Re: Handling boot viruses
From: Phil Weldon (notdisclosed_at_example.com)
Date: 05/30/04
- Next message: Robert Green: "Re: Handling boot viruses"
- Previous message: Eli: "Re: Symantec Security Check Tells Me it My AntiVirus Software Isn't Up-To-Date"
- In reply to: Zvi Netiv: "Re: Handling boot viruses"
- Next in thread: Zvi Netiv: "Re: Handling boot viruses"
- Reply: Zvi Netiv: "Re: Handling boot viruses"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 30 May 2004 17:57:46 GMT
Thanks for making the effort. Could you tell us how you infected the dual
boot system with Windows 98SE installed, and if you can infect a system that
has only Windows 2000 and/or Windows XP with NTFS installed via a method
that could exist in-the-wild?
--
Phil Weldon, pweldonatmindjumpdotcom
For communication, replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."

"Zvi Netiv" <support@replace_with_domain.com> wrote in message
news:k3tib0pof0be1fkebl4honm9qr96rclrvo@4ax.com...
> "FromTheRafters" <!0000@nomad.fake> wrote:
>
> > "Zvi Netiv" <support@replace_with_domain.com> wrote
> >
> > > Boot viruses is where AV software always did a lousy job. Lots of false alarms,
> > > misidentification of the virus, and the worst - high percentage of unsuccessful
> > > "disinfection" that ended in loss of access to partition(s), or loss of self
> > > boot ability.
> >
> > Thanks for expanding on that, Zvi. I was only suggesting, in a general way,
> > that it is best to find out what one is dealing with prior to dealing with it.
> > Especially when "dealing with it" concerns the use of fdisk /mbr.
> >
> > > Having said that, you realize that the "exact" determination of the boot virus,
> > > if there is one at all, is not always possible.
> >
> > True, and I can see the benefits of dealing with it generically. It seems
> > that one would have to be somewhat experienced with such things to
> > even have a chance at recognizing the results of fdisk /status to ensure
> > that disk data has not been encrypted by the virus one is attempting to
> > remove.
> >
> > ...of course I haven't ever seen what the results of fdisk /status look like
> > when the likes of Stoned Empire Monkey has written itself to the partition
> > sector. I assume it looks nothing like a normal one.
>
> I have done it, for your benefit and of all. Below are the results of running
> FDISK /STATUS on my test drive, in the following three conditions: Uninfected,
> with AntiEXE in the MBR, and with Monkey.
>
> Here is how it looks:
>
> --- FDISK /STATUS with no boot infector, or with AntiEXE ---
>
> Fixed Disk Drive Status
>
> Disk  Drv  Mbytes  Free  Usage
>   1        38162         100%
>        C:  19077
>        D:  19085
>
> The drive is 40 GB, divided into two equal size partitions, with dual boot
> (Win98SE and XP professional), both on FAT 32 (for inter operability of
> applications under either OS). FDISK /STATUS returns the same for an uninfected
> drive, or when infected with AntiEXE. FDISK /MBR is safe to run under these
> conditions.
>
> --- FDISK /STATUS with Empire.Monkey ---
>
> Fixed Disk Drive Status
>
> Disk  Drv  Mbytes  Free  Usage
>   1        38162         100%
>
> FDISK /STATUS shows no logical partitions with Monkey's code in the MBR, as the
> encrypted partition data is not recognized by FDISK. You should not run FDISK
> /MBR under this condition.
>
> As you can see, the results are unambiguous and it's fairly simple to tell under
> which condition FDISK /MBR is safe to run, after having tested with FDISK
> /STATUS.
>
> Regards, Zvi
> --
> NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
> InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
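As an added illustration of the "check the partition table before touching the MBR" reasoning in the quoted exchange (this is example code, not from the thread or any of the posters): a small Python parser for the 64-byte MBR partition table that reports whether a tool like FDISK would recognise it. The sample sectors are constructed; the clean one mirrors the two-FAT32-partition drive described above, and the scrambled one stands in for a table a boot infector has encrypted (the XOR used to scramble it is an assumption for illustration, not any real virus's scheme). All function names are assumptions.

```python
import struct

TABLE_OFFSET = 0x1BE           # 4 x 16-byte partition table starts at byte 446
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid boot sector

def parse_partition_table(sector):
    """Return the four primary partition entries of a 512-byte MBR as dicts."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries

def table_looks_sane(sector):
    """Heuristic form of the thread's FDISK /STATUS test: True only if the MBR carries
    a partition table a tool would recognise (valid signature, legal status bytes,
    at least one used entry with a non-zero extent, no overlapping partitions)."""
    if sector[-2:] != BOOT_SIGNATURE:
        return False
    used = []
    for e in parse_partition_table(sector):
        if e["status"] not in (0x00, 0x80):
            return False                      # status must be inactive or bootable
        if e["type"] == 0:
            continue                          # empty slot
        if e["lba_start"] == 0 or e["sectors"] == 0:
            return False                      # a used slot cannot start at the MBR itself
        used.append((e["lba_start"], e["lba_start"] + e["sectors"]))
    used.sort()
    return bool(used) and all(used[i][1] <= used[i + 1][0] for i in range(len(used) - 1))

def make_entry(status, ptype, lba_start, sectors):
    # CHS fields carry the "use LBA" marker 0xFE 0xFF 0xFF for simplicity
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)

def build_mbr(entries):
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    return b"\x90" * TABLE_OFFSET + table + BOOT_SIGNATURE   # NOP filler stands in for boot code

# Constructed samples: a clean table like the drive in the thread (two FAT32 LBA
# partitions, type 0x0C, sized near 19077 and 19085 MB) and the same sector with its
# table bytes XORed, standing in for a table a boot infector has encrypted. The XOR
# is an illustration only, not any real virus's scheme.
CLEAN_MBR = build_mbr([make_entry(0x80, 0x0C, 63, 39_069_696),
                       make_entry(0x00, 0x0C, 39_069_759, 39_086_080)])
_scrambled = bytes(b ^ 0xA5 for b in CLEAN_MBR[TABLE_OFFSET:TABLE_OFFSET + 64])
SCRAMBLED_MBR = CLEAN_MBR[:TABLE_OFFSET] + _scrambled + BOOT_SIGNATURE
```

Run against a real first sector, `table_looks_sane` returning False is the same signal as FDISK /STATUS listing no partitions: the table must be recovered first, and rewriting the MBR code would leave the encrypted table in place.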