Bizarre incident with suspected malware

Status
Not open for further replies.

WoollyMammoth

New Member
Thread author
Jan 10, 2023
1
Hello, I registered to share something odd that happened to me a few days ago and hopefully hear the opinion of more knowledgeable people on the matter. Normally after a suspected virus/malware infection I would just format and move on, but this time I’m not even sure it was malware, and the whole thing was strange and has left me confused and intrigued.

I have an old computer around that I’ve hooked to my TV and been using as a secondary PC; pretty much I just use it to watch movies, play old games and browse the net. Main hardware is a Q6700 processor on a P35 motherboard with an RX480 GPU (the only somewhat modern thing on it) and two drives (one old 256 GB SSD for the OS and a secondary 1 TB mechanical drive for storage).
It has Windows 7 installed (I know the OS doesn’t receive updates anymore and is unsafe, but I don’t use personal accounts or do anything sensitive on it, so I couldn’t be bothered moving to Win10) with up-to-date Kaspersky Internet Security and Firefox with uBlock Origin as browser.

Now, as for the incident with the suspected malware: I was browsing around websites with emulation resources and ended up on some blog with external links to download romsets from filehosts. So I downloaded one to try out. It was a rar file uploaded in late November that supposedly contained roms, but upon inspection it just contained a large txt file (about 60 MB) with the same name as the rar.

This was probably reckless, but since I was curious and this is a secondary PC with nothing of value stored on it, I went ahead and uncompressed the file with 7-Zip. I also scanned the rar with KIS and later the uncompressed txt file, and both came up clean. This probably doesn’t mean much since I don’t expect any AV to be infallible, but I think it’s worth mentioning.

I also have the Windows option to hide known extensions disabled, and the file had a Notepad icon, so it seems that the file was legit plain text unless the uploader used some other trick I don’t know about to hide the true file extension.

So, curious as I was, I opened the txt file with Notepad. The program became unresponsive for a while, which isn’t that alarming since it was a large txt file and the computer is old. When the text started appearing there was just a strange and out-of-context sentence written over and over: “happiness and blessed days for you!”. As I scrolled down, Notepad started to become laggy and the text seemed to continuously load more lines, so I freaked out a bit and closed it before trying to reach the bottom. I disconnected the computer from the net and deleted the files; I guess it would have been better to keep them to get more information now that any possible damage was done, but I guess I wasn’t thinking straight. I did a full scan with KIS to see if it would catch anything, but the results were clean other than some warnings for potentially harmful software from a recovery live CD with tools I had in my downloads.

At this point I turned off the computer, disconnected the secondary drive and powered it back on to do another full scan, this time with the admin account. I expected to be greeted by some ransomware affecting my files after logging in, but to my surprise everything seemed fine, and the scan came up clean too. I plugged the secondary drive back in and ran another full scan, which also came up clean. I used the computer a few hours afterwards and there were no obvious signs of malware infection. Maybe if I went online it would have started to act up?

While everything seemed fine I was still wary, so what I did was replace the hard drives with another old one that I had with a clean install; I also flashed the motherboard BIOS before powering it on and reset the router. This might not be enough if it’s some sophisticated malware, but since I’m not even sure if it’s malware I don’t want to go overboard.

What I find strange is that from what I’ve read a lot of malware comes in compressed files with Office-related document formats, but never plain text, as supposedly you can’t execute code that way. It might be that the malware is deployed by uncompressing the rar, but then why add the strange large text file? It seems like some kind of taunting, ironic message. If this was some kind of malware meant to steal information, it would be made to be as discreet as possible to remain undetected and keep the victim oblivious while it steals as much data as possible, wouldn’t it? The strange text just makes anyone who isn’t too computer savvy, like me, freak out and think something’s wrong.

Then there’s the possibility that this was some ransomware, but I don’t see any sign of it, like encrypted files and ransom notes.

What are your thoughts on it? Have you heard of a similar occurrence? Some possibilities I’ve considered if it isn’t malware:

- It’s some kind of prank, a harmless file uploaded with malicious intent. An antivirus wouldn’t pick up a simple compressed txt file, but people like me with not much technical knowledge could get scared and waste time formatting their hard drives or taking the computer to a tech shop. However, creating a blog with various entries and wasting time uploading the files just for this seems a bit over the top.

I tested this out by creating a txt file myself of similar size with the same sentence and opening it. It did behave similarly, with Notepad becoming unresponsive for a while, but once the text loaded I could swiftly reach the bottom without any lag. Could it be that because I created and edited this file it was stored in the RAM and ran more smoothly?

- Another possibility is that the blog creator makes money from the filehost from people downloading files and purchasing premium, but instead of using roms that could be removed and get him in legal trouble, he uploads these fake compressed files. This sounds a bit contrived and seems less probable; it would also be pointless to add the large text file, and if this was money oriented they probably would also use a link shortener between the blog and the filehost link.
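One way to characterise a file like this offline, without opening 60 MB in Notepad, is to stream its bytes and report whether they are all printable text, how many distinct lines it has and which line dominates. This is an added example, not code from the thread; the sample file it builds is constructed to resemble the one described (one sentence repeated), and the function names are my own.

```python
"""Triage a suspicious 'plain text' file without opening it in an editor.
Reports size, count of non-printable bytes, and the line distribution so a
large file of one repeated sentence can be told apart from text that hides
binary content. Added example; names and sample are constructed here."""
import os
import tempfile
from collections import Counter

# Printable ASCII plus tab, LF and CR; anything else counts as non-text.
ALLOWED = bytes(range(0x20, 0x7F)) + b"\t\n\r"


def triage_text_file(path, chunk_size=1 << 20):
    """Stream the file and summarise its content; returns a dict of findings."""
    size = os.path.getsize(path)
    non_text = 0
    lines = Counter()
    tail = b""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            # translate(None, ALLOWED) deletes allowed bytes; what remains is non-text
            non_text += len(chunk.translate(None, ALLOWED))
            parts = (tail + chunk).split(b"\n")
            tail = parts.pop()  # last piece may be an incomplete line
            lines.update(parts)
    if tail:
        lines.update([tail])
    total = sum(lines.values())
    top_line, top_count = lines.most_common(1)[0] if lines else (b"", 0)
    return {
        "size": size,
        "non_text_bytes": non_text,  # > 0 means not pure printable text
        "total_lines": total,
        "distinct_lines": len(lines),
        "top_line": top_line.decode("ascii", "replace").rstrip("\r"),
        "top_line_share": top_count / total if total else 0.0,
    }


def build_sample(path=None, sentence="happiness and blessed days for you!",
                 target_bytes=2_000_000):
    """Constructed sample resembling the file in the thread: one sentence repeated."""
    path = path or os.path.join(tempfile.gettempdir(), "suspect_sample.txt")
    line = (sentence + "\r\n").encode("ascii")
    with open(path, "wb") as fh:
        for _ in range(target_bytes // len(line)):
            fh.write(line)
    return path


if __name__ == "__main__":
    for key, value in triage_text_file(build_sample()).items():
        print(f"{key}: {value}")
```

A result with zero non-text bytes and a single distinct line says the file is exactly what Notepad showed; a non-zero non-text count is the signal that a file deserves a closer look than an editor can give.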

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,431
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Let's run these programs to find out if any malware is present.

Once done please do not add or do anything that may change the way this computer works at the moment.


Please download Malwarebytes Anti-Malware from Malwarebytes or from BleepingComputer.


Right-click on the MBAM icon and select Run as administrator to run the tool.
Click Yes to accept any security warnings that may appear.
Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
On the left menu pane click the Settings tab, and then select the Protection tab on the top.
Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
Note: The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
The log can also be viewed by clicking the log to select it, then clicking the View Report button.

Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Malwarebytes to your Desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the LogFile button and the report will open in Notepad.

IMPORTANT

If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and Attach it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Please attach the logs for my review.
How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "Upload file" button.
Do this for both files. Then press the "Post reply" button.
<<<>>>

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program, trust it if downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>

Wait for further instructions

p.s.


Posted recently.
FYI