Oh that's smart. Although on modern OS's you may find that disabled.
Again, using Cygwin, you could
Echo >" "
But that fails using cmd.exe.
Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
From: Tammy Stewart [mailto:[email protected]]
Sent: Saturday, October 29, 2011 5:06 PM
To: NT System Admin Issues
Subject: RE: Renaming blank files from cmd line
Hmmm use short name?
http://www.techiwarehouse.com/engine/8bc34522/Removing-No-Name-Files-&-Folders
Would love to know how to create a complete blank file to test the above.
Thanks,
Tammy
________________________________
From: Tammy Stewart
[mailto:[email protected]]<mailto:[mailto:[email protected]]>
Sent: Saturday, October 29, 2011 4:52 PM
To: NT System Admin Issues
Subject: RE: Renaming blank files from cmd line
This is a screenshot of what they look like:
http://s257.photobucket.com/albums/hh239/blendersww/?action=view¤t=blanks.jpg
In the pic - the renamed exe (exe_) is the infected file. The proper exe is the
cleaned exe & the blank is a copy of the exe. (but often infected)
Thanks,
Tammy
________________________________
From: Michael B. Smith
[mailto:[email protected]]<mailto:[mailto:[email protected]]>
Sent: Saturday, October 29, 2011 4:40 PM
To: NT System Admin Issues
Subject: RE: Renaming blank files from cmd line
Well, it's got a name. You just can't access it through the normal cmd.exe or
Windows utilities. And that name may be blanks.
NTFS provides full POSIX support including VLFNs and Unicode filenames. Windows
doesn't.
Loading cygwin1.dll along with ls.exe and find.exe and od.exe and rm.exe should
give what's necessary: the ability to look at every file, translate its name to
hex for identification, and then do arbitrary removals.
I'm pretty sure that Cygwin can be loaded on USB key these days.
Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
From: Kurt Buff
[mailto:[email protected]]<mailto:[mailto:[email protected]]>
Sent: Saturday, October 29, 2011 4:26 PM
To: NT System Admin Issues
Subject: Re: Renaming blank files from cmd line
AFAIK, you can't have a file without a file name of some sort. What happens if
you do a dir /b in the directory? What do you get if you use PowerShell to
enumerate the directory? Are you sure that it's not creating an ADS? Try this
to make sure: http://technet.microsoft.com/en-us/sysinternals/bb897440
Kurt
On Sat, Oct 29, 2011 at 12:47, Tammy
<[email protected]<mailto:[email protected]>> wrote:
Hi,
Interesting issue.
One of the variants of sirefef/zeroaccess trojan while it infects several 3rd
party exe files that usually run as services such as google updater service
(just as an example) also in the same directory creates a totally blank file.
No file name & no extension. File is completely blank.
Having the AV repair infected exes is not an issue.
Removing the main rootkit(s) is not an issue.
Issue is mostly with 64 bit vista/windows7
Not usually an issue removing these blanks (on 32 bit OS) with the likes of
GMER (an anti-rootkit tool) or if that is the only file in the directory (moved
orig exe so nothing is in that directory besides the blank) & doing del *.*
from cmd will wipe out the file.
However if this file is there along with a bunch of others that cannot be moved
out (even temporary) obviously I can't do del *.*.
If it is in say the system32 directory (which is common) where tools like Gmer
does not work because it is not compatible with the system (64 bit OS, critical
server where one cannot chance a crash (gmer is not the most stable ARK tool on
the planet) )
The ones that seem to be the biggest issue are the ones that are burried in
some \assembly sub directories where permissions are different anyways.
Cleaning up the rootkit & infected exes then trying to do a system retore
(because at this point the infection is not blocking it) is at best sketchy.
Either it works well or blanks cause issues and restore brings OS to worse
condition than half fixed infection.
How can one look for & delete totally blank file names without nuking
everything else in said directory?
Biggest issue seems to be 64 bit OSes.
No specific file size. All are different.
Leaving said blank files often cause issues with whatever program this blank is
in.
These blanks also often cause issues with updating said software or successful
uninstall/re-install.
Often system directories are affected. (system32, drivers, assembly, etc)
To further complicate things permissions on said file are trashed so nothing
has enough access to it to remove.
Cannot do it in explorer because windows cannot read the files. (I assume blank
file names are illegal in windows)
You can see them in explorer but cannot do anything from there.
This blank is usually a copy of whatever exe that was infected.
Because of the above...
Most AV scanners when it hits this blank it is either haulted & can't scan any
deeper so just hangs or passes the directory entirely without scanning
contents. (so one cannot scan (or even properly monitor) the entire system
until this file is cleared out)
If you have a dozen of these files including a few in large system directories
-- you can see how this can be a security issue.
So to make a long story short (er).....
1. I need to be able to search entire drive for files with no file
name/extension
2. I need to be able to adjust permissions on said files so I can delete them.
(without messing with permissions on entire directory)
3. I need to delete said files without nuking the remaining contents of
whatever directory these files live in.
Google-Fu soes not seem to be working well.
Ideas on a batch or script to perform the above?
TIA!
Tammy
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
