Wednesday, March 14, 2007

Cut n' Paste or Folder.exe?

Well, this virus was introduced to my PC by a friend of mine. The main symptoms of the virus are:

1. "Cut" and "paste" of documents and folders no longer works in Explorer. The document/folder is copied to the destination instead, but the original is not removed from its original location.

2. The virus creates ".exe" files named after the folders in the root and subfolders of removable drives (e.g., USB drives). The real folders are still there, but they are given the "hidden" and "system" attributes so that Explorer no longer shows them.

3. The virus creates its infection files in the root of the removable drive. They may have the following names:
a. a folder named $lddata$
b. a folder named rm and a file named rm.exe
c. a folder named ms.config



Method of cloning:

The ".exe" files named after the folders act as the cloning base for the virus. If you double-click one of these ".exe" files, thinking it is a folder (hoping to open it), it will infect your PC. With Explorer's default setting of hiding extensions for known file types, a file such as "Photos.exe" is displayed simply as "Photos", which is why it passes for the folder of that name; turning that setting off makes the decoys obvious.




How to clean:

1. Do not open any of the files on the removable drive. If you do, the virus will infect your PC further.

2. Use the Windows command prompt (cmd.exe) for the following steps: Start => Run (or Windows key + R), type cmd and press Enter.

3. Change to the removable drive (e.g., type d: and press Enter).

4. Run dir *.exe and you should see the ".exe" files named after your former folders. You will also notice that the folders themselves seem to have disappeared, but this is not the case: they have been given the "hidden" and "system" attributes, which a plain dir does not show.

5. Once the ".exe" list is up, run del *.exe, but first make sure there are no genuine ".exe" files in the list, or else you will lose them. Only the ".exe" files bearing folder names should be deleted. If you are not sure, use del /p *.exe instead; it prompts for each file so you can choose which ones to delete.

6. Once this is done, run attrib -s -h "lost folder name" (the double quotes are only needed if the name contains spaces). Repeat this to recover all the folders. If you forget a particular folder name, run dir /ah to list the hidden entries.

7. Now that the folders are recovered and you are happy, let's clean the virus files themselves; if you don't, they will infect your PC again. Run dir /ah once more and check whether any files or folders are left (examples of such file/folder names are $lddata$, rm and ms.config).

8. Run attrib -s -h "name" on each remaining file or folder and delete it (del name for files, rd name for folders). If a folder is not empty, go into it (cd name), repeat the attrib procedure above to reveal and delete its contents, come back to the root (cd ..) and remove the folder. Alternatively, attrib -s -h -r "name\*" /s /d followed by attrib -s -h "name" and rd /s /q "name" removes a non-empty folder and everything in it in one go, so use it only on the virus folders listed above.


Once this is done, run dir /ah and check whether any files or folders are displayed. If the list is empty, congratulations, you are good to go.

Keep in mind that this only cleans the drive. If the PC itself is already infected (symptoms 1 and 2 above), it will write the decoy ".exe" files and the hidden folders onto the drive again the next time you plug it in, so clean the PC first and only then reconnect the drive.


Note: some newer USB drives ship with built-in software that cannot be removed. Don't worry if such files show up in the list; they are not infected and will not cause any problem.
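As an added example (this is not part of the original post), the following Python script automates the checks in steps 4 through 8 and the indicator list above: for each directory on the drive it flags only those ".exe" files whose name matches a sibling folder (a genuine ".exe" with no same-named folder is left alone, which is the decision step 5 asks you to make by eye), finds the folders that were given the "hidden" and "system" attributes, matches the dropper names listed above, and by default only prints what it would do. It assumes Python 3 on Windows (the attribute bits come from os.stat().st_file_attributes, and the cleanup shells out to the same attrib command the steps use); the names $lddata$, rm, rm.exe and ms.config are taken from the post, and the drive letter D: is just a placeholder.

```python
"""Triage and clean a removable drive hit by the folder.exe worm described above.

Added example, not from the original post. Assumes Python 3 on Windows.
Indicator names ($lddata$, rm, rm.exe, ms.config) are the ones the post lists.
"""
import os
import shutil
import subprocess
import sys
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2   # same bit values as stat.FILE_ATTRIBUTE_HIDDEN
FILE_ATTRIBUTE_SYSTEM = 0x4   # and stat.FILE_ATTRIBUTE_SYSTEM
# Dropper files/folders the post says the worm leaves in the drive root.
WORM_ROOT_NAMES = {"$lddata$", "rm", "rm.exe", "ms.config"}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool = False
    system: bool = False


def scan_dir(path):
    """List one directory as Entry records, reading the Windows attribute bits."""
    out = []
    with os.scandir(path) as it:
        for de in it:
            attrs = getattr(de.stat(follow_symlinks=False), "st_file_attributes", 0)
            out.append(Entry(de.name, de.is_dir(follow_symlinks=False),
                             bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                             bool(attrs & FILE_ATTRIBUTE_SYSTEM)))
    return out


def decoy_exes(entries):
    """Return .exe files whose base name matches a sibling folder (the lure).

    'Photos.exe' beside a hidden 'Photos' folder is a decoy; a lone .exe with
    no same-named folder is not touched. Worm-owned names are reported
    separately by worm_artifacts().
    """
    dirs = {e.name.lower() for e in entries if e.is_dir}
    return sorted(e.name for e in entries
                  if not e.is_dir and e.name.lower().endswith(".exe")
                  and e.name[:-4].lower() in dirs
                  and e.name.lower() not in WORM_ROOT_NAMES)


def hidden_system_folders(entries):
    """Folders flagged +S +H, i.e. the ones the worm 'made disappear'."""
    return sorted(e.name for e in entries if e.is_dir and e.hidden and e.system)


def worm_artifacts(entries):
    """Dropper files/folders matched by name against the post's list."""
    return sorted(e.name for e in entries if e.name.lower() in WORM_ROOT_NAMES)


def plan(entries):
    """Turn one directory listing into an ordered list of (action, name)."""
    actions = [("delete", n) for n in decoy_exes(entries)]
    actions += [("unhide", n) for n in hidden_system_folders(entries)
                if n.lower() not in WORM_ROOT_NAMES]
    actions += [("remove", n) for n in worm_artifacts(entries)]
    return actions


def execute(root, actions, dry_run=True):
    """Apply a plan under `root`. Dry run by default: print, change nothing."""
    for action, name in actions:
        path = os.path.join(root, name)
        print(f"{'[dry-run] ' if dry_run else ''}{action:7} {path}")
        if dry_run:
            continue
        if action == "unhide":
            subprocess.run(["attrib", "-s", "-h", path])      # same command as step 6
        elif action == "delete":
            os.remove(path)
        elif action == "remove":
            # Clear +S +H +R first so the deletion below is not refused.
            subprocess.run(["attrib", "-s", "-h", "-r", path])
            if os.path.isdir(path):
                subprocess.run(["attrib", "-s", "-h", "-r",
                                os.path.join(path, "*"), "/s", "/d"])
                shutil.rmtree(path)
            else:
                os.remove(path)


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--clean"]
    drive = args[0] if args else "D:\\"          # placeholder drive letter
    dry = "--clean" not in sys.argv
    # Subfolders get the same treatment; the worm plants decoys there too.
    for dirpath, dirnames, _ in os.walk(drive):
        execute(dirpath, plan(scan_dir(dirpath)), dry_run=dry)
        dirnames[:] = [d for d in dirnames if d.lower() not in WORM_ROOT_NAMES]
```

Run it as python triage.py E:\ to print the plan, and add --clean to apply it. Run it from a PC that is already clean, not from the drive, and do not execute anything stored on the drive itself. The built-in files mentioned in the note above are left alone because they match neither a sibling folder name nor the dropper list.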


happy cracking
cheers
neo



1 comment:

Mano said...

Thanks dude... I just cleaned one of my friend's PCs... which was infected with this variant...