Re: Do I have a virus?



On 11/12/2008 03:19 PM, ~BD~ sent:
"1PW" <barcrnahgjuvfgyr@xxxxxxx> wrote in message
news:gfdjnn$9nc$1@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 11/11/2008 06:06 PM, FromTheRafters sent:

Snip, snip...

[whatever he said] with *strict adherence* to [what he said] would
have to include reflashing EEPROMs with the proper code.
...and of course reflashing would render new/good checksums for both
BIOS and CMOS, *individually*. Malware that /had/ flashed an EEPROM
would have had to account for the current configuration and many custom
values, only usable then and there. The amount of code to support such
activities, even if written in assembler, would make the size of the
malware much greater and much more noticeable.


Might not the required malicious code be introduced to a machine via a
'set-up' CD (or even a floppy disk) which has been 'doctored', shall I say?
Or maybe a program deliberately and consciously downloaded and installed by
the user, albeit unwittingly?

Unreservedly, yes. Healthy skepticism is your best friend at this
point. A good technician would have vetted their own tools before using
them on a client's system.

Malware only has a few places to hide. Careful cleaning of all those
places will make the problem cease to exist. In everyday practice,
most malware just lives on one's hard disk drive.


I note your precision, Pete - and I unreservedly apologize for my doubts.
I'm sorry and trust you will forgive me.

Healthy doubts are your best ally. No apology is required at all.

I have been trying to remember if I have ever seen folk visiting 'help'
forums being given 'advice' on cleaning data which is *not* on their hard
disks.

I must have seen reference to clearing the CMOS because I can remember
carrying out the instructions set out here (or similar!)
http://forum.msi.com.tw/index.php?PHPSESSID=7170e23956e93c782bff169e47006061&threadid=31222&sid=

It is quite some time since I've done so - I ended up scrapping my previous
machine because I was convinced that a 'gremlin' remained within it!


It seems he chose his words carefully.


Indeed it seems so! Now I feel somewhat foolish. :(

Now, replace that feeling with the knowledge that you've gained. FTR,
David H. Lipman, Malke and others are a wonderful source of knowledge
and experience.

He also didn't suggest bringing back any programs from outside of
the "known good media". At that point it is as free of malware as it
was when new. His statement is correct.


I accept that Pete's statement is correct.

I confess, though, that I am not sure what was/is meant by "bringing back
any programs from outside of the known good media". Further advice would be
appreciated.

The statement is slightly inaccurate. Anything brought back to the
subject PC must be done /through/ known good media. All reasonable
steps must be taken to vet the process. MD5 checksums are certainly one
of them. Re-installing from the provider's media is another. "Here
there be dragons!"

With every keystroke, I was besieged by multitudes of attorneys... :-)

Comedy aside, I'm sure you'd agree that if a flawless procedure isn't
adhered to, an exercise in futility might result.


From what you have said (and reading between the lines for me!) all the work
carried out to 'clean' a hard disk *could* be rendered useless if action is
not taken to flash the EEPROM as well.

Perhaps this step can be bypassed if an investigation shows that the
infection(s) was/were limited to the hard disk drive(s).

Your point is not lost on me. However, the bad guy must have written
effective code and that code needs to accomplish many clever things.

This would need to be done with practical knowledge of /that/
system's architecture and BIOS and/or CMOS. Very challenging indeed.

A question though. If a machine is infected in this way, is it not possible
that in trying to use same to obtain replacement BIOS information,
redirection to a 'spoof' site might occur? Would you recommend obtaining the
up-to-date BIOS details from a known clean machine? (i.e. not use the
infected machine at all).

The manufacturer's site is probably the best source. The extra benefit
might be an updated BIOS.

Now - how do we tell the world?


I'm not sure if you meant this as a serious question but, as a start, it
could be mentioned by all the 'resident' advisers here on the Microsoft
security newsgroups (folk like Robear Dyer, David H Lipman, Malke and Frank
Saunders - to name a few) at the time when they recommend folk visit the
'expert' forums.

They hide their candles. Amongst our peers they *are* our experts.


Now that you are one of the experts, you may contribute from a point of
experience and authority.

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]


My expertise in code-breaking has lapsed somewhat, Pete. Will you share with
me the significance of your signature block? ;)

The "From" address is ROT13 encoded and the one a few lines above is
ROT47 encoded. Both are meant to increase the degree of difficulty for
harvesters and are an email address I use to divert scams and phishing
messages to. However, I do check it frequently for content.

Bless you

Dave


Peace be with you Dave.

--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
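Added example (not code from the thread or its posters) showing the two address obfuscations 1PW mentions, ROT13 and ROT47, applied to a constructed address, and why they differ for a harvester: ROT13 rotates letters only, so '@' and '.' survive and the text still looks like an address, while ROT47 rotates every printable ASCII character, so the address shape disappears.

```python
import codecs
import re

# Constructed sample address for the demonstration; not anyone's real mailbox.
SAMPLE = "user@example.com"

# Simple address pattern of the kind an address-harvesting scraper might use.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def rot13(text: str) -> str:
    """ROT13: rotate A-Z/a-z by 13; digits and punctuation are untouched."""
    return codecs.encode(text, "rot_13")


def rot47(text: str) -> str:
    """ROT47: rotate every printable ASCII character (33..126) by 47.

    The alphabet has 94 symbols, so applying it twice restores the input.
    """
    out = []
    for ch in text:
        o = ord(ch)
        if 33 <= o <= 126:
            out.append(chr(33 + (o - 33 + 47) % 94))
        else:
            out.append(ch)  # spaces, newlines, non-ASCII pass through unchanged
    return "".join(out)


def looks_like_address(text: str) -> bool:
    """True if the text still matches the scraper-style address pattern."""
    return ADDRESS_RE.search(text) is not None


def compare(addr: str) -> dict:
    """Encode with both schemes and report whether each still looks like an address."""
    r13, r47 = rot13(addr), rot47(addr)
    return {
        "rot13": r13,
        "rot13_still_matches": looks_like_address(r13),
        "rot47": r47,
        "rot47_still_matches": looks_like_address(r47),
        "rot47_roundtrip_ok": rot47(r47) == addr,
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(f"{key}: {value}")
```

Neither scheme is encryption; both are trivially reversible, and their only value here is that a scraper matching on the literal shape of an address will not recognise the ROT47 form.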