Secret secret

Oct 24, 2009 23:28

So I had a worm on my Windows XP machine. Allow me to describe its behavior.

It runs as a process called QUUOXA.EXE. Attempts to terminate this process always fail. It even runs on Startup when I boot into Safe Mode. The file is stated as being located in C:\Documents and Settings\MYNAME, but it does not show up in Windows Explorer, even if I have "show hidden files and folders" checked. It doesn't show up in the command prompt, either. The file is set in the Registry to run at startup, but when I delete the entry, it immediately returns.

About five false shortcuts appear in the root folder of any USB drive I attach to the computer, appearing to be shortcuts to My Videos, My Pictures, My Music, a text file called passwords.txt, and maybe one or two others. The Properties of these shortcuts show that they lead to a file called QUUOXA.SCR on that drive.

I cannot find or delete any of these QUUOXA files through Windows, not even through the command prompt. Attempts to do so result in 'file cannot be found'. When I attempt to create a shortcut to the file, however, that succeeds. When I attempt to create a shortcut to a file that I know does not exist, Windows complains that the file cannot be found.

Norton Endpoint Security routinely pops up reports that QUUOXA.EXE has attempted to write to Norton's memory, which is how I realized the virus was there, only later noticing the shortcuts on my USB drive.

I saw something similar to this a few weeks ago on a friend's computer, except that in that instance, the offending file hid itself in complexly named folders that were also similarly invisible. However, I could enter the folder by entering the path in the path text bar, or through the command prompt. I could not delete the file, though, so I ended up doing a clean reinstallation of Windows. I will likely do the same for my computer in this case, but I am afraid that my USB drives will simply reinfect my computer, as Norton Endpoint Security cannot find or clean it.

My computer has not been connected to the internet in months, but I use my USB drive to download files via public computers that reset every 24 hours using a program similar to Deep Freeze. I suspect this is where I picked up the worm.

Well, I ended up cleaning it out by using my Ubuntu Live CD to run Ubuntu, under which the files all showed up. I then deleted them, along with their associated Autorun.inf files. I also found that there were several other files and folders on my drives that had also been similarly invisible (but accessible!) to Windows. Deleting them fixed a few problems that I had just figured were XP inconveniences.
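Added example, not code from the post: a Python check for the USB-drive pattern described above (an autorun.inf that launches something, plus root-level shortcuts aimed at a .scr), meant to be run from a Live CD against the mounted drive before it goes back into a Windows machine. The shortcut check is a string heuristic rather than a full LNK parser, and the drive contents it scans are a constructed stand-in, not a real sample.

```python
import configparser
import re
import tempfile
from pathlib import Path

# ShellLinkHeader: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


def autorun_launch_targets(inf: Path) -> list:
    """Values autorun.inf asks Windows to run: open=, shellexecute=, shell\\<verb>\\command=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf.read_text(encoding="latin-1"))  # plain INI; keys are lower-cased by configparser
    return [v.strip() for s in cp.sections() for k, v in cp.items(s)
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]


def lnk_target_hint(lnk: Path) -> str:
    """Heuristic, not a full LNK parser: first executable-looking path string inside a shortcut."""
    data = lnk.read_bytes()
    if not data.startswith(LNK_MAGIC):  # not a shell link at all
        return ""
    for enc in ("utf-16-le", "latin-1"):  # path strings may be stored as Unicode or ANSI
        m = re.search(r"[\w\\:.$-]+\.(?:scr|exe|com|bat|vbs)\b", data.decode(enc, errors="ignore"), re.I)
        if m:
            return m.group(0)
    return ""


def scan_removable_root(root: Path) -> list:
    """Flag the pattern from the post: autorun.inf plus root-level shortcuts that point at a .scr."""
    findings = []
    for entry in sorted(root.iterdir()):
        if entry.name.lower() == "autorun.inf":
            findings += [f"autorun.inf launches {t}" for t in autorun_launch_targets(entry)]
        elif entry.name.lower().endswith(".lnk"):
            hint = lnk_target_hint(entry)
            if hint.lower().endswith(".scr"):
                findings.append(f"{entry.name} -> {hint}")
    return findings


def demo() -> list:
    """Build a constructed stand-in for the infected USB root (not a real sample) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text("[AutoRun]\r\nopen=QUUOXA.SCR\r\nshellexecute=QUUOXA.SCR\r\n")
        body = LNK_MAGIC + bytes(56) + "QUUOXA.SCR".encode("utf-16-le")  # 76-byte header, then a path
        for lure in ("My Videos", "My Pictures", "My Music", "passwords.txt"):
            (root / f"{lure}.lnk").write_bytes(body)
        (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # benign file, must not be flagged
        return scan_removable_root(root)
```

Point `scan_removable_root` at the mount point of the real drive to list every launcher and lure it finds; an empty list means neither indicator is present at the root.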

What really irks me about this is the Windows flaw exposed through this experience. How does Windows allow this vulnerability? How can a file exist on the computer, but be invisible in this way? How can Windows be unable to show it, unable to find it, unable to delete it, but able to execute it? Is this a feature of the OS with some legitimate use, or an exploit of a programming flaw?

Makes me want to abandon Windows altogether with a loophole like this. I mean, really, WTF?

...though from a programming perspective, I'd love to see the worm's source code.