Solved

How can I ?

Posted on 2006-06-17
181 Views
Last Modified: 2010-04-05
Okay, for a couple of days I've had this *.exe run every 15 mins from out of nowhere. The virus scanner picks it up but it still returns, so I'm guessing that the exe is made by some other program. I've checked the processes, run almost every scanner there is and searched the site for millions of things, NOTHING... not even a hint.

So I've had an idea which requires code:

Is it possible to enclose a folder and scan it periodically to see if a file got created in it, or is being created? Can I see the source of the creation of that file during runtime/after creation...

I'm guessing a HOOK of some sort?

Any ideas or suggestions apart from a format (too much stuff to get back, and the PC's been working great for a year till this)?

Peace Scay7
Question by:Scay7
4 Comments
LVL 28

Accepted Solution

by:
ciuly earned 500 total points
ID: 16926370
hehe, you can use folder monitoring. You can do it by code or just use the tool from Sysinternals: http://www.sysinternals.com/Utilities/Filemon.html
Since all you want is to track down that exe, I guess there is no need to waste time reinventing the wheel ;)
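The "do it by code" option in the accepted answer, as an added example that is not code from this thread (neither the asker's nor ciuly's): a polling folder monitor that snapshots a folder, snapshots it again later, and reports every file created in between with its size, SHA-256 and whether its name matches a watch pattern such as `*.exe`. It assumes a plain polling loop is enough to catch a file that reappears every 15 minutes; the folder path, poll interval and patterns are all assumptions. One caveat a practitioner should keep in mind: a snapshot diff like this cannot tell which process created the file, because it only sees the result, not the write. Attribution needs a kernel-level tracer such as Filemon, so this script is for collecting evidence (names, hashes, timestamps) between scans.

```python
"""Polling folder monitor: report files that newly appear in a watched folder.

Added example for this thread, not code posted by the asker or by ciuly.
Assumptions: the folder is small enough to list on every poll, and a poll
interval of a minute or so is fine for a file that returns every 15 minutes.
It records WHAT appeared, not WHO wrote it (that needs a kernel tracer).
"""
import fnmatch
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class CreatedFile:
    path: str
    size: int
    sha256: str
    created_at: float   # st_ctime at the time the file was first seen
    suspicious: bool    # name matched one of the watch patterns


def snapshot(folder):
    """Map each regular file in folder (non-recursive) to (size, ctime)."""
    result = {}
    for name in os.listdir(folder):
        full = os.path.join(folder, name)
        if os.path.isfile(full):
            st = os.stat(full)
            result[full] = (st.st_size, st.st_ctime)
    return result


def sha256_of(path):
    """Hash the file in chunks so large drops do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def new_files(before, after, patterns=("*.exe",)):
    """Files present in `after` but not in `before`, i.e. created in between."""
    events = []
    for path, (size, ctime) in after.items():
        if path in before:
            continue
        name = os.path.basename(path).lower()
        suspicious = any(fnmatch.fnmatch(name, p) for p in patterns)
        events.append(CreatedFile(path, size, sha256_of(path), ctime, suspicious))
    return events


def watch(folder, interval_s, duration_s, patterns=("*.exe",)):
    """Poll `folder` every interval_s seconds for duration_s; return all events."""
    before = snapshot(folder)
    deadline = time.monotonic() + duration_s
    events = []
    while time.monotonic() < deadline:
        time.sleep(interval_s)
        after = snapshot(folder)
        events.extend(new_files(before, after, patterns))
        before = after
    return events


def demo():
    """Self-contained run on constructed files in a temporary folder."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "notes.txt"), "w") as f:
            f.write("already here")          # present before the first snapshot
        before = snapshot(folder)
        # constructed sample drops: an executable-named file and a harmless log
        with open(os.path.join(folder, "dropper.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 30)
        with open(os.path.join(folder, "readme.log"), "w") as f:
            f.write("log line")
        events = new_files(before, snapshot(folder))
        return {os.path.basename(e.path): e for e in events}


if __name__ == "__main__":
    for name, e in demo().items():
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"{flag:10} {name}  {e.size} bytes  sha256={e.sha256[:16]}...")
```

For a real run, call `watch(r"C:\path\to\folder", 60, 20 * 60)` (path and timings are placeholders) so that at least one full 15-minute cycle is covered, then use the recorded hashes to check whether the same binary comes back each time or a different one.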
LVL 5

Author Comment

by:Scay7
ID: 16929320
Nope ciuly, I'm still no smarter about where they came from... they still managed to get created even with Filemon left on through the night... (log size 534 MB)

Peace Scay7
LVL 28

Expert Comment

by:ciuly
ID: 16929563
well, that monitor will not stop them from being created. You will have to go through those logs (ouch) and see who created them.

There is of course another thing to consider: your firewall. This is usually the way worms work: they exploit some vulnerability in your system, drop a program that will be executed, and spread.
Try to get the network cable out of the network card before you go to sleep, check with the antivirus and make sure you deleted all instances, then wait around 20 min (that should be enough to get past the 15 min period you talk about) and see if there are any more instances. If not, leave it like that through the night and in the morning check for those exes. If there aren't any, it means your firewall is not configured properly or you are exposing a service that has some major vulnerability.

It is also a good idea to install a firewall with some intrusion detection and, very important, application protection. The minute the worm executes the nasty program it will be caught by the application protection and you will be asked if you want to run it, and you can block it.

A very effective way to fight against worms that exploit services you need to expose is to fight fire with fire. Most worms use a few fixed names to create the temporary file that will be executed. Create text files with those names, put some garbage text in them and save. Then take away the rights for everybody. This way no one will be able to delete/modify that file. (You can of course grant yourself rights when you want to delete it since you are admin, but worms don't know that trick ;) ) So the next time the worm tries to create that file it will fail. If it tries to execute it, it will fail since it's a text file. And after you get a patch for that service, you can delete the files if you wish.

But the first step is to identify the worm. You know the exe name that is being executed (you can check in Task Manager or something), so google for it. You will find the worm name and probably how to remove it and even patch your system against it.

Good luck with that
LVL 28

Expert Comment

by:ciuly
ID: 16929573
You could also write a utility using some folder monitoring components that exist and just kill any app that starts from that folder and maybe follows some filename pattern.
But this will not solve your problem. You need to patch your system against the threat.