On Fri, 8 Nov 2002 at 13:18 -0600, Kevin.M-CTR.Shannonat_private wrote:

> This sounds like virus activity.

Doesn't to me, though it might be a Trojan Horse.

> Did you consider the possibility that a virus may have wiped the files
> and directories and then wrote over the blocks? As for the files on
> root, were they all common file extensions like .doc .xls? A virus
> may have been written to search for those files and secure wipe them.
> At least this would explain why the normal system files were still
> present.

Again, that would be a Trojan: no replication in sight here.

> If the file system was FAT/FAT32, you can check out ECFS (Enforcement of
> Critical File Systems) by Winternals (www.winternals.com). This is a nice
> utility for hashing the files sector by sector based on MD5, 128 bit or
> other hashes. At least this could tell you if the windows folder is still
> present in the blocks.

[Thanks for that; wasn't aware of it. If others look, though, it's listed as "ECSF".]

> I do have a question though; you stated that "4,096 Bytes in Bad Sectors."
> Shouldn't those bad sectors appear when you list out all of the files based
> on their hash?

Bad sectors aren't in files. They're marked as bad in the FAT at format time.

> Can a virus mark sectors as bad? Anyone?

Sure. As a matter of fact, the very first PC virus did exactly this, 16+ years ago.

-BPB

University of Michigan AntiVirus Team Leader
University of Michigan Data Recovery Team Leader
PGP 2.6.2 key fingerprint: 0D A5 98 3C 91 DA E0 DD 9C 6D FA 8F 4D 34 95 ED
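The point above that bad sectors are recorded in the FAT rather than inside any file can be checked directly on an image; the following is an added example, not part of the original message, that lists the clusters flagged bad in a FAT16 table and confirms none of them sits in a file's cluster chain. The table bytes, start clusters and 4096-byte cluster size are constructed sample values, and FAT16 (bad-cluster marker 0xFFF7) is an assumption about the volume type.

```python
import struct

BAD_CLUSTER = 0xFFF7      # FAT16 marker for a bad cluster
END_OF_CHAIN = 0xFFF8     # values >= this terminate a file's chain

def parse_fat16(raw):
    """Decode a raw FAT16 table into a list of 16-bit entries."""
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))

def bad_clusters(fat):
    """Cluster numbers flagged bad (entries 0 and 1 are reserved)."""
    return [n for n, v in enumerate(fat) if n >= 2 and v == BAD_CLUSTER]

def chain(fat, start):
    """Follow a file's cluster chain from its directory start cluster."""
    seen = []
    cur = start
    while 2 <= cur < len(fat) and cur not in seen:
        seen.append(cur)
        nxt = fat[cur]
        if nxt >= END_OF_CHAIN or nxt == BAD_CLUSTER:
            break
        cur = nxt
    return seen

def report(fat, starts, cluster_size):
    """Summarise bad clusters and whether any file chain reaches them."""
    bad = bad_clusters(fat)
    in_files = {c for s in starts for c in chain(fat, s)}
    return {
        "bad": bad,
        "bad_bytes": len(bad) * cluster_size,
        "bad_in_files": sorted(set(bad) & in_files),
    }

# Constructed sample: 8-entry FAT, 4096-byte clusters (assumed geometry).
# Clusters 2->3->4 form one file, 6 is a one-cluster file, 5 is marked bad.
SAMPLE_FAT = struct.pack("<8H", 0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0xFFF7, 0xFFFF, 0)
SAMPLE_STARTS = [2, 6]    # start clusters as a directory listing would give them

if __name__ == "__main__":
    print(report(parse_fat16(SAMPLE_FAT), SAMPLE_STARTS, 4096))
```

Because the flagged clusters never show up in a per-file hash listing, an examiner has to read them from the image by cluster number to see what they actually hold.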