Script/Exploit Virus Coping Partitions?

14 years 4 months ago #32870 by glacier
I am wondering if anyone has come across a similar situation. I am working on 2 separate computers connected to the same network (a home network). Both have had a "script/exploit virus" discovered by AVG and moved to the virus vault. They were in the Temporary Internet Files folder. The strange thing is that they (the script/exploit virus) are in partitions that were created unknowingly. Both PCs are running XP Pro, with RAID configurations. What has happened is that somehow the partitions have been copied and 2 new drives have been created. One PC shows that the RAID configuration has been tampered with and now shows each of the RAID drives as single entities. The other PC seems to show the RAID configuration as operational but has had a copy of each partition created. I have done a lot of searching for info on this phenomenon and have found nothing, which I find strange in this day and age.

Any insight would be appreciated.

Thanks,
Glacier
14 years 4 months ago #32874 by talk2sp
Replied by talk2sp on topic if i understand....
Hey Glacier, if I understand the plot of your story well, I will summarize by saying you have some virus scripts on your system ~ viruses, right? Correct me if I am wrong. Well, first things first. Download Spybot Search and Destroy, then install it, update it and scan your system. Let's see what happens...?

Cheers



C0DE - 3

BORN TO BE GREAT

c0de - 3
..........................................................
Take Responsibility! Don't let failures define you
14 years 4 months ago #32880 by S0lo
I'm definitely not the expert in RAID, but I'll take a shot.

It sounds like the RAID configuration has been tampered with. At least in that PC where you have two drives that look like they're copies of each other. RAID (in certain configurations) can mirror/copy drives while keeping them looking like one logical drive.

If I'm correct, the straightforward but lengthy way would be to format/rebuild your RAID again. But check the RAID software that you're running first; there might be some fixing/rebuilding tools for recovery.

And here is a RAID recovery software by the way: www.runtime.org/raid.htm

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
14 years 4 months ago #32881 by glacier
Replied by glacier on topic Re: if i understand....
Talk2sp,
I had already done all of the scans you spoke of and even a few more. I ran a "HijackThis" scan and didn't see anything that put up a red flag. I believe AVG has isolated it, but I am trying to find out the damage done and if I can fix it. One thing I found was that the administrator rights had been altered, an easy fix. The issue with the partitions showing up out of nowhere has me stumped.

S0lo,
Rebuilding the RAID might be an issue because there have been 2 partitions created out of nowhere. The PCs originally had a "C" drive and an "S" drive: 2 hard drives in a "mirroring" RAID 1 configuration, with 2 partitions (C & S). Now each PC shows 4 drives, "C", "F", "S", & "Z".
The "F" drive is the same size as the "C" was, and the "Z" is the same size as the "S". One of the PCs is showing a RAID config error on startup. Going into the RAID config, it is just showing 2 separate RAID configs with one hard drive each. It was set up as one RAID 1 config with 2 drives (mirroring).

I can save the data and rebuild without an issue. I would just like to know: 1] if anyone has seen a similar issue with a script/exploit virus, 2] what damage this infection has caused, 3] why the drive/partition manipulation. I know that's a lot to ask, but that's why I'm asking you guys; you always seem to amaze me with your knowledge!!

Thanks,
Glacier
14 years 4 months ago #32892 by talk2sp
Replied by talk2sp on topic RE: Knowledge Test
Glacier said:

I can save the data and rebuild without an issue. I would just like to know: 1] if anyone has seen a similar issue with a script/exploit virus, 2] what damage this infection has caused, 3] why the drive/partition manipulation. I know that's a lot to ask, but that's why I'm asking you guys; you always seem to amaze me with your knowledge!!


1] Glacier, I have encountered a situation where admin accounts have been compromised / exploited by some virus script or sort.

2] The damage it caused was that it let the user log on and immediately logged the user off. It multiplied folders and made the 2nd copy a .exe with a size of, em, 47 KB I think.

3] Well, you know the thing about viruses: they could just do anything, including tearing a large corporate network apart. Each virus with its task and mission. lol.

In addition, have you tried booting this machine into safe mode? And, em, Glacier, I hope you have done a backup first and foremost so you don't run into a fix. Back up and let's continue the experiment (that's if you have not done so).


Cheers

14 years 4 months ago #32899 by S0lo
I agree with talk2sp that viruses can really do wild stuff.

Still, from what I've seen, I've never come across one that would alter RAID configs. But sure, there might be. So I'd like to ask, did the RAID problems occur immediately after the infection? Immediately after removal? Or....?

The only thing that I once encountered was a corrupted RAID because of some hardware problem with one of the hard drives (bad clusters, I think it was). Not from a virus.