[Discuss] virus?

[greg at freephile.com (Greg Rundlett (freephile))]

On Mon, Oct 27, 2014 at 6:21 PM, Stephen Adler <adler at stephenadler.com>
wrote:
>
> Guys,
>
> I'm not sure if this is the right forum to post this question, but here
goes.
>
> I have a linux server box in my lab which I'm using to run a samba
service and server up some disk space to some laboratory equipment which
have computer consoles operating them running windows. As it turns out, on
one of the equpiement, I mounted the samba served network folder and lo and
behold Autorun.inf and a rundll.exe file suddenly appeared in the top level
directory of the mounted network folder. I proceeded to delete the files on
the linux side (on my linux server) and within seconds the two files
reappeared.
>
> The content of the Autorun.inf basically causes rundll.exe to execute.
>

(The condensed version)
An autorun.inf file is a text file that can be used by the AutoRun and
AutoPlay components of Microsoft Windows operating systems. For the file to
be discovered and used by these component, it must be located in the root
directory of a volume.  More at http://en.wikipedia.org/wiki/Autorun.inf

As the name implies, autorun.inf will cause something to happen when a
device contains that file at it's root and the device is inserted (e.g. a
CD-ROM)

Since it's a text file, you should be able to just read it with the editor
of your choice to at least figure out what it wants to do.  It sounds like
you've already gotten this far.

So let's assume it's a virus, and it is invoking it's companion
rundll.exe.  A file by the same name (\Windows\System32\rundll32.exe) is
the heart and soul of Windows, and so the virus writer is trying to obscure
the virus by making it look like a system file.  Your "virus" rundll.exe
will be binary and will be harder to "look" at.  I'd scan it with clamscan
to figure out what kind of virus you're dealing with.  That way you can
find recommended ways of fixing it.

Greg Rundlett
http://eQuality-Tech.com
http://freephile.org