Re: Rootkit???? Have tried everything...literally...

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 09/20/05


Date: Mon, 19 Sep 2005 19:46:22 -0400

From: "Chana C" <ChanaC@discussions.microsoft.com>

Replies are again inline...

| Then you had better tell Microsoft Research that. Since rootkits CAN infect
| both the BIOS and the
| EEPROM of a system. In fact, their advice is to format the hard disk - but
| with the caveat that since rootkits can infect firmware, including the BIOS
| in this case - there is a limit to what a format can do. And since corruption
| could conceivably account for partition disruption - a BIOS flash WAS called
| for. And was hardly a "waste of time".

This subject has been discussed over and over in the alt.comp.virus News group. There is
NO virus or any kind of infector that "infects" a BIOS. The closest that has come to this
is the CIH ( Aka, Chernobyl -- http://vil.nai.com/vil/content/v_10300.htm ) and subsequent
copycats ( such as the Kriz -- http://vil.nai.com/vil/content/v_10255.htm ). The problem is
there are numerous different chips that a BIOS may be programmed on. There is NO way that a
virus can code the wide variety of possible chips and thus the closest that they come is to
wipe the BIOS or corrupt it. However, this is mitigated by setting a jumper on the
motherboard to "read-only" mode. Most motherboards get shipped with the Read-Only jumpered.
As for controller cards, this would be even /*more*/ difficult as not only would they have
to know the specifics of how to access the code of the onboard controllers access point but
the chip used on that.

If a Microsoft research technician told you otherwise then you received bad information from
a poorly trained technician working for minimum wage. PERIOD.

Chernobyl -- http://vil.nai.com/vil/content/v_10300.htm
"The viruses contain a very dangerous payload, whose trigger date depends on the variant. On
this date, they attempt to overwrite the flash-BIOS. If the flash-BIOS is write-enabled (and
this is the case in most modern computers with a flash-BIOS) this renders the machine
unusable because it will no longer boot"

W32/Kriz.3863 -- http://vil.nai.com/vil/content/v_10255.htm
"The virus also has a payload which activates when an infected file is run on December 25th.
When it does it will attempt to erase the computer's CMOS information, which contains
information such as date and time, and the type of hard disk the computer uses. This virus
will also attempt to directly erase disk sectors. It will attempt to flash the BIOS with
garbage. This only works on certain types of BIOSes. If this succeeds, the computer will not
boot. This is similar to the action taken by the CIH virus"

To "infect" the BIOS means to insert code into the BIOS such that the BIOS not only deals
with the original code for hardware I/O functions needed for the given motherboard's
chip-set but would also execute the routines of the virus to perform some payload function.
There is NO virus that can perform an insert of code into the BIOS without corrupting the
BIOS and rendering the computer impudent.

>> Did you run an anti virus Boot Sector infector cleaner ?
>> No viruses will exist after a re-partition and reformat unless they are Boot Sector
>> Infectors.
>> http://www.invircible.com/iv_tools.php#Ivinit
>>
| Wrong again. Look up a little data on rootkits. Also, viruses are known to
| live in bad clusters and sectors as well as outside of the actual partition
| table. The Pakistani Brothers virus - one of the first ever created did just
| that.

If you really think that way then I suggest using a program such as Symantec/Norton
Gdisk.exe using the /dodwipe switch parameter and not just remove partition, re-partition
and reformat but to actually overwrite *every* spot on the hard disk because the
functionality isn't based on tables but based upon drive geometry.

I have never heard of the "Pakistani Brothers" virus. However, I accessed a few virus
libraries and looked up "Pakistani Brothers". I could find no virus called "Pakistani
Brothers". A search of Google found an article about "...two Pakistani brothers, Amjad and
Basit Farooq Alvi..." who created the Brain virus.

Assuming THIS is what you mean by "Pakistani Brothers virus"
Brain -- http://vil.nai.com/vil/content/v_221.htm
"Brain is a stealth, memory resident, Boot Sector infecting virus. The original version of
Brain only infected diskettes, however variants to the virus also infect hard disks. "

The Brain is nothing more than a Standard Boot Sector Infector that Zvi Netiv's IVINIT would
handle with ease.
http://www.invircible.com/iv_tools.php#Ivinit
If you are lucky, Zvi might even pop into this thread. Albeit, I haven't seen Zvi post in
many weeks.

>> Besides Norton AV and Sysinternal's RootKit Revealer, what anti virus scanners have you
>> used ?
|
| McAfee, Sophos, CA, Avast and F-Prot
|
>> Have you booted from DOS and scanned the PC using a Command Line Scanner from a vendor
>> like Sophos or McAfee ?
>>
>> If it is NTFS have you done so using NTFS4DOS ?
|
| Yes. And Yes.
>>

If you scanned outside the OS using NTFS4DOS and DOS to run a Command Line Scanner from
McAfee and/or Sophos it certainly would have found any "stealth" virus.

Please explain EXACTLY the process(es) you went through to scan the NTFS drive in DOS.
Please describe the anti virus tool used and the command line switches used to perform the
scan.

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
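The thread turns on two checkable claims: a boot sector infector lives in the MBR and survives a re-partition/reformat, and only a full-surface overwrite (the gdisk /dodwipe approach above) clears it. The following is an added example, not code from the thread or from any of the tools named in it; it parses a 512-byte MBR from a disk image, hashes the boot code so it can be compared against a known-good baseline, and verifies that a wiped image is really all zeros. The sample MBR is constructed inline and all names are assumptions.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector: bytes) -> dict:
    """Split a classic MBR into boot code, disk signature and the four partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:440]                          # executable code a BSI would overwrite
    disk_sig = struct.unpack_from("<I", sector, 440)[0]
    parts = []
    for i in range(4):
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:                                # type 0 == empty slot
            parts.append({"bootable": flag == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": parts,
    }

def boot_code_changed(sector: bytes, known_good_sha256: str) -> bool:
    """True if the 440-byte boot code no longer matches the baseline taken from a clean disk."""
    return parse_mbr(sector)["boot_code_sha256"] != known_good_sha256

def is_fully_wiped(image: bytes) -> bool:
    """True only if every byte is zero, i.e. a whole-surface overwrite actually happened."""
    return not any(image)

def build_sample_mbr() -> bytes:
    """Constructed sample: dummy boot code plus one bootable NTFS (0x07) partition at LBA 63."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * 437      # 440 bytes
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
    sector = (boot_code + struct.pack("<I", 0x12345678) + b"\x00\x00"
              + entry + b"\x00" * 48 + b"\x55\xaa")
    assert len(sector) == SECTOR
    return sector

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print(info["partitions"], info["boot_code_sha256"][:16])
```

Run it against a real image by reading the first 512 bytes of a dd dump and keeping the boot code hash from a known-clean machine as the baseline.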

