Re: Web searches hijacked by malware



On Wed, 9 Dec 2009, in the Usenet newsgroup alt.computer.security, in article
<7oauj0F3nj7ptU1@xxxxxxxxxxxxxxxxxx>, Mike Easter wrote:

> ~BD~ wrote:
>> Mike Easter wrote:
>>> I don't have one of those real MS ones

I don't normally worry about the MS media, but I don't believe I've
seen systems delivered recently with real MS media - it's all
manufacturer rescue image CDs/DVDs.

>> I've not carried out the install exercise for some months now (not
>> since I bought my iMac!) but IIRC there are no 'tools' as such -
>> for the likes of me, anyway!

How often does your average user do an install? Back when you had
two floppy disks to install MS-DOS 3.x, a lot more people were doing
so, and it wasn't anywhere _near_ as complicated as one of the
current versions of windoze. Installing applications could be (and
often was) complicated, but not the O/S itself.

>> When one elects to carry out a new install of XP (this is the Home
>> edition I have) one is asked to format and one can choose 'Quick'
>> or 'normal' (longer!).

My (very limited) understanding is that both clear the directory and
the table that translates between file name and physical location on
the disk (the FAT tables in DOS, inodes in many types of *nix). With
the "quick" format, the data remains physically present (recoverable
with a disk editor, or anything else using physical addressing).
This means that if the malware is using physical addressing, it may
still be dangerous.

>> I'm sorry I can't recall from where I've got this notion about the
>> MBR remaining intact (and possibly still being infected). Perhaps
>> someone else will know.

The MBR is the only "known" location on a disk. The BIOS knows where
it is, and knows that there should be a bit of machine code that
starts the boot loading process. Part of that machine code is the
physical address of the rest of the boot loader and the operating
system. Thus when you do an install, the MBR will be overwritten
with the necessary data to find the rest of that code. As the
MBR is a small sector (512 bytes), and the disk system is incapable
of writing/reading individual bytes, the entire block will be
overwritten.

> I'm reading that the real MS one has tools in the Recovery Console,
> which includes the tools fixboot and fixmbr; and in addition that
> fdisk has the undocumented command fdisk /mbr which rewrites the mbr.

I thought the 'fdisk /mbr' was DOS, win9x and winme, and was replaced
by fixmbr in XP. My understanding is that these tools are enough
to eradicate a boot sector virus. Of course, they do nothing with
the rest of the virus (originally pointed to by the MBR), but if
nothing is pointing to it, it's not likely to be runnable.

> From MS's kb 314058

and how many users can find that document? More correctly, how many
would even know to _look_ for it? Most computer operating systems
are built for that 6-year-old that microsoft was using to advertise
windoze 7 on US television a month or two ago. Just click this icon,
or select that menu item, and all will be fine... "trust me".

Old guy
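The post above describes the MBR as a single 512-byte sector that the BIOS reads blindly: boot code in the first 446 bytes, a four-entry partition table, and a closing 0x55AA signature, all written or rewritten as one block. The following Python is an added example, not code from the thread or from any Microsoft tool: it parses a sector of that layout, hashes the boot-code region against a known-good baseline (the defender's way to notice a rewritten MBR, independent of whether the OS later reports it as clean), and confirms that a change to the boot code leaves the partition table untouched, which is exactly why tools like fixmbr can rewrite the code without losing the partitions. The sample sector and the "tampered" copy are constructed in the code; the boot-code bytes are placeholders, not a real loader.

```python
"""Parse and integrity-check a 512-byte MBR sector (constructed sample, no real disk access)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510      # bytes 510..511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot code, signature check and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    signature_ok = sector[SIGNATURE_OFF:] == b"\x55\xaa"
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sector count(4 LE)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": signature_ok,
            "boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is expected to change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches expectations."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (a_start, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            findings.append(f"partition entries overlap at LBA {b_start}")
    return findings


def build_sample_sector() -> bytes:
    """Constructed sample: placeholder boot code plus one bootable type-0x07 partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    return boot_code + table + b"\x55\xaa"


def overwrite_boot_code(sector: bytes) -> bytes:
    """Constructed: replace the first two boot-code bytes, leaving table and signature intact."""
    return b"\xEB\xFE" + sector[2:]


if __name__ == "__main__":
    good = build_sample_sector()
    baseline = boot_code_hash(good)
    print("clean sector findings:", check_mbr(good, baseline))
    print("rewritten sector findings:", check_mbr(overwrite_boot_code(good), baseline))
```

In practice the baseline hash is taken right after a known-clean install (or from the vendor's stock MBR code) and stored off the machine; the raw sector itself comes from reading the first 512 bytes of the physical disk device, which this example deliberately does not do.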