
"Virus" help needed and a word of warning

Old 01-29-01, 05:32 PM
  #1  
Needs to provide a working email
Thread Starter
 
Join Date: Dec 1999
Location: Formerly known as Darrin Garrison
Posts: 3,321
I was away from my computer for a while today while on-line, and when I got back, there was a DOS window open in which a program had been run-- a batch file that deleted the contents of my e: and f: drives (it was supposed to delete the contents of ALL drives, but apparently the file was badly written). I don't know how that batch file got there, I don't know if someone was feeling around for security holes in systems, found one in mine, and loaded and executed the program, or if somehow it was a "time bomb" installed somehow by a downloaded file (though I don't use unknown files, so I don't know how) set to go off after a certain period. Either way, if it had been written correctly, I would have been dealing with a totally wiped system instead of a few wiped archives (most of which had been moved to CD-R). If it is coming in over a security hole, watch out for your systems.

Here's a link to the text of the batch file (saved as a .txt to make it safe). If anyone can read it better than I, maybe you can give me tips as to how to best clean up the problem and make sure that it doesn't happen again (I already deleted my autoexec.bat, which had been modified, too, but the program ran during operation, not at a reboot).

http://members.tripod.com/darren_garrison/hdkp_4.txt
Darren Garrison is offline  
Old 01-29-01, 05:37 PM
  #2  
DVD Talk Limited Edition
 
 
Join Date: Oct 1999
Location: SP, Colorado
Posts: 5,344
DO NOT CLICK THAT LINK! There's a trojan in there, so says Norton Anti-Virus.
cartman is offline  
Old 01-29-01, 06:19 PM
  #3  
Super Moderator
 
 
Join Date: Aug 1999
Location: shine on you crazy diamond
Posts: 26,038
What would be scary is a worm that goes onto all the forums you are registered on, logs in and posts a link with some text to a trojan file url.


Good luck Darren
RandyC is offline  
Old 01-29-01, 06:45 PM
  #4  
Needs to provide a working email
Thread Starter
 
Join Date: Dec 1999
Location: Formerly known as Darrin Garrison
Posts: 3,321
quote:
Originally posted by cartman:
DO NOT CLICK THAT LINK! There's a trojan in there, so says Norton Anti-Virus.



OF COURSE there is a trojan (or more specifically, an MS-DOS batch file) in there. That program was what I was asking about! Didn't you even READ the text of the message that TOLD what was in the link??? Like, possibly, the part of the message that tells that the link is to the damaging batch file itself, saved as a text file so that it couldn't execute itself??? It isn't an attempt to wreck anyone's computer, it's an attempt to get help from someone who can read what the "code" parts of the batch file mean-- and the reason the text was placed in a separate link, not put into the body of the message. The text is ENTIRELY harmless to you unless you save it as a batch file and then execute it. Sheesh.

[This message has been edited by Darren Garrison (edited January 29, 2001).]
Darren Garrison is offline  
Old 01-29-01, 07:02 PM
  #5  
X
Administrator
 
 
Join Date: Oct 1987
Location: AA-
Posts: 10,683
What an idiot that batch file virus writer is! He even comments his code. Any idea where you picked this up?

Definitely get rid of anything called temp.bat. I would suggest you search all remaining files for a string contained in the batch file. Like "Munga Bunga" or "Hard Drive Killer"
X is offline  
Old 01-29-01, 09:52 PM
  #6  
Needs to provide a working email
Thread Starter
 
Join Date: Dec 1999
Location: Formerly known as Darrin Garrison
Posts: 3,321
quote:
Originally posted by X:
What an idiot that batch file virus writer is! He even comments his code. Any idea where you picked this up?



I don't have any idea where or when I picked up the file. I hadn't downloaded or executed any executable or batch files before walking away from my computer, either. There was a component of the file written to autoexec.bat, but it had been a while since my last reboot. That's what concerns me, and why I posted it here. I was wondering if anyone could see within the file any links to other files (other than to other *.bat files, which I already killed) or a sign that it had an internal "timer" (execute after such-and-such date). What concerns me more than the possibility of a bomb hidden in a download some time (which would be mostly sloppiness on my part) is the possibility that some security hole in my system was exploited to download and execute the file remotely-- I know it is less common on dial-ups than on DSL/cable type connections, but I know that such things ARE possible on dial-ups. Considering that the program didn't do what it was supposed to do (it wiped only drives E and F and didn't manage to wipe drives C, D, and G) I'm hoping that it doesn't have any sophisticated left-overs, such as hidden in my registry file. I'm looking now to find a decent shareware anti-virus program to see if it can find traces of it (apparently Norton sees it, but I don't think there is a downloadable shareware version).
Darren Garrison is offline  
Old 01-29-01, 10:16 PM
  #7  
X
Administrator
 
 
Join Date: Oct 1987
Location: AA-
Posts: 10,683
Like I said, search for files named temp.bat, do a text search on ALL files on all drives for the string temp.bat (maybe do it overnight -- it could take a while), and run regedit to search your registry for the same name. Inspect your Run key in your registry also to see if something foreign is in there, especially a batch file. Be aware of "official" sounding things that are slight deviations from the real names.
X is offline  
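
The file sweep suggested in posts #5 and #7, as an added example that is not part of the original thread: it walks a directory tree, flags any file named temp.bat, and reports files containing the strings quoted above. The sample files are constructed for the demo, and the registry Run key check is not covered here.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the thread: the file name and two strings quoted from the batch file.
SUSPECT_NAMES = {"temp.bat"}
MARKERS = [b"munga bunga", b"hard drive killer", b"temp.bat"]
CHUNK = 1 << 20  # read 1 MiB at a time so large files are not loaded whole

def file_markers(path):
    """Return the markers found in a file (case-insensitive byte search)."""
    found, tail = set(), b""
    overlap = max(len(m) for m in MARKERS) - 1  # catch markers split across chunks
    try:
        with open(path, "rb") as fh:
            while chunk := fh.read(CHUNK):
                window = (tail + chunk).lower()
                found.update(m for m in MARKERS if m in window)
                tail = window[-overlap:]
    except OSError:
        return None  # unreadable file: report it rather than skip silently
    return sorted(m.decode() for m in found)

def scan(root):
    """Walk root and return a list of (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in SUSPECT_NAMES:
                findings.append((path, "suspect file name"))
            hits = file_markers(path)
            if hits is None:
                findings.append((path, "unreadable"))
            elif hits:
                findings.append((path, "contains: " + ", ".join(hits)))
    return findings

def demo():
    """Build a constructed sample tree (harmless placeholder files) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"AUTOEXEC.BAT": b"@echo off\r\ncall C:\\TEMP.BAT\r\n",
                   "Temp.bat": b"rem constructed placeholder, no commands\r\n",
                   "notes.txt": b"shopping list\r\n"}
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return sorted((os.path.basename(p), why) for p, why in scan(root))
if __name__ == "__main__":
    print(demo())
```

Point `scan()` at each drive root in turn; a hit in a startup file such as autoexec.bat is the kind of reference worth inspecting by hand before deleting anything.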
