Join 3,440 readers in helping fund MetaFilter (Hide)


But mom!
December 8, 2010 9:03 AM   Subscribe

What does this program/script do, and presuming a locked down environment like a grade school, could it be used maliciously?

I can make an educated guess what this does, but I would like to know for sure.
loop:
Set WshShell = CreateObject("WScript.Shell")
a = InputBox("What is your name?", "NAME", "Enter your name here:")
b = InputBox("Who would you like to send a msg to?", "USERNAME", "Enter Username Here:")
c = InputBox("What is your msg you want to send?", "MSG", "Enter Msg Here:")
Dim objFSO
Dim objStream
Dim objstrLine
Set objFSO = createobject("scripting.filesystemobject")
Set objStream = objFSO.CreateTextFile("C:\Users\Eddy\Desktop\RemoteCmd.bat", True)
objStream.Writeline("msg * " & c )
x = InputBox("Would you like to send another msg?", "REPEAT", "Yes or No:")
if x == "Yes" then
goto loop
else
exit
A friend of mine has a son that has gotten in trouble on his school's computers. He created a gmail account to bypass his parent's no email accounts without the parent's knowing the password rule. She found out about this, and the above program was in an email exchange with another student. The email read like they were excited about getting away with something. She'd like to know what.

Long story short she wants to know what the above does before busting the kid's chops.
posted by cjorgensen to Computers & Internet (29 answers total) 2 users marked this as a favorite
 
It sends a message to another user logged onto the same Windows domain. If you go into a command prompt on a windows machine and type msg username "message" then it'll do the same thing manually. (Where username is the login name of the destination user.
posted by atrazine at 9:11 AM on December 8, 2010


This doesn't look very malicious to me. I'm no expert but it looks as if the script simply creates a new text file called "RemoteCmd.bat" on eddy's desktop and then adds whatever message they've typed it. I suppose it could be used to send messages back and forth to one another without using the schools messaging system (which would then be free from prying eyes).

They'd would have to specifically assign permission to the file to allow write access from the script so I don't even think it could be used to send messages to arbitrary users (which is what the "username" component of the prompt seems to indicate they are trying to do).

Hope that helps a bit.
posted by talkingmuffin at 9:14 AM on December 8, 2010


Actually, the file that's being created is an executable batchfile. This could be used to send a message to an arbitrary user.
posted by atrazine at 9:15 AM on December 8, 2010


Yeah, long story short, it looks like a crude instant messaging thing to let two users chat on the school computers.
posted by EndsOfInvention at 9:15 AM on December 8, 2010


atrazine is right about what it's supposed to do, but I don't think it'll actually work - as far as I can see they never state the username.
posted by muddgirl at 9:16 AM on December 8, 2010 [1 favorite]


lol that's kind of brilliant, its basically the new way to pass notes in class.

There's nothing about the program itself thats malicious it just sends messages.
posted by bitdamaged at 9:16 AM on December 8, 2010 [2 favorites]


I mean they ask for a username but then don't actually use it.
posted by muddgirl at 9:17 AM on December 8, 2010


Oh yeah right now only Eddy gets messages.
posted by bitdamaged at 9:17 AM on December 8, 2010


atrazine, your windows-fu is probably better than mine, but to put a "practical" application on this, couldn't the boy and his friends be using this to message each other if they are all on the school's computer network? This would probably not be considered desirable by the school's IT admin (who can probably lock it down if they know what they're doing, I assume?)

local networks are not my specialty, so ...
posted by randomkeystrike at 9:17 AM on December 8, 2010


shoulda refreshed. yeah, what they said.
posted by randomkeystrike at 9:18 AM on December 8, 2010


The way this code is written it will send the message to every connected user in the domain, if you wanted to send the message to the intended recipient then you would replace the asterisk with "b", as it is that variable isn't used. Also, there is no need to collect the username as windows automatically adds it. These kids should be disciplined for sloppy coding! Also, if they run the code as written they'll be spamming everyone at the school, which is likely not OK with the administration.
posted by atrazine at 9:19 AM on December 8, 2010 [1 favorite]


Actually (I'm not a windows guy) it looks like it appends messages to a Bat file that Eddy has. Eddy probably has to execute it to actually get the messages sent?
posted by bitdamaged at 9:20 AM on December 8, 2010


Yeah, it doesn't look like the username is ever used.
Also, I'm proud of this kid for coming up with neat little ways to communicate, even if they're against the rules.
posted by azarbayejani at 9:20 AM on December 8, 2010


These kids should be disciplined for sloppy coding!

