Espoo
Technical User
- Jun 6, 2005
- 3
I'm trying to help a friend with a Windows 98 SE computer whose entire Windows directory and perhaps more has "disappeared". This looks like it may have been caused by malware; I mean, even Windows is not usually *that* unreliable.
I'm very interested in finding out what kind of malware and how it does such a complete deletion job. I mean, I thought that (despite all the hype) malware is normally more of a (terrible) nuisance than actually destructive. And when it (apparently rarely) is destructive, it "just" does a "simple" delete, i.e. only marks a file called ABCDEF, for example, as ?BCDEF, as far as I've heard. This malware, however, apparently rewrote over the deleted files with all ones or zeros, because the two data recovery programs and the one undelete program I used can't find any trace of the Windows folder.
Somebody on another forum also suggested that one way this "total" deleting could perhaps have been carried out is by first truncating the files to 0 bytes before deleting. Another suggested explanation was that in addition to or instead of the above (which makes it harder to undelete files), the malware could have renamed the files before deleting, and then renamed the Windows folder itself before deleting.
Can anyone suggest data recovery or undelete programs that can deal with the above tricks?
This looks like a possible malware candidate for the observed destruction:
If the date is 12 of May, the virus shows a message box:
Your PC has been hacked by KaGra[ATZI virus ver 2.1]
From the KaGra
If the date is 13 of May, Horty.A tries to delete Windows folder.
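An added example, not part of the original post and not code from any of the recovery tools or the malware discussed: it parses constructed 32-byte FAT directory entries (the format Windows 98 SE uses on FAT32) and shows why the "?BCDEF" effect occurs and why a file that was truncated to 0 bytes before deletion leaves nothing for an undelete tool to follow. On FAT, deleting a file only overwrites the first byte of the name with 0xE5 and frees the cluster chain; the entry still records the file size and the first cluster, which is what undelete tools use. If the size and first cluster were zeroed by a truncation before the delete, the entry no longer points anywhere. The sample entries, and the function names `make_entry`, `build_sample`, `classify` and `analyze`, are assumptions made for this example.

```python
import struct

ENTRY_SIZE = 32
# 8.3 name, attributes, NT reserved, create-time tenths, create time/date,
# last-access date, first-cluster high word, write time/date,
# first-cluster low word, file size (all little-endian).
ENTRY_FMT = "<8s3sBBBHHHHHHHI"
DELETED_MARK = 0xE5      # first name byte after a normal delete
END_OF_DIR = 0x00        # first name byte of an unused entry: stop scanning
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F    # VFAT long-name fragment, not a real file entry


def make_entry(name, ext, size, first_cluster, attr=0x20, deleted=False):
    """Build one constructed FAT directory entry (sample data, not from a real disk)."""
    raw_name = name.ljust(8)[:8].encode("ascii")
    raw_ext = ext.ljust(3)[:3].encode("ascii")
    if deleted:
        # A normal delete keeps everything except the first name byte.
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]
    return struct.pack(ENTRY_FMT, raw_name, raw_ext, attr, 0, 0, 0, 0, 0,
                       (first_cluster >> 16) & 0xFFFF, 0, 0,
                       first_cluster & 0xFFFF, size)


def build_sample():
    """Constructed directory: a live folder, a normally deleted file,
    a file truncated to 0 bytes before deletion, a long-name fragment, end marker."""
    return b"".join([
        make_entry("WINDOWS", "", 0, 5, attr=ATTR_DIRECTORY),
        make_entry("ABCDEF", "TXT", 4096, 120, deleted=True),
        make_entry("USER", "DAT", 0, 0, deleted=True),
        make_entry("LFNPART", "", 0, 0, attr=ATTR_LONG_NAME),
        bytes(ENTRY_SIZE),
    ])


def classify(deleted, is_dir, size, cluster):
    """Say what an undelete tool can still do with this entry."""
    if not deleted:
        return "live"
    # No starting cluster, or a zero-length file: nothing to follow on disk.
    if cluster == 0 or (size == 0 and not is_dir):
        return "deleted-truncated"
    # Size and first cluster survive; data clusters may still be intact
    # unless they have since been reused or deliberately overwritten.
    return "deleted-recoverable"


def analyze(raw):
    """Walk a raw directory region and report each short-name entry."""
    results = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        chunk = raw[off:off + ENTRY_SIZE]
        if chunk[0] == END_OF_DIR:
            break
        (name, ext, attr, _nt, _tenth, _ctime, _cdate, _adate,
         hi, _wtime, _wdate, lo, size) = struct.unpack(ENTRY_FMT, chunk)
        if attr == ATTR_LONG_NAME:
            continue
        deleted = name[0] == DELETED_MARK
        # The original first character is gone, so recovery tools show "?".
        base = ("?" if deleted else chr(name[0])) + name[1:].decode("ascii").rstrip()
        ext_s = ext.decode("ascii").rstrip()
        display = f"{base}.{ext_s}" if ext_s else base
        cluster = (hi << 16) | lo
        is_dir = bool(attr & ATTR_DIRECTORY)
        results.append({
            "name": display,
            "deleted": deleted,
            "is_dir": is_dir,
            "size": size,
            "first_cluster": cluster,
            "status": classify(deleted, is_dir, size, cluster),
        })
    return results


if __name__ == "__main__":
    for entry in analyze(build_sample()):
        print(f"{entry['name']:<14} cluster={entry['first_cluster']:<6} "
              f"size={entry['size']:<6} {entry['status']}")
```

Running it shows `?BCDEF.TXT` as deleted but recoverable (its size and first cluster are intact), while `?SER.DAT`, truncated before deletion, is reported as unrecoverable by directory-entry undelete alone; for such files only content-based carving of free space can help, and nothing helps if the clusters were overwritten with constant bytes, which matches the symptoms described in the post.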