BLU Discuss list archive
[Discuss] virus?
- Subject: [Discuss] virus?
- From: greg at freephile.com (Greg Rundlett (freephile))
- Date: Mon, 27 Oct 2014 18:42:46 -0400
- In-reply-to: <544EC564.3050307@stephenadler.com>
- References: <544EC564.3050307@stephenadler.com>
On Mon, Oct 27, 2014 at 6:21 PM, Stephen Adler <adler at stephenadler.com> wrote:
>
> Guys,
>
> I'm not sure if this is the right forum to post this question, but here goes.
>
> I have a linux server box in my lab which I'm using to run a samba service and serve up some disk space to some laboratory equipment which have computer consoles operating them running windows. As it turns out, on one of the equipment, I mounted the samba served network folder and lo and behold Autorun.inf and a rundll.exe file suddenly appeared in the top level directory of the mounted network folder. I proceeded to delete the files on the linux side (on my linux server) and within seconds the two files reappeared.
>
> The content of the Autorun.inf basically causes rundll.exe to execute.
>

(The condensed version) An autorun.inf file is a text file that can be used by the AutoRun and AutoPlay components of Microsoft Windows operating systems. For the file to be discovered and used by these components, it must be located in the root directory of a volume. More at http://en.wikipedia.org/wiki/Autorun.inf

As the name implies, autorun.inf will cause something to happen when a device contains that file at its root and the device is inserted (e.g. a CD-ROM).

Since it's a text file, you should be able to just read it with the editor of your choice to at least figure out what it wants to do. It sounds like you've already gotten this far.

So let's assume it's a virus, and it is invoking its companion rundll.exe. A file by the same name (\Windows\System32\rundll32.exe) is the heart and soul of Windows, and so the virus writer is trying to obscure the virus by making it look like a system file.

Your "virus" rundll.exe will be binary and will be harder to "look" at. I'd scan it with clamscan to figure out what kind of virus you're dealing with. That way you can find recommended ways of fixing it.

Greg Rundlett
http://eQuality-Tech.com
http://freephile.org