NewFolder .exe Virus

Here’s a useful tool I recently discovered for all you poor guys who have been troubled by the naughty NewFolder .exe virus. What is the NewFolder .exe virus? Well, as the name says, it appears as NewFolder .exe in your folder. As soon as it lands in a folder, it scans that folder for subfolders recursively, and inside every folder it finds, it creates a copy of itself named after that folder. Writing this virus is just as easy as removing it. But in this short article, I’ll talk about how to destroy the virus, not how to create it.

I assume everyone must have had an encounter with this virus once in his lifetime. Removing this virus can be very irritating, even if you are a Linux user. Of course, when you’re in Linux, all you have to do is go to each folder, select the virus and simply delete it. But imagine what happens when the virus has already spread across your hard drive or pen drive, spanning thousands of folders, and has made that many copies of itself.

Obviously you’re not going to go with this naive approach again. If you’re good at shell, writing a script isn’t a big deal. But if you’re even better at Linux basics, then you should know that just 1 line of code is enough to remove this virus completely from your drive. All you have to do is search for and destroy the virus recursively.

Searching: How to search? Well, there are 2 ways. Way 1 is to check the name of the folder and then scan the folder for a file named after it with the .exe extension. If it’s there, then it’s the virus. Implementing this way will definitely take you more than 1 line of code. The simpler way is to forget about the folder and just search for all file names which match the pattern “* .exe” (quotes for clarity). The important point to note here is that this virus, while creating a copy of itself, always adds a space before the “.exe” file extension. No other Windows file generally has a space before the .exe extension (unless you created it yourself).

Destroying: Just hand the results of the search to an “rm” command.

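Just go to the directory in which the virus exists and execute the following command:

NOTE: There is a SPACE between “*\” and “.exe” (quotes for clarity). Type the command with plain straight double quotes; curly quotes pasted from a web page will not work.

find . -name "*\ .exe" -exec rm -rf {} \;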

PS: This command will find and delete every file whose name has an extension of exe and a space before .exe. So make sure you don’t have any personal files with this kind of name pattern, that is, make sure that none of your own file names has a space before the .exe extension. If you’re not sure, I’d recommend you take a backup before executing this command.
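The stricter check described above as Way 1, written out as an added example (it is not the author's code): it matches only regular files whose name is exactly the containing folder's name followed by a space and .exe, lists them by default, and deletes only when asked. The function name scan_copies and its list/delete modes are made up for this sketch.

```shell
#!/bin/sh
# Added example: "Way 1" from the article as a dry-run-first cleanup.
# scan_copies ROOT          -> only list suspected copies
# scan_copies ROOT delete   -> remove them
scan_copies() {
    root=$1
    mode=${2:-list}
    # -type f keeps directories out of reach of rm; the pattern has a
    # literal space before .exe, as the article describes.
    find "$root" -type f -name '* .exe' -exec sh -c '
        mode=$1; shift
        for f in "$@"; do
            dir=${f%/*}        # containing folder
            name=${f##*/}      # bare file name
            # Resolve the folder to an absolute path so "." has a real name.
            parent=$(cd "$dir" && pwd)
            parent=${parent##*/}
            # Way 1: the copy is named after the folder it sits in.
            if [ "$name" = "$parent .exe" ]; then
                if [ "$mode" = delete ]; then
                    rm -f -- "$f" && printf "deleted: %s\n" "$f"
                else
                    printf "match: %s\n" "$f"
                fi
            fi
        done
    ' sh "$mode" {} +
}

# Run as a script: sh clean.sh /mnt/usb   then   sh clean.sh /mnt/usb delete
if [ "$#" -gt 0 ]; then
    scan_copies "$@"
fi
```

A copy whose name differs from its folder, such as the initial NewFolder .exe, is not matched by this check and still needs the broader pattern.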
