What type of virus is this? Or is it something else?


nuSkool
One of the computers on our network has a 60 GB partition on its hard drive. It is the main partition where Windows is installed and is used by one of our developers. Windows kept popping up an information box from the task bar saying that the hard drive was full.

I checked the C drive properties and there was less than 1 GB of space left. After I did a disk clean up and removed some unnecessary programs I was able to free up 2 GB of free space. Enough to work. We have anti-virus and anti-spyware on our network, but I downloaded and installed some freeware versions, updated them, turned off System Restore and booted into safe mode. The programs I installed were AVG anti-spyware, Spybot, Ad-Aware, and Avira anti-virus. None of them detected anything beyond a few cookies though.

I checked the root of the C drive for suspicious files or directories and noticed that there was a directory named 1. The folder size was 42.9 GB with a size on disk of 43.1 GB and it contained 180,838 files. Obviously the source of the low disk space. I thought this was strange so I checked the contents before I deleted it and found the contents stranger than a mysterious folder appearing out of nowhere.

The contents were as follows:

180,804 files had the following naming convention:

1962x through 182766x with a file type "file".
Odd files (1963x, 1965x, etc.) were all zero bytes and even files were 680 bytes.

This was followed by 32 files with yzy file type. They were named
ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_2 through ABCDEF..._34.

Files _2 through _22 were each 2 GB. Files 23-25 were 256 MB. Files 26-28 were each 32 MB, and 29-34 were 1.32 KB for the odd and 68 bytes for the even files.

I used sdelete to get rid of the files. It can be downloaded from http://www.microsoft.com/technet/sysinternals/Utilities/SDelete.mspx
Once I copied it over to my Windows directory I opened the command line and typed

sdelete -p 10 -s C:\1

This securely deletes the directory and all subdirectories using 10 passes. This might have been a little bit of overkill though. It's been 20 minutes and so far sdelete has only got rid of 28,000 (100 MB) files and these are the smaller ones. I will keep everyone updated on how it goes and if the files come back. (I hope not!)

Does anyone else think that this is a virus or can it be something else such as user error? What would you have done if you were in my position? I could have reinstalled but I think this will turn out to be a great learning experience when I figure out how all those files got there.
  • +
    0 Votes
    NotSoChiGuy

    Not five minutes ago, one of the developers I work with asked me to look at her PC, and she had about 10 files/directories of similar nature to what you describe. However, each file was identical in size to the system page file.

    The time of the creation of the file corresponded to her installing Visual Studio SP1 (I think that is what she said...at any rate...something along that line).

    I had her remove the files, and reboot the system. The files weren't recreated (which is usually a telltale sign of some sort of infection/malware presence), and the system was running just fine.

    I THINK it had to do with the install of the SP (memory intensive install??). However, I am keeping an eye out on it, and have a port monitor keeping track of her PC on the network.

    If anyone else has any info, I'd be receptive and appreciative.

    Thanks!

    +
    0 Votes

    My guess is that your data in the folder was overwritten with the alphabet 20 times in order to make sure that the data could not be undeleted. The process might have been interrupted and therefore you are now sitting with the folder names that look like a scramble of the alphabet.

    +
    0 Votes
    nuSkool

    This is a development machine running Visual Studio, iMacros, IronSpeed, and a few other programs like PhotoShop, GIF Animator, etc. This machine is used mainly to develop ASP.NET applications and it could have been a macro, or any of the other things that were suggested.

    I checked the event log and the only thing I could find for the date the files were created were a bunch of entries for MS SQL 2005. I'll post the info in the morning when I get to work.

    Sdelete was taking too long so I just used Ultimate Boot CD to boot the computer and delete the files. It's been four days and they haven't come back so far. I'm curious what was in the files though and if I could have opened them with Notepad. If they do come back (although I hope they don't) I will post the contents here.

    Sorry, posted it in the wrong spot.

    +
    0 Votes
    Dukhalion

    What is he/she developing?
    Sounds like one of my first programming attempts when I accidentally wrote a loop that eventually filled my disk with one large file.
    So, check whether someone has been doing some programming (or tried some weird macros) on the computer in question. And don't settle for "No, I didn't do anything, honest". The fact that several antivirus programs didn't find anything is a further hint of this.

    +
    0 Votes
    jay

    Most likely a programmer using your network drive as a "safe" location to try out some new code.

    Be thankful they were writing a "create file" loop, not a "delete file" loop!!!
    (like a novice programmer I used to know)

    +
    0 Votes
    fatsaiko

    It's a virus, it's called brontox or something. Yeah, they detected it once, and there was another version and they cleared it as well.

    I am assuming as it once affected my college server and duplicates itself all throughout the network, making all possible hard drives full of it. Even with an antivirus! As the antivirus detects it, not being able to clean it, it transfers itself to Quarantine. (primarily Norton's antivirus)

    So the way to clear it up is by using a compact remover.
    http://www.compactbyte.com/cav/index.en.php

    It's an external tool which detects the virus.
    And also cleans it up. And you can always delete those files by yourself I guess.

    It's just a suggestion, if it doesn't get cleared up, it must be something else then. It's worth the try though!

    cheers.
    bob.

    +
    0 Votes
    CVB_X2Z

    I had something like this years ago.
    I found a folder in my temp directory that had over 10,000 zero byte files. I could not delete the folder but found I could delete the files, just not all at once. I deleted 250 of them at a time. Once all of them were deleted I right clicked on the folder and clicked PROPERTIES and unchecked all. Then I deleted the folder. Then I restarted in safe mode and ran anti-virus and anti-spyware programs. It did find something but since it has been years ago I do not remember the name of what it found. If you find a name for this please post it so others can check for it. Some spam emails or scripts on a visited page may have been the culprit but I cannot say for sure. Always keep a log of any new folders created.
    I was using Win98 SE back then. Good luck if you decide to attempt to track it back to its origin.

    +
    0 Votes
    Zeppo9191

    I'd have used Notepad to check the contents of some of the smaller files. (Of course, it wouldn't have been able to handle the larger ones.) That might give you some indication of what they were and how they came to be.

    +
    0 Votes
    thegreek

    This is a good example of why it's a good practice to image your hard drive regularly and back up important files. With an image of a hard drive you could be back to normal and up and running within an hour.

    +
    0 Votes
    techrepublic

    This is an excellent suggestion IFF the contamination occurred after the image was taken.

    +
    0 Votes
    alain.peraux

    It's always a good install policy to put some more time into the completion of a system image for all the alike machines. User data should be backed up on another basis but the main thing is to have a complete rolled-out system with all tweaks and software in an image that can be put back in a matter of minutes (or some more if Windows minutes).

    +
    0 Votes
    mackman2011

    You possibly have a "decompression bomb". Somewhere you may have downloaded and unleashed a compressed file which just keeps replicating a certain file or file type. I had one on my home PC which kept filling up my hard drive with gif files. It was easy to delete manually after locating it. Try the forum at avast.com for some information and links to downloads that are helpful. Avast anti-virus will pick up decompression bombs by catching any compressed file which will grow larger than a predetermined size. (Some false positives are possible.) The avast scan log will give you the file name and list it as a decompression bomb. Avast has found three or four more decompression bombs since and I let them die a peaceful death in the avast virus chest. Disk compression seems to hold it at bay and give you some working space until you can get rid of it.

    +
    0 Votes
    BALTHOR

    Trying to find dinosaurs in Viet Nam or planet Dune awards to the Earth in Baghdad. They might be there and they might be big!

    +
    0 Votes
    steveoh

    The files may be left over from a HDD testing utility.
    The time and date of the files may prompt the user to recall what was happening then.
    Were they created in one session or slowly over a period? What was the content of the files? 0's, random, or maybe something that the developer may recognise.
    AV fails so often these days because of the speed that new viruses propagate. I have reasonable success removing viruses by examining the registry RUN and RUNONCE entries, also viewing the windows and system32 folders sorted by date and locating anything that smells. I look for random file names, small .EXEs and check that properties of .EXEs contain manufacturer information. Most viruses and malware have no such info. Anything I don't trust is moved to a folder created in the root so I can replace it if I'm wrong.
    Over the years I've become reasonably familiar with good vs. bad files. The time investment is now paying off with the speed I can run through a system.
    Rootkits now force me to use a bootable CD. The registry may not be available but if I move the virus files the reg entries can't start them on next boot anyway.
    This isn't a 100% technique (about 70% success) and it may be a little dangerous, but I've won many battles quickly and easily without trashing any machines. I've lost a heap as well but the 15 mins it takes me these days is worth a try.
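The questions raised in this thread (were the files created in one burst or over a period, are they zeros or real data, what extensions and sizes are involved) can be answered for a folder like C:\1 before it is wiped. The script below is an added example written for this page, not code from any poster; it triages a directory and, for a runnable demonstration, builds a constructed miniature of the pattern the original post describes (even-numbered files of 680 NUL bytes, odd ones empty, one alphabet-named .yzy file). The function names `triage_dir`, `build_sample` and `demo_report` are this example's own.

```python
import tempfile
from collections import Counter
from pathlib import Path


def triage_dir(root, sample_bytes=4096):
    """Summarise the files under `root`: counts per extension, a histogram of
    exact sizes, how many non-empty files hold only NUL bytes in their first
    `sample_bytes`, and the creation/change time span (burst vs. trickle)."""
    by_ext, by_size = Counter(), Counter()
    non_empty = zero_filled = 0
    first = last = None
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        by_ext[path.suffix.lower() or "<none>"] += 1
        by_size[st.st_size] += 1
        ts = st.st_ctime  # creation time on Windows, inode change time elsewhere
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        if st.st_size > 0:
            non_empty += 1
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            if not head.strip(b"\x00"):  # sample is nothing but NUL bytes
                zero_filled += 1
    return {
        "files": sum(by_ext.values()),
        "by_ext": dict(by_ext),
        "by_size": dict(by_size),
        "non_empty": non_empty,
        "zero_filled": zero_filled,
        "span_seconds": 0.0 if first is None else last - first,
    }


def build_sample(root):
    """Constructed sample mimicking the thread's pattern at tiny scale:
    even-numbered '<n>x' files of 680 NUL bytes, odd ones empty, plus one
    alphabet-named '.yzy' file holding non-zero data."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for n in range(1962, 1972):
        (root / f"{n}x").write_bytes(b"\x00" * 680 if n % 2 == 0 else b"")
    yzy = root / ("ABCDEFGHIJKLMNOPQRSTUVWXYZ_" * 2 + "2.yzy")
    yzy.write_bytes(bytes(range(256)) * 4)
    return root


def demo_report():
    """Build the sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_dir(build_sample(Path(tmp) / "1"))


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

Run `triage_dir(r"C:\1")` on the real folder; a span of a few seconds points to a single process writing in a loop, while a large `zero_filled` count matches the sparse or pre-allocated output of a disk test or page-file style allocation rather than copied user data.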
