Virus replicating itself and directories

Doctor Evil

Hi all,

I posted about the W32/NetskyP@mm virus last week and got some good
suggestions. I was able to contain the virus, but I am finding that as I
hit certain directories there is a trigger file that causes the creation of
more directories using the POSIX subsystem, and then once the directories
are created, it populates them with more virus files.

Using the procedures of doing a dir /x to ID the 8.3 names of each
directory is fine if the tree is not as deep as some of these directories.
But at a certain point, the system just does not progress past a certain
level of directory, which is kind of weird.

Does anyone know of a tool, or a "file manager" interface that actually
displays the real 8.3 directory name and would allow me to kill off the
directory and all the files?

Also, I think the only way to stop this from spawning any more files and
directories is to kill off the POSIX system. Has anyone done this before,
and been successful?

Thanks,

D.E.

--
"I felt evil surging through me, in every fiber of my being. Pure,
undiluted evil. I could taste it."

"How's evil taste?"

"A little chalky."
 
me

First, you can use File Manager from NT 4 and that will show both the 8.3 and
long names.

Second, there is a utility in the NT Resource Kit that has the option to
remove the POSIX subsystem. I have not tried it on 2000 and, of course, not
knowing your environment, I'm not sure what implications you might have by
removing it, so if you want to play with it, do it at your own risk.
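
As an added example that is not part of this thread: a PowerShell script that does on the command line what the reply's NT 4 File Manager does in a window. It lists every directory under a root with its real 8.3 name (via the Win32 GetShortPathNameW call, the same name source dir /x uses), uses the \\?\ extended-path prefix so cmd's dir and rd can reach the levels where a plain dir /x stalls, reports whether the POSIX subsystem is still registered as an optional subsystem, and deletes the tree only when the -Remove switch is given. It assumes a current Windows host with PowerShell (the Windows 2000 box in the thread predates PowerShell, but the Win32 call and the cmd commands are the same); the Root parameter, the -Remove switch and the Optional registry value check are this example's own, not anything the thread names.

```powershell
# Added example, not code from the thread. Lists every directory under $Root with
# its real 8.3 short name and, only when -Remove is given, deletes the whole tree.
# Assumptions: a Windows host with PowerShell (the thread's Windows 2000 machine
# predates PowerShell, but the Win32 call and the cmd commands are the same).
param(
    [Parameter(Mandatory = $true)][string]$Root,
    [switch]$Remove
)

# GetShortPathNameW is the Win32 call behind what "dir /x" and NT 4 File Manager show.
Add-Type -Namespace Win32 -Name ShortName -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetShortPathNameW(
    string lpszLongPath, System.Text.StringBuilder lpszShortPath, uint cchBuffer);
'@

# The \\?\ prefix makes the file system calls skip path normalisation and the
# MAX_PATH limit, which is why cmd's dir and rd can reach levels that a plain
# "dir /x" stalls at.
function Get-ExtendedPath([string]$Path) {
    if ($Path.StartsWith('\\?\')) { return $Path }
    return '\\?\' + [System.IO.Path]::GetFullPath($Path)
}

function Get-ShortPath([string]$Path) {
    $buffer = New-Object System.Text.StringBuilder 32768
    $len = [Win32.ShortName]::GetShortPathNameW($Path, $buffer, [uint32]$buffer.Capacity)
    if ($len -eq 0) { return '<no short name>' }
    return $buffer.ToString()
}

$extRoot = Get-ExtendedPath $Root

# "dir /s /b /ad" prints one full path per subdirectory; sorted deepest first so
# the listing shows where the tree actually bottoms out.
$dirs = @(cmd /c "dir `"$extRoot`" /s /b /ad" 2>$null) | Sort-Object { $_.Length } -Descending

'{0,-60} {1}' -f 'LONG NAME', '8.3 NAME'
foreach ($d in $dirs) {
    '{0,-60} {1}' -f $d, (Get-ShortPath $d)
}
"$($dirs.Count) directories under $Root"

# Report only: is POSIX still registered as an optional subsystem? The reply's
# Resource Kit utility changes this setting; this script just reads it.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$subsys = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($subsys -and (@($subsys.Optional) -contains 'Posix')) {
    'POSIX subsystem is listed under Optional subsystems (still loadable).'
} else {
    'POSIX subsystem is not listed under Optional subsystems.'
}

if ($Remove) {
    # rd /s /q on the extended path removes the whole tree regardless of depth.
    cmd /c "rd /s /q `"$extRoot`""
    if ($LASTEXITCODE -ne 0) { Write-Warning "rd returned $LASTEXITCODE for $Root" }
    else { "Removed $Root" }
}
```

Run it first without -Remove to get the long/8.3 listing and the depth count; only once the listing shows the tree you expect, run it again with -Remove. The extended-path prefix is what makes the difference at the deep levels: the same rd /s /q without it stops where dir /x stopped.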
 
