Giving them cute names doesn't really help, you know

Sunday, March 21, 2004 06:08 PM

A new piece of malware has been spreading around the last couple of days. The "Witty" worm, as it is affectionately called, is a real self-propagating worm - not one of those e-mail script thingies. It targets computers running the BlackICE firewall (it gets in through a flaw in the product itself, no user action required), and basically pulverizes them by writing random data to their hard disks.

Personally, I don't get people who sit down, write a malicious piece of code designed to ruin computers and those who depend on computers (which includes pretty much everybody today), and unleash it on the world. I know I'm not alone on this. To me, this is the digital equivalent of terrorist activity. It has absolutely no positive value.

Fortunately, most virus writers are either lazy, or stupid, or both. They write their nasty little programs, then e-mail them to every living thing in the known universe, hoping that some of the recipients will run the attachment and commit virtual suicide. Unfortunately, other computer users are not much smarter, so it actually works.

Anyway, last week I was working at a customer's site, and the system administrator was trying to figure out why users couldn't get their e-mail. Although the problem turned out to be something completely different (the messages were stuck in the incoming queue of a spam blocker - restarting the right server solved it), he found some traffic indicating that one of the machines on the network was infected with a variant of the NetSky virus. He was trying to find the infected machine by checking the registry - the virus registers itself under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key, so Windows automatically runs it at startup. It occurred to me that a lot of viruses do this, and checking the relevant registry keys on every machine could be a very simple way of detecting them. A program could get the list of all the computers on the network, then connect to each one's registry and check whether a specified value exists.

So I sat down and wrote this program, and I'm giving it away for free. The program starts by enumerating the computers on the network, using the same API functions Windows uses to display the "Network Neighborhood" ("My Network Places" in recent versions of Windows). When you run a search, it connects to the registry of each of these computers and checks for the requested value. It took me a couple of seconds to check 75 machines. It can take longer if some of the machines are disconnected but still listed in the Windows browser list, but that's still a lot faster than manually checking each machine.
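As an added example of the same idea (this is not the program described above, which was written for Windows of 2004; it is a PowerShell script written for this page), the following enumerates the computers in the browser list, connects to each machine's HKLM hive over the Remote Registry service, and lists the values under the Run and RunOnce keys, optionally filtering on a substring. The computer names, the `Indicator` strings and the `-ComputerName` / `-Indicator` parameters are assumptions of this example; the registry paths and .NET calls are the real ones.

```powershell
# Added example (not the post's program): scan the Run keys of remote machines.
# Assumes: Remote Registry service running on targets, and the caller has admin
# rights there. Parameter names are this example's own choice.
param(
    [string[]]$ComputerName,   # if omitted, taken from the browser list via 'net view'
    [string[]]$Indicator = @() # substrings to match in value names or data, e.g. 'netsky'
)

# Auto-start locations the post talks about (HKLM only; HKCU has the same keys per user).
$runKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-BrowserComputers {
    # 'net view' prints the browser list, the same data Network Neighborhood shows.
    # Machines that are off but still listed show up here too, as the post notes.
    net view 2>$null | ForEach-Object {
        if ($_ -match '^\\\\(\S+)') { $Matches[1] }
    }
}

function Get-RemoteRunEntries {
    param([string]$Computer)
    # Opens the remote HKLM hive; throws if the host is down, access is denied,
    # or the Remote Registry service is not running there.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        foreach ($path in $runKeys) {
            $key = $hive.OpenSubKey($path)
            if ($null -eq $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Computer = $Computer
                    Key      = "HKLM\$path"
                    Name     = $name
                    Data     = [string]$key.GetValue($name)
                }
            }
            $key.Close()
        }
    } finally {
        $hive.Close()
    }
}

function Test-Indicator {
    param($Entry, [string[]]$Patterns)
    # No patterns given: report every auto-start entry so the admin can eyeball them.
    if (-not $Patterns) { return $true }
    foreach ($p in $Patterns) {
        if ($Entry.Name -like "*$p*" -or $Entry.Data -like "*$p*") { return $true }
    }
    return $false
}

if (-not $ComputerName) { $ComputerName = Get-BrowserComputers }

foreach ($c in $ComputerName) {
    try {
        $entries = Get-RemoteRunEntries -Computer $c
    } catch {
        # Stale browser entries and locked-down hosts land here; keep going.
        Write-Warning "$c : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $entries) {
        if (Test-Indicator -Entry $e -Patterns $Indicator) { $e }
    }
}
```

Run it as `.\Find-RunEntry.ps1 -Indicator netsky` to sweep the browser list, or pass `-ComputerName SRV01,SRV02` to check specific hosts. Two caveats a practitioner will want: on current Windows versions the Remote Registry service is disabled by default, so you may need to enable it (or query through WinRM instead); and the Run key is only one of many auto-start locations, so a value that is absent there is not a clean bill of health, and a value that is present is worth looking at even when its name looks innocent, since malware picks its own name.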


Copyright 2004 Yorai Aminov