Simple Virus For Teaching?
Posted by samzenpus
from the my-first-malware dept.
ed1023 writes "Currently I am teaching a 101 class on computers. It is more of a 'demystifying the black box' type of class. The current topic is computer viruses; I am looking for a virus with which I can infect the lab computers (only connected to local network, no outside network connection) that would be easy for the students to remove by hand. Can the Slashdot community point me in any directions? Is there an executable out there that would work, or do I try to write one myself, or is there one that is written that I can compile myself?"
What OS? And how annoying? (Score:3, Informative)
EICAR (Score:5, Informative)
http://en.wikipedia.org/wiki/EICAR_test_file
EICAR? (Score:1, Informative)
This has been around forever. http://www.eicar.org/anti_virus_test_file.htm
Go fish... (Score:3, Informative)
Just pick any of the scores of .exe files masquerading as cracks on LimeWire. You’ll have to turn off the AV and executable file filter to download it, of course...
Re:Fake it. (Score:5, Informative)
Write your own? (Score:5, Informative)
It's Windows, so it's easy... just create a CD or USB drive with two files:
autorun.inf :
[autorun]
open=installpopup.bat
installpopup.bat :
cmd.exe /k echo "Hi I am a virus"
copy installpopup.bat "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
Bonus is that it has plenty of legitimate uses for system automation for your little script kiddies as well.
Re:How about... (Score:4, Informative)
Er, did you even read the damn post?
Here, let me help you out with the first four fucking words:
Currently I am teaching...
Re:What OS? And how annoying? (Score:5, Informative)
The interrupts and NOPs interfered greatly with the network cards, causing the whole thing to come crashing down when more than a couple of the computers were running at a time. It took at least a couple of days for the sysadmin to sort it out.
RIP George, thanks for introducing me to the Internet and I'm sorry that you didn't get to stick around for Linux and /. I should have taken your Minix class when I had the chance.
Re:Fake it. (Score:4, Informative)
Well, if you want to get all prissy about the Latin, then it's incorrect to use the word to describe a single unit of the substance, in the way it's not correct to call a single water molecule "a water". Id est, since a viral program is itself a cell in the viral infection of many computers, there's no term for it other than "viral program" and no term for several of them other than "viral programs". The "virus" would be some arbitrarily bounded subset of the population of said viral programs infecting machines, which could devolve to a single program infecting a single machine, but would still not be the correct term for that program or, indeed, for the viral infection being suffered by that machine. It could correctly refer to the running program and its data (which in most computers includes its instructions) and the progress of its states, but I'm pretty sure nobody much thinks of it that clearly when using the word "virus". Nor is it correct to use "a virus" to refer to a type of virus (exempli gratia Stuxnet, Sasser, Hopper, et cetera) but only to an instance of that type of virus as it is spreading, or, again, some arbitrary subset thereof, wherein it has its physical expression and aggregate, fluid form.
As for whether it annoys you for people to use a latinate word that is both convenient and apt despite its not being precisely Latin, well, tough titty, because apparently the Latin version of it is a mispronunciation of the Proto-Indo-European word for the same gooey mess, so insisting on going only as far back as Latin for the value of correctness of form is false cognitive closure, and that gives everyone else cause to be annoyed at you.
That virus will fail on Vista/7 (Score:4, Informative)
If UAC is enabled, Explorer is not running with privileges that can write to the All Users profile.
For that matter, this will fail on any system where the profile directory isn't in "C:\Documents and Settings", which includes any non-English OS.
Use copy installpopup.bat "%userprofile%\Start Menu\Programs\Startup" instead.
Maybe ask a clamav virus signature author... (Score:4, Informative)
...if they know of a good virus candidate?
http://www.clamav.net/
Re:What OS? And how annoying? (Score:1, Informative)
Re:DON'T DO IT! You'll get fired (Score:4, Informative)
Nowhere was it mentioned about creating one. Ever.... actually read the summary ffs.
I think you may have missed this part of the summary:
do I try to write one myself
Re:DON'T DO IT! You'll get fired (Score:2, Informative)
Re:What OS? And how annoying? (Score:3, Informative)
Re:EICAR (Score:5, Informative)
EICAR is detected by all AV products including ClamAV.
I'd put it in a zip file, then attach the zip to an email message. Show how real viruses propagate by mail. How about putting a copy on a USB pendrive then running eicar.com from Autostart? Any Windows AV product with a decent autoscanner should detect both of these and pop up a warning.
If you want to get really fancy you can set up a Linux box running MailScanner with ClamAV and send an "EICAR-infected" e-mail message through it. You'll see MailScanner detect the virus, put it in a quarantine, and send notices to the admin and, optionally, the sender.
For a lay audience I think it's more important to stress the vectors than to concentrate on the payload itself.
Now if you could only find a site distributing Antivirus 2010. If you do, make sure you're using a Linux machine when you visit the site. If your class understands that there's more to the world than Windows, see how long it takes them to understand why there can't really be an AV program "scanning the C: drive."
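As an added example (not code from any commenter in this thread), the Python script below builds the EICAR test file from its published string, zips it and attaches the archive to an e-mail message, as the comment above suggests, and then runs a toy signature scanner over the message to show why a mail gateway has to unpack archives before scanning. The EICAR string is the standard one published by eicar.org; the sender and recipient addresses are constructed placeholders.

```python
import io
import zipfile
from email.message import EmailMessage

# Standard EICAR test string (published by eicar.org): harmless, but flagged by AV
# products. It is split in two so that a scanner reading this source file is not triggered.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def make_eicar_zip() -> bytes:
    """Return the bytes of a deflated zip archive containing eicar.com."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return buf.getvalue()


def make_mail(zip_bytes: bytes) -> EmailMessage:
    """Build the message a gateway such as MailScanner would inspect (addresses are constructed)."""
    msg = EmailMessage()
    msg["From"] = "instructor@lab.example"
    msg["To"] = "students@lab.example"
    msg["Subject"] = "Lab exercise: AV test file"
    msg.set_content("The attached archive contains the EICAR test file.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="exercise.zip")
    return msg


def scan_bytes(data: bytes) -> bool:
    """Flat signature check: does the data contain the EICAR string verbatim?"""
    return EICAR.encode() in data


def scan_mail(msg: EmailMessage, look_inside_archives: bool) -> list[str]:
    """Return the names of attachments (and archive members) that match the signature.

    With look_inside_archives=False the deflated zip hides the string and the
    flat scan misses it, which is exactly the gap a real gateway has to close.
    """
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # undo the base64 transfer encoding
        name = part.get_filename() or "<unnamed>"
        if scan_bytes(payload):
            hits.append(name)
        elif look_inside_archives and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if scan_bytes(zf.read(member)):
                        hits.append(f"{name}:{member}")
    return hits
```

Running the scanner twice on the same message, once without and once with archive unpacking, is the quickest way to show a class that "the file was scanned" and "the file was found" are not the same thing.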
Re:Try this instead. (Score:3, Informative)
Better yet, email the .exe to the entire class.
Are you insane?!? Absolutely DO NOT DO THIS!!
The gap between my suggestion and what those researchers did is pretty wide. My idea:
o Doesn't involve bilking people out of their private credentials;
o Would be limited to a class studying malicious software (how's that for an appropriate context)
o Involves a known-harmless teaching payload;
o Would be fully understood and removed by students at the end of the class.
Deception is inherently disrespectful, even if it is done with good intentions.
What may seem like a "harmless infection" to you demeans the students, because you're encouraging the instructor to abuse the trust that their students have placed in him. In short, what you are proposing causes harm to the teaching profession.
I have a hard time understanding why any real teacher in this fellow's position would abstain from imparting one of the most critical lessons a student can learn about security: that they themselves are the weakest link, no matter how smart and prepared they think they are, and no matter how much theory they can regurgitate at paper time.
The burned hand teaches best, and understanding how and why you were burned is priceless.
It's disrespectful, and even a little condescending, to 'protect' students from real lessons. Are we preparing them for the real world or not? And are students so fragile that they would run to the Dean's office to complain about the teacher after such a simple and well-explained exercise?
Re:DON'T DO IT! You'll get fired (Score:5, Informative)
Someone has already suggested the EICAR test file, which is ideal. It pops up a message box, and is easy to remove. He can add links to the various Windows startup files and the registry, he can go old school and call it from a batch file, and he's safe in the knowledge that he's in no danger of hosing his systems.
Nowhere in the stub did he say he was going to teach the kids about actually writing the virus they were to remove. Reading comprehension fail.