What type of virus is this? Or is it something else?

By nuSkool ·
One of the computers on our network has a 60 GB partition on its hard drive. It is the main partition where Windows is installed and is used by one of our developers. Windows kept popping up an information box from the task bar saying that the hard drive was full.

I checked the C drive properties and there was less than 1 GB of space left. After I did a disk clean up and removed some unnecessary programs I was able to free up 2 GB of free space. Enough to work. We have anti-virus and anti-spyware on our network, but I downloaded and installed some freeware versions, updated them, turned off System Restore and booted into safe mode. The programs I installed were AVG Anti-Spyware, Spybot, Ad-Aware, and Avira Antivirus. None of them detected anything beyond a few cookies though.

I checked the root of the C drive for suspicious files or directories and noticed that there was a directory named 1. The folder size was 42.9 GB with a size on disk of 43.1 GB and it contained 180,838 files. Obviously the source of the low disk space. I thought this was strange so I checked the contents before I deleted it and found the contents stranger than a mysterious folder appearing out of nowhere.

The contents were as follows:

180,804 files had the following naming convention:

1962x through 182766x, with a file type of "file".
Odd files (1963x, 1965x, etc.) were all zero bytes and even files were 680 bytes.

This was followed by 32 files with the yzy file type. They were named
ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_2 through ABCDEF..._34.

Files _2 through _22 were each 2 GB. Files 23-25 were 256 MB. Files 26-28 were each 32 MB, and 29-34 were 1.32 KB for the odd and 68 bytes for the even files.

I used sdelete to get rid of the files. It can be downloaded from http://www.microsoft.com/technet/sysinternals/Utilities/SDelete.mspx
Once I copied it over to my Windows directory I opened the command line and typed

sdelete -p 10 -s C:\1

This securely deletes the directory and all subdirectories using 10 passes. This might have been a little bit of overkill though. It's been 20 minutes and so far sdelete has only got rid of 28,000 files (100 MB), and these are the smaller ones. I will keep everyone updated on how it goes and if the files come back. (I hope not!)

Does anyone else think that this is a virus, or can it be something else such as user error? What would you have done if you were in my position? I could have reinstalled, but I think this will turn out to be a great learning experience when I figure out how all those files got there.
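Before deleting a folder like C:\1, it is worth recording what is actually in it: file counts per extension, the even/odd size pattern described above, and the first bytes of a small file. The Python script below is an added example (not from the original post or any tool it mentions) that does that triage; make_sample builds a constructed stand-in for the folder in a temp directory, since the real data is not on the page.

```python
import os
import re
import tempfile
from collections import Counter


def triage(root):
    """Summarise every regular file under root: counts per extension, size
    distribution split by even/odd trailing number, and the smallest non-empty file."""
    by_ext, even, odd = Counter(), Counter(), Counter()
    smallest = None  # (size, path) of the smallest non-empty file
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            stem, ext = os.path.splitext(name)
            by_ext[ext.lower() or "(none)"] += 1
            m = re.search(r"(\d+)\D*$", stem)  # trailing number, e.g. 1962 in "1962x"
            if m:
                bucket = even if int(m.group(1)) % 2 == 0 else odd
                bucket[size] += 1
            if size and (smallest is None or size < smallest[0]):
                smallest = (size, path)
    return {"files": sum(by_ext.values()), "by_ext": dict(by_ext),
            "even_sizes": dict(even), "odd_sizes": dict(odd), "smallest": smallest}


def peek(path, n=64):
    """Return the first n bytes of a file and whether they look like plain text."""
    with open(path, "rb") as f:
        data = f.read(n)
    is_text = all(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return data, "text" if is_text else "binary"


def make_sample(root):
    """Constructed stand-in for the thread's C:\\1 folder (hypothetical data)."""
    os.makedirs(root, exist_ok=True)
    for n in range(1962, 1982):  # 1962x..1981x: even 680 bytes, odd empty
        with open(os.path.join(root, f"{n}x"), "wb") as f:
            f.write(b"A" * 680 if n % 2 == 0 else b"")
    for n in (33, 34):  # two alphabet-named .yzy files: odd ~1.3 KB, even 68 bytes
        with open(os.path.join(root, f"ABCDEFGHIJKLMNOPQRSTUVWXYZ_{n}.yzy"), "wb") as f:
            f.write((b"ABCDEFGHIJKLMNOPQRSTUVWXYZ_" * 60)[:1350 if n % 2 else 68])


def demo():
    """Build the sample in a temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="triage_")
    make_sample(root)
    return triage(root)


if __name__ == "__main__":
    summary = demo()
    print(summary)
    print(peek(summary["smallest"][1]))
```

Run it against the real folder with triage(r"C:\1") instead of demo(); a uniform pattern of sizes keyed to a counter is what a runaway file-creation loop looks like, whereas malware droppers usually produce files of varying content.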


Ironically....

by NotSoChiGuy In reply to What type of virus is thi ...

Not five minutes ago, one of the developers I work with asked me to look at her PC, and she had about 10 files/directories of similar nature to what you describe. However, each file was identical in size to the system page file.

The time of the creation of the file corresponded to her installing Visual Studio SP1 (I think that is what she said...at any rate...something along that line).

I had her remove the files, and reboot the system. The files weren't recreated (which is usually a telltale sign of some sort of infection/malware presence), and the system was running just fine.

I THINK it had to do with the install of the SP (memory intensive install??). However, I am keeping an eye out on it, and have a port monitor keeping track of her PC on the network.

If anyone else has any info, I'd be receptive and appreciative.

Thanks!


Secure deletion

My guess is that your data in the folder was overwritten with the alphabet 20 times in order to make sure that the data could not be undeleted. The process might have been interrupted and therefore you are now sitting with the folder names that look like a scramble of the alphabet.


Thanks for all the replies - Here's an update.

by nuSkool In reply to Secure deletion

This is a development machine running Visual Studio, iMacros, IronSpeed, and a few other programs like Photoshop, GIF Animator, etc. This machine is used mainly to develop ASP.NET applications and it could have been a macro, or any of the other things that were suggested.

I checked the event log and the only thing I could find for the date the files were created were a bunch of entries for MS SQL 2005. I'll post the info in the morning when I get to work.

Sdelete was taking too long so I just used Ultimate Boot CD to boot the computer and delete the files. It's been four days and they haven't come back so far. I'm curious what was in the files though and if I could have opened them with Notepad. If they do come back (although I hope they don't) I will post the contents here.

Sorry, posted it in the wrong spot.


One of Your developers????

by Dukhalion In reply to What type of virus is thi ...

What is he/she developing?
Sounds like one of my first programming attempts when I accidentally wrote a loop that eventually filled my disk with one large file.
So, check whether someone has been doing some programming (or tried some weird macros) on the computer in question. And don't settle for "No, I didn't do anything, honest". The fact that several antivirus programs didn't find anything is a further hint of this.


Programmer learning!

by jay In reply to One of Your developers??? ...

Most likely a programmer using your network drive as a "safe" location to try out some new code.

Be thankful they were writing a "create file" loop, not a "delete file" loop!!!
(like a novice programmer I used to know)


I assume it's a virus

by fatsaiko In reply to What type of virus is thi ...

It's a virus; it's called Brontok or something. Yeah, they detected it once, and there was another version and they cleared it as well.

I am assuming, as it once affected my college server and duplicates itself all throughout the network, making all possible hard drives full of it. Even with an antivirus! As the antivirus detects it, not being able to clean it, and transfers itself to Quarantine (primarily Norton's antivirus).

So the way to clear it up is by using a compact remover.
http://www.compactbyte.com/cav/index.en.php

It's an external tool which detects the virus.
And also cleans it up. And you can always delete those files by yourself, I guess.

It's just a suggestion; if it doesn't get cleared up, it must be something else then. It's worth the try though!

cheers.
bob.


I had something like this years ago.

by CVB_X2Z In reply to What type of virus is thi ...

I had something like this years ago.
I found a folder in my temp directory that had over 10,000 zero byte files. I could not delete the folder but found I could delete the files, just not all at once. I deleted 250 of them at a time. Once all of them were deleted I right clicked on the folder and clicked PROPERTIES and unchecked all. Then I deleted the folder. Then I restarted in safe mode and ran anti-viral and anti-spyware programs. It did find something, but since it has been years ago I do not remember the name of what it found. If you find a name for this please post it so others can check for it. Some spam emails or scripts on a visited page may have been the culprit, but I cannot say for sure. Always keep a log of any new folders created.
I was using Win98 SE back then. Good luck if you decide to attempt to track it back to its origin.


I'm curious - did you examine the contents of the files?

by Zeppo9191 In reply to What type of virus is thi ...

I'd have used Notepad to check the contents of some of the smaller files. (Of course, it wouldn't have been able to handle the larger ones.) That might give you some indication of what they were and how they came to be.


More than likely a virus.

by thegreek In reply to What type of virus is thi ...

This is a good example of why it's a good practice to image your hard drive regularly and back up important files. With an image of a hard drive you could be back to normal and up and running within an hour.


If (and only if)

by techrepublic In reply to More than likely a virus.

This is an excellent suggestion IFF the contamination occurred after the image was taken.
