AFAIK, you can't have a file without a file name of some sort. What happens if you do a dir /b in the directory? What do you get if you use PowerShell to enumerate the directory? Are you sure that it's not creating an ADS? Try this to make sure: http://technet.microsoft.com/en-us/sysinternals/bb897440
Kurt

On Sat, Oct 29, 2011 at 12:47, Tammy <[email protected]> wrote:
> Hi,
>
> Interesting issue.
>
> One of the variants of sirefef/zeroaccess trojan while it infects several
> 3rd party exe files that usually run as services such as google updater
> service (just as an example) also in the same directory creates a totally
> blank file. No file name & no extension. File is completely blank.
> Having the AV repair infected exes is not an issue.
> Removing the main rootkit(s) is not an issue.
> Issue is mostly with 64 bit vista/windows7
>
> Not usually an issue removing these blanks (on 32 bit OS) with the likes of
> GMER (an anti-rootkit tool) or if that is the only file in the directory
> (moved orig exe so nothing is in that directory besides the blank) & doing
> del *.* from cmd will wipe out the file.
>
> However if this file is there along with a bunch of others that cannot be
> moved out (even temporarily) obviously I can't do del *.*.
> If it is in say the system32 directory (which is common) where tools like
> Gmer does not work because it is not compatible with the system (64 bit OS,
> critical server where one cannot chance a crash (gmer is not the most stable
> ARK tool on the planet) )
> The ones that seem to be the biggest issue are the ones that are buried in
> some \assembly sub directories where permissions are different anyways.
>
> Cleaning up the rootkit & infected exes then trying to do a system restore
> (because at this point the infection is not blocking it) is at best sketchy.
> Either it works well or blanks cause issues and restore brings OS to worse
> condition than half fixed infection.
>
> How can one look for & delete totally blank file names without nuking
> everything else in said directory?
> Biggest issue seems to be 64 bit OSes.
> No specific file size. All are different.
> Leaving said blank files often causes issues with whatever program this
> blank is in.
> These blanks also often cause issues with updating said software or
> successful uninstall/re-install.
> Often system directories are affected. (system32, drivers, assembly, etc)
>
> To further complicate things permissions on said file are trashed so
> nothing has enough access to it to remove.
> Cannot do it in explorer because windows cannot read the files. (I assume
> blank file names are illegal in windows)
> You can see them in explorer but cannot do anything from there.
> This blank is usually a copy of whatever exe that was infected.
>
> Because of the above...
> Most AV scanners, when they hit this blank, are either halted & can't scan
> any deeper so just hang, or pass the directory entirely without scanning
> contents. (so one cannot scan (or even properly monitor) the entire system
> until this file is cleared out)
> If you have a dozen of these files including a few in large system
> directories -- you can see how this can be a security issue.
>
> So to make a long story short (er).....
> 1. I need to be able to search entire drive for files with no file
> name/extension
>
> 2. I need to be able to adjust permissions on said files so I can delete
> them. (without messing with permissions on entire directory)
>
> 3. I need to delete said files without nuking the remaining contents of
> whatever directory these files live in.
>
> Google-Fu does not seem to be working well.
> Ideas on a batch or script to perform the above?
>
> TIA!
>
> Tammy
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
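A PowerShell triage script for Tammy's three steps and Kurt's ADS check, added here as an example and not something posted in the thread. It assumes Windows PowerShell 3.0 or later (for Get-Item -Stream and the simplified Where-Object syntax), an elevated shell, and that takeown.exe and icacls.exe accept \\?\ paths on the affected build, which should be confirmed on a throwaway file first.

```powershell
function Find-BlankNamedEntry {
    # Added example, not from the thread. Assumes PowerShell 3.0+ and an elevated shell.
    param([Parameter(Mandatory)][string]$Root)
    # Win32 rejects names that are empty or end in a space/dot, so an entry whose name
    # is only whitespace/dots/control chars shows as "blank" in Explorer (NTFS has a real name).
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $n = $_.Name
            ($n.Trim(' ', '.') -eq '') -or ($n -match '[\x00-\x1F\x7F]')
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                # Raw code points make the "blank" name visible and reportable
                Codes  = ($_.Name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
                Length = $_.Length
            }
        }
}

function Get-NonDefaultStream {
    # Kurt's ADS check without streams.exe: list named streams on a directory
    # and on everything directly inside it (a "blank" entry may be an ADS).
    param([Parameter(Mandatory)][string]$Directory)
    @(Get-Item -LiteralPath $Directory) + @(Get-ChildItem -LiteralPath $Directory -Force) |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object Stream -ne ':$DATA' |
                Select-Object FileName, Stream, Length
        }
}

function Remove-BlankNamedEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    # The \\?\ prefix bypasses Win32 name normalization, which is what lets cmd.exe
    # address a name Explorer refuses. Ownership and ACL are changed on the file only,
    # never on its directory. ASSUMPTION: takeown/icacls accept \\?\ paths on this build.
    $raw = '\\?\' + $Path
    if ($PSCmdlet.ShouldProcess($Path, 'take ownership, grant Full Control, delete')) {
        & takeown.exe /F $raw | Out-Null
        & icacls.exe $raw /grant "${env:USERNAME}:F" | Out-Null
        & cmd.exe /c del /F /A "$raw"
    }
}

# Usage (constructed paths; substitute the affected directory). Drop -WhatIf to act.
# Find-BlankNamedEntry -Root 'C:\Windows\System32' | Format-Table -AutoSize
# Get-NonDefaultStream -Directory 'C:\Windows\System32'
# Find-BlankNamedEntry -Root 'C:\Windows\System32' | % { Remove-BlankNamedEntry -Path $_.Path -WhatIf }
```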
