Navigation
Install the app
How to install the app on iOS
Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
More options
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
How do I stop Infected Client Systems from logging in?
Login Scripts
How do I stop Infected Client Systems from logging in?
by
jnicks
Posted
(Edited
)
Ordinary Login Script statements give you a 70% chance of rejecting logins from client systems with viruses.
You cannot run an A-V scan every login, they take too long by far. However simple Login Script Commands can detect and trap 69.9% of the last month's 'most popular virus' list from Sophos.
http://www.sophos.com/virusinfo/topten/
A Login Script that take about a tenth of a second to run, once per user login.
--------------------------------------------
The top ten viruses/worms and their percentages
[tt]
Virus per cent
------------------------
W32/Klez-H 17.7% *
W32/Frethem-Fam 17.0% *
W32/Yaha-E 16.8% *
W32/Badtrans-B 5.8% *
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Klez-E 1.7% *
W32/Nimda-A 1.5%
W32/Magistr-A 1.3% *
Others 30.1%
[/tt]
The ones that can be detected by very simple tasks at NT Login time are marked with *
[ul]We have used %windows% to refer to the windows directory, \windows on w98 and so forth.[/ul]
------------ HOW TO ------------
Klez.H, Klez.E and Frethem all delete anti-virus files. One such file is C:\anti-vir.dat.
Ergo: If the file has been deleted the system is probably infected, if the file was there once. The user should not be let into the network.
--------------------------------------------
Stage one, get the file to all users:
Modify the server login script to include the code to create the file if it is not there. Let it run for several days, or a week.
Now all, or almost all, sytems have a file c:\anti-vir.dat.
Stage two, install the check.
Remove the statement that creates the file and replace it with:
Where BailOut is a section of the login script that does someething
like:
Most importantly the statment does NOT let the user into the network. YOu could show a screen, reboot the system, or use whatever your security policy decides is right.
--------------------------------------------
By eliminating Klez-E, Klez.H and Frethem we eliminate 27.4%. Remaining are
[tt]
W32/Yaha-E 16.8% *
W32/Badtrans-B 5.8% *
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Nimda-A 1.5%
W32/Magistr-A 1.3% *
Others 30.1%
[/tt]
--------------------------------------------
Yaha-E and BadTrans_B create c:\%windows%\MSTASKMON.EXE
The Login Script addition should be obvious:
--------------------------------------------We are now down to
[tt]
Virus
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Nimda-A 1.5%
W32/Magistr-A 1.3% *
[/tt]
ElKern-C, Magistr-B, Hybris-B, and Nimda-A are a little more sophistcated than the others and do not leave such obvious traces on the systems infected. That was only 9.6% of the infections in July, 2002.
--------------------------------------------
W32/Magistr-A creates filenames that use include:
[tt]
CFGWIZ32.EXE CHLINST.EXE DPLAYSVR.EXE MAKETAG.EXE
MKCOMPAT.EXE MLSET32.EXE MSOOBD.EXE MSOOBE.EXE
OEMRNCE.EXE SETMODD.EXE SUCATREG.EXE SULFNBK.EXE
UNREGASF.EXE
[/tt]
We could create a series of
statements for each of them. Not a problem. A better, faster, more maneageable way is to get a BlackList program that will look for a list of file names a lot faster than the Login Script can. Or, write your own, it is easy.
--------------------------------------------
We are now down to 9.6% of last months most 'popular' viruses.
[tt]
Virus
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Nimda-A 1.5%
[/tt]
The thing is that we can trap systems with 69.9% of the virus infections with a Login Script which takes less than a tenth of a second, once per user login.
Where magista.dat has the list of blacklist files.
Below are brief notes on the individual viruses from Sophos.... Please see Sophos or F-secure for complete writeups of viruses.
http://www.sophos.com
http://www.f-secure.com
In the notes below, F-Secure sometimes has information suggesting additional tests. These are after "F-Secure says:".
