WMF Exploit

There’s a nasty exploit going around involving WMF files. Windows XP SP2 is not protected by any of the updates now available. Check out this video showing the exploit in action. It infects your computer with spyware, then prompts you to buy Winhound for $39.99 to clean it off! F-Secure’s blog describes this little demon. Be careful out there.

-Soli Deo Gloria

Disabling Sound During Sysprep

In a business environment, you usually do not want users to be able to produce sound on a computer. The latest Dell GX280, GX620 and GX520s, however, use the internal speaker as if it were a regular speaker. I actually remember doing this in Windows 3.1 with a special driver. The only problem was that while Windows 3.1 played the sound, nothing else would happen. If I was playing a game, Windows 3.1 would literally stop everything, play the sound and then resume operation of the computer.

Now, it’s easy enough to go into the device manager to disable the sound card after ghosting an image down to a machine. Wouldn’t it be better if we could script it? Well, we can! Microsoft has a nifty utility called devcon that interacts with the device manager from the command line.

Every device in a computer has a unique hexadecimal ID. Download devcon and then issue “devcon find *”. This returns all of the devices in the system and their corresponding IDs. Issuing this on a Dell GX620 and scrolling through the list, we find this:

PCI\VEN_8086&DEV_27DE&SUBSYS_01AD1028&REV_01: SoundMAX Integrated Digital Audio

Here’s the part we need:


Now we can type the following: “devcon disable "PCI\VEN_8086&DEV_27DE"”. Voilà, the sound card is disabled! We can put this in the [GuiRunOnce] section in sysprep.inf to disable the sound. Repeat this for every model of computer you have (the statement for the GX280 looks like this: “devcon disable "PCI\VEN_8086&DEV_266E"”).

Wait... what about laptops? We give laptops to traveling users and it’s OK for them to have sound. The problem with the above statement is that the Dell Latitude D610 and Dell Optiplex GX280 share the same sound chipset! The above statement will disable the sound chipset on both models. How can we get around this? Well, with a little trick from my sysprep page:

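@echo off
rem Paths assume PCI32 and sound.cmd were copied to C:\install\temp in the image
rem Dump a PCI hardware profile of this machine to dev.txt
C:\install\temp\pci32 > C:\install\temp\dev.txt
rem find sets errorlevel 0 when "cardbus" is present (laptop) and 1 when it is not (desktop)
C:\windows\system32\find /i "cardbus" C:\install\temp\dev.txt >NUL
rem Desktop: hand off to sound.cmd, which disables the sound device
if errorlevel 1 "C:\install\temp\sound.cmd"
rem Laptop: leave the sound device alone
if not errorlevel 1 echo "Not a workstation, do nothing"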

Here’s what this does: it runs PCI32 from Craig Hart to build a hardware profile of our system and dumps the results into a file called dev.txt. It then searches dev.txt for the text “cardbus”. Cardbus is only found in laptops. The find program returns 0 if it finds the term “cardbus” and 1 if it doesn’t. Based on this result, we can determine whether we are imaging a laptop or a desktop. If it’s a laptop, the command for disabling the sound never executes.
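An added example, not part of the original post: one way sound.cmd could be written so a single script covers every desktop model instead of one devcon line per model. It assumes devcon.exe sits in the same folder as the script; the log file name sound.log is made up for illustration.

```batch
@echo off
rem sound.cmd - illustrative sketch, not the author's script.
rem Disables the onboard audio device on whichever desktop model the image lands on.
rem Assumption: devcon.exe was copied into the same folder as this script.
setlocal
set "DEVCON=%~dp0devcon.exe"
set "LOG=%~dp0sound.log"
set "FIND=%SystemRoot%\system32\find.exe"

rem Hardware IDs taken from the article: GX620 first, then GX280.
for %%I in ("PCI\VEN_8086&DEV_27DE" "PCI\VEN_8086&DEV_266E") do call :disable %%I
endlocal
goto :eof

:disable
rem %1 is a quoted hardware ID. Keep the quotes: the ID contains "&",
rem which cmd would otherwise treat as a command separator.
rem Only act when devcon actually lists a device with this ID.
"%DEVCON%" find %1 | "%FIND%" /i "VEN_8086" >nul
if errorlevel 1 (
    >>"%LOG%" echo %1 not present, skipped
    goto :eof
)
"%DEVCON%" disable %1 >>"%LOG%" 2>&1
rem Record the resulting device state so the build can be checked afterwards.
"%DEVCON%" status %1 >>"%LOG%" 2>&1
goto :eof
```

Checking for the device before disabling it keeps the log free of devcon errors on models that do not carry that chipset, and the status line gives a record that the device really ended up disabled.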

-Soli Deo Gloria

Antivirus Nightmares

I’ve used various antivirus programs over the years and want to share my thoughts on some of them. Just recently I was running Symantec Antivirus 10 Corporate Edition. This is a no-frills antivirus program that doesn’t have any of the bloat of the retail version. A few weeks ago I came home and SAV informed me of a hacktool named SVKP.SYS in my Windows directory. I was quite alarmed, wondering how on earth I would have gotten a hacktool. I then went to play one of my favorite games, Command and Conquer Renegade, only to find it did not work. Why didn’t it work? Well, it was because SAV had removed SVKP.SYS! See, I also run an addon to Renegade called Renguard. This addon ensures that I am not cheating by using various techniques. In order to prevent debugging tools such as Regmon and Filemon from disassembling and circumventing the program, it uses this tool kit to prevent Renguard from running if it detects these tools.

This is the problem with SAV. Whenever it finds a file that could be used with a virus, its immediate action is to delete the file. Instead of this dumb action, how about letting the user decide what to do with the file? In the above case I would have done some research before blindly letting SAV delete any file it wishes. In addition to doing this, SAV seems to take a ridiculous amount of RAM: 28 MB! 28 MB for what?

I then decided to try out McAfee 8.0i. Unfortunately, it has the same problem as SAV: removing files that are not viruses, but valid security tools. McAfee also took around the same memory (27 MB). I removed it at once as well.

I then tried NOD32. Again, it would find files that were not viruses, which is really annoying, but at least NOD32 gave me the choice of what to do with the files. Now that’s an anti-virus program I like to see! In addition, NOD32 only took up 18 MB vs. 28 MB for SAV and McAfee. In addition to its small footprint, NOD32 also updates virus definitions DAILY. That means if a virus should break out you are much better protected than with McAfee or SAV.

NOD32 is available for download for a 30 day trial.

-Soli Deo Gloria