Hello Monks,
The context for this question is that I think I had something that tried to get onto my Windows 10 laptop by means of my Android phone. I'd been warned that an app had malware, and I should go to Google Play to get it fixed. I decided to factory reset the phone instead, but I was losing power, and without thinking about it, hooked it up to my computer. Two MS-DOS windows appeared and then disappeared. Oops.
So I wrote a script that finds the newest files in my User namespace and then scrutinized anything new. It was a much different listing back then, with so much appdata that I had to filter it. I cleared out all kinds of stuff for varying reasons, and what remains is pretty close to what they give you for an identity with Windows 10. I want to show the terminal output first. It's verbose, so I'm gonna throw it between readmore tags and suggest reading it last or not at all if output makes you grumpy.
C:\Users\Fred>perl virus4.pl >>text1.txt
Use of uninitialized value $access_age in numeric gt (>) at virus4.pl line 29.
Use of uninitialized value $access_age in printf at virus4.pl line 31.
Can't opendir(C:/Users/Fred/AppData/Local/Application Data): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/ElevatedDiagnostics): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/History): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/Microsoft/Windows/INetCache/Content.IE5): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/Microsoft/Windows/INetCache/Low/Content.IE5): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/Microsoft/Windows/Temporary Internet Files): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/Temp/msdtadmin): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/Temporary Internet Files): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/LocalLow/Oracle/Java/jre1.8.0_91/java_sp): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Application Data): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Cookies): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Documents/My Music): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Documents/My Pictures): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Documents/My Videos): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Local Settings): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/My Documents): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/NetHood): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/PrintHood): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Recent): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/SendTo): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Start Menu): Invalid argument
at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Templates): Invalid argument
at virus4.pl line 18.
C:\Users\Fred>dir
Volume in drive C is Windows8_OS
Volume Serial Number is 3052-CD20
Directory of C:\Users\Fred
12/18/2016 10:54 PM <DIR> .
12/18/2016 10:54 PM <DIR> ..
11/05/2016 09:28 PM <DIR> .android
07/27/2015 10:35 PM <DIR> .gem
11/27/2016 04:15 PM <DIR> .gimp-2.8
10/14/2016 04:38 PM 153 .gitconfig
06/08/2016 07:05 PM <DIR> .LSC
06/01/2016 09:07 PM <DIR> .oracle_jre_usage
05/02/2015 12:44 AM 0 .perlcriticrc
06/08/2016 07:05 PM <DIR> .QtWebEngineProcess
07/01/2016 02:17 AM <DIR> .ssh
04/28/2015 11:10 PM <DIR> .thumbnails
12/15/2016 10:41 PM <DIR> Contacts
12/16/2016 12:14 AM <DIR> Desktop
12/16/2016 06:55 PM <DIR> Documents
12/16/2016 06:55 PM <DIR> Downloads
12/15/2016 10:41 PM <DIR> Favorites
12/15/2016 10:41 PM <DIR> Links
12/15/2016 10:41 PM <DIR> Music
12/15/2016 03:58 PM <DIR> OneDrive
06/15/2016 12:57 PM <DIR> perl5
12/15/2016 10:41 PM <DIR> Pictures
12/15/2016 10:41 PM <DIR> Saved Games
12/15/2016 10:41 PM <DIR> Searches
12/18/2016 10:58 PM 293 text1.txt
06/21/2015 06:09 PM <DIR> Tracing
12/15/2016 10:41 PM <DIR> Videos
12/15/2016 11:24 PM 523 virus1.pl
12/15/2016 11:29 PM 519 virus2.pl
12/16/2016 09:16 PM 484 virus3.pl
12/18/2016 10:36 PM 543 virus4.pl
7 File(s) 2,515 bytes
24 Dir(s) 42,966,175,744 bytes free
C:\Users\Fred>type text1.txt
C:/Users/Fred
Fred: M age in days: 0.0000
C:/Users/Fred/NTUSER.DAT
NTUSER.DAT: M age in days: 0.0026
C:/Users/Fred/text1.txt
text1.txt: M age in days: 0.0000
C:/Users/Fred/virus4.pl
virus4.pl: M age in days: 0.0122
C:/Users/Fred/Pictures/2016-12/z
z: M age in days: 0.0986
C:\Users\Fred>type virus4.pl
#!/usr/bin/perl
use warnings;
use strict;
use File::Find;
use Cwd;
=pod
=head1 DESCRIPTION
returns files within a hard-coded M time
=cut
my $current = cwd;
find( \&pm_beneath, $current, );
sub pm_beneath {
use File::Basename;
my $file=$File::Find::name;
my $days = .1; #hard-coded
my $basename = basename($file);
return if $file =~ /.*AppData.*/;
my $access_age = -M $basename;
return if ($access_age > $days);
print "$file\n";
printf "$basename: M age in days: %.4f\n\n", $access_age;
}
__END__
C:\Users\Fred>
Now I'd like to pick that apart and ask some questions. The script is a simple find routine:
use File::Find;
use Cwd;

my $current = cwd;
find( \&pm_beneath, $current, );

sub pm_beneath {
    use File::Basename;
    my $file = $File::Find::name;
    my $days = .1; #hard-coded
    my $basename = basename($file);
    return if $file =~ /.*AppData.*/;
    my $access_age = -M $basename;
    return if ( $access_age > $days );
    print "$file\n";
    printf "$basename: M age in days: %.4f\n\n", $access_age;
}
The first thing I'd like to do is clear the warnings. A typical warning looks like this:
Can't opendir(C:/Users/Fred/AppData/Local/Microsoft/Windows/Temporary Internet Files): Invalid argument
at virus4.pl line 18.
I don't understand how this even made it past the return statement, but that aside, I'm to believe that I have an invalid argument in my find statement. I can only speculate what it might be. It could be my OS saying, "it's none of your business." Let's look at another example:
Can't opendir(C:/Users/Fred/Documents/My Pictures): Invalid argument
at virus4.pl line 18.
This one confuses me more, because, in my output, it shows the only directory I created in My Pictures in this time frame:
C:/Users/Fred/Pictures/2016-12/z
z: M age in days: 0.0986
My first question is how to handle the warnings in a way that leaves no quarter for a trojan.
I learned a few things about my system. Am I correct to think that these are the drivers for my Android phone?
C:\Users\Fred>cd .android
C:\Users\Fred\.android>dir
Volume in drive C is Windows8_OS
Volume Serial Number is 3052-CD20
Directory of C:\Users\Fred\.android
11/05/2016 09:28 PM <DIR> .
11/05/2016 09:28 PM <DIR> ..
11/05/2016 09:26 PM 1,704 adbkey
11/05/2016 09:26 PM 716 adbkey.pub
01/04/2012 04:06 PM 354 adb_usb.ini
11/05/2016 09:28 PM 137 androidwin.cfg
11/05/2016 09:26 PM <DIR> avd
11/05/2016 09:26 PM 114 ddms.cfg
5 File(s) 3,025 bytes
3 Dir(s) 42,990,264,320 bytes free
C:\Users\Fred\.android>
Can anyone speculate why I have this hidden file with nothing in it?
05/02/2015 12:44 AM 0 .perlcriticrc
Finally, as I post a program to fight software attackers, I have this ginormous sense of re-inventing the wheel. What perl tools already exist?
Thank you for your comment, and happy holidays,
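Added example, not the poster's script: a variant of the find routine above that produces neither class of warning shown in the post. The uninitialized value comes from -M basename('C:/Users/Fred'), which is 'Fred', a name that does not exist inside the start directory; the opendir warnings come from File::Find still descending into a directory after the wanted routine returned, since only $File::Find::prune stops the descent. It assumes it is run from the user's profile directory, as in the post, and the 0.1-day threshold is kept.

```perl
#!/usr/bin/perl
# Added example (not the poster's virus4.pl): list files modified within
# the last $days days, skipping AppData and unlistable Windows junctions.
use strict;
use warnings;
use File::Find;
use Cwd;

my $days  = 0.1;       # hard-coded threshold, as in the original script
my $start = cwd();     # assumed to be the profile directory, e.g. C:/Users/Fred

# no_chdir => 1 keeps $_ equal to the full path, so -M is always applied
# to a name that exists (the original applied -M to basename($path), which
# is undefined for the start directory itself).
find( { wanted => \&recent, no_chdir => 1 }, $start );

sub recent {
    my $path = $File::Find::name;

    # Skip the AppData tree. A plain "return" would still let File::Find
    # descend into it; prune tells it not to.
    if ( -d $path && $path =~ m{/AppData$}i ) {
        $File::Find::prune = 1;
        return;
    }

    # Legacy junctions such as "My Documents" or "Application Data" cannot
    # be listed, which is what File::Find reports as "Invalid argument".
    # Test the directory first and prune it ourselves so no warning is raised.
    if ( -d $path ) {
        opendir( my $dh, $path ) or do { $File::Find::prune = 1; return };
        closedir $dh;
    }

    my $age = -M $path;
    return unless defined $age;     # stat failed: nothing to report
    return if $age > $days;

    printf "%s: M age in days: %.4f\n", $path, $age;
}
```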