question on boot sector viruses


Rage Skywolfe

I just got an advisory statement about a virus that is in the wild and infecting
the MBR of the hard drive. My question is, if someone gets something like this,
how do they get rid of it? And would a clean install of Windows get rid of it?
 
This kind of virus has been around so long, it's come around at least 5 times.
Just set your BIOS to write-protect track zero and you're safe.
Of course, if you want to make changes to track zero again, you will have to
undo that write protect.
 
Where did this "advisory statement" come from? It sounds more like a
hoax than anything else. There are some AV software utilities that may
be able to repair this, but the only way to be sure would be to boot the
computer with a utility from the disk manufacturer and zero out the
first track on the drive; for good measure I would zero out the whole
drive. You have to make sure that the boot media cannot be infected: a
CD would be fine; if using a floppy disk, it should be write-protected
before you stick it in the infected computer. And of course you would
want to make the CD or the floppy on a computer that is known to be
virus-free. It goes without saying that all the data on the
disk would be lost when you zero out the drive.

John
 
The advisory statement is from McAfee Avert Labs, and I was basically just
curious as to what they are. I have always heard about them but never really
knew anything about them. And like I said, I just wondered if a clean install
of Windows would get rid of something like that, or if it is implanted in the
hard drive to where it needs to be replaced.
 
From: "John John - MVP" <[email protected]>

| Where did this "advisory statement" come from? It sounds more like a
| hoax than anything else. There are some AV software utilities that may
| be able to repair this, but the only way to be sure would be to boot the
| computer with a utility from the disk manufacturer and zero out the
| first track on the drive; for good measure I would zero out the whole
| drive. You have to make sure that the boot media cannot be infected: a
| CD would be fine; if using a floppy disk, it should be write-protected
| before you stick it in the infected computer. And of course you would
| want to make the CD or the floppy on a computer that is known to be
| virus-free. It goes without saying that all the data on the
| disk would be lost when you zero out the drive.

| John

Latest version of Mebroot, the MBR rootkit.

This is not a Boot Sector Infector, as the subject of the thread implies.
 
From: "Rage Skywolfe" <[email protected]>

| The advisory statement is from McAfee Avert Labs, and I was basically just
| curious as to what they are. I have always heard about them but never really
| knew anything about them. And like I said, I just wondered if a clean install
| of Windows would get rid of something like that, or if it is implanted in the
| hard drive to where it needs to be replaced.

Yes, it was based upon a news article.

As I replied to John John, this is a new variant of Mebroot. It is not a virus. It is
not a Boot Sector Infector.
It is an MBR rootkit trojan - http://vil.nai.com/vil/content/v_154739.htm

Gmer's Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.0 (the MBR.EXE utility) will remove it
and previous variants.
 
Thanks for the info, but the question still remains: can Windows be
installed cleanly from a CD, or does it have to be cleared from the boot first?
 
From: "Rage Skywolfe" <[email protected]>

| Thanks for the info, but the question still remains: can Windows be
| installed cleanly from a CD, or does it have to be cleared from the boot first?

You have to wipe the hard disk first.
 
That is what I thought, but I wasn't really sure. Is there a specific way to do
that other than deleting the partition?
 
From: "Rage Skywolfe" <[email protected]>

| That is what I thought, but I wasn't really sure. Is there a specific way to do
| that other than deleting the partition?

If you were to go about re-installing the OS, then you would delete ALL partitions on a
given disk, then recreate them, and then install the OS.
 
This will *NOT* remove an MBR infection, since the MBR is not part of any
partition. Neither will reinstalling with a Windows CD.

Methods of doing so:

FDISK /MBR from a DOS boot disk

FIXMBR from the Recovery Console

Replace the MBR boot code using Ranish Partition Manager, or do a complete
wipe of track zero using the same utility (which will effectively destroy the
partitions too).

Or various Linux utils.

There is an MBR infector currently doing the rounds, BTW, so this is not an
academic consideration.
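The point made in this post (and in John's earlier one about zeroing the first track) is a matter of on-disk layout: the 446 bytes of boot code at the front of sector 0 are not inside any partition, so deleting and recreating partitions only rewrites the 64-byte partition table at offset 446. The following script is an added example, not code from this thread or from any of the tools named in it; it parses a classic MBR and models the three remediations the thread discusses on a constructed sample sector (the "clean" and "hooked" boot code bytes are placeholders, not real Mebroot or Windows code, and the partition layout is invented).

```python
"""Classic (BIOS/MBR) sector 0 layout, and what each cleanup step from the
thread actually rewrites.  Added example with constructed sample data."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446       # bytes 0..445: boot code; this is what an MBR rootkit replaces
PTABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511: boot signature


def build_mbr(bootcode: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and (boot_flag, type, lba_start, sectors)."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = b""
    for boot, ptype, start, count in entries:
        # CHS fields are left zero; modern tooling reads the LBA fields only.
        table += struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    return code + table.ljust(64, b"\x00") + SIGNATURE


def is_valid_mbr(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:] == SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return a hash of the boot code region plus the decoded partition table."""
    if not is_valid_mbr(sector):
        raise ValueError("not a valid MBR (bad length or missing 55AA signature)")
    parts = []
    for i in range(4):
        entry = sector[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        boot, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0 means an unused slot
            parts.append({"index": i, "bootable": boot == 0x80,
                          "type": ptype, "lba_start": start, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts}


def repartition(sector: bytes, entries) -> bytes:
    """Delete/recreate partitions: only bytes 446..509 change, boot code is kept."""
    return build_mbr(sector[:BOOTCODE_LEN], entries)


def rewrite_bootcode(sector: bytes, clean_bootcode: bytes) -> bytes:
    """What FDISK /MBR or FIXMBR do: replace bytes 0..445, keep the partition table."""
    return clean_bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN] + sector[BOOTCODE_LEN:]


def zero_track0(sector: bytes) -> bytes:
    """Zeroing track zero: boot code, partition table and signature are all gone."""
    return b"\x00" * SECTOR


# --- constructed sample data (placeholders, not real boot code) ---
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32   # assumed known-good loader
HOOKED_BOOTCODE = b"\xeb\x1e" + b"\xcc" * 40                           # assumed rootkit loader stub
LAYOUT = [(0x80, 0x07, 63, 40_000_000)]                                # one bootable NTFS partition
NEW_LAYOUT = [(0x80, 0x07, 2048, 20_000_000), (0x00, 0x07, 20_002_048, 19_997_952)]

CLEAN_HASH = hashlib.sha256(CLEAN_BOOTCODE.ljust(BOOTCODE_LEN, b"\x00")).hexdigest()
INFECTED = build_mbr(HOOKED_BOOTCODE, LAYOUT)


def bootcode_is_clean(sector: bytes, known_good_hash: str = CLEAN_HASH) -> bool:
    """The check the reinstall-only approach skips: compare boot code to a known-good hash."""
    return parse_mbr(sector)["bootcode_sha256"] == known_good_hash


if __name__ == "__main__":
    print("infected, clean?      ", bootcode_is_clean(INFECTED))
    print("after repartition:    ", bootcode_is_clean(repartition(INFECTED, NEW_LAYOUT)))
    print("after FIXMBR-style fix:", bootcode_is_clean(rewrite_bootcode(INFECTED, CLEAN_BOOTCODE)))
    print("after zeroing track 0, valid MBR?", is_valid_mbr(zero_track0(INFECTED)))
```

Against a real disk the same comparison is done by reading sector 0 (for example with dd on Linux) and hashing its first 446 bytes; the known-good hash for the stock Windows XP boot code is something you would take from a clean machine of the same version, since it is not in this thread. Note that Mebroot-class rootkits also hook the disk driver while Windows is running, which is why the thread's advice to check and repair from media booted outside the infected OS matters.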
 
From: "Anteaus" <[email protected]>


| This will *NOT* remove an MBR infection, since the MBR is not part of any
| partition. Neither will reinstalling with a Windows CD.

| Methods of doing so:

| FDISK /MBR from a DOS boot disk

| FIXMBR from the Recovery Console

| Replace the MBR boot code using Ranish Partition Manager, or do a complete
| wipe of track zero using the same utility (which will effectively destroy the
| partitions too).

| Or various Linux utils.

| There is an MBR infector currently doing the rounds, BTW, so this is not an
| academic consideration.

You are probably right.
 
From what I have found about Ranish, it seems to only work on FAT-16 and
FAT-32 systems. Does that mean the XP format is exempt from something like
that?
 