PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Subject:
From: Ernie Goens <[log in to unmask]>
Reply To: PCBUILD - PC Hardware discussion List <[log in to unmask]>
Date: Fri, 17 Apr 1998 19:29:49 GMT
On Thu, 16 Apr 1998 22:10:03 -0700, you wrote:

>There are two methods to resolve this: (1) use Norton Utilities and do
>an NDD /rebuild (that forces NDD into rebuilding the partition tables), or (2) do
>an FDISK /MBR, which will also get you to the same place. Then you can boot to
>a floppy and make sure that the virus is gone. The methods described above
>will not work if you have a drive overlay program (for drives larger than
>514 Megabytes).

This is not a good idea, at least according to Dr. Solomon at:
http://www.drsolomon.com/products/avtk/tnotes/tn009.html

I quote:
"FDISK /MBR [the /MBR parameter is available in MS-DOS 5.x onwards]
replaces the partition executable code, without changing the partition
data. Since most partition sector viruses replace [or modify] the
partition executable code, leaving the partition table unchanged,
FDISK /MBR is often considered to be an easy way of removing partition
sector viruses. However, FDISK /MBR is not a virus removal utility and
its use for this purpose may result in loss of data, as the following
examples show.
FDISK makes no check of the partition table [to ensure that it
contains valid data]; it assumes that anything in this location is a
valid partition table. If any virus has overwritten the partition
table, the use of FDISK /MBR will render the disk inaccessible. Empire
Monkey virus encrypts the partition sector and re-locates it to
cylinder 0, head 0, sector 3; it then replaces the partition sector
with its own code. When the PC is booted from the hard disk, Empire
Monkey loads into memory, decrypts the partition sector and the PC
boots normally. However, if the PC is booted from a clean DOS system
disk, the hard disk is inaccessible [the user will see the message
'Invalid drive specification' if he or she attempts to access the hard
disk]. If FDISK /MBR is used, most of the virus code is replaced with
good partition executable code [a 'stub' is left, which FDISK assumes
to be a valid partition table]. In effect, FDISK removes the only
mechanism available for decrypting the good partition sector.

If any disk management software, or security software, is installed on
the hard disk, the partition sector may have been modified [or
re-located]. If FDISK /MBR is used, in an attempt to remove a
partition sector virus, the disk management software may be damaged
and the drive may become inaccessible.

One-Half virus writes its code into the partition executable code and
leaves the partition table unchanged. On the face of it, it would
appear that FDISK /MBR could be used to remove the virus successfully
[the virus code would be replaced with good executable code; and the
partition table would be unchanged]. However, One-Half also encrypts
data on the disk [every time the PC is booted, one cylinder is
encrypted]. The virus decrypts this data 'on-the-fly' when the
infected PC is booted. Since the virus is the only mechanism available
for decrypting this data, FDISK /MBR will result in data loss."

So, this is just provided for your information, and because I had to
deal with this particular virus about a month ago. :)

Ernie Goens
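The check that Dr. Solomon's note says FDISK /MBR never performs, as an added example that is not part of the original post or of Dr. Solomon's technical note. It relies only on the standard layout of a 512-byte DOS master boot record (446 bytes of bootstrap code, four 16-byte partition entries at offset 446, the 0x55 0xAA signature at offset 510) and models the behaviour the note describes: an FDISK /MBR style rewrite replaces the executable code and passes the partition table through untouched, whatever it contains. All sector contents, the "virus" byte patterns, the disk size and the CHS-less partition entries are constructed for the demonstration; the function and constant names are the example's own.

```python
"""Partition-table sanity check before an FDISK /MBR style rewrite (added example,
constructed data). Layout constants are the standard DOS MBR layout."""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code, the part FDISK /MBR rewrites
TABLE_OFFSET = 446           # bytes 446..509: four 16-byte partition entries
ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511
ENTRY_FMT = "<B3sB3sII"      # boot flag, CHS start, type, CHS end, LBA start, LBA length


def build_entry(boot, ptype, lba_start, lba_len):
    """Pack one partition entry. CHS fields are zeroed: this example only
    examines the LBA fields (a constructed simplification)."""
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", lba_start, lba_len)


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from bootstrap code and up to four entries."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or too many entries")
    table = b"".join(entries) + b"\0" * (ENTRY_LEN * (4 - len(entries)))
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + SIGNATURE


def parse_entries(sector):
    """Decode the four partition entries without judging them."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    out = []
    for i in range(4):
        boot, _, ptype, _, start, length = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_LEN)
        out.append({"boot": boot, "type": ptype, "start": start, "length": length})
    return out


def check_partition_table(sector, disk_sectors):
    """Return a list of problems; an empty list means the table looks sane.
    This is the check FDISK skips: it guards only against a clobbered table,
    not against data the virus encrypted elsewhere on the disk."""
    problems = []
    if sector[-2:] != SIGNATURE:
        problems.append("missing 0x55AA signature")
    active = 0
    extents = []
    for i, e in enumerate(parse_entries(sector)):
        if e["boot"] not in (0x00, 0x80):
            problems.append(f"entry {i}: boot flag 0x{e['boot']:02x} is neither 0x00 nor 0x80")
        if e["boot"] == 0x80:
            active += 1
        if e["type"] == 0:
            if e["start"] or e["length"]:
                problems.append(f"entry {i}: empty type but non-zero LBA fields")
            continue
        if e["length"] == 0 or e["start"] + e["length"] > disk_sectors:
            problems.append(f"entry {i}: extent {e['start']}+{e['length']} does not fit "
                            f"a {disk_sectors}-sector disk")
        for j, (s, n) in extents:
            if e["start"] < s + n and s < e["start"] + e["length"]:
                problems.append(f"entry {i} overlaps entry {j}")
        extents.append((i, (e["start"], e["length"])))
    if active > 1:
        problems.append(f"{active} entries marked active, at most one expected")
    return problems


def fdisk_mbr_style_rewrite(sector, clean_code):
    """Model of FDISK /MBR as described in the note: bytes 0..445 are replaced,
    the table and signature pass through unchanged, whatever they hold."""
    if len(sector) != SECTOR_SIZE or len(clean_code) > BOOT_CODE_LEN:
        raise ValueError("bad sector or boot code size")
    return clean_code.ljust(BOOT_CODE_LEN, b"\0") + sector[BOOT_CODE_LEN:]


# Constructed samples: a ~512 MB disk with one active FAT16 primary partition.
DISK_SECTORS = 1_048_576
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0"          # placeholder bytes, not real boot code
CLEAN_MBR = build_mbr(CLEAN_CODE, [build_entry(0x80, 0x06, 63, 1_000_000)])
# Case 1: only the bootstrap code was replaced; the table is intact.
CODE_ONLY_INFECTION = b"\xeb\x1c" + b"\x90" * 444 + CLEAN_MBR[BOOT_CODE_LEN:]
# Case 2: the whole sector body was overwritten; only the signature survived.
TABLE_OVERWRITTEN = (bytes(range(256)) * 2)[:510] + SIGNATURE


def triage(sector, disk_sectors=DISK_SECTORS):
    """Return (table problems, sector as an FDISK /MBR style rewrite would leave it)."""
    return check_partition_table(sector, disk_sectors), fdisk_mbr_style_rewrite(sector, CLEAN_CODE)


if __name__ == "__main__":
    for name, sec in [("clean", CLEAN_MBR), ("code-only infection", CODE_ONLY_INFECTION),
                      ("table overwritten", TABLE_OVERWRITTEN)]:
        problems, fixed = triage(sec)
        print(f"{name}: {len(problems)} table problem(s); rewrite restores clean MBR: "
              f"{fixed == CLEAN_MBR}")
        for p in problems:
            print("   -", p)
```

Run it and the code-only infection comes back with an empty problem list and a rewrite identical to the clean sector, while the overwritten table is flagged and the rewrite leaves every one of its garbage bytes from offset 446 onward in place, which is the "render the disk inaccessible" outcome in the note. An empty problem list is a necessary condition, not a sufficient one: a relocated and encrypted real sector (the Empire Monkey case) or encrypted cylinders elsewhere (One-Half) look perfectly sane from the table alone, so a clean scan with a current virus scanner still comes before any rewrite.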
