Posts Tagged ‘IT’

German Counterfeiters Will Have To Learn Electronics and Programming

Wednesday, March 22nd, 2006

Today, just before registering my new place of residence, I had to wait in a queue of 33 people. I had a lot of spare time, so looking around I found a notice about the new EU passports that store a person’s biometric information.

For half a year already, Germans have been getting passports with special chips mounted in the covers. A digital photo of the person is stored there. From 2007, the prints of two fingers will be stored in the chips too.

German Passport

Poor counterfeiters of documents! In addition to their special printing experience, they will need to learn electronics, biometrics, and programming. Perhaps they will outsource the job to computer specialists. Hence the prices on the black market will go up… ;)

While You Wait For a Tram

Thursday, March 16th, 2006

One morning, like every other morning, I was on my way to work. I had some free time, so I stopped at an information kiosk at a tram stop. I wanted to know what info you can get from it. And I was really surprised when, apart from everything else (say, the movies of the day on the largest screens in Berlin), I found a game that exercises your memory and introduces the most famous places in the city.

e-info

Not bad: say you are waiting for a tram, so in order not to be bored for 5 or 10 minutes, you play a round. You do both – pass your idle time and learn what you still ought to visit…

3D Modelling

Monday, February 27th, 2006

As the Internet hasn’t been working at home for the past few days, I have started learning 3D modelling in my spare time. I was working step by step and then I started to grasp the basics. I even turned down the corners of the handbook (nobody needs to know that it was an e-tutorial). According to the 3ds max tutorial I mentioned, I have reached the intermediate level — what a bigmouth. So I illustrate my self-praise with the most complex chessman that I have gouged out.

3M horsie: stereo pair

Hunt the Virus and Flay the Fur

Tuesday, March 29th, 2005

Since last weekend I’ve had some new and interesting experience. I faced a virus head-on for the first time, and it was destroyed manually with my magical fingers!

While visiting my girlfriend’s home, I decided to finish some JavaScript tool. I turned on my girlfriend’s computer and plugged a USB memory stick into it. Then I opened the HTML document. To my great surprise the file had been modified without my permission. I reverted the changes, saved the file and reopened it. However, the file was changed again. Suddenly I realized that a virus had poisoned the computer.

There was no antivirus and no Internet, so I had to do something with my own hands. I scanned the modified code line by line. The HTML file had two BODY sections – one had been written by me, and someone else had written the other. I concluded that the virus added some code to HTML files. As quickly as I could, I opened other HTML files and found the same lines of code at their ends.

‘What writes the additional code to my files?’ – I asked myself. Task Manager didn’t show me anything unusual running. There was no tool like Process Viewer, but there had to be a way to find Mr. Virus. Every file that is loaded into memory must have been started somehow.

First I checked AUTOEXEC.BAT. As there was nothing unusual there, I ran msconfig. There was a suspicious file in the Startup section. It was called kernel32 (kernel.dll), as if it were some OS file. I knew that the OS wouldn’t let you choose whether or not to load the main OS file on startup. Additionally, I had heard that there was a virus that hid under the name ‘kernel’.

I unchecked kernel32 in the list and rebooted the computer. However, kernel32 was checked in msconfig again.

Then I loaded regedit and started searching for kernel.dll. One value was found, and it was under the ‘Run’ key that is used for startup purposes. I deleted the value, but it came back after the computer restarted.

I tried to rename or delete kernel.dll, but the OS didn’t let me do this with a running file. Surrender isn’t my middle name. I restarted the computer in confirmation mode (this was useless) and then in safe mode.

Fortunately, kernel.dll could be modified in safe mode, because it was not loaded and running under those conditions. I opened the file in Quick View and realized that it contained the same HTML as the file described at the beginning. ‘Interesting. An HTML file can be executed as a DLL’ – I thought.

Then I erased the contents of kernel.dll and made it read-only.

Finally, I decided to find all files containing the poisoned lines. As I noticed, every bad HTML addition consisted of a body with a function call KJ_start(), a few script tags with binary data inside, and a few lines of script for decoding that data. Everything was programmed in VBScript for IE. I opened my favorite text editor, which can find files matching a specified pattern. Then all 4200 files containing KJ_start() were found. Mostly they were files of type HTT, HTML, and PHP.

Over the next 4 hours my girlfriend and I deleted the poisoned lines from the files. We tried to do that as automatically as possible. My text editor could replace across multiple open files, but it could open only 300 files at once. So we had to divide the 4200 files into groups of 300 and replace the unnecessary parts with empty strings.
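An added example, not the post’s own code: a Python scan-and-strip pass over a directory tree that does in one run what the 300-files-at-a-time editor replacement did by hand. It assumes only what the post states about the appended block (a second BODY section appended after the original document and containing the KJ_start() call); the sample HTML is constructed, not the real payload, and a file whose shape differs is reported for manual review rather than edited.

```python
import re
from pathlib import Path

# Marker the post reports in every appended block: a call to KJ_start().
MARKER = "KJ_start("
OPEN_BODY = re.compile(r"<body\b", re.IGNORECASE)
CLOSE_BODY = re.compile(r"</body\s*>", re.IGNORECASE)
# File types the post found infected; FOLDER.HTT comes from its follow-up note.
INFECTABLE = {".html", ".htm", ".htt", ".php"}

def find_appended_block(text):
    """Offset of the appended second-BODY block, or -1 when the file does not
    have exactly the shape the post describes (then leave it for manual review)."""
    if MARKER not in text:
        return -1
    end_of_original = CLOSE_BODY.search(text)
    second_body = OPEN_BODY.search(text, end_of_original.end()) if end_of_original else None
    if second_body is None:
        return -1
    start = second_body.start()
    return start if MARKER not in text[:start] else -1  # marker only in appended part

def disinfect(text):
    """Return (cleaned_text, status); status is 'clean', 'cleaned' or 'review'."""
    if MARKER not in text:
        return text, "clean"
    start = find_appended_block(text)
    if start < 0:
        return text, "review"
    return text[:start].rstrip() + "\n", "cleaned"

def clean_tree(root, dry_run=True):
    """Scan root; return {path: status} for each file carrying the marker.
    dry_run=True is an inventory pass only; nothing is written."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in INFECTABLE:
            continue
        cleaned, status = disinfect(path.read_text(encoding="latin-1"))
        if status != "clean":
            report[str(path)] = status
        if status == "cleaned" and not dry_run:
            path.write_text(cleaned, encoding="latin-1")
    return report

# Constructed sample (not the real payload): an original page plus an appended
# block shaped the way the post describes it.
ORIGINAL = "<html><body><p>my tool</p></body></html>\n"
INFECTED = ORIGINAL + ('<BODY onload="KJ_start()">\n<script language="vbscript">\n'
                       "' encoded blob would follow here\n</script>\n</BODY>\n")
```

Run `clean_tree(root)` once with the default dry run to get the inventory, inspect any path marked `review`, and only then run it again with `dry_run=False`.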

Finally, I unchecked kernel.dll in msconfig and deleted the poisoned record in regedit.

After the next reboot the computer was working faster, nothing was writing unnecessary lines of code into my HTML creations, and nothing was littering the Windows Registry.

I was proud of myself. And I’m still proud of myself :)

Besides, I dissected the virus later and now I know even more about it. It doesn’t do anything worse than spawn and spawn, and spawn… It hides itself in an email template, it hides itself in all FOLDER.HTT files, and it hides itself on all external drives. Today I found out the name of the virus on the web. It’s VBS.Redlof.

I think that this research was good training for my brain and also my first glance at a virus from the inside. The episode also proved to me that knowing scripting languages can help not only in the web area. I hope this information will be useful for someone who runs into a similar problem. I think that it would be fun to create a virus, but don’t do it, because it is rude to get famous by doing bad things. :cool: