
Simple Virus For Teaching?

samzenpus posted about 4 years ago | from the my-first-malware dept.

Education 366

ed1023 writes "Currently I am teaching a 101 class on computers. It is more of a 'demystifying the black box' type of class. The current topic is computer viruses; I am looking for a virus with which I can infect the lab computers (only connected to local network, no outside network connection) that would be easy for the students to remove by hand. Can the Slashdot community point me in any directions? Is there an executable out there that would work, or do I try to write one myself, or is there one that is written that I can compile myself?"


Obligatory (0)

Anonymous Coward | about 4 years ago | (#33818742)

Well, they're probably infected with one, and you can pass out Live CDs [wikipedia.org] for removal of it.

What OS? And how annoying? (3, Informative)

canyon289 (848746) | about 4 years ago | (#33818752)

What OS are you running? You could create a simple bat script that pops up an annoying message every 20 or 30 minutes to show your students an "infected" machine.

Re:What OS? And how annoying? (2, Interesting)

celardore (844933) | about 4 years ago | (#33818866)

That reminds me of something I did when I was a bit younger. I was leaving the company that day anyway, and some dude had been bugging me for months. At some time previous I'd shoulder-surfed the IT department's "test" account, which I logged onto on an unused PC in the office. I created a simple .bat file

:start
net send annoyingguy "message i wanted"
goto start

Or something along that vein. I can't remember exactly how I made it work, but possibly by leaving the PC on, monitor off, when I left work the last time.
The boss knew the people I went to work for so it didn't end well for me, but looking back it was incredibly funny and the couple weeks out of employment turned out to be very beneficial to my career in the long run.

I heard a couple months later from some old co-workers that it took IT about two days to figure out and in the meantime, old matey's account was unusable.

Live and learn I guess. Was still funny, and incredibly basic.

Re:What OS? And how annoying? (1, Troll)

tibit (1762298) | about 4 years ago | (#33819046)

Two days to run wireshark? LOL.

Re:What OS? And how annoying? (5, Informative)

crisco (4669) | about 4 years ago | (#33819130)

Back in the late 80s we had a bunch of 10MHz XT clones in a computer lab networked together using Novell and 10BASE2 or maybe even Token Ring. Some of the games we had ran timing loops for the original 4.77 MHz PC, so we had some simple TSR that sat on the interrupt timer and ran some NOPs to slow the computers down. I thought it would be a funny prank to add this to the AUTOEXEC.BAT file on most of the boot floppies in the lab; sadly, I didn't test it on more than one computer.

The interrupts and NOPs interfered greatly with the network cards, causing the whole thing to come crashing down when more than a couple of the computers were running at a time. It took at least a couple of days for the sysadmin to sort it out.

RIP George, thanks for introducing me to the Internet and I'm sorry that you didn't get to stick around for Linux and /. I should have taken your Minix class when I had the chance.

Re:What OS? And how annoying? (1)

Some1too (1242900) | about 4 years ago | (#33819314)

I had some mod points but I'll waive using them to tell this funny story:

I worked at a head office for a large oil and gas company in their call centre. One day a net send message popped up on all the computer screens in the office: (I've changed the wording to protect the guilty) "I'm XXX and I like licorice".

I laughed to myself, clicked OK to the message and then suddenly the phones began to ring off the hook. The amount of callers waiting on hold kept increasing to unimaginable numbers. A few minutes later one of our second level guys walked in and we asked him to sit down and help us with the call volumes due to some idiot who had sent a net send message to the complete company (50 floors of employees).

The guy turned completely red, sat down and started taking call after call. It was then that we immediately knew who the guilty party was. He wanted to send a net send message to one of the other tech guys in the building but had sent it to the whole domain instead.

Needless to say he was known as the licorice guy from there on out.

I've always wondered if he stopped using net send....

Some1too

Stuxnet (1, Funny)

Anonymous Coward | about 4 years ago | (#33818754)

Simple worm for beginners!

Sure (3, Funny)

Peach Rings (1782482) | about 4 years ago | (#33818758)

Here, let me link you to an executable file so you can download it and run it on an entire lab of computers. It's safe, don't worry.

EICAR (5, Informative)

Anonymous Coward | about 4 years ago | (#33818760)

http://en.wikipedia.org/wiki/EICAR_test_file

Re:EICAR (0)

Anonymous Coward | about 4 years ago | (#33818894)

He wants a live virus to train removal from the system, not a dummy virus to test the AV software.

Re:EICAR (4, Insightful)

timothyf (615594) | about 4 years ago | (#33819016)

Then he's pretty stupid for wanting that. This'll look exactly the same as a real virus, and it will be easy to clean off, but it won't propagate or do nasty things like a real virus. For a computers 101 class, anything more than something like this is just asking for trouble.

Re:EICAR (1)

timothyf (615594) | about 4 years ago | (#33819040)

Sorry, exactly the same as a real virus to scanning software.

Re:EICAR (3, Interesting)

moonbender (547943) | about 4 years ago | (#33819320)

The file is simply a text file of either 68 or 70 bytes that is a legitimate executable file called a COM file that can be run by Microsoft operating systems and some work-alikes (except for 64-bit due to 16-bit limitations), including OS/2. When executed, it will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" and then stop. The test string was specifically engineered to consist of ASCII human-readable characters, easily created using a standard computer keyboard. It makes use of self-modifying code to work around technical issues that this constraint makes on the execution of the test string.

Wow, that's pretty cool. Here's the string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Re:EICAR (5, Funny)

rpresser (610529) | about 4 years ago | (#33819410)

Thanks, dude. My virus scanner just started complaining about my browser cache.

You may already have one (2, Funny)

Anonymous Coward | about 4 years ago | (#33818770)

Windows? Fairly easy to remove.

Re:You may already have one (1)

monkyyy (1901940) | about 4 years ago | (#33819372)

troll? no this should get +5 insightful

Norton (3, Insightful)

cjfs (1253208) | about 4 years ago | (#33818786)

I don't even know if I'm joking.

Re:Norton (4, Insightful)

frosty_tsm (933163) | about 4 years ago | (#33818824)

I don't even know if I'm joking.

You missed a requirement: easy for the students to remove by hand

Re:Norton (1)

syousef (465911) | about 4 years ago | (#33818890)

I don't even know if I'm joking.

You missed a requirement: easy for the students to remove by hand

All computer viruses are easy to remove by hand. Just rip the computer out of the electrical and network sockets and throw the computer out the window. Use your hands to do this.

Re:Norton (1)

cjfs (1253208) | about 4 years ago | (#33818896)

You missed a requirement: easy for the students to remove by hand

He didn't say what that hand was holding...

Re:Norton (0, Redundant)

offrdbandit (1331649) | about 4 years ago | (#33818836)

That's not gonna work. The OP wants the students to be able to remove it.

Re:Norton (1)

Dogbertius (1333565) | about 4 years ago | (#33818838)

Don't feel bad. I've been tricked into installing Norton as well :(

Re:Norton (1, Redundant)

Cipher13 (229685) | about 4 years ago | (#33818844)

He did specify that it should be "easy to remove by hand"...

EICAR? (1, Informative)

Anonymous Coward | about 4 years ago | (#33818790)

This has been around forever. http://www.eicar.org/anti_virus_test_file.htm

CIH (0)

Anonymous Coward | about 4 years ago | (#33818812)

This [wikipedia.org] looks like a good candidate. The good ol' times... When you caught one, well, that was a lesson learned. Viruses are not what they used to be, but that's just the old fart in me talking.

IP/Login? (0)

Anonymous Coward | about 4 years ago | (#33818820)

What's your IP address/login? I can help with a sample virus.

Note to self... (3, Insightful)

tool462 (677306) | about 4 years ago | (#33818826)

Do NOT click on any links posted in the comments on this article.

Re:Note to self... (5, Funny)

h4rr4r (612664) | about 4 years ago | (#33819204)

Note to tool462, stop using windows.

Re:Note to self... (-1, Flamebait)

Anonymous Coward | about 4 years ago | (#33819296)

Note to h4rr4r, 5t0p b3in6 a D1cK Y0!

Not a virus (0)

Anonymous Coward | about 4 years ago | (#33818842)

But how about the Love Bug? OK, so you'd have to have the machines set up with a vulnerable version of Outlook or something, but not only do you have an easily hand-removed candidate, your students can look at the script contents afterwards.

Simple (-1, Troll)

antifoidulus (807088) | about 4 years ago | (#33818850)

Windows! It pretty much acts like a virus and is crazy easy to remove by hand. Torrent your favorite distro, burn it to disk or just put it on a USB stick and boom! virus gone.

Re:Simple (0)

Anonymous Coward | about 4 years ago | (#33818930)

hurrr durrr ur hilerius

Re:Simple (1)

Speeddymon (1666423) | about 4 years ago | (#33819132)

Someone that is asking a question such as the OP isn't going to know what a distro is dude, you have to break it down for them. Regardless, your post wasn't even remotely funny. It was redundant and boring, the kind of thing that a 13 year old posts these days.

Re:Simple (-1, Flamebait)

antifoidulus (807088) | about 4 years ago | (#33819434)

It wasn't intended to be funny. Windows is a virus on humanity and you won't have to worry about viruses if you get rid of the World's Worst Operating System. I manage 100 Mac workstations, 10 Mac servers, and about 50 Linux servers and 4 Windows boxes (plus a couple of virtual machines) and Windows causes more issues, despite being used less, than all the other machines combined. It's a virus on the ass of humanity and the sooner it's eliminated the better.

Sneeze on them (1)

airfoobar (1853132) | about 4 years ago | (#33818854)

Works on the students, too.

Michelangelo (1)

extremescholar (714216) | about 4 years ago | (#33818856)

Use Michelangelo, your favorite Ninja Turtle and March 6th event!

I suggest using a jpeg (-1, Troll)

Anonymous Coward | about 4 years ago | (#33818860)

of your mom's snatch.

Why dumb it down with only one example, when you can easily demonstrate an entire colony of viruses?

Another Option (0)

Anonymous Coward | about 4 years ago | (#33818880)

Might I suggest a tutorial and a simulator...maybe an LC-3 simulator and stack smashing exercise to demonstrate a method of exploiting poorly written code? See the well written document Smashing the Stack for Fun and Profit [insecure.org] .

Re:Another Option (1)

X0563511 (793323) | about 4 years ago | (#33819108)

Yea, er... did you miss the FIRST TWO FUCKING SENTENCES of the post?

Here, in case you really did:

Currently I am teaching a 101 class on computers. It is more of a demystifying the black box type of class.

Stoned (4, Interesting)

PacoSuarez (530275) | about 4 years ago | (#33818884)

Stoned [computerarcheology.com] is a classic and a pleasure to disassemble. It fits in a boot sector (512 bytes) and it's not particularly malicious, but it has all the elements that a virus needs. I don't know if it would still work on a modern computer, though: Some old viruses used funky instructions that became obsolete (like "POP CS"), and this one seems to have issues working on large-capacity disks.

Fake it. (1)

blair1q (305137) | about 4 years ago | (#33818898)

Virii all have different signatures, so it doesn't matter what signature you choose.

Just write a script that pokes something into the registry and adds a funny file to the Windows system directory, and use it on each computer before class.

Then write a script that pretends to find it and tell them where it is when they run it in class.

Ask them what they should do next.

Re:Fake it. (4, Informative)

Missing.Matter (1845576) | about 4 years ago | (#33818966)

The plural of virus is viruses [wikipedia.org] . Just like the plural of abacus is abacuses, not abacai. Viri (or even worse, virii) annoys the hell out of me.

Re:Fake it. (4, Informative)

blair1q (305137) | about 4 years ago | (#33819302)

Well, if you want to get all prissy about the Latin, then it's incorrect to use the word to describe a single unit of the substance, in the way it's not correct to call a single water molecule "a water". Id est, since a viral program is itself a cell in the viral infection of many computers, there's no term for it other than "viral program" and no term for several of them other than "viral programs". The "virus" would be some arbitrarily bounded subset of the population of said viral programs infecting machines, which could devolve to a single program infecting a single machine, but would still not be the correct term for that program or, indeed, for the viral infection being suffered by that machine. It could correctly refer to the running program and its data (which in most computers includes its instructions) and the progress of its states, but I'm pretty sure nobody much thinks of it that clearly when using the word "virus". Nor is it correct to use "a virus" to refer to a type of virus (exempli gratia Stuxnet, Sasser, Hopper, et cetera) but only to an instance of that type of virus as it is spreading, or, again, some arbitrary subset thereof, wherein it has its physical expression and aggregate, fluid form.

As for whether it annoys you for people to use a latinate word that is both convenient and apt despite its not being precisely Latin, well, tough titty, because apparently the Latin version of it is a mispronunciation of the Proto-Indo-European word for the same gooey mess, so insisting on going only as far back as Latin for the value of correctness of form is false cognitive closure, and that gives everyone else cause to be annoyed at you.

How about... (-1, Flamebait)

santax (1541065) | about 4 years ago | (#33818906)

You just follow the course and let your Prof decide when it's time to get the whole lab infected? Do yourself a big favor. Get permission first. These sorts of things have put very smart kids in a real jail.

Re:How about... (3, Informative)

X0563511 (793323) | about 4 years ago | (#33819126)

Er, did you even read the damn post?

Here, let me help you out with the first four fucking words:

Currently I am teaching...

Re:How about... (1)

santax (1541065) | about 4 years ago | (#33819196)

Dude this is slashdot. I skip the first 4 sentences and read the last line to sum it up for me. Besides, I wonder what he is doing teaching this if he has to ask this. Just install a damn virtual machine and play in there. Don't infect the lab that other teachers students need to use with a virus that you have to ask someone for.

DON'T DO IT! You'll get fired (5, Insightful)

CPE1704TKS (995414) | about 4 years ago | (#33818908)

It sounds instructive, but you will probably get fired for lacking good judgement.

There are plenty of stories where teachers do similar things that end up getting them fired. Teaching students how to write viruses, faking a classroom kidnapping, how to plan a terrorist attack, etc.

Teaching your students how to write a virus is a classic case of bad judgement. Your superiors will tell you "What were you thinking?" and you will get let go.

Teach them verbally how viruses are created, but don't assign anything as homework.

Re:DON'T DO IT! You'll get fired (0)

Anonymous Coward | about 4 years ago | (#33819000)

Mod parent up. It may be cool and the kids will love you for it, but when push comes to shove, the cow pies will hit the fan.

Re:DON'T DO IT! You'll get fired (3, Insightful)

jmottram08 (1886654) | about 4 years ago | (#33819010)

Nowhere was it mentioned about creating one. Ever. It was mentioned about how to REMOVE one, and to illustrate how they spread.

It wasn't even mentioned that this is a coding class.

It is a class about computers, and he wants to teach virus removal.

Stop being such a lawyer and actually read the summary ffs.

Re:DON'T DO IT! You'll get fired (1)

Keith111 (1862190) | about 4 years ago | (#33819014)

Heh this is probably correct... Best would be to go get some virus CODE and display it on a screen and step through how it hooks itself into a system. A great thing to use here is the 0ldschool types that would infect the exe headers and plant itself at the end. Or some that do the code cave storage. Then move from there and show them rootkits, as they are pretty much just a way more advanced version of those. Plenty of resources online for that. One particular book that is somewhat old now but still really informative http://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319 [amazon.com]

Re:DON'T DO IT! You'll get fired (1)

WitnessForTheOffense (1669778) | about 4 years ago | (#33819022)

RTFA again. He said he would install it and they would remove it. While your point about how doing this could possibly get him fired still stands, he's talking about only having the students remove it.

Re:DON'T DO IT! You'll get fired (1)

Tripp-phpBB (1912354) | about 4 years ago | (#33819038)

He asked for a simple virus the students can remove by hand, not how to create them. I think the point he's trying to make is using a computer safely and if you do get a virus, what to do and how to remove it. I suppose the reason he asked to compile it is so he can see the source code? Or maybe I'm just an insensitive clod!

Re:DON'T DO IT! You'll get fired (1)

Missing.Matter (1845576) | about 4 years ago | (#33819070)

At my university, we have a computer security lab just for this purpose. It's completely isolated from the internet and the campus network, with all computers, servers, switches, etc. available for student access.

As with all dangerous things, the key is to make everyone aware of the dangers and the consequences, and then closely supervise them. A lab course I took actually required us to use plutonium for neutron activation. As far as dangerous things go, that's on the top of the list. But we wore film badges and were supervised, and everything turned out okay.

Re:DON'T DO IT! You'll get fired (1)

vxice (1690200) | about 4 years ago | (#33819082)

Actually, in the article he makes it clear he wants to infect a computer to show students how to remove it. Still is risking it, especially since it is normally a simple procedure to remove a virus with an anti-virus program.

Re:DON'T DO IT! You'll get fired (1)

X0563511 (793323) | about 4 years ago | (#33819134)

He's not asking how to teach them to write a virus...

Please (re?)read the post...

Re:DON'T DO IT! You'll get fired (2)

Stormscape (998750) | about 4 years ago | (#33819380)

RTFA, he's teaching them how viruses work and how to remove them, not how to write one.

Re:DON'T DO IT! You'll get fired (0)

Anonymous Coward | about 4 years ago | (#33819502)

Wow, you have no reading comprehension, do you. Re-read his question. He wants a virus that HE can infect computers with. He is teaching virus removal, not virus writing.
He says he already has an isolated lab just for this purpose.

Perhaps you should learn to understand what you read before you post and make yourself look stupid.

Two testing options and a removal tool (0)

Anonymous Coward | about 4 years ago | (#33818912)

There are a couple of testing files and sites that exist for testing antiviruses that might be of interest. The one that I've used to ensure anti-virus software was functioning was EICAR, which is a simple text file that virus definitions recognize but which does not actively do anything. This is useful for demonstrating that software is working, what a virus response looks like and how to remove a virus if it is found. Since it does nothing, it is only useful as a test and doesn't really get into how to deal with a fully compromised system.

An alternative is Spycar, which will perform actions targeted at demonstrating browser exploits. It wouldn't be available in a non-internet lab, but you might be able to adapt the links there by putting the files up on an intranet.

http://www.spycar.org/Spycar.html [spycar.org] referenced at http://www.pcworld.com/article/125138/put_your_antispyware_apps_to_the_test.html [pcworld.com]

http://www.eicar.org/anti_virus_test_file.htm [eicar.org] referenced in a variety of places, including http://www.sophos.com/pressoffice/news/articles/2003/01/eicar.html [sophos.com]

Removal scenarios vary according to how messed up a machine is by an infection. I usually use Trinity Rescue Kit as a first test for computers I don't trust or know have virus issues.

TRK: http://trinityhome.org/ [trinityhome.org]

I use MalwareBytes from http://www.malwarebytes.org/ [malwarebytes.org] in some cases and found it to be more effective than many of the other solutions, even in the free version.

AOL 3.0 (1)

stevedmc (1065590) | about 4 years ago | (#33818916)

F-Prot used to detect AOL as a virus. Install an older version of AOL such as AOL 3.0 and see if your students can remove it.

Stuxnet (0)

Anonymous Coward | about 4 years ago | (#33818922)

It certainly needs some demystification!

Go fish... (2, Informative)

clone53421 (1310749) | about 4 years ago | (#33818924)

Just pick any of the scores of .exe files masquerading as cracks on LimeWire. You’ll have to turn off the AV and executable file filter to download it, of course...

Good times (1)

gmuslera (3436) | about 4 years ago | (#33818942)

No matter how safe the OS they are using is, or what antivirus they have to run there, the biggest risk is on the other side of the keyboard. Show them the Good Times "virus"; a bit of social engineering is easier to see than abstract code.

do it wrong, do it in VBScript (0)

Anonymous Coward | about 4 years ago | (#33818944)

I'm going to assume you are using Windows, because the only classes that use Macs to teach are Art and OA. (FLAME ON! ;D)

Step 1. Make sure the lab you are going to infect with anything that self replicates is logically isolated from the rest of the world. I mean, punching out a self replicating VB script is fun when it goes to plan, less fun when the Feds knock on your door after your 'virus' accidentally breaks loose...

Step 2. Learn yourself some VB Script. Piss easy to use. It'll take a few hours for you to knock up a script that is capable of copying itself to the "c$" on all the Windows machines on the subnet, then kick up the script remotely using WMI (providing the users have administrative access to all machines). http://gallery.technet.microsoft.com/ScriptCenter/en-us

Step 3. Make sure you get written permission from your supervisor to do this kind of thing. The last thing you need is a cranky boss coming down on you for 'teaching people about the virus, when you are supposed to be teaching them about the email!!'

Tips: Create a routine in your code that checks for "c:\stop.txt" or somesuch and kills itself if it finds it (we've got SkyNet by the balls now!). Use the "WScript.Sleep TIME_IN_MILLISECONDS" command so that your network isn't completely screwed over by all the traffic you are about to generate. Outside of this, get creative. Enjoy.

Simple... (0)

Anonymous Coward | about 4 years ago | (#33818960)

Watch porn on your Windows laptop -> connect laptop to network -> ??? -> Success

There's virus source out there. Be careful. (1)

bersl2 (689221) | about 4 years ago | (#33818962)

Obviously, you should know exactly what it is that the virus is doing. No, not approximately: I mean all the way down to the machine instruction level. If it comes only in a binary, disassemble and figure out everything. Use virtual machines to add a layer of protection, and be aware that some malware knows it's being run in a VM and may behave differently under these conditions. Of course, those are much more than you need.

The safest bet is to write your own. That way, you know what it's doing.

If you have to ask... (1)

vipvop (34876) | about 4 years ago | (#33818972)

First of all, EICAR isn't helpful at all, it's simply a magic string that AV software is supposed to pick up. It won't teach anyone anything about how a virus actually works.

Second, if you have to ask /. about this, you probably shouldn't be playing with these things. There are a million virus writing guides out there, a simple search turns up pages like this:

http://vx.netlux.org/lib/static/vdat/tutorial.htm

Most of these tutorials were written a long time ago, with topics such as infecting .com files (not that anyone remembers what those are anymore). If you want a simple overwriting virus, that isn't hard to find examples of or make at all. However, there won't be a way for the students to clean the infected files, as the information in the beginning of the file will have been lost. If you want something that infects .EXEs while still letting them run without problems, you're going to end up with complicated code that adds sections onto an executable, modifies the EXE header, etc. While none of this is too hard to understand if you have programming ability and time to sit there and look at how it works, what you're looking for won't exist at a Computers 101 level.

Re:If you have to ask... (1)

X0563511 (793323) | about 4 years ago | (#33819142)

... which is fine, because he's not teaching them how to write a virus, but how to recognize and respond to an infection!

Lots of words put down, when you didn't properly read the post. At least you noticed EICAR wasn't suitable :)

I would Recommend (0)

Anonymous Coward | about 4 years ago | (#33818974)

Stuxnet seems to be popular. And if any of the students have nuclear ambitions it'll soon put an end to that.

Try stuxnet (1)

velja27 (1427879) | about 4 years ago | (#33818982)

Try getting yourself one of those Stuxnet worms, I hear they are pretty good.

Write Your Own (1)

PiAndWhippedCream (1566727) | about 4 years ago | (#33819032)

Just code your own virus. You'll know how to remove it. Alternatively, if you are teaching an advanced class as well, have those students write it.

A WONDERFUL teaching tool - master Michelangelo! (1)

Auroch (1403671) | about 4 years ago | (#33819044)

Something oldschool. So even when administration DOES try to fire you, you can say "REALLY? Over a virus that infects floppies, on a network that doesn't have a single floppy drive installed?". Just don't do it on the first week of May.

Pascal virus (1)

bigato (1909404) | about 4 years ago | (#33819054)

Here: http://members.rediff.com/eggo/viruspascal.htm [rediff.com] This is a really simple virus that you could use. Sorry the page is in Portuguese, but the code itself is easy to understand.

Simple (-1, Troll)

Anonymous Coward | about 4 years ago | (#33819066)

Load on Windows 7, expose it to the internet for 5 minutes. You will have a virus to play with. If you need it quicker, then simply put a Chinese-made Camera, Mem Stick, Hard drive on your system.

Try this instead. (5, Interesting)

neiras (723124) | about 4 years ago | (#33819076)

What do you expect a student to learn from being told "there is a virus on this machine, remove it by hand"?

If they are in the "demystifying the black box" phase, they have no idea what you're talking about.

Teach them that viruses are just programs like Word or Excel, except with a specific malicious purpose. Give them an overview of how a machine or user might be tricked into running malicious software. Teach them about how malicious software might propagate. Use historical examples. Talk about privileges.

Virus is a slang term that brings up all kinds of scare reactions in ordinary people. They immediately assume that machines are vulnerable to bacteria floating around on the wind, or something similar. You need to de-emphasize the term "virus". It's just software. Then teach them that 99% of all malicious software runs on Windows, and that it's a reflection of the number of vulnerabilities in Windows code and market share.

Write a simple program that copies itself to the Windows folder and starts itself at boot. The program should show an alert box saying "HACKED BY PROFESSOR HANDSOME!!!!" if it sees it is being run from the Windows folder. Put it on a USB key with an autorun.ini, tell them you have placed a virus you wrote on there, and let them sort it out. Just be sure you're on an XP machine and that autorun is enabled.

Better yet, email the .exe to the entire class. Call it CS101-Example.exe, and use the harmless infection to talk about social engineering. Then take them through the 'infection' process, and show them how to remove the file by hand.

Write your own? (5, Informative)

rwa2 (4391) | about 4 years ago | (#33819078)

It's Windows, so it's easy... just create a CD or USB drive with two files:

autorun.inf :
[autorun]
open=installpopup.bat

installpopup.bat :
rem copy first: cmd /k keeps its window open, so anything after it only runs once the window is closed
copy installpopup.bat "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
cmd.exe /k echo "Hi I am a virus"

Bonus is that it has plenty of legitimate uses for system automation for your little script kiddies as well.

That virus will fail on Vista/7 (4, Informative)

Anonymous Coward | about 4 years ago | (#33819422)

If UAC is enabled, Explorer is not running with privileges that can write to the All Users profile.

For that matter, this will fail on any system where the profile directory isn't in "C:\Documents and Settings", which includes any non-English OS.

Use

copy installpopup.bat "%userprofile%\Start Menu\Programs\Startup" instead

Re:That virus will fail on Vista/7 (1)

rwa2 (4391) | about 4 years ago | (#33819476)

If UAC is enabled, Explorer is not running with privileges that can write to the All Users profile.

For that matter, this will fail on any system where the profile directory isn't in "C:\Documents and Settings", which includes any non-English OS.

Use

copy installpopup.bat "%userprofile%\Start Menu\Programs\Startup" instead

Thanks! I'm by no means a Windows guru, nor do I have anything other than my corporate WinXP box to test on :P

Are you looking for an open source virus (1)

zlel (736107) | about 4 years ago | (#33819084)

or must it be GPL?

Batch hell (1)

William (Dthdealer) (1704286) | about 4 years ago | (#33819088)

My favourite batch file. It is a shame Windoze does not support a proper POSIX language, but only this crappy DOS batch stuff. AFAIK this script does not work on Vista, but works on Windows 7 and XP.

:START
msg %username% Memory exception at 0x%RANDOM%
goto START

It loops, layering more and more pop-ups the longer it runs. As soon as one is closed or 60 seconds elapses another appears in the centre of the screen, de-focusing whatever the user was typing in or doing. Put it in allusers/startmenu/startup.

Now write a second batch file and hide it somewhere along with another copy of the above. It should check IF FILE EXIST for the above script, and if it does not exist then copy the above script back to the 'startup' directory. Make this IF FILE EXIST batch file execute on start-up via registry.

The benefits are that nothing harmful is done and other processes are piggybacked for the operation ( I believe explorer.exe perhaps stores the popup queue? ), so you won't spot anything out of the ordinary in taskmanager.

Fixing can be done by simply deleting the files ( if the kids can find where they are located ).

AFAIK the pop-ups survive even into the login prompt if the user logs out.

We did the same thing in health class (1, Funny)

Anonymous Coward | about 4 years ago | (#33819110)

We did the same thing in health class. The first part of the tutorial was really fun, the latter part not so much.

Wrong class Should be a Graduate Studies Class (0)

Anonymous Coward | about 4 years ago | (#33819118)

This is the wrong class to show this type of Malware.

If this is a 101 class in Computers and in particular Computer Security, you would be better to teach Hardening of Systems.
Discuss what Malware is and the different types of Malware.

The reason is that the students need to have an understanding of Operating Systems and Applications to do anything in this area.

If you are still interested then search on "Virus and University of Calgary" on what are the issues.

Better to focus on Back doors, with Netcat being the tool. Much better than a Virus, due to their nature to leave the computer lab.

Just write a program. (1)

sumdumass (711423) | about 4 years ago | (#33819124)

You are most likely going to be better off to just write a program or script that makes a few files called "lookatme" along with a few registry entries and have them remove that.

Most viruses that you will find will tip the AV software. Almost all easy viruses will be automatically removed by it too. If you are not running some AV software, then you're in a little trouble to begin with, as you shouldn't be teaching people to run windows boxen without AV software.. Sure, you could probably set the AV software to ignore the file itself, but it likely wouldn't ignore the execution if it wasn't a straight up program that just wrote files (memory injection and process hiding techniques will most likely cause issues, as most AV clients nowadays rely more on heuristics than actual signatures).

If I were you, I would write a script that makes a text file in the windows directory, the system directory, temp directory and maybe adds a few registry entries in the run portions of the registry. Perhaps one of the text files could read something like "you have been pawned by the elite text virus" or something and have it open on start up. Perhaps put it on every other computer and have them search for how to remove it on the one next to them while working in pairs. Make a simple instruction on how to remove it by looking in the appropriate start up areas, looking in the common file target areas, and then finally by downloading a reverse script and running it that removes all traces of it.

Oh yeah, surf for porn/something as shady on each computer before you load the fake virus so part of the removal/disinfection process can be getting freely available tools like Adaware or Malwarebytes and so on, and it will find something to remove. If they aren't connected to the internet, then make sure the free tools are something that doesn't need an internet connection to download. You might also want to remove the AV software and have them simulate installing it afterward to ensure/instill that there should be some level of protection at all times.

Why not a live virus? (1)

AgentPhunk (571249) | about 4 years ago | (#33819138)

Perhaps a better learning experience would be to connect the lab (or a handful of the students' own computers) to the Internet, and stick a box running Snort (www.snort.org) with Emerging Threats (www.emergingthreats.net) signatures in between. If, by some miracle (or the fact that they're all Macs) you don't have any immediate indicators of infection, then head on over to teh Googles and search for 'smiley tool bar' or 'free porn' with the I'm-Feeling-Lucky button. That ought to do the trick.

Get a full packet capture of the session so you can dissect how the virus was able to get on the machine, where it left hooks, how it's similar to and different from other types of malware, etc.

I agree that a review of a simple virus is a worthwhile endeavor, but perhaps that's best learned via a good book or whitepapers on the Internet. Save the demo for something that's relevant and 'live'.

And on second thought, maybe it's best if you set up a demo machine to be infected. That way you can nuke it from space afterwards, just to be sure.

Virus Creation Laboratory? (1)

technos (73414) | about 4 years ago | (#33819140)

A friend of mine who taught at a community college actually did this back in the mid 90s. He took a copy of Nowhere Man's Virus Creation Lab and tossed together a couple annoying but non-destructive viruses and infected a few stand alone machines for the students to play with.

You can probably still find VCL out there, or a more modern DIY virus kit. Though with the new ones, I'm not sure I would trust they don't have any hidden functionality.

Simple way to get infected (0)

kelarius (947816) | about 4 years ago | (#33819154)

Just tell the students to go onto facebook or myspace and play every stupid little game or take every stupid little quiz in sight. Then, tell them to click on every stupid little "get a xxxxxxxx degree in weeks" advert they see, and download whatever is recommended on those sites. Find a suitably infected machine, create an image off that machine, and you're set.

I'm actually not joking, this is what I do when I want to play with whatever viruses are currently in the wild.

An answer for your OP: (1)

RMingin (985478) | about 4 years ago | (#33819218)

You don't want an actual virus. Viruses are becoming less common; they are now the delivery vector more than anything. Most of my badware experience in the last year or three has been exploits, generally server-hosted and browser-targeting. Malware is the payload and payday, that's where the action is. Malware is also typically the user-facing component as well.

Go find Antivirus 2009, or the most recent respin of that godawful thing. It's fairly straightforward to remove, fairly obvious when it's present, and just aggressive enough against removal operations to be realistic. It won't self-replicate and spread, but it will give you a removable and obvious "infection".

Windows is a virus (0, Offtopic)

isabellf (230363) | about 4 years ago | (#33819228)

As many slashdotters know, Windows is a virus: http://www.annoyances.org/exec/show/article09-115 [annoyances.org].

Teach them to boot up a linux CD and reformat the whole thing, this is virus eradication!

Spend 10 minutes downloading porn! (1)

colman77 (689696) | about 4 years ago | (#33819250)

you'll be all set! No, of course you won't get fired.

Easy web browser one (1)

zmaragdus (1686342) | about 4 years ago | (#33819254)

It might be caught by modern browsers, but if you turn off all the security features (or just load up IE5 or something like that), you might be able to pull the one where you open an html document (with embedded javascript for the "virus" portion) and it, in turn, opens up two copies of itself. Those two each open two copies, and so on and so forth, until you've brought your machine to a screeching halt with the glut of windows opening up.

Easy to fix, too. Just manually shut down the machine (either hard power off or yank the cord), then delete the offending file.

Defining Malware first? (1)

garompeta (1068578) | about 4 years ago | (#33819264)

I think that we should remember the original concept of a virus: self replicating code. A binary that continues copying itself and infecting other programs by binding its own code to them.
A very simple conceptual and inoffensive "virus" could be a simple bat that copies itself with a >> to any bat file... something really annoying I made once was a file called "glutton.bat" which had:
@echo off
echo Can't stop eating...
echo I just can't...
rem append a line that invokes glutton.bat to the "host" file; each run adds one more
echo glutton.bat>>target.bat

As soon as glutton is run, target gets "infected" with a new line... and when "target.bat" is run, it will just keep increasing its size ad infinitum.
This is not executable and still explains the fundamental concept of how a virus behaves.
Now, if you want to infect a network with a proper worm, that is another story and I think that explaining about exploits and autorooters is way out of the scope of a 101 class IMO.
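The classic defensive counterpart to a file infector like glutton.bat is a file-integrity baseline: hash the files once while they are known-good, then compare later and look at what changed. The PowerShell script below is an added example, not code from this thread or its poster; it records SHA-256 hashes and sizes of the .bat files under a lab folder into a JSON file and, on the next run, reports new, changed and missing files, printing the tail of any file that grew so the injected line is visible. The paths C:\Lab\bat and C:\Lab\bat-baseline.json are placeholders.

```powershell
# Added example (not from the thread): keep a SHA256 baseline of the .bat
# files in a lab folder and report anything that changed, appeared or vanished.
# Assumes PowerShell 5.1+; the folder and baseline paths are placeholders.
param(
    [string]$LabDir   = 'C:\Lab\bat',
    [string]$Baseline = 'C:\Lab\bat-baseline.json',
    [switch]$Update   # write a fresh baseline instead of comparing
)

function Get-BatInventory([string]$Dir) {
    # One record per .bat file. Size and hash are what a self-appending
    # "infection" changes; the tail of the file shows what was appended.
    Get-ChildItem -LiteralPath $Dir -Recurse -File -Filter *.bat | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            Size   = $_.Length
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$current = @(Get-BatInventory $LabDir)

if ($Update -or -not (Test-Path -LiteralPath $Baseline)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $Baseline -Encoding UTF8
    Write-Host "Baseline written: $($current.Count) files -> $Baseline"
    return
}

# Index the stored baseline by path so each current file is a single lookup.
$known = @{}
foreach ($rec in @(Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json)) {
    $known[$rec.Path] = $rec
}

foreach ($rec in $current) {
    $old = $known[$rec.Path]
    if (-not $old) {
        Write-Host "NEW      $($rec.Path)"
    } elseif ($old.SHA256 -ne $rec.SHA256) {
        $delta = $rec.Size - $old.Size
        Write-Host "CHANGED  $($rec.Path) (size $($old.Size) -> $($rec.Size), delta $delta bytes)"
        if ($delta -gt 0) {
            # For glutton.bat this shows the injected 'glutton.bat' line(s).
            Get-Content -LiteralPath $rec.Path -Tail 3 | ForEach-Object { Write-Host "    + $_" }
        }
    }
    $known.Remove($rec.Path)
}
# Anything left in the index existed at baseline time but is gone now.
foreach ($gone in $known.Keys) { Write-Host "MISSING  $gone" }
```

Run it once with -Update before the "infection" and again afterwards; target.bat shows up as CHANGED with a positive delta and its appended lines printed, which is exactly the evidence a student should learn to look for before deleting anything.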

Manual removal (0)

Anonymous Coward | about 4 years ago | (#33819268)

Since you're looking for something the students can manually remove, why not just create a "virus" file that is really just a small file full of random data. Tell them the file is located in /path/to/system/files/ is N bytes in size and has a random file name. Then they can find and delete it. Then there is no risk, no explaining what you were thinking to your boss and the students get the basic concept of seek and destroy.

simple and effective.... (1)

metalmaster (1005171) | about 4 years ago | (#33819292)

Create a batch file with a shady sort of name

You can use a simple command like >> start iexplore -k "error.htm"

Use http://download.cnet.com/Bat-To-Exe-Converter/3000-2069_4-10555897.html [cnet.com] to convert the file to an executable. Have your students run the file so that it opens the error page in IE kiosk mode (annoying enough to not have a "Close" button). Demonstrate how open windows can be tracked to their parent process (error.htm is opened by sh4dY.exe) from within task manager. Hunt down and terminate the offending process, delete the exe and maybe the offending web page.
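Tracing a window back to whatever launched it is the core skill in this exercise, and Task Manager hides the one field that makes it easy: the parent process ID. The PowerShell script below is an added example, not code from this thread or its poster; it queries Win32_Process once, indexes by PID, and prints the ancestry of every process whose name starts with the given prefix (iexplore by default), child first. The script name Show-Ancestry.ps1 is my own choice.

```powershell
# Added example (not from the thread): print the process tree above a named
# process so a kiosk-mode IE window can be traced to the script or executable
# that started it. Assumes PowerShell 5.1+ (Get-CimInstance).
param([string]$Name = 'iexplore')

# One CIM query for all processes; ParentProcessId is what Task Manager does not show.
$all = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

function Show-Ancestry($proc) {
    # Walk upward until the parent has exited (no entry) or we loop (PID reuse).
    $seen  = @{}
    $depth = 0
    while ($proc -and -not $seen.ContainsKey([int]$proc.ProcessId)) {
        $seen[[int]$proc.ProcessId] = $true
        Write-Host (('  ' * $depth) + "$($proc.Name) [PID $($proc.ProcessId)]  $($proc.CommandLine)")
        $proc = $byId[[int]$proc.ParentProcessId]
        $depth++
    }
}

foreach ($target in ($all | Where-Object { $_.Name -like "$Name*" })) {
    Write-Host "== $($target.Name) PID $($target.ProcessId), ancestry (child first):"
    Show-Ancestry $target
    Write-Host ''
}
```

A plain batch file appears as cmd.exe with the .bat path in its CommandLine; a Bat-To-Exe wrapper appears under whatever name it was given (sh4dY.exe in the comment above), which is the line to note before using Stop-Process on it and deleting the file.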

Really Simple (1)

b4upoo (166390) | about 4 years ago | (#33819298)

If you wanted to teach students about viruses and had a Win 98 system or any system that has DOS you could do really simple demos. A nice sounding batch file with a format command would be a start. Once the students understand that even primitive programmers can create malware easily then you might show them some of the scripts that people plug into their own programs to cause devastation. Next might be to explain that advanced programmers and even governments can write really sinister viruses but that may involve years of learning. It might also involve years in prison.

So when students make a copy and it goes wild (1)

joeflies (529536) | about 4 years ago | (#33819306)

Who are they going to blame?

I can picture that bright, inquisitive kids (and maybe a few of the bad apples too) get a hold of a virus and create a copy of it / upload it to a server / save it to a usb drive, and then it gets out and infects other school computers, then guess whose door they're going to knock on?

Yes, there's plenty of ways that kids can get virus code on their own. But there's a big difference between when a kid picks up a loaded gun from home, vs getting one from the teacher, and hoping that it doesn't go off in an unintended manner.

I once had such a class. (1)

cheekyjohnson (1873388) | about 4 years ago | (#33819326)

It was filled with people who barely knew how to work a television remote, let alone use a computer. I think you might be wasting your time...

You're a lousy teacher. (1)

tomhudson (43916) | about 4 years ago | (#33819332)

"Demystifying computers" - teaching them how to remove a virus isn't going to do that.

Teach them how a computer actually works - if they don't know what's normal, how the heck are they supposed to recognize when something is wrong?

Besides, if they're too stupid to recognize what's normal by now (like they've never really used a computer before), you're wasting your time "demystifying computers." If they're too old, or too young, you're again wasting your time. Perhaps we should send you to Soviet Russia and have a virus remove YOU!

The Giant Black Book of Computer Viruses (1)

equex (747231) | about 4 years ago | (#33819354)

Get 'The Giant Black Book of Computer Viruses' - old but I remember it had simple ASM viruses you could play with.

I Like it! (1)

jeeribaldi (995586) | about 4 years ago | (#33819414)

This is a great idea for an intro level course. Not only does it teach about viruses, but about social engineering viruses - the ones that do no harm unless you "buy in" and follow the malicious instructions. Leave a cheap USB stick on their desks, or on the floor. It just needs to contain the self written virus and autorun.ini; those who plug it in fail, those that don't pass - at least the first stage of the test. Then let them develop their own break-out groups to remove it from those students' machines that fail the first part. Great lesson! Very inventive and engaging! Make the virus like the one (I cannot remember the exact name) that infects machines by displaying a Microsoft Security Essentials message saying IE is infected, then tries to get you to download anti-malware software that actually is malware. My two cents ( of course my 2 cents are valued at rates from the 1970's, so through devaluation and inflation... whatever)

My CSI teacher did something similar... (1, Funny)

Anonymous Coward | about 4 years ago | (#33819440)

Demonstrated how someone is murdered. I was glad I didn't draw the short straw to be the victim.

They're now serving life.

Use semi-current infection location to be worth it (1)

likuidkewl (634006) | about 4 years ago | (#33819490)

So with this type of example in today's computing world, I would suggest a simple program that is autorun at start, say in the registry under windows/current version/run or the like. It could write a copy of itself to the temp folder and check every 5 seconds to see if the key or file has been modified/removed. This can all be done easily with, say, a vbs/batch/pshel script.

example location:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Just keep say the main copy in %TEMP% and try to keep persistence in the %windir%.....The possibilities are endless

and using $ for variables was awful, I will $variable any day!

If I effed up the Windows registry locales, sorry. I don't use windows much anymore.
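The removal side of a Run-key plus %TEMP% persistence like the one described above is an audit of the autostart keys that resolves each value to the file it launches and flags the ones living in user-writable directories. The PowerShell script below is an added example, not code from this thread or its poster; it walks the usual Run and RunOnce keys in HKCU and HKLM (plus the Wow6432Node view), marks entries whose program sits under %TEMP%, %APPDATA%, %LOCALAPPDATA% or %PUBLIC%, marks entries whose file no longer exists, and can delete one value by name. The -RemoveName parameter and the script name Audit-RunKeys.ps1 are my own choices.

```powershell
# Added example (not from the thread): list every value under the common
# Run / RunOnce keys, resolve the program each one launches, and flag the ones
# that run from user-writable locations such as %TEMP%. Assumes PowerShell 5.1+.
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$RemoveName)   # value name to delete; omit to list only

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
) | Where-Object { Test-Path -LiteralPath $_ }

# Directories an unprivileged user can write to; an autostart that runs from
# here deserves a closer look than a vendor binary under Program Files.
$suspectRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Resolve-CommandPath([string]$Command) {
    # Pull the program out of a Run value such as  "C:\x\a.exe" /s  or  C:\x\a.exe -q
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own PSPath/PSChildName/... metadata properties.
        if ($p.Name -like 'PS*') { continue }

        $exe  = Resolve-CommandPath ([string]$p.Value)
        $flag = ''
        foreach ($root in $suspectRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $flag = 'USER-WRITABLE' }
        }
        if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flag = 'MISSING-FILE' }

        Write-Host ('{0,-14} {1,-24} {2}' -f $flag, $p.Name, $p.Value)
        Write-Host "               key: $key"

        if ($RemoveName -and $p.Name -eq $RemoveName) {
            # ShouldProcess gives -WhatIf / -Confirm for free.
            if ($PSCmdlet.ShouldProcess("$key\$($p.Name)", 'Remove autostart value')) {
                Remove-ItemProperty -LiteralPath $key -Name $p.Name
            }
        }
    }
}
```

Deleting from the HKLM keys needs an elevated prompt. For the watchdog variant described above (a second copy that re-creates the key or file every few seconds) the listing will simply reappear after removal, which is the cue to run the process-ancestry check on cmd.exe or wscript.exe first and stop the watchdog before cleaning the key and %TEMP%.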
