
Trap for recursive virus

1 reply to this topic

#1 armitagep


  • Members
  • 2 posts
  • Local time:11:53 PM

Posted 14 November 2013 - 11:31 AM

Not been a good week. A bug got on one of the computers and it quietly ran for seven hours in the background code similar to the following (pseudo code):


For all drives that can be accessed by this computer (local and network mapped)

  For all folders, find files with the extensions (PDF, DOC, DOCX, XLS, XLSX, PPT, PPTX, WPD)

    For each file found

       - record name, created date, file size

       - if OS permits it, open file for modification

       - rewrite contents of file with random data up to previously recorded file size

       - close file

       - reset file date to recorded created date


In our case the result was two workstations that I had to format and re-install, losing all locally stored "work files" (they shouldn't have been stored there anyways...), and roughly 40,000 files located on a network share that were trashed and had to be restored from backup tapes.


Now, the workstations and servers have AV software, a variety of them, but as the bug wasn't actually writing "viruses" to the network share, nothing was ever spotted. It's as if the AV software thought, "Hey, just some guy modifying tens of thousands of files recursively, no need to be concerned".


My question to the forum is as follows:


Does anyone know of an AV application which, running on a Windows workstation or a backend NAS server, would flag an alert that a user was making numerous changes to files, even if those changes were not writing "viral" data? Or maybe, would maintain at the root of all drives a folder containing a series of files (such as listed above) and any attempt to modify any of those files would flag an alert?


This is the second time in three months that I've had to restore several terabytes of data (how are you going to go through a backup selection list and specify 40,000 files to recover; just recover everything that was stored in the network share) and I'm just looking for a way to prevent it from happening again.


I look forward to your response.
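
The trap-folder idea from the question above, as an added example that is not part of the original post: decoy files with the listed extensions are planted and fingerprinted by SHA-256, because the behaviour described keeps file size and dates intact, so only a content hash reveals the overwrite. The decoy names, the folder name and the use of modification time as the recorded date are assumptions.

```python
import hashlib, os, tempfile
from pathlib import Path

# Extensions taken from the post; decoy names and folder layout are assumptions.
DECOY_EXTS = ["pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "wpd"]

def fingerprint(path):
    """Content hash plus the metadata the post says was preserved."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mtime_ns": st.st_mtime_ns}

def plant_canaries(folder):
    """Create one decoy per extension and return the baseline manifest."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for ext in DECOY_EXTS:
        decoy = folder / f"aaa_decoy.{ext}"
        decoy.write_bytes(f"canary {ext}\n".encode() * 64)
        baseline[str(decoy)] = fingerprint(decoy)
    return baseline

def check_canaries(baseline):
    """Return (path, reason) for every decoy that is missing or altered."""
    alerts = []
    for name, old in baseline.items():
        path = Path(name)
        if not path.exists():
            alerts.append((name, "missing"))
            continue
        new = fingerprint(path)
        if new["sha256"] != old["sha256"]:
            same_meta = (new["size"], new["mtime_ns"]) == (old["size"], old["mtime_ns"])
            alerts.append((name, "content changed, size and date intact"
                           if same_meta else "content changed"))
    return alerts

def demo():
    """Constructed scenario: one decoy overwritten in place, date restored."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_canaries(Path(tmp) / "!canary")
        clean = check_canaries(baseline)
        victim = next(iter(baseline))
        old = baseline[victim]
        Path(victim).write_bytes(b"\x00" * old["size"])  # same length, new content
        os.utime(victim, ns=(old["mtime_ns"], old["mtime_ns"]))
        return clean, check_canaries(baseline)

if __name__ == "__main__":
    print(demo())
```

A scheduled run of `check_canaries` only detects the overwrite after the first decoy has been hit; it does not stop the process doing the writing.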




#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,090 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:53 PM

Posted 14 November 2013 - 07:12 PM

You may want to check out Emsisoft Anti-Malware for server which probably would do a better job at detecting something malicious before it can cause any damage. EAM does a pretty good job of stopping the CryptoLocker Ransomware.

They have other solutions too, see Emsisoft Business Products.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
