Security Incidents mailing list archives

Re: Huge Autoexec.bat


From: "Chris Norris" <cnorris () continental-microwave co uk>
Date: Wed, 18 Sep 2002 11:27:07 +0100

I think rather than a sign of something sinister this sounds fairly simple.
For example, corrupted and crosslinked files. You say it contained old
emails; well, maybe this PC was used as a workstation and was upgraded with
NT4 server, but somehow the corrupted files were crosslinked and ended up in
autoexec.bat.
I used to see this with DOS based PCs.

Chris Norris
----- Original Message -----
From: "Matthew S Barnes" <btc1 () alltel net>
To: "Incidents" <incidents () securityfocus com>
Cc: "Chris Barnes" <cbarnes () bfinity net>
Sent: Saturday, September 14, 2002 4:53 PM
Subject: Huge Autoexec.bat


Hi all, we were working on a system the other day at a client's who called us
in to fix a downed domain controller. His system was blue screening, and so
we got there and started poking around the system; we noticed something
weird and wanted to ask if anyone had seen it before. I hadn't ever ...
His autoexec.bat was huge, 26 megabytes to be exact. Now this computer was
running NT 4 SP6a and also a ton of other stuff, but none of the stuff in
autoexec.bat as far as I could see was anything related to his systems. I
told him he was probably hacked and that he needed to really treat this like
it was a crime scene and try to save all the data so we could reconstruct
later. Well, he said he didn't care (no wonder he was hacked) and told me to
not waste time on it; he wouldn't pay me to investigate, he would only pay me
to fix it. I did save some of the files I thought were suspicious and was
hoping someone, anyone could point me in a direction to find out what would
make this autoexec.bat so big? Are there any known exploits that do this type
of thing? I appreciate all your help.

The autoexec.bat file was full of scripts and code and also some old emails
of his from years ago, and we never got time to go through the whole thing,
just enough to make me think it was a total compromise of his system.....

Sincerely

Matthew S Barnes

---
Outgoing mail is certified Virus Free.
Barnes Technical Consulting 2002
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.385 / Virus Database: 217 - Release Date: 9/4/2002
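Chris's explanation (cross-linked clusters dragging old mail and junk into the file) and Matthew's (a compromise that planted scripts) predict different things about what the 26 MB actually contains. The following triage helper is an added example, not code from either poster or from the list: it tallies the kinds of lines in a preserved copy of the file so a responder can see at a glance whether it is a batch script with a few oddities or a container for foreign data. The command list, the header patterns and the sample input are all my own assumptions, not anything taken from the incident.

```python
"""Triage helper for an oversized autoexec.bat (added example, not from the thread).

Classifies each line as batch syntax, an RFC 822 style mail header, binary
garbage, or other text, then summarises the counts. A file that is mostly
batch lines with mail headers and binary runs mixed in is consistent with
cross-linked clusters; a file of nothing but unfamiliar script is worth a
closer look. All patterns here are assumptions chosen for illustration.
"""
import re
from collections import Counter

# Commands commonly seen in a legitimate DOS/NT autoexec.bat (assumed list).
BATCH_CMDS = {"set", "path", "prompt", "echo", "rem", "call", "lh", "loadhigh",
              "mode", "doskey", "smartdrv", "mscdex", "keyb", "cls", "if",
              "goto", "win"}
# Mail header line such as "From: " or "Subject: " (checked before batch
# commands, because a stray "Date:" would otherwise look like the DATE command).
MAIL_HDR = re.compile(r"^(From|To|Cc|Subject|Date|Received|Message-ID|Return-Path):\s", re.I)
BATCH_LABEL = re.compile(r"^:[A-Za-z0-9_]+\s*$")          # ":label" jump target
PRINTABLE = re.compile(r"^[\x09\x0a\x0d\x20-\x7e]*$")      # 7-bit printable text only


def classify_line(line: str) -> str:
    """Return one of: blank, binary, mail_header, batch, other."""
    s = line.strip()
    if not s:
        return "blank"
    if not PRINTABLE.match(s):
        return "binary"          # non-text bytes: not something a person typed
    if MAIL_HDR.match(s):
        return "mail_header"
    if BATCH_LABEL.match(s):
        return "batch"
    first = s.split()[0].lower().lstrip("@")   # "@ECHO OFF" -> "echo"
    if first in BATCH_CMDS or first.endswith((".exe", ".com", ".bat")):
        return "batch"
    return "other"


def triage(text: str) -> dict:
    """Summarise line categories and give a coarse verdict for the responder."""
    counts = Counter(classify_line(line) for line in text.splitlines())
    foreign = counts["mail_header"] + counts["binary"]
    if foreign:
        verdict = "foreign content present"
    elif counts["batch"] and counts["batch"] >= counts["other"]:
        verdict = "looks like a plain script"
    else:
        verdict = "unclear, inspect manually"
    return {"counts": dict(counts), "foreign_lines": foreign, "verdict": verdict}


def triage_file(path: str) -> dict:
    """Read a preserved copy as raw bytes (latin-1 keeps every byte) and triage it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"size_bytes": len(data), **triage(data.decode("latin-1"))}


# Constructed sample: a small script followed by a fragment of old mail and
# some non-text bytes, imitating what cross-linked clusters might look like.
SAMPLE = (
    "@ECHO OFF\n"
    "PATH C:\\WINDOWS;C:\\DOS\n"
    "SET TEMP=C:\\TEMP\n"
    "C:\\DOS\\SMARTDRV.EXE\n"
    "From: someone@example.invalid\n"
    "Subject: re: meeting\n"
    "Date: Mon, 3 Jan 2000 09:00:00 +0000\n"
    "Thanks, see you then.\n"
    "\x00\x01\xff\xfe garbage\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real copy, call `triage_file("autoexec.bat.preserved")` against the saved image rather than the live system, and treat the verdict as a pointer for where to read by hand: a high `other` count with no mail or binary lines is the case that deserves the line-by-line review Matthew describes, while a large `foreign_lines` figure supports the cross-linking explanation without ruling out a compromise elsewhere on the box.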


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