--------------------------------------------
Klez.H
Deletes the files
ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMART CHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT
F-Secure says: Creates c:\%windows%\winkxxxx.exe where xxx is two to three characters.
--------------------------------------------
W32/Nimda-A No obvious traces.
F-Secure says it creates:
c:\%windows%\MMC.EXE and ADMIN.DLL
but where ADMIN.DLL is was not noted. I'd suggest adding
Searches through several directories are better done with a BlackList program.
--------------------------------------------
W32/Magistr-A
Filenames that the virus can use include:
CFGWIZ32.EXE
CHLINST.EXE
DPLAYSVR.EXE
MAKETAG.EXE
MKCOMPAT.EXE
MLSET32.EXE
MSOOBD.EXE
MSOOBE.EXE
OEMRNCE.EXE
SETMODD.EXE
SUCATREG.EXE
SULFNBK.EXE
UNREGASF.EXE
Another BlackList item.
You cannot run an A-V scan every login, they take too long by far. However simple Login Script Commands can detect and trap 69.9% of the last month's 'most popular virus' list from Sophos.
http://www.sophos.com/virusinfo/topten/
A Login Script that take about a tenth of a second to run, once per user login.
--------------------------------------------
The top ten viruses/worms and their percentages
[tt]
Virus per cent
------------------------
W32/Klez-H 17.7% *
W32/Frethem-Fam 17.0% *
W32/Yaha-E 16.8% *
W32/Badtrans-B 5.8% *
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Klez-E 1.7% *
W32/Nimda-A 1.5%
W32/Magistr-A 1.3% *
Others 30.1%
[/tt]
The ones that can be detected by very simple tasks at NT Login time are marked with *
[ul]We have used %windows% to refer to the windows directory, \windows on w98 and so forth.[/ul]
------------ HOW TO ------------
Klez.H, Klez.E and Frethem all delete anti-virus files. One such file is C:\anti-vir.dat.
Ergo: If the file has been deleted the system is probably infected, if the file was there once. The user should not be let into the network.
--------------------------------------------
Stage one, get the file to all users:
Modify the server login script to include the code to create the file if it is not there. Let it run for several days, or a week.
Code:
If not exist c:\Anti-Vir.Dat echo x>c:\anti-vir.datNow all, or almost all, sytems have a file c:\anti-vir.dat.
Stage two, install the check.
Remove the statement that creates the file and replace it with:
Code:
If not exist c:\Anti-Vir.Dat goto BailOutWhere BailOut is a section of the login script that does someething
like:
Code:
BailOut:
cls
Echo You are not permitted to login, contact Tech Support
echo for further information. Ext 1234.
pause
goto BailOutMost importantly the statment does NOT let the user into the network. YOu could show a screen, reboot the system, or use whatever your security policy decides is right.
--------------------------------------------
By eliminating Klez-E, Klez.H and Frethem we eliminate 27.4%. Remaining are
[tt]
W32/Yaha-E 16.8% *
W32/Badtrans-B 5.8% *
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Nimda-A 1.5%
W32/Magistr-A 1.3% *
Others 30.1%
[/tt]
--------------------------------------------
Yaha-E and BadTrans_B create c:\%windows%\MSTASKMON.EXE
The Login Script addition should be obvious:
Code:
If Exist c:\%windows%\mstaskmon.exe goto BailOut--------------------------------------------We are now down to
[tt]
Virus
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Nimda-A 1.5%
W32/Magistr-A 1.3% *
[/tt]
ElKern-C, Magistr-B, Hybris-B, and Nimda-A are a little more sophistcated than the others and do not leave such obvious traces on the systems infected. That was only 9.6% of the infections in July, 2002.
--------------------------------------------
W32/Magistr-A creates filenames that use include:
[tt]
CFGWIZ32.EXE CHLINST.EXE DPLAYSVR.EXE MAKETAG.EXE
MKCOMPAT.EXE MLSET32.EXE MSOOBD.EXE MSOOBE.EXE
OEMRNCE.EXE SETMODD.EXE SUCATREG.EXE SULFNBK.EXE
UNREGASF.EXE
[/tt]
We could create a series of
Code:
If Exist--------------------------------------------
We are now down to 9.6% of last months most 'popular' viruses.
