Create an Undeleteable File

I have this Aurora variant that I keep running into.  My thought is if I could create an executable of the same name that couldn't be deleted, that would put  a stop to it.  I tried setting deny -> everyone permissions on the file, but somehow it got around that.

Anyone know a good trick for this?

Thanks.

NV
NoahVailAsked:
GuruGaryCommented:
If you have tried the suggestions that are a direct answer to your question (by r-k and GuruGary) please post the results.  If you have not tried them, see if they give you the solution you want, or combine the 2 suggestions and use them both at the same time.

There is no 100% way to create an undeleteable file.  The best way I can think of is to open a handle to the file before anything else gets a chance to get to the file ... that way it would be in use and could not be deleted.  But then something could always come along after that and load something that deletes the file before you get to open the file ... or something could kill the process that has the open handle to the file.

The best approach is to fix the root cause of the file being created.  But as far as creating an "undeleteable" file, try combining multiple methods.  Create the file as a directory, set the file permissions, set the file attributes, set ownership, open a handle to the file.  And making a directory with the file name has additional advantages, as you can put files in the directory and do some additional tricks, like create a file with an invalid file name inside the directory.  The directory will not be able to be deleted until all the files in the directory are deleted.  One way to create an invalid filename is to use the "\\?\" access to create a file named "LPT1" or some other reserved name that is very difficult to delete.  To do this, open a command prompt and use a command like:
copy con "\\?\c:\windows\aurora.exe\lpt1"
then type in some text followed by [Ctrl]+Z and [Enter] to create the file (this assumes the "undeleteable" file you want to create is "C:\Windows\aurora.exe" and you have created a directory with that name).  This will create a file named LPT1 in the directory "aurora.exe" which cannot be deleted by Windows.  
0
GuruGaryCommented:
A very simple trick to try:  Instead of creating a file (aurora.exe or whatever) try creating a directory with the same name (folder name = aurora.exe or whatever).  I have used that before in other scenarios, and often the programs are smart enough to remove a file, but aren't smart enough to try to remove a folder.
0
Rich RumbleSecurity SamuraiCommented:
Frankly, that is a "band-aid on a cancer" solution. To be sure, Security isn't a Product, it is a Process, and all the AV and Anti-Spyware in the world can't help you as much as the simple things like the account of least privilege can.
-rich
0
 
GuruGaryCommented:
Rich is right.  Even if you can prevent the file from being created, there are still problems with the system.  You should find the root cause of the problem, fix the problem, and put something in place to prevent it from occurring in the future.
0
 
SunBowCommented:
Agreeing that it is not a good time for a band-aid. It is also not a good time in a public forum to identify how malware can create a directory on your system that you cannot delete. So,

I also recommend shoring up procedures. SuperUser Admin IDs are for installing and maintaining applications and setting up security. They are not for surfing out suspect websites or for clicking on strange emails. Ensure that the people have the proper authority levels. Admins should have a second ID with less privilege to hijack or piggyback. Regular users do not need to install, maintain, and upgrade.
0
 
rpggamergirlCommented:
AdAware and its VX2 plugin will get rid of it.

1. Download AdAware SE if you haven't yet.
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html

 And the VX2 Cleaner Plug-in
 http://www.lavasoft.de/software/addons/vx2cleaner.shtml
 Install Ad-Aware using the default options, then install "vx2cleaner_inst.exe", taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on "Add-ons" in the lefthand column.  Select "VX2 Cleaner V2.0" and click "Run Tool".  Click "OK", then, if something is found, click "Clean" as in the directions given.  Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again.  This time, click on the "Start" button in Ad-Aware, select "Perform smart system scan" and click "Next".  Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects").  Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK".  Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next".  Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.


2.  If problem persists, let us look at your hijackthis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
0
 
r-kCommented:
Instead of trying to "deny" permissions, you can "remove" all permissions as follows:

(1) Right click on the file in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

Of course I agree with the others that this is not a long-term fix, but it gives you a chance to clean up the virus.
0
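The following script is an added example, not code posted by GuruGary, r-k or anyone else in this thread. It combines GuruGary's directory-plus-reserved-name trick with r-k's inherited-permission removal, done from the command line with icacls instead of the Explorer dialog, and then checks that an ordinary delete fails. It assumes an elevated command prompt on Vista or later (the XP-era systems in the thread would use cacls instead) and the placeholder path C:\Windows\aurora.exe used as the example in the thread; the same \\?\ syntax that creates the LPT1 file also removes it, so this is a speed bump for the malware, not a guarantee.

```batch
@echo off
rem Added example: turn the path the malware wants into a hard-to-delete directory.
rem Assumed placeholder path from the thread; change it for the file you are blocking.
set "TARGET=C:\Windows\aurora.exe"

rem 1. Create a directory where the malware expects a file (GuruGary's folder trick).
if not exist "%TARGET%\" mkdir "%TARGET%" || (echo mkdir failed & exit /b 1)

rem 2. Put a reserved-name file inside so the directory is never empty.
rem    The \\?\ prefix bypasses the normal name parsing that refuses "LPT1".
echo placeholder> "\\?\%TARGET%\lpt1"

rem 3. Set attributes, take ownership, then strip inherited ACEs and leave only
rem    read access for SYSTEM and the current account (r-k's "Remove", via icacls).
attrib +r +h +s "%TARGET%"
takeown /f "%TARGET%" >nul
icacls "%TARGET%" /inheritance:r /grant:r "SYSTEM:(R)" /grant:r "%USERNAME%:(R)" >nul

rem 4. Verify: a normal recursive delete must fail, and LPT1 must still be listed.
rd /s /q "%TARGET%" 2>nul && (echo WARNING: directory was removed & exit /b 1)
dir /a "\\?\%TARGET%\" | findstr /i "lpt1" >nul && echo Placeholder in place: %TARGET%

rem To undo later (elevated): icacls "%TARGET%" /reset, attrib -r -h -s "%TARGET%",
rem del "\\?\%TARGET%\lpt1", then rd "%TARGET%".
```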
 
SunBowCommented:
actually, without identifying a few exceptions, I think that is the better idea.

Major difference between MS and alternatives, is that they are easier. Easier to run, easier to hack.

One way to define this, is that you have a choice of starting with everything initially denied, then opening a little for some rights here and there as needed. The other way is start with everything always available, then run around looking for doors to shut. Most of us prefer the former, then we best know who is doing what.

A similar situation is for use of ports. My preference is close them all first. Then open them one at a time as needed. The system takes longer to get going, but the method beats the alternative of starting with all open and then trying to close one at a time as you find them getting abused. My IMO anyway
0
 
NoahVailAuthor Commented:
Sorry for the delay.
With respect, rpggamergirl, Adaware and VX2 will not clean several different variants of Aurora.  Neither will CWShredder, MSAntispy, Spybot, Webroot or any other antispyware package as far as I know.  Some variants are rootkit installed and uncleanable.

I'm sorry, an alternative browser is not an alternative for the several users I am seeking to protect.

HiJackthis logs are useful after the fact, I am trying to prevent the fact.

Often these are sites that I am an oncall tech, and do not have access to the routers.  Setting up multiple permission levels on sites that I am called to infrequently is impractical.   I usually have administrative access to the computers, but that may be all.

I haven't found a TSR antispyware program that is truly effective.

In fact I have quite a few uses for an undeleteable file.  Can someone tell me how to make one?

Thanks.
NV

0
 
r-kCommented:
Did you try my suggestion above?
0
 
rpggamergirlCommented:
>>With respect, rpggamergirl, Adaware and VX2 will not clean several different variants of Aurora.  Neither will CWShredder, MSAntispy, Spybot, Webroot or any other antispyware package as far as I know.  Some variants are rootkit installed and uncleanable.<<

That is not true! Aurora/nail infection is a very old infection, in fact there haven't been any new variants of aurora since mid last year. There is no aurora variant with rootkit-like capabilities, maybe you are confusing it with the epolvy trojan (trojan that comes with aurora/nail infection that changes its name at shutdown, it changes name every time you look at it)
Malware experts have stopped updating nailfix since Lavasoft has updated their Ad-Aware VX2 cleaner plugin to address the entire bundled Nail/epolvy/dsr infection. And it does a great job!

Even the real rootkits are cleanable!
Aurora is nothing compared to Haxdoor and it's nowhere near as bad as the smitfraud infection, which malware experts manage to clean.
0
 
Rich RumbleSecurity SamuraiCommented:
Disable System Restore if using XP Pro or WinME http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
Then run ad-aware or other to clean. Once clean, migrate your account to a lesser privileged one, install an alternate browser, and be free from spy-ware.
-rich
0
 
rpggamergirlCommented:
I suggest a

Delete - No Refund
0
 
NoahVailAuthor Commented:
rpggamergirl - FYI - I did run across a variant of Aurora that contained a rootkit component.  
It was an Aurora infection.
It contained the Nail.exe hook.
It was the first rootkit I ever saw, in fact at the time, rootkits were still somewhat obscure.  I was able to locate it using the sysinternals rootkit detector (I think, the only time it ever worked for me).  I had a system with a recurring infection.  I took it everywhere with me and benched it every opportunity to try to figure out how this system kept reinfecting itself.  
The scan for rootkit was a shot in the dark after 40 hours of everything else.  I had never heard of rootkits before.

What an awakening.

Anyhoo, if I could get everyone to stop debating why I shouldn't have an undeleteable file and just offer the best option for creating such a beast, I would be grateful.  Just forget why I want it anymore and let my reasons be my own.

Which it looks like GuruGary tried the hardest to do on my behalf.  Very nice solution, I'll try it next time 'round.
Thanks GG!

FYI - II
One problem-ware I was battling stripped my permissions from my file after I set it to EVERYONE - DENY and then overwrote it with its own stuff.

Some of the stuff I battle isn't malware, the coders and I have different ideas on what should happen in my systems.

I had lots of input here.  Thanks to all who took the time to respond.
You guys keep EE from being a dismal disappointment (which it sometimes is).

NV
0
 
NoahVailAuthor Commented:
It was the Sony DRM fiasco that alerted me to rootkits and prompted me to first scan for one.

NV
0
 
NoahVailAuthor Commented:
rpggamergirl - Your post deserves more than the cursory reading I gave it.  I'd be interested in hearing more about what you know about rootkits.  If you ever expound or have a recommended reading I'd like to learn more; I've had a time trying to stay ahead.

Thanks.
NV
noahvail
at
hotmail.com
0
 
rpggamergirlCommented:
There are many articles about rootkits around, just google it. I help at other forums and I've seen a few. When rootkits are present, it's more sensible to format the drive than take the risk of compromising the system security.
A few rootkits now target Blacklight and Rootkit Revealer, even the pe386 rootkit targets hijackthis as well. So that means those kinds of rootkits are able to hide from those scans, luckily not all of them can and there is one recent rootkit scanner that hasn't been targeted yet.

Haven't seen a new variant of nail around for a long while. Some variants of Vundo also have rootkit capabilities. Recently there are more rootkits showing up in logs than any variant of aurora/nail. Also new variants of HackerDefender/SDBot have surfaced very recently.
0
 
Rich RumbleSecurity SamuraiCommented:
The principle of least privilege will keep 99.99999% of these rootkits, spyware, and issues off your PCs. To be certain, there are tasks, and even programs, that don't run unless they have admin rights, however, there are a few built-in tools to help you do this, as well as dozens of 3rd parties. The transition is easy, the commitment is the hardest part. However, not having to scan for viri/rootkits and not worrying about your personal information is well worth it.
http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html
http://xinn.org/win_bestpractices.html
http://www.xinn.org/annoyance_spy-ware.html
http://nonadmin.editme.com/WhyNonAdmin
-rich
0