DVD Talk
"Virus" help needed and a word of warning [Archive] - DVD Talk Forum
Darren Garrison
01-29-01, 05:32 PM
I was away from my computer for a while today while on-line, and when I got back, there was a DOS window open in which a program had been run-- a batch file that deleted the contents of my e: and f: drives (it was supposed to delete the contents of ALL drives, but apparently the file was badly written). I don't know how that batch file got there, I don't know if someone was feeling around for security holes in systems, found one in mine, and loaded and executed the program, or if somehow it was a "time bomb" installed somehow by a downloaded file (though I don't use unknown files, so I don't know how) set to go off after a certain period. Either way, if it had been written correctly, I would have been dealing with a totally wiped system instead of a few wiped archives (most of which had been moved to CD-R). If it is coming in over a security hole, watch out for your systems.

Here's a link to the text of the batch file (saved as a .txt to make it safe). If anyone can read it better than I, maybe you can give me tips as to how to best clean up the problem and make sure that it doesn't happen again (I already deleted my autoexec.bat, which had been modified, too, but the program ran during operation, not at a reboot).

http://members.tripod.com/darren_garrison/hdkp_4.txt

cartman
01-29-01, 05:37 PM
DO NOT CLICK THAT LINK! There's a trojan in there, so says Norton Anti-Virus.

RandyC
01-29-01, 06:19 PM
What would be scary is a worm that goes onto all the forums you are registered on, logs in and posts a link with some text to a trojan file url.

Good luck Darren

Darren Garrison
01-29-01, 06:45 PM
> Originally posted by cartman:
> DO NOT CLICK THAT LINK! There's a trojan in there, so says Norton Anti-Virus.

OF COURSE there is a trojan (or more specifically, an MS-DOS batch file) in there. That program was what I was asking about! Didn't you even READ the text of the message that TOLD what was in the link??? Like, possibly, the part of the message that tells that the link is to the damaging batch file itself, saved as a text file so that it couldn't execute itself??? It isn't an attempt to wreck anyone's computer, it's an attempt to get help from someone who can read what the "code" parts of the batch file mean-- and the reason the text was placed in a separate link, not put into the body of the message. The text is ENTIRELY harmless to you unless you save it as a batch file and then execute it. Sheesh.

[This message has been edited by Darren Garrison (edited January 29, 2001).]

X
01-29-01, 07:02 PM
What an idiot that batch file virus writer is! He even comments his code. Any idea where you picked this up?

Definitely get rid of anything called temp.bat. I would suggest you search all remaining files for a string contained in the batch file, like "Munga Bunga" or "Hard Drive Killer".

Darren Garrison
01-29-01, 09:52 PM
> Originally posted by X:
> What an idiot that batch file virus writer is! He even comments his code. Any idea where you picked this up?

I don't have any idea where or when I picked up the file. I hadn't downloaded or executed any executable or batch files before walking away from my computer, either. There was a component of the file written to autoexec.bat, but it had been a while since my last reboot. That's what concerns me, and why I posted it here. I was wondering if anyone could see within the file any links to other files (other than to other *.bat files, which I already killed) or a sign that it had an internal "timer" (execute after such-and-such date). What concerns me more than the possibility of a bomb hidden in a download some time (which would be mostly sloppiness on my part) is the possibility that some security hole in my system was exploited to download and execute the file remotely-- I know it is less common on dial-ups than on DSL/cable type connections, but I know that such things ARE possible on dial-ups. Considering that the program didn't do what it was supposed to do (it wiped only drives E and F and didn't manage to wipe drives C, D, and G) I'm hoping that it doesn't have any sophisticated left-overs, such as hidden in my registry file. I'm looking now to find a decent shareware anti-virus program to see if it can find traces of it (apparently Norton sees it, but I don't think there is a downloadable shareware version).

X
01-29-01, 10:16 PM
Like I said, search for files named temp.bat, do a text search on ALL files on all drives for the string temp.bat (maybe do it overnight -- it could take a while), and run regedit to search your registry for the same name. Inspect your Run key in your registry also to see if something foreign is in there, especially a batch file. Be aware of "official" sounding things that are slight deviations from the real names.
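The clean-up X describes (look for files named temp.bat, text-search every file for the indicator strings, and check the startup entries for batch files or look-alike program names) can be scripted. The following is an added example written for this page, not code from the thread or from any of its posters. It uses the strings quoted in the thread as indicators, builds a small constructed directory tree and a constructed set of startup entries so it runs offline, and the list of "known good" program names is an assumption for the look-alike check. Reading the real Run key would need Windows-specific code; here the entries are passed in as a plain dictionary.

```python
"""Sweep a directory tree for indicator strings and flag suspicious startup entries.

Added example, not from the thread. Indicator strings are the ones quoted in the
thread; the sample files, startup entries and KNOWN_GOOD list are constructed here.
"""
import os
import shutil
import tempfile

# Indicator strings named in the thread; matched case-insensitively.
INDICATORS = ("temp.bat", "Munga Bunga", "Hard Drive Killer")

# Assumed list of legitimate startup program names, used for the look-alike check.
KNOWN_GOOD = ("explorer.exe", "systray.exe", "scanregw.exe")


def find_files_containing(root, needles=INDICATORS, max_bytes=4 * 1024 * 1024):
    """Walk root and return sorted (relative path, needle) pairs.

    A file is a hit when its name equals a needle or its bytes contain the needle.
    Files are read in binary so any file type can be swept; oversized files are skipped.
    """
    lowered = [n.lower().encode() for n in needles]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read().lower()
            except OSError:
                continue  # unreadable file: note it by hand, do not abort the sweep
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for needle, raw in zip(needles, lowered):
                if name.lower() == needle.lower() or raw in data:
                    hits.append((rel, needle))
    return sorted(hits)


def edit_distance(a, b):
    """Levenshtein distance, used to catch names that are slight deviations of real ones."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _executable_of(command):
    """Return the lower-cased file name of the program a startup command line launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        path = parts[0] if parts else command
    return os.path.basename(path.replace("\\", "/")).lower()


def suspicious_run_entries(entries, known_good=KNOWN_GOOD):
    """entries: dict of value name -> command line, as read out of a Run key.

    Returns {name: reason} for entries that launch a batch file, or whose program
    name is within edit distance 2 of a known program name without being equal to it.
    """
    flagged = {}
    for name, command in entries.items():
        exe = _executable_of(command)
        if exe.endswith(".bat"):
            flagged[name] = "launches a batch file: " + exe
            continue
        for good in known_good:
            d = edit_distance(exe, good.lower())
            if 0 < d <= 2:
                flagged[name] = f"{exe} looks like {good} (edit distance {d})"
                break
    return flagged


def demo():
    """Build a constructed tree and startup list, run both checks, return the results."""
    root = tempfile.mkdtemp(prefix="sweep_")
    try:
        os.makedirs(os.path.join(root, "windows"))
        os.makedirs(os.path.join(root, "docs"))
        samples = {  # constructed sample files; the batch file holds only comments
            "windows/temp.bat": "@echo off\nrem Hard Drive Killer\nrem Munga Bunga\n",
            "windows/autoexec.bat": "@echo off\ncall c:\\windows\\temp.bat\n",
            "docs/readme.txt": "notes about the longest day\n",
        }
        for rel, text in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        run_key = {  # constructed startup entries in Run-key form
            "SystemTray": r"C:\WINDOWS\systray.exe",
            "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
            "Explorer": r'"C:\WINDOWS\exploror.exe"',  # one letter off explorer.exe
            "Cleanup": r"C:\WINDOWS\temp.bat",
        }
        return find_files_containing(root), suspicious_run_entries(run_key)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Pointing `find_files_containing` at a drive root does the overnight text search X suggests; the name match catches any stray temp.bat even when its contents were altered, and the content match catches autoexec.bat-style files that merely call it. The edit-distance check is what turns "be aware of official-sounding names that are slight deviations" into something a script can apply across every startup entry.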