[tt]
Virus
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Nimda-A 1.5%
[/tt]
The thing is that we can trap systems with 69.9% of the virus infections with a Login Script which takes less than a tenth of a second, once per user login.
Code:
If not exist c:\Anti-Vir.Dat goto BailOut
if exist c:\%windows%\mstaskmon.exe goto BailOut
blacklist magista.dat
if errorlevel 1 goto bailoutWhere magista.dat has the list of blacklist files.
Below are brief notes on the individual viruses from Sophos.... Please see Sophos or F-secure for complete writeups of viruses.
http://www.sophos.com
http://www.f-secure.com
In the notes below, F-Secure sometimes has information suggesting additional tests. These are after "F-Secure says:".
--------------------------------------------
Klez.H
Deletes the files
ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMART CHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT
F-Secure says: Creates c:\%windows%\winkxxxx.exe where xxx is two to three characters.
Code:
If exist c:\%windows%\wink*.exe goto BailOut
--------------------------------------------
W32/Frethem-Fam
C:\%windows%\Start Menu\Programs\Startup\setup.exe
Alternatively, for a computer with multi-user setting enabled, the worm
could copy itself to <user profile path>\Start Menu\Programs\Startup.
Freethem deletes:
ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMART CHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT
--------------------------------------------
Yaha-E
creates MSTASKMON.EXE
--------------------------------------------
W32/Badtrans-B creates MSTASKMON.EXE
F-Secure says it also creates files with the tests:
[code]
if exist c:\%windows%\KERNEL32.EXE goto BailOut
if exist c:\%windows%\system\KERNEL32.EXE goto BailOut
if exist c:\%windows%\system\CP_25389.NLS goto BailOut
--------------------------------------------
W32/ElKern-C No obvious traces.
F-Secure says:
if exist C:\%windows%\system\WQK.EXE goto BailOut
--------------------------------------------
W32/Magistr.B No obvious traces.
F-Secure says:
Magistr.b looks for and 'destroys' *.NTZ
As was done for Anti-Vir.dat, so one could create a file named c:\%windows%\Test.NTZ and look for its removal.
--------------------------------------------
W32/Hybris-B No obvious traces.
F-Secure says:
Creates Wininit.ini as do other installs.
The thing is that unless there has been a recent install one should not have a c:\%windows%\wininit.ini nor a C:\%windows%\deletefi.ini
In a stable client environment where users are not supposed to install packages one could test for these files and bar any user that has one.
--------------------------------------------
Klez-E deletes:
ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMART CHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT
F-Secure says:
[code]
if exist c:\%windows%\SystemWINK*.EXE goto BailOutW32/Nimda-A No obvious traces.
F-Secure says it creates:
c:\%windows%\MMC.EXE and ADMIN.DLL
Code:
if exist c:\%windows%\MMC.EXE goto BailOutbut where ADMIN.DLL is was not noted. I'd suggest adding
Code:
if exist c:\%windows%\ADMIN.DLL goto BailOut
if exist c:\%windows%\system\ADMIN.DLL goto BailOutSearches through several directories are better done with a BlackList program.
--------------------------------------------
W32/Magistr-A
Filenames that the virus can use include:
CFGWIZ32.EXE
CHLINST.EXE
DPLAYSVR.EXE
MAKETAG.EXE
MKCOMPAT.EXE
MLSET32.EXE
MSOOBD.EXE
MSOOBE.EXE
OEMRNCE.EXE
SETMODD.EXE
SUCATREG.EXE
SULFNBK.EXE
UNREGASF.EXE
Another BlackList item.
Please Note: 1 is Bad, 10 is Good :-)
Part and Inventory Search
-
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.