davis@udel.EDU (Michael Davis) (03/28/89)
Has anyone ran across a "virus" that consists of a hidden dir called INDEX that has subdirectories named DELETED containing still, files call DELETED.xxx where xxx are hex numbers? When the files are deleted, a new DELETED subdir is created with more files!!! It's happening on my prof's machine at home in his directory filled with NCSA TELNET distributions and such. They were obtained using FTP Software mgets, but I don't know from where. Thanks for any info or help mike
vlruo02@dutrun.UUCP (Ge van Geldorp) (03/29/89)
In article <11758@louie.udel.EDU> davis@udel.EDU (Michael Davis) writes: >Has anyone ran across a "virus" that consists of a hidden dir called INDEX >that has subdirectories named DELETED containing still, files call >DELETED.xxx where xxx are hex numbers? When the files are deleted, >a new DELETED subdir is created with more files!!! It's happening on >my prof's machine at home Sounds like your prof is using the Microsoft Editor (M.EXE). In the default configuration, this editor will save backup copies of the files edited in a hidden subdirectory named DELETED. The INDEX you mention is not a subdirectory but a file in the hidden subdirectory DELETED. If you want to get rid of the files in the DELETED subdirectory use the EXP.EXE program which comes with the Microsoft Editor. Ge van Geldorp. (...uunet!mcvax!hp4nl!dutrun!vlruo02)
len@rufus. (Len Evens) (03/29/89)
|In article <676@dutrun.UUCP> vlruo02@dutrun.UUCP (G.v.Geldorp) writes: |>In article <11758@louie.udel.EDU> davis@udel.EDU (Michael Davis) writes: |>>Has anyone ran across a "virus" that consists of a hidden dir called INDEX |> |>Sounds like your prof is using the Microsoft Editor (M.EXE). In the |>default configuration, this editor will save backup copies of the files |>edited in a hidden subdirectory named DELETED. The INDEX you mention is |>not a subdirectory but a file in the hidden subdirectory DELETED. |>If you want to get rid of the files in the DELETED subdirectory use the |>EXP.EXE program which comes with the Microsoft Editor. |> |>Ge van Geldorp. I also managed to produce the same collection of hidden directories and files as an indirect result of installing the Microsoft C compiler. I forget exactly what I did, but somehow a program called rm.exe got on my disk. This program saved deleted files by moving them to a hidden directory from which they could be recovered. I was using a memory resident shell in which I had defined some common unix equivalents for DOS commands including `rm' for `del', but the new rm.exe took precedence and I started filling up my disk with copies of files I thought I had deleted. Leonard Evens len@math.nwu.edu Department of Mathematics Northwestern University Evanston, IL 60208 312-491-5537
wjc@sppy00.UUCP (William J. Curry) (03/30/89)
In article <676@dutrun.UUCP> vlruo02@dutrun.UUCP (G.v.Geldorp) writes: >In article <11758@louie.udel.EDU> davis@udel.EDU (Michael Davis) writes: >>Has anyone ran across a "virus" that consists of a hidden dir called INDEX >>that has subdirectories named DELETED containing still, files call >>DELETED.xxx where xxx are hex numbers? ... > >Sounds like your prof is using the Microsoft Editor (M.EXE). ... >... this editor will save backup copies of the files edited in a hidden >subdirectory named DELETED. The INDEX you mention is not a subdirectory >but a file in the hidden subdirectory DELETED. >If you want to get rid of the files in the DELETED subdirectory use the >EXP.EXE program which comes with the Microsoft Editor. >... In addition, the Microsoft editor comes with a program RM.EXE which, if mistakenly used instead of the MKS RM.EXE (or others), will also create a hidden directory called DELETED with these files. In addition, I seem to recall that the Watcom C Compiler does something similar to this. I do not use the Watcom compiler, though, so I am not sure on this. Maybe someone who uses the Watcom compiler could respond on this issue. Hope it helps! -Bill -- William Curry UUCP:wjc@sppy00.UUCP, or {seismo|cbosgd}!osu-cis!sppy00!wjc bitnet: wjc@oclcrsun OCLC = Online Computer Library Center "Services for Libraries" Snail: 6565 Frantz Road Dublin, Ohio 43017-0702 614-761-5031
jcmorris@mbunix.mitre.org (Joseph C. Morris) (03/31/89)
In article <11758@louie.udel.EDU> davis@udel.EDU (Michael Davis) writes: >Has anyone ran across a "virus" that consists of a hidden dir called INDEX >that has subdirectories named DELETED containing still, files call >DELETED.xxx where xxx are hex numbers? Are you sure that the machine doesn't have one of these TSR's which protects you from accidentally deleting a file? What they do is to save the "deleted" file for _n_ days, usually in a hidden directory. If you accidentally delete a file, it can recover it by un-renaming the original file. Check the AUTOEXEC.BAT and maybe CONFIG.SYS for an invocation of some such program. Good luck.
garyc@dbase.UUCP (Gary Carter) (04/09/89)
In article <47106@linus.UUCP> jcmorris@mbunix (Morris) writes: >In article <11758@louie.udel.EDU> davis@udel.EDU (Michael Davis) writes: >>Has anyone ran across a "virus" that consists of a hidden dir called INDEX >>that has subdirectories named DELETED containing still, files call >>DELETED.xxx where xxx are hex numbers? The Microsoft Editor supplied with their C compiler and assembler products (runs on both DOS and OS/2) creates a hidden DELETED directory with INDEX and DELETED.xxx in it which are backups of edited files. These can be listed and recovered using the undel.exe program that comes with it.