TOPIC: Script/Exploit Virus Coping Partitions?

Script/Exploit Virus Coping Partitions? 7 years 1 week ago #32870

  • glacier
  • Frequent Member
  • Posts: 28
  • Karma: 0
I am wondering if anyone has come across a similar situation. I am working on 2 separate computers connected to the same network (a home network). Both have had a "script/exploit virus" discovered by AVG and moved to the virus vault. They were in the Temporary Internet Files folder. The strange thing is that they (the script/exploit virus) are in partitions that were created unknowingly. Both PCs are running XP Pro, with RAID configurations. What has happened is that somehow the partitions have been copied and 2 new drives have been created. One PC shows that the RAID configuration has been tampered with and now shows each of the RAID drives as a single entity. The other PC seems to show the RAID configuration as operational but has had a copy of each partition created. I have done a lot of searching for info on this phenomenon and have found nothing, which I find strange in this day and age.

Any insight would be appreciated.

Thanks,
Glacier

if i understand.... 7 years 1 week ago #32874

  • talk2sp
  • Expert Member
  • Posts: 528
  • Thank you received: 1
  • Karma: 1
Hey Glacier, if I understand the plot of your story well, I will summarize by saying you have some virus scripts on your system ~ viruses, right? Correct me if I am wrong. Well, first things first. Download Spybot Search and Destroy, then install it, update it and scan your system; let's see what happens...?

Cheers

C0dE - 3
I AM MADE TO SHINE... BORN TO BE GREAT
Take Responsibility! Don't let failures define you

Re: Script/Exploit Virus Coping Partitions? 7 years 1 week ago #32880

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
I'm definitely not the expert in RAID, but I'll take a shot.

It sounds like the RAID configuration has been tampered with, at least in the PC where you have two drives that look like they're copies of each other. RAID (in certain configurations) can mirror/copy drives while keeping them looking like one logical drive.

If I'm correct, the straightforward but lengthy way would be to format/rebuild your RAID again. But check the RAID software that you're running first; there might be some fixing/rebuilding tools for recovery.

And here is a RAID recovery software by the way: www.runtime.org/raid.htm
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: if i understand.... 7 years 1 week ago #32881

  • glacier
  • Frequent Member
  • Posts: 28
  • Karma: 0
Talk2sp,
I had already done all of the scans you spoke of and even a few more. I ran a "HijackThis" scan and didn't see anything that put up a red flag. I believe AVG has isolated it, but I am trying to find out the damage done and if I can fix it. One thing I found was that the administrator's rights had been altered; easy fix. The issue with the partitions showing up out of nowhere has me stumped.

S0lo,
Rebuilding the RAID might be an issue because there have been 2 partitions created out of nowhere. The PCs originally had a "C" drive and an "S" drive: 2 hard drives in a "mirroring" RAID 1 configuration, with 2 partitions (C & S). Now each PC shows 4 drives: "C", "F", "S", & "Z".
The "F" drive is the same size as the "C" was, and the "Z" is the same size as the "S". One of the PCs is showing a RAID config error on startup. Going into the RAID config, it is just showing 2 separate RAID configs with one hard drive each. It was set up as one RAID 1 config with 2 drives (mirroring).

I can save the data and rebuild without an issue. I would just like to know: 1] if anyone has seen a similar issue with a script/exploit virus, 2] what damage this infection has caused, 3] why the drive/partition manipulation. I know that's a lot to ask, but that's why I'm asking you guys; you always seem to amaze me with your knowledge!!

Thanks,
Glacier

RE: Knowledge Test 7 years 6 days ago #32892

  • talk2sp
  • Expert Member
  • Posts: 528
  • Thank you received: 1
  • Karma: 1
Glacier said:
> I can save the data and rebuild without an issue. I would just like to know: 1] if anyone has seen a similar issue with a script/exploit virus, 2] what damage this infection has caused, 3] why the drive/partition manipulation. I know that's a lot to ask, but that's why I'm asking you guys; you always seem to amaze me with your knowledge!!

1] Glacier, I have encountered a situation where Admin accounts have been compromised / exploited by some virus script or sort.

2] The damage it caused was that it let the user log on and immediately logged the user off. It multiplied folders and made the 2nd copy a .exe with a size of, em, 47kb I think.

3] Well, you know the thing about viruses: they could just do anything, including tearing a large corporate network apart. Each virus with its task and mission. lol.

In addition, have you tried booting this machine into safe mode? And, em, Glacier, I hope you have done a backup first and foremost so you don't run into a fix. Back up and let's continue the experiment (that's if you have not done so).


Cheers

Re: Script/Exploit Virus Coping Partitions? 7 years 6 days ago #32899

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
I agree with talk2sp that viruses can really do wild stuff.

Still, from what I've seen, I have never come across one that would alter RAID configs. But sure, there might be. So I'd like to ask: did the RAID problems occur immediately after the infection? Immediately after removal? Or....?

The only thing that I once encountered was a corrupted RAID because of some hardware problem with one of the hard drives (bad clusters, I think it was). Not from a virus.