Virus infected from a friend, twice in my life
by Andy Flagg, Publication Date: Friday, November 29, 2019
View Count: 228, Keywords: Virus, Infection, Jump Drive, Flashing Bios, Hashtags: #Virus #Infection #JumpDrive #FlashingBios
this happened to me back in 1998 when my friend Mike of Mike's Computer Service in Winnemucca Nevada opened up his email and an attached ZIP file and the infection spread to all his contacts in his Outlook Express address book. I got his email, and trusted his email and attachment, and opened it, and blam! I got bit. "Darn it Mike", I said. Thank goodness I knew these viruses existed and my address book was empty, and/or I had an ! exclamation mark for my first entry to block the virus script, and/or my primary contact address book was blank and my working was secondary... whatever.. i digress...
fast forward 20 years... i get bit again... life threatening but not deadly... i had an antidote at the ready...
So, my nephews engineering laptop is jacked up and I do some analysis on it, and realize the BIOS needs to be flashed.., so I plug in the jump drive with A17 just downloaded from Dell Support website and put on my 32GB PNY. When i unplugged the PNY 32GB from my laptop, and plugged it into the destination laptop, the folders of my stuff on that jump drive was there and then disappeared!!!
That was odd. The entire folder contents on the drive partially and then completely disappeared and a link to the jump drive appeared. odd. i clicked on the link within the explorer window to the jump drive and then all hell broke lose again on the laptop, but I could not tell what... I was then suspicious.
So i took the jump drive back out and plugged it into my laptop to see if it was just a USB plug and play issue and it was not, my computer, windows 10 pro running windows security threat center protection pops up and says threat detected on USB and started cleaning and then 4 more threats popped up and more threats are being resolved. holy smokes!!!
My friends laptop had a nasty malware virus even though he had ByteFence installed... and then I really realized that something wiped out the contents of my jump drive and thank god not his files nor my files. What could be going on? I could recover my data on any drive unless encrypted or ransonwared, and back ups existed, just not closely in hand.
regardless, my investigation and recovery continued for another 2 hours, and so here is the list of threats in the order of appearance, quarantine and removal.
most of these appear in the AppData\roaming startup and AppData\roaming root directory.
so what happened to the content on the jump drive? tricky what they did. i ran a data recovery tool on the jump drive and all the content were there just like the explorer saying the contents free space used space did not change, 14gb free, 16gb used, and here is the trick, the virus created a folder name with a space character and hid it as a system folder.
so I just attrib'ed the folder and removed the attributes of system and hidden and then renamed the folder and all my contents were inside. the problem with a folder name as a space character is that even with hidden system files on the folder does not show up because its a space character. very tricky!
doing a DIR command /ah it did show up though one would have confused that with the . and .. folder names rather than where the virus moved all ones contents.
i did recover the data anyhow to a separate drive, and corrected the jump drive and tested the contents and re-scanned the drive for other harmful items and it checked out.
crazy virus and crazy that it came from a friend who should have been aware of it, yet most engineers are too naive to check their own gear except me and a few others in a rare group of systems experts.
moving forward, back up your stuff and keep your jump drives safe. use a blank jump drive when going to a foreign system.
what else? oh, i did reset my firewalls and ran the GoGreen PC TuneUp program to clean up my system, temp folders, and guess what, this virus even had its own regeneration task in the system32 tasks folder. I removed that too.
more to come...
if you found this article helpful, consider contributing $10, 20 an Andrew Jackson or so..to the author. more authors coming soon
FYI we use paypal or patreon, patreon has 3x the transaction fees, so we don't, not yet.
© 2021 myBlog™ v1.1 All rights reserved. We count views as reads, so let's not over think it.