Yeah, I wouldn't bust their chops: I'd sit them down with someone who is technically-proficient enough to explain (a) Why you shouldn't just copy a code that you found on Google without understanding how it works, and (b) how to diagram and troubleshoot unknown code.
posted by muddgirl at 9:22 AM on December 8, 2010


except the gotos. Why???
posted by azarbayejani at 9:22 AM on December 8, 2010 [1 favorite]


(the goto closes the loop - it looks like it loops so you can keep sending messages to other people)
posted by bitdamaged at 9:23 AM on December 8, 2010


the file is created at C:\Users\Eddy\Desktop\RemoteCmd.bat sounds more like its his home computer rather than the school network
posted by missmagenta at 9:23 AM on December 8, 2010


This code won't even run. VBScript doesn't have GoTo, the == operator, or an Exit statement. The If statement is missing "End If".
posted by zixyer at 9:32 AM on December 8, 2010


Oh, joy, another budding programmer getting ready to get "disciplined" by ignorant public school IT staff.

I did something very similar to this; it's not malicious at all. This is what people who are good at computers do. Chances are that there will be negative consequences from it, but make sure that your friend understands that her son is a larval programmer and can make a very lucrative career doing what he is experimenting with here. The mediocrities who are generally public school IT staff wouldn't understand that if it walked up and punched them in the jubblies.

She should look around and see if there are any interesting Summer programs or internships available at local companies and universities.
posted by sonic meat machine at 9:34 AM on December 8, 2010 [12 favorites]


He's not getting ready to be disciplined, that's already happened. What's going on now is his mother is clamping down tighter control.

It's no longer an issue of violating trust, but of regaining it. He promised he wasn't going to do anything he wasn't supposed to on school machines. He was since caught hiding an email from his parents for the express reason of being able to circumvent their supervision. In this case it wasn't exactly needed anyway, since his mother can't tell what he was trying to do with the code.

I'm suggesting the same things as far as channeling his interests. I suggested a subscription to 2600, a Mitnik book, and I believe she's getting him the programming book he wanted for Christmas.

The mother has reasonable expectations here. She did analogous things at his age.

Thanks for the answers! I was close on what I thought they were trying to do.
posted by cjorgensen at 9:50 AM on December 8, 2010


Regardless of the actual results of running the code, it's really blatantly obvious what he was trying to achieve by just reading the user queries:

"What is your name?"
"Enter your name here:"
"Who would you like to send a msg to?"
"Enter Username Here:"
"What is your msg you want to send?"
"Enter Msg Here:"
"Would you like to send another msg?"

He's trying to write a chat program. That's about it. Absolutely not nefarious or wrong from a technical standpoint - he's attempting to use built-in network and computer features.
posted by odinsdream at 10:25 AM on December 8, 2010


The msg program is part of Windows. It's a command line utility that lets you send console messages to other Windows machines on the network. The way in which the code above does this clearly demonstrates lack of understanding and experience. Instead of building and executing the msg command, it creates a batch file which that contains the command, presumably, must be executed manually at a later time. Since it performs this operation in a loop and the second parameter to CreateTextFile is set to true it will overwrite the previous command every time. So even if you do execute the batch file, it will only send the last message. As others pointed out the username is read but not used, instead substituting the * which will broadcast to all users on the selected server. But since the /SERVER parameter is not specified, I'm not sure which server that will use... it's either the current machine (e.g. Eddy's laptop) or the Domain Server, potentially. I don't remember exactly how msg works.

So you don't need to worry that they are trying to do something malicious, but you still need to worry.

Ultimately what is going on here, I suspect, is that there is some sort of IT policy in effect that they're trying to get around. Probably a "no instant messaging" policy. What they are doing is completely harmless, but they are attempting to circumvent an IT policy which is going to bring down a much harsher response if they get caught than would simply passing paper notes in class. You need to have a talk with them about the consequences of doing this will be in the eyes of whoever is running the show at their school. They will overreact. It will not be worth it.

And you should rush to his defense when he gets busted. You should lobby the school to set up some sort of sanctione, intra-school IM system for them to use rather than punish the clever ones.

