Ctrl-Alt-Del to see what program processes were running. There were a few that I didn't recognize, but that by itself is not surprising. Then I used the SYSEDIT.EXE command to examine the system startup files. The SYSTEM.INI file definitely had something suspicious. There was a line under the [boot] section, shell=explorer.exe Netlog1.exe, that was loading a strange file into memory every time Windows started. First, I used the Task menu to remove Netlog1.exe from memory, and then I examined it using a file text editor.
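As an added example that is not from the book, here is a small Python check for the kind of SYSTEM.INI entry described above: it parses the [boot] section and reports anything on the shell= line beyond the expected explorer.exe. The sample file contents are constructed, modelled on the line quoted in the text.

```python
# Added example: flag a SYSTEM.INI [boot] shell= line that launches
# anything besides the expected shell (e.g. "shell=explorer.exe Netlog1.exe").
import re

# Constructed sample SYSTEM.INI text, modelled on the line quoted above.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=explorer.exe Netlog1.exe
mouse.drv=mouse.drv

[386Enh]
device=*vshare
"""

def parse_ini(text):
    """Return {section: {key: value}} from Windows .ini text.
    Section and key names are lower-cased; ';' comments and blanks are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def suspicious_shell_entries(ini_text, expected_shell="explorer.exe"):
    """Return the programs on the [boot] shell= line that should not be there.
    Empty list: no shell= line, or the line is exactly the expected shell.
    Tokens are split on whitespace (Win9x-era 8.3 names carry no spaces)."""
    shell = parse_ini(ini_text).get("boot", {}).get("shell", "")
    tokens = shell.split()
    if not tokens:
        return []
    if tokens[0].lower() != expected_shell.lower():
        return tokens          # the shell itself was replaced: report it all
    return tokens[1:]          # extras after the shell are unexpected autostarts

if __name__ == "__main__":
    print(suspicious_shell_entries(SAMPLE_SYSTEM_INI))   # ['Netlog1.exe']
```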
variant) from the older exploit or maybe even something completely different. In either case, the maliciousness occurs again with the same results. The defense steps most of us are taking are not enough.
I had played a trick on a classmate by altering a disk with a hot new pirated game to self destruct after a few boots. I gave him the disk, which he eagerly accepted, and he got to play [it] a few times before my booby trap sprung and the game erased itself. I enjoyed the success of this trick, but clearly it couldn't be repeated, since he would be wary of my gifts from that point.

It then occurred to me that I could load something into a booted Apple II in the school, which would hide in the background, and then alter the next disk that was put in and used. The point was to get my booby trap onto a disk that a classmate wouldn't let me handle. Even though I couldn't handle his disk, I could leave behind code that could get its "hands" on it.

At this point I made the jump that if the booby trap was the infection code itself, it could be self-propagating. The tricked classmate would be unwittingly brought into service infecting others with the self-propagating booby trap. There was no telling how far it could go.
Ctrl-Break). Others lie in wait for the user to unknowingly type in a particular keyword to set off some sort of damage routine. Computer viruses can taunt people and display questions the end user must answer in some twisted form of a quiz show. If you answer incorrectly, they do more damage.
Ctrl-Alt-Del to warm boot. There are dozens of viruses, like Fish, Ugly, Joshi, and Aircop, which have no problem "living" through a warm boot, and thriving in memory when the PC restarts. These types of viruses monitor the keyboard input buffer or check the "warm-boot flag" in the BIOS data area, waiting for the Ctrl-Alt-Del key sequence. They can then fake the normal reboot process and remain in control.

The Ugly virus family tries to manipulate CMOS memory into thinking there is no floppy disk drive. Thus, when the PC reboots, it boots to the hard drive first, runs the infected virus code, and then the virus re-enables the floppy disk drive and runs the floppy-based boot process. The PC appears as if it has booted up on the floppy diskette, but the virus is already in memory. Sneaky buggers, aren't they?
Start → Programs → Accessories → System Tools → System Restore) can be used to automate recovery from many malicious code attacks, instead of the manual methods we rely on in the older versions.