Hi, Interesting issue.
One of the variants of sirefef/zeroaccess trojan while it infects several 3rd party exe files that usually run as services such as google updater service (just as an example) also in the same directory creates a totally blank file. No file name & no extension. File is completely blank. Having the AV repair infected exes is not an issue. Removing the main rootkit(s) is not an issue. Issue is mostly with 64 bit vista/windows7 Not usually an issue removing these blanks (on 32 bit OS) with the likes of GMER (an anti-rootkit tool) or if that is the only file in the directory (moved orig exe so nothing is in that directory besides the blank) & doing del *.* from cmd will wipe out the file. However if this file is there along with a bunch of others that cannot be moved out (even temporary) obviously I can't do del *.*. If it is in say the system32 directory (which is common) where tools like Gmer does not work because it is not compatible with the system (64 bit OS, critical server where one cannot chance a crash (gmer is not the most stable ARK tool on the planet) ) The ones that seem to be the biggest issue are the ones that are burried in some \assembly sub directories where permissions are different anyways. Cleaning up the rootkit & infected exes then trying to do a system retore (because at this point the infection is not blocking it) is at best sketchy. Either it works well or blanks cause issues and restore brings OS to worse condition than half fixed infection. How can one look for & delete totally blank file names without nuking everything else in said directory? Biggest issue seems to be 64 bit OSes. No specific file size. All are different. Leaving said blank files often cause issues with whatever program this blank is in. These blanks also often cause issues with updating said software or successful uninstall/re-install. Often system directories are affected. (system32, drivers, assembly, etc) To further complicate things permissions on said file are trashed so nothing has enough access to it to remove. Cannot do it in explorer because windows cannot read the files. (I assume blank file names are illegal in windows) You can see them in explorer but cannot do anything from there. This blank is usually a copy of whatever exe that was infected. Because of the above... Most AV scanners when it hits this blank it is either haulted & can't scan any deeper so just hangs or passes the directory entirely without scanning contents. (so one cannot scan (or even properly monitor) the entire system until this file is cleared out) If you have a dozen of these files including a few in large system directories -- you can see how this can be a security issue. So to make a long story short (er)..... 1. I need to be able to search entire drive for files with no file name/extension 2. I need to be able to adjust permissions on said files so I can delete them. (without messing with permissions on entire directory) 3. I need to delete said files without nuking the remaining contents of whatever directory these files live in. Google-Fu soes not seem to be working well. Ideas on a batch or script to perform the above? TIA! Tammy ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
