Wonder if you can create a blank-looking file using something like the non-breaking space instead of a normal space (I think it is Alt-0160 or something similar)
Sent from my SR-71 Blackbird -----Original Message----- From: Tammy Stewart <copper...@personainternet.com> Date: Sat, 29 Oct 2011 17:05:55 To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com> Reply-To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>Subject: RE: Renaming blank files from cmd line Hmmm use short name? http://www.techiwarehouse.com/engine/8bc34522/Removing-No-Name-Files- <http://www.techiwarehouse.com/engine/8bc34522/Removing-No-Name-Files-&-Fold ers> &-Folders Would love to know how to create a complete blank file to test the above. Thanks, Tammy _____ From: Tammy Stewart [mailto:copper...@personainternet.com] Sent: Saturday, October 29, 2011 4:52 PM To: NT System Admin Issues Subject: RE: Renaming blank files from cmd line This is a screenshot of what they look like: http://s257.photobucket.com/albums/hh239/blendersww/?action=view <http://s257.photobucket.com/albums/hh239/blendersww/?action=view¤t=bl anks.jpg> ¤t=blanks.jpg In the pic - the renamed exe (exe_) is the infected file. The proper exe is the cleaned exe & the blank is a copy of the exe. (but often infected) Thanks, Tammy _____ From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Saturday, October 29, 2011 4:40 PM To: NT System Admin Issues Subject: RE: Renaming blank files from cmd line Well, it's got a name. You just can't access it through the normal cmd.exe or Windows utilities. And that name may be blanks. NTFS provides full POSIX support including VLFNs and Unicode filenames. Windows doesn't. Loading cygwin1.dll along with ls.exe and find.exe and od.exe and rm.exe should give what's necessary: the ability to look at every file, translate its name to hex for identification, and then do arbitrary removals. I'm pretty sure that Cygwin can be loaded on USB key these days. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Saturday, October 29, 2011 4:26 PM To: NT System Admin Issues Subject: Re: Renaming blank files from cmd line AFAIK, you can't have a file without a file name of some sort. What happens if you do a dir /b in the directory? What do you get if you use PowerShell to enumerate the directory? Are you sure that it's not creating an ADS? Try this to make sure: http://technet.microsoft.com/en-us/sysinternals/bb897440 Kurt On Sat, Oct 29, 2011 at 12:47, Tammy <copper...@personainternet.com> wrote: Hi, Interesting issue. One of the variants of sirefef/zeroaccess trojan while it infects several 3rd party exe files that usually run as services such as google updater service (just as an example) also in the same directory creates a totally blank file. No file name & no extension. File is completely blank. Having the AV repair infected exes is not an issue. Removing the main rootkit(s) is not an issue. Issue is mostly with 64 bit vista/windows7 Not usually an issue removing these blanks (on 32 bit OS) with the likes of GMER (an anti-rootkit tool) or if that is the only file in the directory (moved orig exe so nothing is in that directory besides the blank) & doing del *.* from cmd will wipe out the file. However if this file is there along with a bunch of others that cannot be moved out (even temporary) obviously I can't do del *.*. If it is in say the system32 directory (which is common) where tools like Gmer does not work because it is not compatible with the system (64 bit OS, critical server where one cannot chance a crash (gmer is not the most stable ARK tool on the planet) ) The ones that seem to be the biggest issue are the ones that are burried in some \assembly sub directories where permissions are different anyways. Cleaning up the rootkit & infected exes then trying to do a system retore (because at this point the infection is not blocking it) is at best sketchy. Either it works well or blanks cause issues and restore brings OS to worse condition than half fixed infection. How can one look for & delete totally blank file names without nuking everything else in said directory? Biggest issue seems to be 64 bit OSes. No specific file size. All are different. Leaving said blank files often cause issues with whatever program this blank is in. These blanks also often cause issues with updating said software or successful uninstall/re-install. Often system directories are affected. (system32, drivers, assembly, etc) To further complicate things permissions on said file are trashed so nothing has enough access to it to remove. Cannot do it in explorer because windows cannot read the files. (I assume blank file names are illegal in windows) You can see them in explorer but cannot do anything from there. This blank is usually a copy of whatever exe that was infected. Because of the above... Most AV scanners when it hits this blank it is either haulted & can't scan any deeper so just hangs or passes the directory entirely without scanning contents. (so one cannot scan (or even properly monitor) the entire system until this file is cleared out) If you have a dozen of these files including a few in large system directories -- you can see how this can be a security issue. So to make a long story short (er)..... 1. I need to be able to search entire drive for files with no file name/extension 2. I need to be able to adjust permissions on said files so I can delete them. (without messing with permissions on entire directory) 3. I need to delete said files without nuking the remaining contents of whatever directory these files live in. Google-Fu soes not seem to be working well. Ideas on a batch or script to perform the above? TIA! Tammy ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin