Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How do I stop Infected Client Systems from logging in?

Login Scripts

How do I stop Infected Client Systems from logging in?

by  jnicks  Posted    (Edited  )
Ordinary Login Script statements give you a 70% chance of rejecting logins from client systems with viruses.

You cannot run an A-V scan every login, they take too long by far. However simple Login Script Commands can detect and trap 69.9% of the last month's 'most popular virus' list from Sophos.

http://www.sophos.com/virusinfo/topten/

A Login Script that take about a tenth of a second to run, once per user login.

--------------------------------------------
The top ten viruses/worms and their percentages

[tt]
Virus per cent
------------------------
W32/Klez-H 17.7% *
W32/Frethem-Fam 17.0% *
W32/Yaha-E 16.8% *
W32/Badtrans-B 5.8% *
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Klez-E 1.7% *
W32/Nimda-A 1.5%
W32/Magistr-A 1.3% *
Others 30.1%
[/tt]


The ones that can be detected by very simple tasks at NT Login time are marked with *

[ul]We have used %windows% to refer to the windows directory, \windows on w98 and so forth.[/ul]

------------ HOW TO ------------

Klez.H, Klez.E and Frethem all delete anti-virus files. One such file is C:\anti-vir.dat.

Ergo: If the file has been deleted the system is probably infected, if the file was there once. The user should not be let into the network.

--------------------------------------------
Stage one, get the file to all users:

Modify the server login script to include the code to create the file if it is not there. Let it run for several days, or a week.
Code:
  If not exist c:\Anti-Vir.Dat echo x>c:\anti-vir.dat

Now all, or almost all, sytems have a file c:\anti-vir.dat.

Stage two, install the check.

Remove the statement that creates the file and replace it with:

Code:
  If not exist c:\Anti-Vir.Dat goto BailOut

Where BailOut is a section of the login script that does someething
like:

Code:
 BailOut:
  cls
  Echo You are not permitted to login, contact Tech Support
  echo  for further information.  Ext 1234. 
  pause
  goto BailOut

Most importantly the statment does NOT let the user into the network. YOu could show a screen, reboot the system, or use whatever your security policy decides is right.

--------------------------------------------

By eliminating Klez-E, Klez.H and Frethem we eliminate 27.4%. Remaining are

[tt]
W32/Yaha-E 16.8% *
W32/Badtrans-B 5.8% *
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Nimda-A 1.5%
W32/Magistr-A 1.3% *
Others 30.1%
[/tt]


--------------------------------------------

Yaha-E and BadTrans_B create c:\%windows%\MSTASKMON.EXE

The Login Script addition should be obvious:

Code:
  If Exist c:\%windows%\mstaskmon.exe goto BailOut


--------------------------------------------We are now down to

[tt]
Virus
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Nimda-A 1.5%
W32/Magistr-A 1.3% *
[/tt]

ElKern-C, Magistr-B, Hybris-B, and Nimda-A are a little more sophistcated than the others and do not leave such obvious traces on the systems infected. That was only 9.6% of the infections in July, 2002.


--------------------------------------------
W32/Magistr-A creates filenames that use include:
[tt]
CFGWIZ32.EXE CHLINST.EXE DPLAYSVR.EXE MAKETAG.EXE
MKCOMPAT.EXE MLSET32.EXE MSOOBD.EXE MSOOBE.EXE
OEMRNCE.EXE SETMODD.EXE SUCATREG.EXE SULFNBK.EXE
UNREGASF.EXE
[/tt]

We could create a series of
Code:
If Exist
statements for each of them. Not a problem. A better, faster, more maneageable way is to get a BlackList program that will look for a list of file names a lot faster than the Login Script can. Or, write your own, it is easy.


--------------------------------------------

We are now down to 9.6% of last months most 'popular' viruses.
[tt]
Virus
W32/ElKern-C 3.7%
W32/Magistr-B 2.5%
W32/Hybris-B 1.9%
W32/Nimda-A 1.5%
[/tt]


The thing is that we can trap systems with 69.9% of the virus infections with a Login Script which takes less than a tenth of a second, once per user login.

