Sam Trenholme's webpage
This article was posted to the Usenet group alt.hackers in 1995; any technical information is probably outdated.

Re: DOS FDISK and it's hoops.


Article: 7851 of alt.hackers
From: js10039@thor.cam.ac.uk (J. Sullivan)
Newsgroups: alt.hackers
Subject: Re: DOS FDISK and it's hoops.
Date: 21 May 1995 19:46:44 GMT
Organization: University of Cambridge, England
Lines: 47
Approved: yup
Message-ID: 3po5b4$5kh@lyra.csx.cam.ac.uk
NNTP-Posting-Host: hammer.thor.cam.ac.uk
Status: RO

Ben Cantrick (alias Macky Stingray) <cantrick@rintintin.Colorado.EDU>
wrote:
>  Imagine my surprise, then, after hacking a hard disk wiping program all
>morning, when it didn't work at all. Or rather, when it worked, and didn't
>help any. Even after I completely wipe a computer's MBR and DOS Boot
>sectors
>then netprep it (bafdisk and all...) some of them still come up with virus
>warnings within the next couple of boots.
>
>  So I'm thinking 3 things...
>
>  1) The virus is a never before seen file-infector and has worked its way
>onto our netprep disks.
>
>  2) The scanning software is seeing a virus where there isn't one, and
>giving us a false positive.
>
>  3) The machines somehow "know" that people are running
>MSWindbloze on them
>and are correctly telling us we have the biggest virus ever known on our
>systems. ;]

Some viri bypass the BIOS routines, such that reading the partition/boot
sector gives you a normal uninfected sector (even though the virus *is*
still there), and of course disallow (silently) writes to these
sectors. A toolkit such as Solomon will be able to defeat this
mechanism, however it may still take some ingenuity to remove.

One virus we had recently copied itself into the partition sector, and
stored an encrypted form of the old partition sector in sector 3 of the
hard drive. Solomon has an option to search for substitutions like this
and replace the proper MBR with the one the virus has hidden away, but
it couldn't handle the encrypted form.

I eventually saved out the encrypted sector, knocked up a qbasic proglet
to decrypt it (it was only a constant value exclusive-or encoding), and
used Norton utilities to write it back to sector 4 (which was not used
by the virus so it didn't bother to disallow this). Now Solomon finds a
replacement partition table in sector 4 and asks if you would like to
copy it to sector 0 and reboot.

This has to be done with some form of anti-stealth mechanism enabled,
or you won't get anywhere. Once clean you should check *all* your
floppies.

John
--
'Who says that? When has that ever been true? It's never been true! It's
the kind of thing people without power say to make it all seem less
bloody awful, but it's just *words*, it never makes any *difference*--'
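A present-day (Python) version of the decryption step John describes, added here as an example and not part of the original post: it assumes the hidden sector is available as 512 bytes, derives the constant XOR key from the 0x55AA boot signature instead of guessing it, and sanity-checks the result before anything would be written back to sector 0.

```python
# Added example (not code from the original post): recover a partition
# sector that a stealth virus stashed away under a constant-value XOR.
# The key comes from known plaintext: a valid partition sector ends in
# the boot signature 0x55 0xAA at offsets 510 and 511.
SECTOR_SIZE = 512
SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446


def recover_xor_key(sector: bytes) -> int:
    """Derive the single-byte XOR key from the boot signature. Both
    signature bytes must yield the same key, which rules out most
    sectors that are not a constant-XOR'd MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    k0 = sector[SIG_OFFSET] ^ BOOT_SIGNATURE[0]
    k1 = sector[SIG_OFFSET + 1] ^ BOOT_SIGNATURE[1]
    if k0 != k1:
        raise ValueError("signature bytes disagree; not a constant-XOR MBR")
    return k0


def xor_sector(sector: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in sector)


def looks_like_partition_table(sector: bytes) -> bool:
    """Each of the four entries' status byte must be 0x00 (inactive) or
    0x80 (bootable), and the sector must end in 0x55AA."""
    if sector[SIG_OFFSET:] != BOOT_SIGNATURE:
        return False
    return all(sector[PART_TABLE_OFFSET + 16 * i] in (0x00, 0x80)
               for i in range(4))


def recover_partition_sector(hidden: bytes) -> tuple[int, bytes]:
    """Return (key, decrypted sector); refuse anything that fails the
    sanity checks, so a bad guess is never written back to sector 0."""
    key = recover_xor_key(hidden)
    plain = xor_sector(hidden, key)
    if not looks_like_partition_table(plain):
        raise ValueError("decrypted sector does not look like an MBR")
    return key, plain


# Constructed sample (hypothetical values): a minimal MBR with one active
# FAT16 entry, hidden under XOR 0x5A the way the virus hid sector 0.
def make_sample_hidden_sector(key: int = 0x5A) -> bytes:
    mbr = bytearray(SECTOR_SIZE)
    entry = bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0xBF, 0x3F, 0x3F, 0, 0, 0,
                   0x41, 0x6C, 0x1F, 0x00])
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    mbr[SIG_OFFSET:] = BOOT_SIGNATURE
    return xor_sector(bytes(mbr), key)
```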