Re: Huge Autoexec.bat

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 09/18/02 

Date: Wed, 18 Sep 2002 11:35:22 +1200
From: Nick FitzGerald <nick@virus-l.demon.co.uk>
To: incidents@securityfocus.com

"Matthew S Barnes" <btc1@alltel.net> wrote:

> Hi all we were working on a system the other day at a client's who called us
> in to fix a downed domain controller, his system was blue screening and so
> we got there and started poking around the system, we noticed something
> weird and wanted to ask if anyone had seen it before. I hadnt ever ...
> His autoexec.bat was huuge 26 megabytes to be exact. Now this computer was
<<snip>>
> The autoexec.bat file was full of script's and code and also some old emails
> of his from years ago and we never got time to go thru the whole thing just
> enuff to make me think it was a total compromise of his system.....

from what you have said and without the benefit of seeing the file
myself (and no -- please don't Email it to me!), the most likely
reason for what you saw is file system corruption. This also ties in
with unexplained BSODs and so on. It _may_ be indicatve of
(impending) hardware failure.

Further, you presented absolutely no evidence suggesting a "hack".

Maybe the threat to not pay you for "wasting time" shows your client
was wiser than you think... 

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Relevant Pages

  • Re: SBS 2K corrupt(?) mailboxes
    ... True, there is much to grasp, but Client needs a 'fix'. ... mount the store and the bad files are gone. ... Use this step if the above doesn't solve the problem emails. ... Maybe you should consider a professional Data Recovery service such as ...
    (microsoft.public.backoffice.smallbiz2000)
  • MICROSOFT has to take RESPONSABILITY for the emails
    ... >unstable they might fix it with a good old security ... I think that Microsoft are liable for any damage ... the emails made to look like they come from ... >it, we test it, u then fix the bugs WE find with updated, ...
    (microsoft.public.security)
  • Re: PC Security
    ... > suspected he got from reading my emails. ... > my MSN dialup. ... I was on the phone with Dell & MSN constantly trying ... > to fix it. ...
    (microsoft.public.security)
  • Re: [opensuse] My Kmail2 does not get email
    ... the inbox under .cur the four deleted emails have gone. ... Fix usage of wrong ids for part filenames. ... Fix valgrind-ing agents running in the agent launcher. ... Add 4.7 branch diff ...
    (SuSE)
  • Re: [opensuse] My Kmail2 does not get email
    ... the inbox under .cur the four deleted emails have gone. ... Anyway the changelogs give me enough info to go on. ... Fix usage of wrong ids for part filenames. ... Fix valgrind-ing agents running in the agent launcher. ...
    (SuSE)