Hey, I want to know you guys' opinion on the idea of this new and critical threat that's going to start hitting people. After reading that the virus will delete files, I'm unsure as to what state it's leaving these "deleted" files in. Are they recoverable by forensics tools? If so, can forensics tools be the rescue medium for this new threat?
I have included part of the description from F-Secure and a link below for more information. According to them, the contents of the file are overwritten with "DATA Error [47 0F 94 93 F4 K5]". It isn't clear if the entire file is overwritten or just the first part of it. Either way, the data (all or part) is hosed. If I can get a copy of the virus, I will infect a virtual machine later and tell you for sure.
The worm has a dangerous payload. If the date is equal to 3 (3rd of February, 3rd of March, etc.) and the worm's UPDATE.EXE file is run, it destroys files with those extensions on all available drives:
*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.psd
*.dmp
The files' contents get replaced with a text string "DATA Error [47 0F 94 93 F4 K5]"
Check out these posts from F-Secure. I am linking the image in so you can see that it looks like the file itself isn't overwritten, but the contents of the file are overwritten, so those fat 50MB PowerPoint files would now be a couple KB. Overall, it looks like more hype than actual threat, just like the WMF flaw.
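The thread's point is that the payload leaves the file in place but replaces its contents with a fixed marker string, which is exactly the kind of thing an incident responder can triage for. The following is an added example (not from the original thread or from F-Secure): a small scanner that walks a directory tree, looks only at the extensions quoted above, and flags files whose contents begin with the "DATA Error [47 0F 94 93 F4 K5]" marker, reporting their current size. The directory layout it scans is constructed inside the script (`build_sample_tree` and `demo` are hypothetical helpers for the demonstration), so it runs offline; point `find_overwritten_files` at a real share to produce a restore-from-backup list.

```python
import os
import tempfile
from pathlib import Path

# Marker string that the quoted F-Secure description says replaces file contents.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extension list from the quoted F-Secure description (matched case-insensitively).
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt",
                     ".pps", ".zip", ".rar", ".psd", ".dmp"}


def is_overwritten(path: Path) -> bool:
    """True if the file's first bytes are exactly the marker string."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(MARKER))
    except OSError:
        return False
    return head == MARKER


def find_overwritten_files(root):
    """Walk `root` and return a sorted list of (relative posix path, size in bytes)
    for every file with a targeted extension whose contents start with the marker."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTENSIONS and is_overwritten(p):
                hits.append((p.relative_to(root).as_posix(), p.stat().st_size))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data (hypothetical, for the demo only):
    two targeted files whose contents were replaced by the marker, one with an
    upper-case extension, one intact document, and a .txt that carries the marker
    but is not on the extension list."""
    root = Path(root)
    (root / "sub").mkdir(parents=True, exist_ok=True)
    (root / "report.ppt").write_bytes(MARKER)               # hit
    (root / "sub" / "archive.zip").write_bytes(MARKER)      # hit
    (root / "NOTES.XLS").write_bytes(MARKER)                # hit (case-insensitive ext)
    (root / "intact.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"A" * 4096)  # untouched
    (root / "readme.txt").write_bytes(MARKER)               # marker, but not targeted


def demo():
    """Build the constructed tree in a temp dir and return the scanner's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_overwritten_files(tmp)


if __name__ == "__main__":
    for rel_path, size in demo():
        print(f"{rel_path}: {size} bytes, contents replaced by marker")
```

Because the marker check reads only the first 30 bytes of each file, the scan stays cheap even across a large share; a file that is flagged has had its original contents replaced on disk, so the useful recovery path is the most recent backup copy rather than the file itself.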
I really like this