Re: Re(2): Possible new virus?

From: Sebastian Schneider (ses_at_straightliners.de)
Date: 09/11/03

  • Next message: David Gillett: "RE: SNMP Traffic over spoolsv.exe ?"
    To: "Wilcox, Stephen" <StephenWilcox@universalcomputersys.com>, "Lee Rich" <lee.rich@wlga.gov.uk>, <security-basics@securityfocus.com>
    Date: Thu, 11 Sep 2003 22:46:36 +0200
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hey, this is quite a good idea ; ) I guess, as Matt already said, he has had no
    real hands-on yet. Anyway, if he's going to take a "sightseeing" tour,
    there are quite a lot of things to be checked. As far as I recall, he didn't
    say that those machines didn't boot up as usual.

    1 - So the first thing is: when does that message appear? After POST, before starting
    up the operating system? Or before/after?

    2 - What happens when booting from any bootable CD, or just switching off the
    hard disks in the BIOS? Same message? (I guess that's much easier than
    disconnecting the hard drive physically, and the actual owner feels much more
    comfortable.)

    3 a - Assuming message still appears, is the fan working properly? What about
    the CPU temperature? Too hot or within normal range? What does the BIOS tell
    about the temperatures, if at all?

    3 b - The message is not displayed, so it must be some code executed while booting
    from disk. That code might be executed when running the boot routines in the MBR
    or the partition's boot sector, or while starting the operating system (I guess
    Matt said there were no strange entries in either config.sys or
    autoexec.bat). Now a Linux system is really helpful in doing some forensics
    ;-)

            3 b1 - Check out the startup files like config.sys, autoexec.bat, win.ini,
                   system.ini and the registry entries. Keep an eye on the modification dates
                   of the files and compare file sizes to the original sizes, maybe
                   MD5 hashes. Anything strange?
            3 b2 - Assuming nothing is found, take a copy of the MBR and boot sector. The
                   tool debug (if not running Linux to do that) is quite helpful in such
                   situations. This is not sufficient for later analysis however, since the
                   real code can be in any sectors on the hard disk. Now the boot code needs
                   to be analyzed. The boot block structure is needed to extract the actual
                   code out of all that information.

    4 - Assuming message still shows up though fan is working, now it might still
    be a hardware defect, a bug or a virus infecting the BIOS software. If the
    BIOS shows the temperatures, issue is easier to analyze.

    4 a - The BIOS says temperatures are okay. There's no hardware defect, maybe no
    software bug. Try resetting the BIOS to default values. Message still
    appears? Does the mainboard have a jumper to protect against flashing the BIOS by
    mistake? Is that jumper set to protect or to allow flashing? If no jumper
    exists to control flashing, what is set in the BIOS? Is there an option at
    all?
     
            4 a1 - The jumper or BIOS is set to deny flashing. Most likely, there's some
                   defective hardware.
            4 a2 - There's no option to control flashing. Maybe the software in flash is
                   buggy, corrupt or changed.

    4 b - BIOS provides no way to check system temperatures. So try a third-party
    tool if available.

    5 - In any case of 4, try to obtain the latest BIOS software and try flashing.
    Don't forget to take an image before overwriting.

    5 a - Flashing is denied. Maybe you can't flash at all, or a virus might block
    such nasty things (this is quite hard to code...). Most likely, flashing is
    not possible due to some restriction. Check 4a again. If everything's okay,
    there might be some malicious code. Analyze the image or verify your steps.

    5 b - Flashing is possible and successful. After flashing, the message still
    shows up? Then there's some hardware failure, or jump to 3b above.
    If that message doesn't appear this time, the old flashed software might be buggy
    or contain malicious code. Analyze the image.

    Hope these steps were right and harmonious. Please let me know, if anything's
    missing or wrong.

    Sebastian

    On Thursday 11 September 2003 20:48, Wilcox, Stephen wrote:
    > Ok, I'm sure everyone has an opinion about Chris's original email. It was
    > his opinion on where he felt this email belonged, nothing more. The
    > administrators of the mail list felt it could fall under this group, so here
    > it stays. It seems to me everyone is getting off track. Get back into
    > focus and use this list for what its intention is: helping to point
    > people towards their resolution. I see more and more people wanting to run
    > someone through the mud on their opinion rather than time spent on the issues of
    > the original post.
    >
    > With that said...
    >
    > I would take a road trip and verify that the machine's sounds and entirety are in
    > fact in "Good Working Condition".
    >
    > Run the test as some have pointed out.
    >
    > It's much harder to correctly resolve issues when it comes from a third
    > party.
    >
    > I wish you good luck in your search for a resolution to your problem.
    >
    > Stephen
    > R&D Systems Network Specialist
    >
    >
    >
    > -----Original Message-----
    > From: Lee Rich [mailto:lee.rich@wlga.gov.uk]
    > Sent: Thursday, September 11, 2003 4:08 AM
    > To: security-basics@securityfocus.com
    > Subject: Re(2): Possible new virus?
    >
    >
    > Chris, in a later posting, Matt has stated that 'another' machine has been
    > reported to have the same symptoms; these machines may be just a small
    > handful of machines who have the same problem but have not been reported
    > yet due to the area covered by 'Internet' Technical support.
    >
    > Also, the idea that the message and beeping may be a red herring should not
    > be cast aside. For all these systems to suffer the same fault despite
    > manufacturer or warranty state seems a little iffy to me, and I wouldn't be
    > surprised if there is actually nothing wrong with the cooling system.
    > Saying it's a hardware problem would assume that each firmware reports an
    > identical message for the problem. Not to mention that some firmware may
    > not even be able to report such an issue.
    >
    > -Lee Rich
    > security@wlga.gov.uk
    >
    > -----Original Message-----
    > From: Chris Berry <compjma@hotmail.com>
    > To: security-basics@securityfocus.com <security-basics@securityfocus.com>
    > Sent: 10/09/2003 23:51
    > Subject: Re: Possible new virus?
    >
    >
    > From: "Lee Rich" <lee.rich@wlga.gov.uk>
    >
    > > > "I'm not sure how it made it on to the list"
    > >
    > >And please don't forget, this is 'security-basics'.. which means to me
    > >that it's not all security experts here, it's people breaking into the
    > >field as well. So you should expect questions that may be simple to
    > >yourself, but to others, it's part of a learning curve.
    >
    > Oh, I wasn't complaining because it was basic, I was complaining because
    > it's not a security issue. To the best of my knowledge (which on this
    > particular subject is fairly extensive since I'm originally from a hardware
    > background), there is no possible way for software to interfere with the
    > CPU cooler no matter how malicious it is, there just isn't any interface.
    > (though I suppose if you had a motherboard with variable fan speed control
    > and you somehow got an infected firmware update for your BIOS, then maybe,
    > but thats a real long shot) However, as always I'm willing to fess up if
    > I'm wrong, is there anyone here who knows differently? I'd be happy to
    > help the original poster, I was just trying to point out that this isn't
    > the correct forum for hardware questions.
    >
    > Chris Berry
    > compjma@hotmail.com
    > Systems Administrator
    > JM Associates
    >
    > "Consciousness: that annoying time between naps."
    >
    > _________________________________________________________________
    > Get a FREE computer virus scan online from McAfee.
    > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
    >
    >
    > ---------------------------------------------------------------------------
    > Captus Networks
    > Are you prepared for the next Sobig & Blaster?
    > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > - Precisely Define and Implement Network Security
    > - Automatically Control P2P, IM and Spam Traffic
    > FIND OUT NOW - FREE Vulnerability Assessment Toolkit
    > http://www.captusnetworks.com/ads/42.htm
    > ---------------------------------------------------------------------------
    >- ***************************************************************
    > SAVE PAPER - THINK BEFORE YOU PRINT!
    > I ARBED PAPUR - PWYLLWCH CYN PRINTIO!
    > ***************************************************************
    >
    >
    >
    > ----------------------------------------
    > The information transmitted in this message is intended only for the person
    > or entity to whom it is addressed and may contain confidential and/or
    > privileged material. Any review, retransmission, dissemination or other
    > use of, or taking of any action in reliance upon this information by
    > persons or entities other than the intended recipient is prohibited. If
    > you received this in error, please contact the sender and destroy any
    > copies of this document.
    >

    - --

    Sebastian Schneider
    straightLiners IT Consulting & Services
    Metzer Str. 12
    13595 Berlin
    Germany

    Fon: +49-30-3510-6168
    Fax: +49-30-3510-6169
    www.straightliners.de
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (GNU/Linux)

    iD8DBQE/YN8sQ7mOWZBxbPcRAiX9AJ9cxdgX6tA1k04cI9cxNwUt72mt/QCgsMx2
    8MlSJxxG1i8J53GAtyQHkxY=
    =e/AG
    -----END PGP SIGNATURE-----

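    Steps 3 b1 and 3 b2 above boil down to one discipline: image the boot sectors, know their layout, hash what should be constant, and diff against a known-good copy. The script below is an added illustration written for this page, not code from Sebastian's post or any tool he names. It parses a 512-byte MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 55AA signature), hashes the boot code, locates the partition boot sector (VBR) through the MBR's LBA field, and reports the exact byte ranges where a suspect image differs from a clean one. The sample MBRs, the "infected" patch at offset 0x100 and the disk image are all constructed in-line for the demonstration and are not from any real machine.

```python
"""Added example: dissect a 512-byte MBR image, hash its boot code and diff it
against a known-good copy. Illustrative code for this page, not from the thread.
On Linux a real image is taken with:  dd if=/dev/sda bs=512 count=1 of=mbr.bin
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 446           # classic layout: bootstrap code, then the partition table
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR or VBR


@dataclass
class Partition:
    index: int
    bootable: bool   # status byte 0x80 = active
    type_id: int     # e.g. 0x07 NTFS, 0x0b FAT32, 0x83 Linux
    lba_start: int   # first sector of the partition, i.e. where its VBR lives
    sectors: int


def parse_partition_table(mbr: bytes) -> list[Partition]:
    """Decode the four partition entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, type_id, lba_start, sectors = struct.unpack(
            "<B3xB3xII", mbr[off:off + PART_ENTRY_LEN])
        if type_id != 0:
            parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def analyze_mbr(mbr: bytes) -> dict:
    """The checks a first look at an MBR image should answer."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    boot_code = mbr[:BOOT_CODE_LEN]
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_md5": hashlib.md5(boot_code).hexdigest(),
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": parse_partition_table(mbr),
    }


def changed_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Byte ranges [start, end) where two equally long images differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def extract_vbr(disk_image: bytes, part: Partition) -> bytes:
    """Partition boot sector: the first sector of the partition, via the MBR's LBA field."""
    off = part.lba_start * SECTOR
    return disk_image[off:off + SECTOR]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR with one active NTFS partition starting at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_097_088)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed "known good" boot code: jmp $ plus NOP padding (a placeholder, not a real loader).
SAMPLE_CLEAN_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 200)
# Constructed "suspect" copy: 16 bytes at offset 0x100 overwritten with INT 13h (disk I/O) calls.
_patched = bytearray(SAMPLE_CLEAN_MBR)
_patched[0x100:0x110] = b"\xcd\x13" * 8
SAMPLE_SUSPECT_MBR = bytes(_patched)
# Constructed disk image: MBR, 62 empty sectors, then a VBR at LBA 63 carrying the signature.
SAMPLE_DISK_IMAGE = (SAMPLE_CLEAN_MBR + b"\x00" * (62 * SECTOR)
                     + b"\xeb\x52\x90NTFS    ".ljust(510, b"\x00") + BOOT_SIGNATURE)

if __name__ == "__main__":
    report = analyze_mbr(SAMPLE_SUSPECT_MBR)
    print("signature ok:", report["signature_ok"])
    print("boot code md5:", report["boot_code_md5"])
    for p in report["partitions"]:
        print(f"partition {p.index}: type 0x{p.type_id:02x} active={p.bootable} "
              f"lba={p.lba_start} sectors={p.sectors}")
    for start, end in changed_ranges(SAMPLE_CLEAN_MBR, SAMPLE_SUSPECT_MBR):
        print(f"boot code differs at 0x{start:03x}-0x{end:03x}: "
              f"{SAMPLE_SUSPECT_MBR[start:end].hex()}")
    print("VBR signature ok:", extract_vbr(SAMPLE_DISK_IMAGE, report["partitions"][0])[510:] == BOOT_SIGNATURE)
```

    Two caveats when using this on a real disk. Newer Windows MBRs keep a 4-byte disk signature at offset 0x1B8 (440), so that region legitimately differs between machines and will show up in changed_ranges; judge it separately from the code before it. And, as the post says, the MBR stub normally just loads more sectors, so a modified stub is only the start: follow any INT 13h reads it performs to sectors that lie outside the partitions listed in the table, since that is where the real payload would have to hide.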

