Shorter Path

Giving them cute names doesn't really help, you know

Sunday, March 21, 2004 06:08 PM

A new piece of malware has been spreading around for the last couple of days. The "Witty" worm, as it is affectionately called, is real compiled code - not one of those script thingies. It targets computers running the BlackICE firewall - it spreads on its own by exploiting a flaw in that product, with no help from the user needed - and basically pulverizes them by writing random data to their hard disks.

Personally, I don't get people who sit down, write a malicious piece of code designed to ruin computers and those who depend on computers (which includes pretty much everybody today), and unleash it on the world. I know I'm not alone on this. To me, this is the digital equivalent of terrorist activity. It has absolutely no positive value.

Fortunately, most virus writers are either lazy or stupid, or both. They write their nasty little programs, then e-mail them to every living thing in the known universe, hoping that some of the recipients will install the virus on their system and commit virtual suicide. Unfortunately, other computer users are not much smarter, so it actually works.

Anyway, last week I was working at a customer's site, and the system administrator was trying to figure out why users couldn't get their e-mail. Although the problem turned out to be something completely different (the messages were stuck in the incoming queue of a spam blocker - restarting the right server solved it), he found some traffic that indicated that one of the machines on the network was infected with a variant of the NetSky virus. He was trying to figure out which machine was the infected one by checking the registry on each machine - the virus registers itself under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key, so Windows automatically runs it on startup. It occurred to me that a lot of viruses do this, and checking the relevant registry keys could be a very simple way of detecting them. A program could get the list of all the computers on the network, then connect to each one's registry remotely and check whether a specified value exists.

So I sat down and wrote this program, and I'm giving it away for free. The program starts by enumerating the computers on the network, using the same API functions Windows uses to display the "Network Neighborhood" ("My Network Places" in recent versions of Windows). When you run a search, it connects to the registry of each of these computers (which requires administrative rights on the target and the Remote Registry service running there) and checks for the requested value. It took me a couple of seconds to check 75 machines. It could take longer if some of the machines are disconnected but still listed in Windows' network browser, since each of those has to time out, but that's still a lot faster than manually checking each machine.
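For anyone who wants to do the same check today without the original program, here is an added example written for this page. It is not the author's program and does not use his code: it is PowerShell rather than the native Win32 calls, and it walks the browse list through the WinNT ADSI provider (an assumption: that provider shows the same domains, workgroups and computers as Network Neighborhood) and then opens each machine's HKEY_LOCAL_MACHINE over the Remote Registry service. The parameter and function names ($ValueName, $ComputerName, Get-BrowseListComputers, Get-RemoteRunValue) are this example's own. It assumes you are an administrator on the machines you scan, that the Remote Registry service is running on them, and that the value name you pass is the one your antivirus vendor's write-up gives for the variant you are hunting; no value name is hard-coded here because the page does not name one.

```powershell
# Added example, not the program the post describes. Scans the machines in the
# network browse list (or a list you pass in) for a named value under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the key the post says
# NetSky variants register under so that Windows runs them at startup.
# Assumptions: you are an administrator on the targets, the Remote Registry
# service is running on them, and $ValueName is the value name your antivirus
# vendor's write-up gives for the variant (hypothetical placeholder here).
param(
    [Parameter(Mandatory = $true)]
    [string]$ValueName,        # Run value name from the vendor's write-up
    [string[]]$ComputerName,   # optional explicit list; default is the browse list
    [string]$RunKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-BrowseListComputers {
    # Walk the browse list the way Network Neighborhood does, via the WinNT ADSI
    # provider: every domain/workgroup, then every computer object under it.
    $names = foreach ($domain in ([ADSI]'WinNT:').Children) {
        foreach ($child in $domain.Children) {
            if ($child.SchemaClassName -eq 'Computer') { $child.Name }
        }
    }
    $names | Sort-Object -Unique
}

function Get-RemoteRunValue {
    param([string]$Computer, [string]$Name, [string]$SubKey)
    # OpenRemoteBaseKey talks to the Remote Registry service on $Computer;
    # it throws if the host is down, the service is stopped, or access is denied.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hive.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }   # key itself missing
        try { return $key.GetValue($Name) }    # $null when the value is absent
        finally { $key.Close() }
    }
    finally { $hive.Close() }
}

if (-not $ComputerName) { $ComputerName = Get-BrowseListComputers }

foreach ($computer in $ComputerName) {
    try {
        $data = Get-RemoteRunValue -Computer $computer -Name $ValueName -SubKey $RunKey
        $status = if ($null -ne $data) { 'FOUND' } else { 'clean' }
        [pscustomobject]@{ Computer = $computer; Status = $status; Data = $data }
    }
    catch {
        # Hosts that are still in the browse list but switched off, and hosts where
        # you lack rights or Remote Registry is stopped, end up here. Report them:
        # an unscanned machine is not a clean machine.
        [pscustomobject]@{ Computer = $computer; Status = "ERROR: $($_.Exception.Message)"; Data = $null }
    }
}
```

Save it as a .ps1 and run it with -ValueName set to the name from the write-up; pass -ComputerName to skip the browse-list walk when you already have a host list. Two things to keep in mind: a check like this only finds a variant whose Run value name you already know, and the same trick works for the Run key under HKEY_CURRENT_USER or for RunOnce by changing the hive and $RunKey, so treat it as a quick triage aid for the sysadmin's situation above, not as a replacement for a scanner.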

Copyright 2004 Yorai Aminov