
File checker script


9 replies to this topic

#1 sauceboss

sauceboss

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:13 AM

Posted 19 November 2013 - 10:55 AM

First off, after looking around I am wondering if this is possible: is there a way to check a file for errors in a batch file, such as .pdf or .docx? I'm asking because I have recently been hit by CryptoLocker, and I need to check and see what files have been affected quickly. I have already fleshed out a basic batch file that will run the program as an administrator and go to the desired dir. I'm thinking if I need something more powerful I will use Python to do the actual scanning and output if needed. I just kinda need some guidance on what to look for or how to actually check to see if the files are good. Any suggestions would be great!


Edited by sauceboss, 19 November 2013 - 10:58 AM.




#2 SpywareDoc

SpywareDoc

  • Members
  • 674 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maryland, USA
  • Local time:03:13 AM

Posted 19 November 2013 - 11:14 AM

CryptoLocker Scan Tool

 

?



#3 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:13 AM

Posted 19 November 2013 - 11:52 AM

Are you trying to determine what files may have changed? Do you have a snapshot of your system before the infection?



#4 sauceboss

sauceboss
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:13 AM

Posted 19 November 2013 - 01:00 PM

No, I do not have a snapshot of the system before the virus; that is part of the issue. The issue with the CryptoLocker scan tool is that it does not scan PDFs; that is why I was wondering if there is a way to check the file for encryption another way, such as a batch file, VBS script, or even Python. Is there a way to edit the source code for the CryptoLocker scan tool?



#5 sauceboss

sauceboss
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:13 AM

Posted 19 November 2013 - 01:01 PM

There is, however, a small change in size. I don't have enough "good" files to really compare with the bad.



#6 SpywareDoc

SpywareDoc

  • Members
  • 674 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maryland, USA
  • Local time:03:13 AM

Posted 19 November 2013 - 01:08 PM

How to find files that have been encrypted by CryptoLocker



#7 sauceboss

sauceboss
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:13 AM

Posted 19 November 2013 - 02:05 PM

I have also tried the PowerShell option as well and the reg key. The problem was that there was no reg key to try to scan with.



#8 SpywareDoc

SpywareDoc

  • Members
  • 674 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maryland, USA
  • Local time:03:13 AM

Posted 19 November 2013 - 02:16 PM

The first seven characters of PDF files are:

%PDF-1.



#9 sauceboss

sauceboss
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:13 AM

Posted 19 November 2013 - 02:23 PM

How would this help me to know the files are encrypted? Or how can you search that?



#10 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:13 AM

Posted 19 November 2013 - 03:41 PM

It won't tell you that the file is encrypted by the name; it just gives you an idea of what files fit the pattern.

 

A computer cannot tell 100% if a file is infected, or merely a format it doesn't know how to read. I assume that anti-malware engineers have been hard at work figuring out ways to determine if files were infected.
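
The header check from post #8, as an added example that is not part of the original thread or any poster's code: it walks a folder and flags .pdf files whose first bytes are not the `%PDF-` prefix. The .docx signature (the ZIP header `PK\x03\x04`) and the function names are assumptions added here.

```python
import os
import sys

# Expected leading bytes per extension. "%PDF-" covers the "%PDF-1." prefix
# quoted in the thread; the ZIP signature for .docx is an addition here.
SIGNATURES = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
}


def check_file(path):
    """Return 'ok', 'mismatch', 'empty' or 'unreadable'; None if the type is not checked."""
    ext = os.path.splitext(path)[1].lower()
    magic = SIGNATURES.get(ext)
    if magic is None:
        return None
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(magic))
    except OSError:
        return "unreadable"
    if not head:
        return "empty"
    return "ok" if head == magic else "mismatch"


def scan(root):
    """Walk root and return {path: status} for every checked file that is not 'ok'."""
    suspects = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            status = check_file(path)
            if status not in (None, "ok"):
                suspects[path] = status
    return suspects


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, status in sorted(scan(root).items()):
        print(f"{status:10} {path}")
```

A `mismatch` only says the file no longer starts the way its extension implies; as post #10 notes, that narrows the list of candidates rather than proving the file was encrypted.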





