Re: NT Partitions
From: Duncan Gray <administrator(at)arciris.co.uk>
Date: Thu May 15 2003 - 11:41:45 EDT

David:

I'd suggest that under the right circumstances this could happen very easily. Typically a virus will drop its payload on a pre-determined date, or after it has infected a number of machines, so I wouldn't normally expect one to kill a machine from the outset, and as you have indicated, the machine was protected by virus software.

It occurred to me though that there is a very easy way that this could have happened. If someone left a floppy disk in the machine which was infected with a boot sector or partition virus, and as a result of some issue with the server, restarted it without checking the floppy drive. The machine attempts to boot from the floppy, the virus gets control (outside of any virus software protection) and attempts to infect the boot sector of the first HDD it finds.

I would suggest that overwriting the boot sector of an NT drive with a Win98 boot sector (which is basically what the virus would do) is likely to result in a non-bootable system - it will not even attempt to load NTLoader, and will instead start looking for MSDOS.SYS, IO.SYS, etc. This could explain how a virus got onto a protected machine, and how come it killed the machine immediately, as opposed to sitting dormant until payload date. In short, the virus failed to infect the machine, but killed the boot loading process in its attempt to infect.

Obviously I cannot say this is what happened, but it is a simple explanation which would appear to match the circumstances. If this is what occurred, I would expect the drive to still be readable, but not bootable. Check in the BIOS to see if your floppy is set at a higher precedence than your HDD. If it is, it confirms that this is a _possible_ cause (while you are there, disable floppy boot). If floppy boot is disabled, then you can safely assume this is _not_ what happened.
If you still have the HDD in its dead state, you might try reading the first 512 bytes off the drive (sorry, I only know how to do this under *nix, but others here may be able to offer suggestions on how to read the boot sector under another OS). If the boot sector more closely matches a Win9x boot sector than an NT boot sector, then I think this hypothesis is likely to be the cause.

Kind Regards,

Duncan Gray

p.s. If this is what happened, I would expect the NT4 repair option to be able to fix it (assuming you have a repair disk).
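The 512-byte boot-sector check described above, as an added example that is not part of the original thread: it classifies a sector read from a disk (or a partition's first sector) as an MBR or a volume boot record, reporting the OEM ID (`NTFS` vs `MSWIN4.1` for Win98 FAT volumes) and the partition-table types, which is the comparison Duncan suggests. The sample sectors are constructed for the example, not real disk dumps.

```python
import struct

BOOT_SIG = b"\x55\xaa"      # bytes 510-511 of every valid boot sector
PT_OFFSET = 446             # MBR partition table: 4 entries of 16 bytes
PART_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32MB", 0x06: "FAT16", 0x07: "NTFS/HPFS",
              0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)"}

def parse_partition_table(sector):
    """Return the used entries of an MBR partition table (CHS fields skipped)."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue                                  # empty slot
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "type_name": PART_TYPES.get(ptype, "unknown"),
                        "lba_start": lba, "sectors": count})
    return entries

def classify_boot_sector(sector):
    """Classify 512 bytes read from sector 0 (or from a partition's first sector)."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        return {"kind": "no-boot-signature"}
    oem = sector[3:11]                 # OEM ID field of a FAT/NTFS volume boot record
    if oem == b"NTFS    ":
        return {"kind": "vbr", "family": "NT (NTFS)", "oem": oem.decode()}
    if oem.startswith(b"MSWIN4."):     # MSWIN4.0 = Win95, MSWIN4.1 = Win98
        return {"kind": "vbr", "family": "Win9x (FAT)", "oem": oem.decode()}
    if oem.startswith(b"MSDOS"):       # e.g. MSDOS5.0
        return {"kind": "vbr", "family": "MS-DOS (FAT)", "oem": oem.decode()}
    parts = parse_partition_table(sector)
    return {"kind": "mbr" if parts else "unknown", "partitions": parts,
            "active_count": sum(p["active"] for p in parts),
            "ms_style_code": b"Invalid partition table" in sector}

def _vbr(jump, oem):                   # constructed VBR: jump, OEM ID, zeroed BPB, signature
    return jump + oem + bytes(512 - 11 - 2) + BOOT_SIG

# Constructed samples, not real disk dumps: an MBR with one active NTFS partition
# (MS-style error string included), an NTFS VBR and a Windows 98 FAT32 VBR.
SAMPLE_MBR = ((b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"Invalid partition table\0")
              .ljust(PT_OFFSET, b"\0")
              + struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                            b"\xfe\xff\xff", 63, 2048961)
              + bytes(48) + BOOT_SIG)
SAMPLE_NTFS_VBR = _vbr(b"\xeb\x52\x90", b"NTFS    ")
SAMPLE_WIN98_VBR = _vbr(b"\xeb\x58\x90", b"MSWIN4.1")
```

On a real machine, capture the sector with `dd if=/dev/sda bs=512 count=1 of=mbr.bin` (the device name is an assumption) and pass `open("mbr.bin", "rb").read(512)` to `classify_boot_sector`; an `active_count` other than 1 or a partition type that does not match what the machine was built with is worth a closer look before any repair.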
Is there a virus that wipes out NT partitions? I have been off work for a while and whilst I was off our system crashed. I have been told that the partitions had been wiped by a virus, can this be? I did have virus protection running to download new dats in the morning and to scan at night and now am getting the blame for the crash. The crash happened on 28th February.

Dave
Received on Thu May 15 12:26:43 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT