Day: July 4, 2007

Virus Clues

Synetech Leave a comment

If you are downloading files from a P2P network, then be especially wary of viruses.

One dead giveaway is when a search gives you moderate results, but then you get a few results (usually at the end of the search) that suddenly have hundreds, or even thousands of sources, particularly if those files are of wildly different sizes. What happened, did you get really lucky and manage to find a hidden cache of the file you were looking for? No, those few results that show hundreds or thousands of sources for the file you were searching for are not real, they are viruses that a bad server returns. When you do a search, the servers that are queried return a list of sources for that file that they know of. There are fake servers and virus pits that always respond with a very large number of sources no matter what the file is. They return a large number as bait, and if someone attempts to download the file, they receive one of a number of fakes (possibly even dynamically created), which are infected with viruses and other malware, regardless of what file they were trying to get.

Yet another dead giveaway is when you get a ZIP file that contains three files, an EXE, a DLL, and a TXT, especially if the files have gibberish filenames. This is a common dummy file that virus pits send out which contains an encrypted virus (checking the binary contents looks like it’s not an executable, but it is merely XOR-encrypted and is indeed a virus). What’s interesting about this one is that it usually uses the tag ZWT. ZWT is an actual scene group that does release “legitimate” cracks and such. It is unknown whether the owners of the virus pits that send out fake ZWT-tagged files targeted ZWT on purpose or not, but since it is the only group who’s name is used in the fakes, it may very well be the case.

One more virus-infected fake pattern that is making the rounds on the donkey network is the one where the resulting files contain an NFO file and an EXE. The EXE is the virus, and the NFO contains nothing but a numerical url: eg www.209193.com, www.39520.com, etc. These ones often contain the name of a piece of software or something in the names, and even version numbers to look even more legitimate. However, they don’t usually contain release group names.

As usual, be very wary of anything you download, especially from P2P networks, and in particular when looking for warez. Always check files that you download with at the very least a virus scanner, if not a trojan scanner, worm scanner, rootkit scanner… You can also run them through online scanners such as Jotti’s, Virus.org, and Virustotal.

If everyone kept themselves clean, the whole world would be cleaner overall. If you must pirate, practice safe piracy.

Unexpected DIR Results for Numbered Files

Synetech Leave a comment

If you have ever used the DIR command to list numbered files in a command prompt and been confused by the output, it may have been due to SFNs.

Here is an example to demonstrate the problem. In a directory with files with long names and numbered filenames, you might type dir *1.txt to list all files that end in a 1. However you may end up getting a bunch of files that do not end in a 1 mixed in with the results.

What happened? Remember that each file that has a long filename has a DOS compatible (8.3) SFN associated with it. These are usually six characters from the filename followed by a swung-dash and a numerical counter. In other words, “Long Filename.txt” would not only have that as it’s name, but also “LONGFI~1.TXT”. And there’s the 1!

If there are multiple LFN files (that are too long or have spaces) that begin with LONGFI—eg “Long File.txt”, “Long Fi.txt”, etc.—then they will be saved as LONGFI~2.txt, LONGFI~3.txt, and so on. Therefore you may get weird results for dir *2.txt, dir *8.txt, dir *516.txt

There does not seem to be a way around this, but using the /X switch can at least reveal the source of the unexpected results.