King of Excellent (according to Scaryduck)

Monday, April 16

Teenagers and Viruses

Two things that don't mix. Unfortunately, they do seem to attract each other, and today I was called out to a family whose teenage son had contracted this virus.

I like viruses. I've never had one beat me. In past years I've had many encounters with such delights as the Kak virus, which changes your signature in Outlook Express to add the code for the program in a hypertext application. Another one I came across was called Klez. A world famous virus, this would infect each and every .exe file again and again until the file stopped working. The only fix for this was to delete the file, meaning Windows and everything else had to be reinstalled.

Today's virus was called Virtumonde, or more recently shortened to Vundo. It would create 2 files in the system32 folder of Windows, and then cleverly latch these files onto the Windows logon procedure. Try as I might, I couldn't remove the files because they'd just be reinserted when removed from the registry. I couldn't delete them because they were in use by Windows, and even in safe mode they were still running. Fortunately I knew the name of the file that was being patched onto the Windows logon, a clue called "mlljh.dll." Searching for this on Google gave the usual list of people seeing it in HijackThis, an invaluable program I use for identifying what's running when the PC's turned on. The same people were all asking how to get rid of it, and after an hour of downloading fix1.exe and fix2.exe, all of which didn't work, I found a nifty little program that does, called "VirtumundoBeGone.exe".
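The logon hook described above is the kind of thing HijackThis shows in its list. As an added example (not from the original post, and not part of HijackThis or VirtumundoBeGone), the following PowerShell script enumerates the same Winlogon persistence points by hand: the Shell/Userinit values and the Winlogon Notify subkeys, which exist on Windows XP-era systems and whose DLLs are loaded into winlogon.exe at logon. It reports each referenced file, whether it is Authenticode-signed, and whether it is currently loaded in winlogon.exe, so an unfamiliar unsigned DLL in system32 stands out. It assumes an elevated prompt; the key paths are the standard ones, and the output layout is my own.

```powershell
# Added example: list Winlogon persistence points and flag unsigned or
# currently loaded DLLs. Run from an elevated PowerShell prompt.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Values in the Winlogon key that control what runs at logon.
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
foreach ($name in 'Shell', 'Userinit', 'UIHost') {
    if ($props.$name) { '{0,-10} {1}' -f $name, $props.$name }
}

# Modules currently mapped into winlogon.exe (lower-cased file names).
# A DLL that is in this list cannot be deleted while Windows is running,
# which is why the file in the post survived normal removal attempts.
$loaded = @()
try {
    Get-Process -Name winlogon -ErrorAction Stop | ForEach-Object {
        $loaded += $_.Modules | ForEach-Object { $_.ModuleName.ToLower() }
    }
} catch { Write-Warning "Could not read winlogon.exe modules (need elevation?)" }

# Winlogon Notify subkeys: each DLLName is a notification package that
# winlogon.exe loads at logon (Windows XP and earlier).
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DLLName
        # Bare file names resolve relative to System32, the folder Vundo used.
        $path = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            Join-Path $env:SystemRoot "System32\$dll"
        } else { $dll }
        $sig = if ($path -and (Test-Path $path)) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'missing' }
        [PSCustomObject]@{
            Subkey    = $_.PSChildName
            DLL       = $dll
            Signature = $sig
            Loaded    = ($dll -and $loaded -contains ([IO.Path]::GetFileName($dll).ToLower()))
        }
    } | Format-Table -AutoSize
}
```

An entry whose Signature column reads NotSigned and whose Loaded column is True is exactly the pattern the post describes: a hook that winlogon has already mapped, so the file can only be renamed or removed once winlogon is not running (which is what the removal tool achieved by crashing it).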

This program does exactly what it says on the tin. It (worryingly) bluescreened the PC I was on, but that was deliberate as it crashed winlogon, thus enabling the files to be renamed. I then restarted and was treated to a logfile now left behind, telling me how it had removed it. All very thorough, neat and easy.

Now all I need to do is get a program called "StopTeenagersfromdownloadingeverythingdodgy.exe"