Hello, welcome to the Wednesday, January 5th, 2021 edition of the Sandsenet Storm Center's

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

Xavier was out hunting for Malver and came across an interesting batch file that took advantage of

the block input API call.

Blog input, as you may guess by the name, blocks all user input, so it essentially locks the

system and does not allow the victim here to interact with the code.

Typically that's done as an anti-debugging feature, so this way the

user running the code in a debugger wouldn't be able to interact with it, but could also

just be to essentially complete whatever action, the particular code attempts to complete without any disruption by the user.

This particular script maybe the later it's a fairly simple script.

All it does is it basically deletes your Windows partitions.

So I would call it a wiper in that it basically destroys your data, and then it displays a message,

and doesn't really look like any ransom demand or anything like that.

It's really just to outright destroy the computer and tell the user that this is what happened.

So likely the attacker also doesn't want that process to be interrupted.

If you ever run into this, Xavier points out that a simple alt-control delete should give

you the option then to cancel.

And Microsoft today released the emergency update for Windows Server 2019 and Windows Server

2012 R2 to fix a black screen, slow sign-in, and general slowness on Windows

server if you're using remote desktop. The problem affects other versions of Windows

server as well, pretty much anything from Windows Server 2012,

all the way to Windows Server 2022, and other updates should be made available shortly according

...