The PC-OFF.BAT virus hooks a shutdown script into the Windows XP logon. A few seconds after you log in, Windows shuts down, and safe mode is affected as well. The countdown is only a few seconds, which is not long enough to type “shutdown -a” in the Run box to abort it; you may not even see the emergency shutdown dialog before the machine is already shutting down.

(Screenshot: Windows XP emergency shutdown dialog)

Because the shutdown fires before you can act, the files have to be removed from outside the running installation. The simplest route is the Recovery Console on a Windows XP CD; alternatives are mounting the hard drive in another computer, or booting a LiveCD (BartPE or Linux) and deleting the files from there.

Remove the files from your hard drive using the Windows XP CD

  1. Insert the Windows XP disc and boot from it. You may need to change the BIOS boot order so the CD-ROM drive comes first.
  2. When the “Welcome to Setup” screen appears, press “R.”
  3. Select the installation you wish to access (there should be only one option for most systems).
  4. Enter the administrator password when asked.
  5. Once at the Recovery Prompt, press ENTER after typing the following command: chdir c:\windows
  6. Press ENTER after typing the following command: del bar311.exe
  7. Press ENTER after typing the following command: del password_viewer.exe
  8. Press ENTER after typing the following command: del photo.zip.exe
  9. Press ENTER after typing the following command: del pc-off.bat
  10. Press ENTER after typing the following command: exit
  11. Remove the Windows XP disc and restart your computer.

Once pc-off.bat is gone from the Windows directory, you’ll be able to log on to Windows without it shutting down immediately. The registry still carries the entries that launched the droppers, so clean those up as well:

  1. Go to Start -> Run, type “regedit” and press ENTER.
  2. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and look at the Userinit value. The infected form is “Userinit=C:\WINDOWS\system32\userinit.exe,xxxxxx.exe”, where xxxxxx.exe is bar311.exe, photo.zip.exe or password_viewer.exe; anything listed after userinit.exe is started at every logon.
  3. Remove bar311.exe, photo.zip.exe or password_viewer.exe from the value, but be sure to leave “C:\WINDOWS\system32\userinit.exe,” in place. If you delete userinit.exe, you will be unable to log on to Windows at all.
  4. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced and restore the Explorer view settings the infection altered: “Hidden=dword:00000001 (1)” (show hidden files), “HideFileExt=dword:00000000 (0)” (show file extensions), “ShowSuperHidden=dword:00000001 (1)” (show protected operating system files).
  5. Go to HKEY_CURRENT_USER\Software\Microsoft\Command Processor and find the value “AutoRun=c:\windows\pc-off.bat”. Remove “c:\windows\pc-off.bat” (or delete the AutoRun value); this is what launched the batch file every time cmd.exe started. The same AutoRun value can also exist under HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, so check it there too.
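As an added example (not part of the original post), the following batch file verifies from a normal cmd.exe session that both the file deletions done in the Recovery Console and the registry cleanup above actually took, and repairs the registry values when run with /fix. The dropper file names and registry locations are the ones given in this post; the Explorer view values it writes are the ones listed in step 4. Run it as the user account that was infected, because two of the values live under HKEY_CURRENT_USER.

```batch
@echo off
rem pcoff-check.cmd -- added example, not from the original post.
rem Verifies the PC-OFF.BAT cleanup described above and, with /fix,
rem repairs the registry values. Run from cmd.exe as the infected user.
setlocal
set "WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "CMDPROC_USER=HKCU\Software\Microsoft\Command Processor"
set "CMDPROC_MACHINE=HKLM\SOFTWARE\Microsoft\Command Processor"
set "ADVANCED=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
set "USERINIT_DEFAULT=%SystemRoot%\system32\userinit.exe,"

echo === Dropper files named in the post (should all be gone) ===
for %%F in (bar311.exe password_viewer.exe photo.zip.exe pc-off.bat) do (
    if exist "%SystemRoot%\%%F" (
        echo STILL PRESENT: %SystemRoot%\%%F
    ) else (
        echo ok: %SystemRoot%\%%F not found
    )
)

echo.
echo === Winlogon Userinit (anything after userinit.exe runs at every logon) ===
reg query "%WINLOGON%" /v Userinit
rem A clean value ends right after "userinit.exe,". Flag it if one of the
rem dropper names is still appended.
for %%N in (bar311.exe photo.zip.exe password_viewer.exe) do (
    reg query "%WINLOGON%" /v Userinit | find /i "%%N" >nul && echo INFECTED: Userinit still launches %%N
)

echo.
echo === Command Processor AutoRun (runs each time cmd.exe starts) ===
reg query "%CMDPROC_USER%" /v AutoRun 2>nul || echo ok: no AutoRun under HKCU
reg query "%CMDPROC_MACHINE%" /v AutoRun 2>nul || echo ok: no AutoRun under HKLM

echo.
echo === Explorer view settings (expected: Hidden 1, HideFileExt 0, ShowSuperHidden 1) ===
reg query "%ADVANCED%" /v Hidden
reg query "%ADVANCED%" /v HideFileExt
reg query "%ADVANCED%" /v ShowSuperHidden

if /i not "%~1"=="/fix" goto :done

echo.
echo === Repairing ===
rem Keep userinit.exe, drop everything the virus appended after it.
reg add "%WINLOGON%" /v Userinit /t REG_SZ /d "%USERINIT_DEFAULT%" /f
rem Remove the AutoRun hook from both hives; 2>nul hides "not found".
reg delete "%CMDPROC_USER%" /v AutoRun /f 2>nul
reg delete "%CMDPROC_MACHINE%" /v AutoRun /f 2>nul
rem Show hidden files, show extensions, show protected OS files.
reg add "%ADVANCED%" /v Hidden /t REG_DWORD /d 1 /f
reg add "%ADVANCED%" /v HideFileExt /t REG_DWORD /d 0 /f
reg add "%ADVANCED%" /v ShowSuperHidden /t REG_DWORD /d 1 /f
echo Done. Log off and back on; Explorer re-reads its view settings at logon.

:done
endlocal
```

Run it once without arguments first and read the output; only run it with /fix when the Userinit or AutoRun lines actually show the malicious entries, since the repair step rewrites Userinit to the stock value and will discard any legitimate addition a management tool may have placed there.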


February’s Patch Tuesday was eventful, to say the least. Many noticed that update KB977165 (Security Bulletin MS10-015) caused a blue screen on some systems (Stop error: PAGE_FAULT_IN_NONPAGED_AREA). While the initial outrage was directed at Microsoft for shipping a shoddy patch, it was eventually found that the Alureon rootkit, already present on the affected machines, was the cause of the blue screen once KB977165 was installed.

But don’t worry: the makers of the Alureon rootkit have already updated it and patched the flaw! Hurray!

For everyone else there are two options:

  1. Boot a LiveCD, scan the hard drive for the rootkit and remove it. This fixes the actual problem. Try Knoppix STD (http://www.knoppix-std.org/) or BartPE (http://www.nu2.nu/pebuilder/).
  2. Remove MS10-015 (KB977165) from your system. This gets the machine booting again but leaves the rootkit in place and the vulnerability unpatched, so treat it as a stopgap until you can do option 1.

How to remove Security Bulletin MS10-015 (977165) from your system

  1. Insert the Windows XP disc and boot from it. You may need to change the BIOS boot order so the CD-ROM drive comes first.
  2. When the “Welcome to Setup” screen appears, press “R.”
  3. Select the installation you wish to access (there should be only one option for most systems).
  4. Enter the administrator password when asked.
  5. Once at the Recovery Console prompt (it starts in C:\WINDOWS, where the update’s hidden uninstall folder lives), type the following command and press ENTER: CHDIR $NtUninstallKB977165$\spuninst
  6. Type the following and press ENTER: BATCH spuninst.txt (this runs the update’s own uninstall script one command at a time)
  7. Type the following and press ENTER: systemroot (returns you to the Windows directory)
  8. Press ENTER after typing the following:  exit
  9. Remove the Windows XP CD and restart.


Some time ago a co-worker mentioned that someone had been rummaging through the files on her computer. She was concerned because the files in question pertained to a terminated employee. I nodded in sympathy and asked her the following questions:

  • When did this happen?
    Her response: After she had left work for the evening, but before she came in the next day.
  • Did you log off your computer in the evening?
    Her response: No.
  • Did you lock your office in the evening?
    Her response: No.
  • Is there anyone currently employed that would have an interest in those files?
    Her response: Yes.
  • Did you tell the Boss?
    Her response: No.

Because the office had no form of employee tracking, we could not establish who had been in the building, let alone who had accessed the files. While management was trying to find out who did it, I focused on the measures that could have prevented it: the worker had neither logged off her machine nor locked her office for the evening. As with most things in IT, the typical response is reactive instead of proactive. Had the managers taken my concerns about physical and logical security seriously months earlier, the situation would not have happened. This incident was the catalyst I needed to effect a change in policy regarding passwords, automatic log-off, and certain aspects of physical security.

(Diagram: People, Process, Technology Venn diagram)

People, Process, Technology

Everyone has seen the People, Process, Technology Venn diagram that is prevalent in business literature. I believe the most effective security practices balance all three: the process has to be sound, the technology relevant, and the people informed. Leaning too heavily on any one of them will surely result in failure. No matter how locked down a server is, if someone writes their password on a Post-it note stuck to the monitor, it is no longer secure. And if there is no process in place to direct the people or the technology toward the correct actions, it will fail just the same.

Social Engineering

It seems the most vulnerable aspect of security lies in people’s tendency to fall for social engineering. Medium-sized companies are especially exposed: they may not have the means to implement real physical security, yet they have outgrown the close-knit employee base that makes an outsider easy to spot. How easy do you think it would be to walk into a medium-sized company in a Canon shirt and convince them you are there to fix the copier?

I’d like to hear your own experiences with security, including what you think are the most important factors in creating a successful security policy.



Last night Malwarebytes’ Anti-Malware flagged the atapi.sys driver and its associated registry keys as malicious; this was a false positive. As you may know, atapi.sys is the IDE/ATAPI miniport driver the Windows storage stack needs to reach the boot disk, so deleting it (or its service keys) renders the system unbootable.

If “Automatically restart” is checked under System Properties > Advanced > Startup and Recovery, the system will reboot in a loop without ever showing an error. If it is unchecked, you will see STOP error 0x0000007B (INACCESSIBLE_BOOT_DEVICE).

I have included a zip file with the registry keys below and atapi.sys (version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)) taken from a fresh install of Windows XP SP2. Apparently the false positive only affects SP2 installations. Whatever replacement copy you use, make sure it matches your service pack level and compare it against a known-good machine’s copy before trusting it.

Registry keys flagged as infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi

File flagged as infected:
C:\WINDOWS\system32\drivers\atapi.sys

A few ways to fix this:

Use another machine to load Atapi.Sys and Registry Keys

  1. Install the hard drive into another Windows XP computer at the same service pack level and copy that computer’s good atapi.sys (Windows\System32\Drivers) onto your drive. Or download the XP SP2 one here.
  2. Put the hard drive back into the original computer and choose “Last Known Good Configuration” from the F8 boot menu. This boots from the control set that last started successfully, which restores the atapi service keys as long as that control set was not cleaned as well.
  3. If “Last Known Good Configuration” does not work, edit the registry hive of your installation from another computer: put the hard drive into a second machine, load its SYSTEM hive in that machine’s registry editor (File > Load Hive) and recreate the atapi keys there. If you are uncomfortable doing this, create a Windows LiveCD instead (below).

Make a BartPE or LiveCD of Windows

  1. Go to http://www.ubcd4win.com/howto.htm and follow the instructions to build a Windows LiveCD. BartPE (http://www.nu2.nu/pebuilder/) also works, but its menus differ from the steps below.
  2. From a known-good machine at the same service pack level, export the three registry keys above to a USB drive.
  3. From the same known-good machine, copy atapi.sys from Windows\System32\Drivers to the USB drive. Or download the XP SP2 keys and atapi.sys here (zip).
  4. When the LiveCD has loaded (this takes a while), attach the USB drive. Copy atapi.sys into your machine’s Windows\System32\Drivers directory.
  5. In the LiveCD’s Windows environment, go to Start > Program Files > Registry Editors > Regedit (remote).
  6. You will be prompted to select a user profile from your hard drive to load. Most likely it is “Administrator.”
  7. Go to File > Import in the registry editor.
  8. Import each of the three .reg files you exported from the known-good machine.
  9. Remove the LiveCD and restart your computer.
  10. Everything should work.
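The second-machine approach in step 3 of the previous list and the LiveCD approach just described both come down to editing the dead installation’s SYSTEM hive offline. As an added example (not something from the original post or from the zip file it links to), this batch file does the same job from a working Windows XP machine at the same service pack level, with the dead disk attached as a second drive. It assumes that disk shows up as E: and that the installation lives in E:\WINDOWS; adjust OFFLINE_DRIVE if not. Rather than hand-typing values, it copies the repair machine’s own atapi.sys and atapi service key across with reg copy.

```batch
@echo off
rem atapi-offline-repair.cmd -- added example, not from the original post.
rem Run on a working XP machine at the same service pack level, with the
rem dead disk attached as a second drive. OFFLINE_DRIVE is an assumption;
rem change it to whatever letter the attached disk received.
setlocal
set "OFFLINE_DRIVE=E:"
set "OFFLINE_WIN=%OFFLINE_DRIVE%\WINDOWS"
set "HIVE=%OFFLINE_WIN%\system32\config\system"
set "MOUNT=HKLM\OfflineSystem"
set "GOOD_KEY=HKLM\SYSTEM\CurrentControlSet\Services\atapi"

if not exist "%HIVE%" (
    echo SYSTEM hive not found at %HIVE%; check OFFLINE_DRIVE.
    exit /b 1
)

rem 1. Driver file: replace it only if it is missing or differs from this
rem    machine's copy (fc /b returns non-zero in both cases).
set "DRV=system32\drivers\atapi.sys"
fc /b "%SystemRoot%\%DRV%" "%OFFLINE_WIN%\%DRV%" >nul 2>&1
if errorlevel 1 (
    echo atapi.sys missing or different on the dead disk; copying ours.
    copy /y "%SystemRoot%\%DRV%" "%OFFLINE_WIN%\%DRV%" >nul || exit /b 1
) else (
    echo atapi.sys on the dead disk matches this machine's copy.
)

rem 2. Mount the dead installation's SYSTEM hive under a temporary key.
rem    CurrentControlSet does not exist inside an offline hive; it is a
rem    link resolved at boot, so only the numbered control sets are touched.
reg load "%MOUNT%" "%HIVE%" || (echo Could not load %HIVE% & exit /b 1)

for %%S in (ControlSet001 ControlSet002) do (
    reg query "%MOUNT%\%%S" >nul 2>&1 && (
        reg query "%MOUNT%\%%S\Services\atapi" /v Start >nul 2>&1
        if errorlevel 1 (
            echo %%S\Services\atapi is missing; copying the key from this machine.
            rem /s copies subkeys too. Enum is machine-specific and PnP
            rem rebuilds it at boot, so the copied one is dropped again.
            reg copy "%GOOD_KEY%" "%MOUNT%\%%S\Services\atapi" /s /f
            reg delete "%MOUNT%\%%S\Services\atapi\Enum" /f 2>nul
        ) else (
            echo %%S\Services\atapi is present:
            reg query "%MOUNT%\%%S\Services\atapi"
        )
    )
)

rem 3. Flush and detach the hive. Skipping this leaves the file locked
rem    and the changes unwritten.
reg unload "%MOUNT%"
echo Done. Power off, move the disk back and boot normally.
endlocal
```

The same sequence (reg load, inspect, reg copy or reg add, reg unload) works from a BartPE or UBCD4Win shell against the local disk too, which is what the “Regedit (remote)” menu item is doing behind the scenes; the command-line form just makes the change repeatable across a batch of machines hit by the same false positive.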

Use Windows Repair

I don’t like this option because it does not always work, and you may need to reinstall or repair some programs afterwards.

  1. Put the Windows XP disc into the machine.
  2. When the machine boots into the Setup environment, it will give you the following options:
    To setup Windows XP now, press ENTER.
    To repair a Windows XP installation using Recovery Console, press R.
  3. Press ENTER, not R.
  4. On the next screen, it will detect a previous installation and ask if you want to repair it. Choose to do so.
  5. Windows reinstalls its default system files and drivers, which puts atapi.sys and its service keys back. You will need your Windows XP product key, and afterwards you will have to reinstall every update released since the service pack level of the CD.


Most system administrators rely on a hardware firewall to keep unwanted IP addresses off their network. Co-located servers do not always have that advantage, and software firewalls can be expensive.

As you may already know, Windows Server 2003 lets you restrict access by IP address from within individual services such as SMTP and IIS. But what if you want to block an address from every service in one motion? This is where the IP Security Policy Management snap-in comes in handy: an IPsec policy with a “Block” filter action discards the packets at the IP layer, before any service sees them.

Configure the IP Security Policy to block your first IP address

  1. Click “Start” and “Run” – type “MMC” and press OK.
  2. In the MMC, click “File” and “Add/Remove Snap In.”
  3. In the “Standalone” tab, click “Add.”
  4. Select “IP Security Policy Management” and click “Add.”
  5. Select “Local Computer” and click “Finish.”
  6. Close the “Add standalone Snap-in” window and click “OK” on the “Add/Remove Snap-in” window.
  7. Now that you are back in the MMC console, right-click on “IP Security Policies on Local Computer” in the left-hand pane and select “Create IP Security Policy.”
  8. Click “Next.”
  9. Enter a name (ex. IP Block List) and description into the boxes and click “Next.”
  10. Leave “Activate the default response rule” checked. Click “Next.”
  11. Leave “Active Directory default (Kerberos)” checked. Click “Next.”
  12. Leave “Edit properties” checked. Click “Finish.”
  13. The Properties box should be open.
  14. To add your first IP address, click “Add.” Make sure “Use Add Wizard” is checked beside the button.
  15. Click “Next” when the “Create IP Security Rule” wizard opens.
  16. Leave “This rule does not specify a tunnel” checked. Click “Next.”
  17. Select “All network connections” under Network Type (unless you want to specify by adapter). Click “Next.”
  18. You are now at the “IP Filter List.” The “All ICMP Traffic” and “All IP Traffic” options will not meet our needs; we will need to add another. Click “Add.”
  19. Name the IP Filter List (ex. Blocked IP List) and enter a description. Click “Add” to enter the first IP address to block.
  20. The “IP Filter Wizard” will pop up. Click “Next.”
  21. This will be the first IP address or IP range we enter to block. Enter a description (I usually enter the IP itself) and make sure “Mirrored” is selected below. This will ensure packets to/from are blocked, allowing you to create one rule instead of two. Click “Next.”
  22. Keep “Source Address” as “My IP Address” and click “Next.”
  23. Under “Destination Address” select “A specific IP Address” or “A specific IP Subnet.” Do not pick “Any IP address”: combined with the Block action that matches every packet and locks you out of the server, including your own Remote Desktop session.
  24. Enter in the IP address in the fields below and click “Next.”
  25. Under “Select a protocol type” choose “Any” unless you want to block only one protocol from that address (for example TCP, and then port 3389 on the following page, to block just Remote Desktop). Click “Next.”
  26. Click “Finish.”
  27. Now that you are back to the “IP Filter List” click “OK.”
  28. You will be back in the “IP Filter List” list in the Security Rule Wizard – make sure you select your new “Blocked IP List” and not “All IP Traffic” or “All ICMP Traffic.” Click “Next.”
  29. You will be taken to “Filter Action.” The lists: Permit, Request Security (Optional), and Require Security will not meet our needs. Click “Add.”
  30. In the “IP Security Filter Action” wizard, click “Next.”
  31. Select a name (ex. Block all Packets) and click “Next.”
  32. Select “Block” for the filter action behavior. Click “Next.”
  33. Click “Finish.”
  34. You are back to the “Filter Action” list. Select your new list (Block All Packets) and click “Next.”
  35. Click “Finish.”
  36. You are back to your IP Security Policy list (Blocked IP List) Properties. Click “OK.”
  37. Back in the “IP Security Policies on Local Computer” snap-in, you’ll need to assign the new policy. In the right-hand pane, right-click on your new list (IP Block List) and select “assign.”

To make it easier the next time you wish to block an IP address, save the console with this snap-in loaded: go to “File” and “Save As” and save the .msc file on your Desktop or Start Menu.

To Block Additional IP Addresses

  1. Open the console you saved (IP Block List).
  2. In the right-hand pane double-click your “IP Block List” policy.
  3. On the Rules tab, select the rule that uses “Blocked IP List” and click “Edit.” Make sure “Use Add Wizard” is checked.
  4. On the “IP Filter List” tab select your “Blocked IP List” (not All ICMP Traffic or All IP Traffic) and click “Edit.”
  5. You are now in the “IP Filter List” dialog and will see the first address you blocked under “IP Filters.” Click “Add.”
  6. Follow steps 20 to 26 above to enter the new address, then click OK out of every dialog box.

Assigning the policy does not require a reboot. If traffic from a blocked address is still getting through, restart the IPSEC Services (PolicyAgent) service from the Services console before resorting to a restart of the whole server.
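Clicking through 37 wizard pages does not scale to a block list that changes daily. As an added example (not from the original post), this batch file builds the same policy, filter list, filter action and rule with the netsh ipsec static commands available on Windows Server 2003 and XP SP2, using the same object names as the walkthrough above, and adds one address or subnet per run. The address 203.0.113.45 is a documentation-range placeholder, not a real offender.

```batch
@echo off
rem blockip.cmd -- added example, not from the original post.
rem Builds the IPsec block policy with netsh (Windows Server 2003 / XP SP2
rem "netsh ipsec static") instead of the MMC wizard, then adds one address
rem or subnet to it. Object names match the walkthrough above.
rem   blockip.cmd 203.0.113.45                   block one host
rem   blockip.cmd 203.0.113.0 255.255.255.0      block a subnet
rem 203.0.113.x is a documentation range used here as a placeholder.
setlocal
set "POLICY=IP Block List"
set "FILTERLIST=Blocked IP List"
set "ACTION=Block All Packets"
set "RULE=Block listed addresses"

if "%~1"=="" (
    echo usage: %~nx0 ^<address^> [mask]
    exit /b 1
)
set "TARGET=%~1"
set "MASK=%~2"
if "%MASK%"=="" set "MASK=255.255.255.255"

rem Same trap as the wizard's "Any IP address": a destination of any
rem matches every packet, including your own RDP session. Refuse it.
if /i "%TARGET%"=="any" (
    echo Refusing to add a filter for ANY; it would block all traffic.
    exit /b 1
)

rem One-time objects. netsh reports an error if they already exist, which
rem is harmless here, so the output is discarded and the script can be
rem re-run for every new address.
netsh ipsec static add policy name="%POLICY%" description="Per-address block list" assign=no >nul 2>&1
netsh ipsec static add filterlist name="%FILTERLIST%" description="Addresses blocked on all services" >nul 2>&1
netsh ipsec static add filteraction name="%ACTION%" action=block >nul 2>&1
netsh ipsec static add rule name="%RULE%" policy="%POLICY%" filterlist="%FILTERLIST%" filteraction="%ACTION%" >nul 2>&1

rem The filter itself: me -> target, mirrored so target -> me is covered by
rem the same entry, protocol ANY. These are the wizard's "My IP Address",
rem "A specific IP Address/Subnet", "Mirrored" and "Any" choices.
netsh ipsec static add filter filterlist="%FILTERLIST%" srcaddr=me dstaddr=%TARGET% dstmask=%MASK% protocol=ANY mirrored=yes description="%TARGET%"
if errorlevel 1 (
    echo Failed to add a filter for %TARGET% %MASK%.
    exit /b 1
)

rem Assign the policy. Only one local IPsec policy can be assigned at a
rem time, and assignment takes effect without a reboot.
netsh ipsec static set policy name="%POLICY%" assign=yes

echo Blocked %TARGET% mask %MASK%. Filters now in "%FILTERLIST%":
netsh ipsec static show filterlist name="%FILTERLIST%" level=verbose
endlocal
```

To unblock an address later, delete just its filter with the matching arguments: netsh ipsec static delete filter filterlist="Blocked IP List" srcaddr=me dstaddr=203.0.113.45 mirrored=yes. Because the filter list is the only thing that changes from day to day, the policy, rule and action built on the first run can be left alone.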