Code:
  If not exist c:\Anti-Vir.Dat goto BailOut
  if exist c:\%windows%\mstaskmon.exe goto BailOut
  blacklist magista.dat
  if errorlevel 1 goto bailout

Where magista.dat has the list of blacklist files.

Below are brief notes on the individual viruses from Sophos.... Please see Sophos or F-secure for complete writeups of viruses.

http://www.sophos.com

http://www.f-secure.com



In the notes below, F-Secure sometimes has information suggesting additional tests. These are after "F-Secure says:".




--------------------------------------------
Klez.H
Deletes the files
ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMART CHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT


F-Secure says: Creates c:\%windows%\winkxxxx.exe where xxx is two to three characters.

Code:
If exist c:\%windows%\wink*.exe goto BailOut

--------------------------------------------

W32/Frethem-Fam
C:\%windows%\Start Menu\Programs\Startup\setup.exe

Alternatively, for a computer with multi-user setting enabled, the worm
could copy itself to <user profile path>\Start Menu\Programs\Startup.


Freethem deletes: 

  ANTI-VIR.DAT
  CHKLIST.DAT
  CHKLIST.MS
  CHKLIST.CPS
  CHKLIST.TAV
  IVB.NTZ
  SMART CHK.MS
  SMARTCHK.CPS
  AVGQT.DAT
  AGUARD.DAT



--------------------------------------------
Yaha-E
 creates MSTASKMON.EXE


--------------------------------------------
W32/Badtrans-B creates  MSTASKMON.EXE

F-Secure says it also creates files with the tests: 
[code]
   if exist c:\%windows%\KERNEL32.EXE goto BailOut
   if exist c:\%windows%\system\KERNEL32.EXE goto BailOut
   if exist c:\%windows%\system\CP_25389.NLS goto BailOut

--------------------------------------------
W32/ElKern-C   No obvious traces.

F-Secure says: 
  if exist C:\%windows%\system\WQK.EXE goto BailOut

--------------------------------------------
W32/Magistr.B   No obvious traces.

F-Secure says:

Magistr.b looks for and 'destroys' *.NTZ

As was done for Anti-Vir.dat, so one could create a file named c:\%windows%\Test.NTZ and look for its removal.


--------------------------------------------
W32/Hybris-B   No obvious traces.

F-Secure says:

Creates Wininit.ini as do other installs.  

The thing is that unless there has been a recent install one should not have a c:\%windows%\wininit.ini nor a C:\%windows%\deletefi.ini

In a stable client environment where users are not supposed to install packages one could test for these files and bar any user that has one.


--------------------------------------------
Klez-E deletes: 

ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMART CHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT

F-Secure says:  
[code]
   if exist c:\%windows%\SystemWINK*.EXE goto BailOut
--------------------------------------------
W32/Nimda-A No obvious traces.

F-Secure says it creates:
c:\%windows%\MMC.EXE and ADMIN.DLL

Code:
   if exist c:\%windows%\MMC.EXE goto BailOut

but where ADMIN.DLL is was not noted. I'd suggest adding

Code:
   if exist c:\%windows%\ADMIN.DLL goto BailOut
   if exist c:\%windows%\system\ADMIN.DLL goto BailOut

Searches through several directories are better done with a BlackList program.


--------------------------------------------
W32/Magistr-A
Filenames that the virus can use include:

CFGWIZ32.EXE
CHLINST.EXE
DPLAYSVR.EXE
MAKETAG.EXE
MKCOMPAT.EXE
MLSET32.EXE
MSOOBD.EXE
MSOOBE.EXE
OEMRNCE.EXE
SETMODD.EXE
SUCATREG.EXE
SULFNBK.EXE
UNREGASF.EXE

Another BlackList item.
Register to rate this FAQ  : BAD 1 2 3 4 5 6 7 8 9 10 GOOD
Please Note: 1 is Bad, 10 is Good :-)

Part and Inventory Search

Back
Top