On a properly configured and secured network this won't work anyway, even if it was corrected.
posted by jeffamaphone at 10:58 AM on December 8, 2010


What's going on now is his mother is clamping down tighter control.

It's no longer an issue of violating trust, but of regaining it. He promised he wasn't going to do anything he wasn't supposed to on school machines. He was since caught hiding an email from his parents for the express reason of being able to circumvent their supervision. In this case it wasn't exactly needed anyway, since his mother can't tell what he was trying to do with the code.


In my opinion, this is the worst possible reaction to this. She should stop trying to judge this kid, and stop trying to treat him like a prisoner and just sit down and ask him to explain the code, and be genuinely interested in it. Let him teach her what he is learning, because this is valuable, important stuff to know, for both her and him.
posted by empath at 11:00 AM on December 8, 2010 [2 favorites]


Oh, and I would *not* recommend a subscription to 2600 or Mitnick's book. The former is just going to fill his head with more bad ideas and, what's even worse, bad code. Really, you're sending him down exactly the wrong path with that.

You should instead get him some real books on programming. Something from the O'Reilly catalog, or any of Petzold's books.
posted by jeffamaphone at 11:00 AM on December 8, 2010 [3 favorites]


Yeah, seconding jeff on reading material. Don't get him hacker books. Get him a decent introduction to programming book and maybe something on vbasic or javascript/html.
posted by empath at 11:04 AM on December 8, 2010


This would probably not be considered desirable by the school's IT admin (who can probably lock it down if they know what they're doing, I assume?)

I do school IT administration, and ya, it's trivial to lock down the command line and scripting through Active Directory. We also used AV software allowing very granular applications controls. Most schools do.

Oh, joy, another budding programmer getting ready to get "disciplined" by ignorant public school IT staff.

It's because you don't want students to start messing with the computers. If you start letting them do things outside the scope of an Acceptable Use Policy (and a school's AUP should have this covered), it becomes a game of "give an inch, take a mile." An example is a few years back, a teacher let a student use their computer and installed VNC on the teacher computer. Next thing you know, VNC's being run off a flash drive and the student has full access to the teacher computer. He was slapped on the wrist with no punishment.
A year later, the same student goes in and starts changing all the desktop shortcuts to a VB script that looked like a virus. That was innocent enough, but because he wasn't punished earlier, he decided to push the bounds.

I know using the posted script is not the same as installing VNC on a teacher computer, but I can see where the IT staff is coming from. You don't want students to start messing around with the computers outside of what they're supposed to be doing because guess what.

You should lobby the school to set up some sort of sanctione, intra-school IM system for them to use rather than punish the clever ones.

Yes, because students will absolutely not use it to chat with their classmates when they're supposed to be taking notes. Outside of administration, I'm not really sure what the real utility of a student intra-school IM system would be or how'd it enhance education.
posted by jmd82 at 11:54 AM on December 8, 2010


...not use it to chat with their classmates when they're supposed to be taking notes.

I can't think of any real reason to have it either, other than banning it makes it much more attractive. Highschool students should not have computers in class, unless there is a really good reason. In the event they do, you can still monitor it and correct the way physical note passing would be done when it is a system you control.

The difference is one thing is "he hacked our computer network" and the other is "he was sending notes when he should have been paying attention."

...but I can see where the IT staff is coming from.

Yep, me too. Which is why it is important to create walled gardens for the smart ones to play in so you don't have to overreact to minor things.
posted by jeffamaphone at 1:38 PM on December 8, 2010


Yes, the "walled garden" approach is what I would advocate in this type of case. Considering I got into trouble in programming class because I had a habit of producing extracurricular .exe files (which the teacher didn't understand), and I got marked down for seeing potential problems in assigned programs and writing in error-checking (your code is too long!), this is a sore point.

Apologies if I seemed to strident earlier.
posted by sonic meat machine at 7:46 AM on December 10, 2010


Yeah, the low quality of high school programming instruction is pretty amazing. I had a friend who lost points on a test problem because he realized his code would be more efficient if he did the for-loop backward from N-1 to 0 (instead of the usual 0 to N-1). Since it didn't match the answer key, he lost points. When he pointed out that not only did it produce the correct output, but it was more efficient than the solution in the answer key, he still lost points because "the code wasn't clear."
posted by jeffamaphone at 10:21 AM on December 10, 2010


« Older What are some good sites for r...   |  Do I really need to balance ba... Newer »
This thread is closed to new comments.