Virus replicating itself and directories

Archived from groups: microsoft.public.win2000.advanced_server

Hi all,

I posted about the W32/NetskyP@mm virus last week and got some good
suggestions. I was able to contain the virus, but I am finding that as I
hit certain directories there is a trigger file that causes the creation of
more directories using the POSIX subsystem, and then once the directories
are created, it populates them with more virus files.

Using the procedures of doing a dir /x to ID the 8.3 names of each
directory is fine if the tree is not as deep as some of these directories.
But at a certain point, the system just does not progress past a certain
level of directory, which is kind of weird.

Does anyone know of a tool, or a "file manager" interface that actually
displays the real 8.3 directory name and would allow me to kill off the
directory and all the files?

Also, I think the only way to stop this from spawning any more files and
directories is to kill off the POSIX system. Has anyone done this before,
and been successful?

Thanks,

D.E.

--
"I felt evil surging through me, in every fiber of my being. Pure,
undiluted evil. I could taste it."

"How's evil taste?"

"A little chalky."
 

ME
Apr 1, 2004

First, you can use File Manager from NT4, and that will show both the 8.3 and
long names.

Second, there is a utility in the NT Resource Kit that has the option to
remove the POSIX subsystem. I have not tried it on 2000 and, of course, not
knowing your environment, I'm not sure what implications you might have by
removing it, so if you want to play with it, do it at your own risk.

"Doctor Evil" <Evil@Shhh.com> wrote in message
news:Xns9542774544D7DDrEvil@140.99.99.130...
> Hi all,
>
> I posted about the W32/NetskyP@mm virus last week and got some good
> suggestions. I was able to contain the virus, but I am finding that as I
> hit certain directories there is a trigger file that causes the creation of
> more directories using the POSIX subsystem, and then once the directories
> are created, it populates them with more virus files.
>
> Using the procedures of doing a dir /x to ID the 8.3 names of each
> directory is fine if the tree is not as deep as some of these directories.
> But at a certain point, the system just does not progress past a certain
> level of directory, which is kind of weird.
>
> Does anyone know of a tool, or a "file manager" interface that actually
> displays the real 8.3 directory name and would allow me to kill off the
> directory and all the files?
>
> Also, I think the only way to stop this from spawning any more files and
> directories is to kill off the POSIX system. Has anyone done this before,
> and been successful?
>
> Thanks,
>
> D.E.
>
> --
> "I felt evil surging through me, in every fiber of my being. Pure,
> undiluted evil. I could taste it."
>
> "How's evil taste?"
>
> "A little chalky."
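The cleanup both posts circle around (walk the tree with dir /x to get each
directory's 8.3 alias, delete the tree through that alias, then stop the POSIX
subsystem from being started again) as one cmd batch script. This is an added
example, not code from either poster. Assumptions: cmd's rd accepts the \\?\
prefix (documented for XP and later; verify on Windows 2000 before relying on
it), 8.3 name generation is enabled on the volume, reg.exe is available
(Support Tools on 2000, built in from XP), and the Session Manager SubSystems
key carries an Optional value naming the on-demand subsystems. The script name
cleanup83.cmd and its argument layout are invented for the example.

```batch
@echo off
setlocal
rem Added example, not from the thread.
rem   cleanup83.cmd <root>                          list directories with 8.3 names
rem   cleanup83.cmd <root> <dir-to-remove>          delete that tree via its 8.3 alias
rem   cleanup83.cmd <root> <dir-to-remove> /noposix ...and stop Posix from starting
rem Assumptions (see lead-in): rd understands \\?\, 8.3 names are enabled,
rem reg.exe exists, and SubSystems\Optional lists on-demand subsystems.

if "%~1"=="" (
    echo usage: %~nx0 ^<root^> [dir-to-remove] [/noposix]
    exit /b 1
)
set "ROOT=%~f1"

rem Step 1: walk the tree showing long and 8.3 names side by side.
rem /x adds the short-name column, /s recurses, /ad restricts to directories.
rem Read the 8.3 column for any entry whose long name cmd cannot reproduce
rem (trailing dots or spaces, reserved names, case-only duplicates).
dir /x /s /ad "%ROOT%"

if "%~2"=="" exit /b 0

rem Step 2: delete through the 8.3 alias. %~s2 expands argument 2 to its
rem short path, which the Win32 layer can open even when the long name is one
rem it would normalise away. The \\?\ prefix then tells Win32 to pass the
rem path to the kernel unchanged: no 260-character MAX_PATH limit, which is
rem what stops ordinary rd partway down a deep tree.
set "SHORT=%~s2"
echo removing "%~2" as "%SHORT%"
rd /s /q "\\?\%SHORT%" || (
    echo rd failed; re-check the listing above for the exact 8.3 path
    exit /b 2
)
rem Post-condition: the short path must be gone (trailing \ tests a directory).
if exist "%SHORT%\" (
    echo directory still present after rd
    exit /b 3
)

if /i not "%~3"=="/noposix" exit /b 0

rem Step 3: stop the Posix subsystem from being started on demand. The
rem Session Manager starts the subsystems named in the Optional value;
rem rewriting it to contain only Os2 removes the trigger without deleting
rem psxss.exe. Query first so the previous value is on record; reboot to apply.
set "SUBSYS=HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
reg query "%SUBSYS%" /v Optional
reg add "%SUBSYS%" /v Optional /t REG_MULTI_SZ /d "Os2" /f
echo Posix removed from the optional subsystem list; reboot to apply.
endlocal
```

Run it with only the root argument first and keep that listing: it is the only
reliable map of which 8.3 alias belongs to which unreadable long name. If 8.3
name generation has been disabled on the volume (NtfsDisable8dot3NameCreation),
%~s2 simply returns the long path unchanged and the \\?\ prefix is the only
remaining route. Step 3 is the registry half of what the Resource Kit utility
the reply mentions does; it stops the subsystem from loading but leaves its
files in place, so treat it as a stopgap until the infected shares are clean.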