[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-disclosure] Is this a Virus?
From:       "Geo." <geoincidents () nls ! net>
Date:       2005-12-31 16:31:47
Message-ID: 00e601c60e27$d9e4c600$02fea8c0 () honeypot
[Download RAW message or body]

>> I doubt it's a virus.  Filling up a hard-disk is counter productive to
propagation.

Actually not. If you fill an NTFS disk with files that are 1K or smaller it
forces the MFT to suck up the whole disk, small files are stored entirely in
the MFT instead of like larger files which have an MFT entry and a data
segment for storage area. Once that happens it's not possible to shrink the
MFT so the disk becomes useless for storing files larger than 1K even though
it shows as 90% empty and at the same time it allows the system to continue
running and spreading the virus.

A format is the only way to fix it. For virus writers, it's the perfect way
to trash windows machines without slowing virus propogation.

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]