teaches best, and understanding how and why you were burned is priceless.
It's disrespectful, and even a little condescending, to 'protect' students from real lessons. Are we preparing them for the real world or not? And are students so fragile that they would run to the Dean's office to complain about the teacher after such a simple and well-explained exercise?
Yes, because he wants to make sure the "fake" virus he uses for the removal exercise doesn't contain some hidden, actually damaging, payload.
Someone has already suggested the EICAR test file, which is ideal. It pops up a message box, and is easy to remove. He can add links to the various Windows startup files, the registry, he can go old school and call it from a batch file, and he's safe in the knowledge that he's in no danger of hosing his systems.
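Added example (not part of any post in this thread): for the removal half of the exercise, the comments above name the Startup folders and the registry as the places an entry would sit, and note that the Startup folder path differs between systems. This PowerShell sketch lists both; the function names are illustrative, and it asks Windows for the folder paths instead of hard-coding them.

```powershell
# Added example: list what is set to start at logon, so an unexpected
# entry (such as a copied .bat file) stands out during a removal exercise.

function Get-StartupFolderEntries {
    # Resolve the per-user and all-users Startup folders through the OS;
    # the literal path differs between Windows versions and languages.
    foreach ($name in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($name)
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        Get-ChildItem -LiteralPath $path -Force -File |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                [pscustomobject]@{
                    Source  = $name
                    Name    = $_.Name
                    Target  = $_.FullName
                    Changed = $_.LastWriteTime
                }
            }
    }
}

function Get-RunKeyEntries {
    # The per-user and machine-wide Run keys are read at every logon.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            [pscustomobject]@{
                Source  = $key
                Name    = $valueName
                Target  = $item.GetValue($valueName)
                Changed = $null   # registry values carry no per-value timestamp
            }
        }
    }
}

# Read-only report: nothing is modified or deleted.
@(Get-StartupFolderEntries) + @(Get-RunKeyEntries) |
    Sort-Object Source, Name |
    Format-Table -AutoSize -Wrap
```

Running it once on a clean lab image gives a baseline to compare against later.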
Nowhere in the stub did he say he was going to teach the kids about actually writing the virus they were to remove. Reading comprehension fail.
Finally had enough. Come see us over at https://soylentnews.org/