Weird Problem

[GDPurple]

A customer called me in because his PC would not boot up he was getting an "Invalid System Disk" message on boot up. I suspected that he had a faulty hard disk drive or possibly a damaged boot sector. I booted up the PC using a floppy and had a look on the hard disk drive. I could access the hard disk fine and all his files were there.

Then I noticed something very weird, the date and time on all the files on his PC was set to 6/7/02 9:30am. I investigated further and all the files on his PC are blank! Every file when opened in notepad is empty although the sizes are reported as normal in Windows. I scanned his hard disk for viruses and it was infected with the dreaded W32/Klez.e - but there were only 2 infected files and I have dealt with a lot of Klez infections before and never seen anything like this.

Anybody come accross anything similar? Is it possible for Klez to blank all his files or is more likely some sort of corruption of the FAT. I have run a thorough Scandisk on the drive and it reported no problems.

Pc Spec Compaq Deskpro running Windows 98SE.

[Draggar]

klez.e is nasty,
<a href="http://www.trendmicro.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.E" target="_blank">http://www.trendmicro.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.E</a>

According to housecall, it won't affect BAT, COM, or EXE files, but I have heard of it doing that in the past...

Maybe.

[MaddMaxx]

Klez loves to eat executibles and one of the first
ones it feasts upon is Quickbooks.

[Ruslan]

Did You try to rewrite system files (i.e. command.com, io.sys and so on)?
Did You check partition status (using Fdisk or Partition Magic? - may be, bootable primary partition is now become "non-DOS" partition - some of viruses can change partition's type.

[geoscomp]

I know that Panda reported a week or so ago that July 6th was the date that Klez i was supposed to activate with a payload that rewrites all system files with 1's and zeros..this would explain the files being the same size but blank..haven't seen anything like this in the shop yet, but people are still trying to fix their computers from the last few thunderstorms here, so maybe it will be delayed..according to panda, the solution was format/reinstall..

[geoscomp]

well, I spoke to soon..seems about ten minutes after writing the last post I got in a machine with WinME and Klez i..not all the files were overwritten yet, but a lot of them are, and in microsofts infinite wisdom, there isn't a system file checker in ME..so I can't run and replace system files that are corrupted. Looks like another reformat..since reinstalling doesnt work, and I think the sfpdb.sfp file is probably corrupt as well..and no doubt the virus is in the files in system restore

[GDPurple]

Thanks everyone for the info.

Looks like it's definately Klez then as the date is 6th July on all the files. I don't know if this is a new variant but it doesn't just overwrite executables it overwrites everything! documents, e-mail folders, ini files - everyhting on this computer apart from about 20-30 files is blank.