New "Witty" Worm

 
#1 jafar, 21-03-2004, 08:09 AM


Hi.

I believe I have been hit with the Witty worm rendering my Windows
installation un-bootable. According to a story on /. "The worm overwrites
data on the first few sectors of the victim's hard drive, making the
machine virtually unbootable and potentially destroying much - if not all -
of the victim's data."
Strangely, my Lilo bootloader is unaffected,
Windows just refuses to boot saying "error loading operating system". I
also cannot re-install Windows as on first reboot, it does the same. How
do I recover the first few sectors? Do I need to completely re-format
the drive? That's a pain because my Linux root partition is also located
on this drive meaning I'll have to re-install two Operating Systems.

--
Jafar As-Sadiq Calley
Senior 1st Officer
Livewire Airlines
http://www.livewireairlines.com/


#2 Dan Shackelford, 21-03-2004, 08:16 AM

On Sun, 21 Mar 2004 09:09:51 +0100, jafar wrote:

> Hi.
>
> I believe I have been hit with the Witty worm rendering my Windows
> installation un-bootable. According to a story on /. "The worm overwrites
> data on the first few sectors of the victim's hard drive, making the
> machine virtually unbootable and potentially destroying much - if not all -
> of the victim's data."
> Strangely, my Lilo bootloader is unaffected, Windows just refuses to boot
> saying "error loading operating system". I also cannot re-install Windows
> as on first reboot, it does the same. How do I recover the first few
> sectors? Do I need to completely re-format the drive? That's a pain
> because my Linux root partition is also located on this drive meaning I'll
> have to re-install two Operating Systems.


If you are able to boot into Linux, and if Windows is mounted under Linux
normally, are you able to see what is missing on the Windows half of the
system? Have you tried running, as root, /sbin/lilo as a last resort to
see if it fixes the booting process? Maybe you can, while in Linux, find a
Windows removal tool for the virus, put it on a diskette and boot from it
so you can repair things? There are still things to try.



#3 jafar, 21-03-2004, 09:52 AM

On Sun, 21 Mar 2004 08:16:25 +0000, Dan Shackelford wrote:

> If you are able to boot into Linux, and if Windows is mounted under Linux
> normally, are you able to see what is missing on the Windows half of the
> system? Have you tried running, as root, /sbin/lilo as a last resort to
> see if it fixes the booting process? Maybe you can, while in Linux, find a
> Windows removal tool for the virus, put it on a diskette and boot from it
> so you can repair things? There are still things to try.


I was able to back up important files in the win partition to CD in Linux
thankfully. Lilo is fine and even has the Windows option there. It's just
that Windows fails from there.
As an update: I have since found a nice tool called testdisk
http://www.cgsecurity.org/index.html?testdisk.html which appears to have
detected some anomalies in my boot sectors and has fixed them. I'll try
and do the XP install again later and see if it can boot again.

--
Jafar As-Sadiq Calley
Senior 1st Officer
Livewire Airlines
http://www.livewireairlines.com/


#4 Gabriele Neukam, 21-03-2004, 04:47 PM

On that special day, jafar, (me@home.fr) said...

> I believe I have been hit with the Witty worm rendering my Windows
> installation un-bootable.


Just to make the situation clearer:

Did you run one of the ISS products, like BlackIce or Real Secure
(something)? Only with one of them active on the system, the worm would
be able to attack you. Also, the worm does random writes on hard disks,
*regardless* of the present OS, which means, the Linux system might have
been hit, too (although maybe the reiser journaling filesystem may have
warded off the effect).


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A good, too valuable these days, to give it away, just
so, at no cost.

#5 FromTheRafters, 22-03-2004, 04:33 AM


"jafar" <me@home.fr> wrote in message news:pan.2004.03.21.08.09.50.560680@home.fr...

You are looking at a data recovery scenario with little hope
of success I think. This payload writes sort of "willy-nilly" to
randomly selected sectors (and multiple disks) with fairly
contiguous data from a DLL image in RAM.

Nasty payload - and there was no call for it. Why couldn't
they just be happy with creating a worm that depends on
a so-called security program to propagate?


#6 Morton Davis, 22-03-2004, 02:04 PM


"jafar" <me@home.fr> wrote in message
news:pan.2004.03.21.08.09.50.560680@home.fr...
> Hi.
>
> I believe I have been hit with the Witty worm rendering my Windows
> installation un-bootable. According to a story on /. "The worm overwrites
> data on the first few sectors of the victim's hard drive, making the
> machine virtually unbootable and potentially destroying much - if not all -
> of the victim's data."
> Strangely, my Lilo bootloader is unaffected,
> Windows just refuses to boot saying "error loading operating system". I
> also cannot re-install Windows as on first reboot, it does the same. How
> do I recover the first few sectors? Do I need to completely re-format
> the drive? That's a pain because my Linux root partition is also located
> on this drive meaning I'll have to re-install two Operating Systems.
>


It can be fixed. But the cost runs $100 plus - if you don't do it yourself.

-*MORT*-


#7 jafar, 22-03-2004, 05:12 PM

On Mon, 22 Mar 2004 14:04:13 +0000, Morton Davis wrote:

> It can be fixed. But the cost runs $100 plus - if you don't do it yourself.


Cost? For what? What can I do myself?
All I need to do is get WinXP to accept my hardware and
install as it has done many times before.

--
Jafar As-Sadiq Calley
Senior 1st Officer
Livewire Airlines
http://www.livewireairlines.com/


#8 jafar, 22-03-2004, 05:14 PM

On Sun, 21 Mar 2004 17:47:43 +0100, Gabriele Neukam wrote:

> On that special day, jafar, (me@home.fr) said...
>
>> I believe I have been hit with the Witty worm rendering my Windows
>> installation un-bootable.

>
> Just to make the situation clearer:
>
> Did you run one of the ISS products, like BlackIce or Real Secure
> (something)? Only with one of them active on the system, the worm would
> be able to attack you. Also, the worm does random writes on hard disks,
> *regardless* of the present OS, which means, the Linux system might have
> been hit, too (although maybe the reiser journaling filesystem may have
> warded off the effect).


Yes. Never again BlackIce. My Linux system is very happy and undamaged.
Even my old ext3 /home partition is still fine. Just the NTFS. It's a
pain but I think I can live without XP for a little while. At least until
I buy a new hard-drive and try a re-install for the few games I can't get
to run on Linux.

--
Jafar As-Sadiq Calley
Senior 1st Officer
Livewire Airlines
http://www.livewireairlines.com/


#9 mrp, 27-03-2004, 09:47 PM

On Sun, 21 Mar 2004 09:09:51 +0100, jafar <me@home.fr> wrote:

>Hi.
>
>I believe I have been hit with the Witty worm rendering my Windows
>installation un-bootable. According to a story on /. "The worm overwrites
>data on the first few sectors of the victim's hard drive, making the
>machine virtually unbootable and potentially destroying much - if not all -
>of the victim's data."
>Strangely, my Lilo bootloader is unaffected,
>Windows just refuses to boot saying "error loading operating system". I
>also cannot re-install Windows as on first reboot, it does the same. How
>do I recover the first few sectors? Do I need to completely re-format
>the drive? That's a pain because my Linux root partition is also located
>on this drive meaning I'll have to re-install two Operating Systems.


When a friend had this on his system I just used gdisk (fdisk will be
fine) and reset the MBR and set partition 1 as active and it was ok.

With fdisk you could try "fdisk /mbr" as that should fix the MBR
straight away however it is possible the virus buggers things up when
you next load Windows so I suggest you find a way of removing it
quickly.
--
Morgan R. Pugh
http://www.mpugh.com (e-mail address on site)
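
The state that the fix in post #9 aims for (a valid MBR sector with exactly one partition flagged active) can be checked read-only from Linux before another reinstall attempt. The following is an added example, not part of the thread: the function names and the sample sector are constructed for illustration, and the device path in the comment is an assumption.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> list[dict]:
    """Decode the four primary partition entries of an MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i : TABLE_OFFSET + 16 * (i + 1)]
        # status byte, 3 CHS bytes skipped, type byte, 3 CHS bytes skipped, LBA start, length
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        entries.append({"index": i + 1, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries

def check_mbr(sector: bytes) -> list[str]:
    """Return findings for a sector, e.g. open('/dev/sda', 'rb').read(512) (assumed path)."""
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("boot signature 55 AA missing")
    used = [e for e in parse_mbr(sector) if e["type"] != 0]
    for e in used:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {e['index']}: invalid status byte {e['status']:#04x}")
    # Standard MBR boot code (what "fdisk /mbr" writes) boots the one active partition.
    active = [e["index"] for e in used if e["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"], e["index"]) for e in used)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings

def build_sample(active_first: bool = True) -> bytes:
    """Constructed sample: NTFS (0x07) as partition 1, Linux (0x83) as partition 2."""
    def entry(status, ptype, lba, count):
        return struct.pack("<B3xB3xII", status, ptype, lba, count)
    table = (entry(0x80 if active_first else 0x00, 0x07, 63, 20_000_000)
             + entry(0x00, 0x83, 20_000_063, 10_000_000) + bytes(32))
    return bytes(TABLE_OFFSET) + table + SIGNATURE

if __name__ == "__main__":
    damaged = bytearray(build_sample())
    damaged[440:512] = b"MZ" * 36   # constructed stand-in for an overwritten sector
    print(check_mbr(bytes(damaged)))
```

An empty result only says the MBR itself is sane; it says nothing about sectors elsewhere on the disk, which is where the other posts place the damage.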

#10 jafar, 28-03-2004, 09:18 AM

On Sat, 27 Mar 2004 21:47:56 +0000, mrp wrote:

> With fdisk you could try "fdisk /mbr" as that should fix the MBR
> straight away however it is possible the virus buggers things up when
> you next load windows so I suggest you find a way of removing it
> quickly


Thanks for the advice Morgan. I am actually planning to put Windows on
the old 10 gig drive which currently holds my Linux /home partition, but
that will have to wait (a couple of months?) until I whittle down the data
there and migrate it to a new partition on my main drive.
I'll see if that works.

--
Jafar