[plug] [OT]Possible virus? To Richard

James Elliott James.Elliott at wn.com.au
Sat Oct 5 16:15:31 WST 2002


Hi Richard

I have been intermittently playing around with PowerQuest's Partition Magic
and Debian Linux ... doing things like reducing my windows partition to half
of its original and loading Linux onto the newly created space, and I often
get those messages from my Norton.  It especially happens if you have
loaded, edited, or reconfigured a boot loader.  At first I panicked too, but
after mucking up a couple of hard disks by rolling back I have realised that
it is better to think very hard before rolling back ... if you have been
installing Linux or doing something that involves the boot loader, don't
roll back.  Update Norton and scan your hard disk.   BTW I have found it
better to:
1.  take the HDD out of the machine;
2.  change the jumper from Master to Slave;
3.  put the HDD into my second computer (as Slave);
4.  scan this now Slave disk for viruses.

Why?

Depending on the ability and skill of the virus author, the virus might try
and prevent you from installing antivirus updates by:
- disabling the FDD
- disabling the CD-ROM
- disabling your Internet connection (or rather letting you connect, but nil
  else)
- and so on.
Also, it might hide itself, or replace itself every time you boot up (like
some Klez variants), so you can delete it all you like and when you re-boot,
hey-presto!, there it is again!

However, a passive disk being scanned by another computer - not by its own
operating system - has very little defence against a thorough "search and
destroy" mission.  I have often found viruses this way on HDDs scanned and
cleaned by their own copy of Norton.

ALSO doing it this way will check your boot record (on drive D:\, the slave
disk) without giving you the error message you write about ("Boot record has
been changed") because the boot record on D:\ is just another boot record
and Norton on computer #2 has no idea what the Slave disk's boot record used
to be like or if it has been changed, but it does know if it contains virus
code (hopefully).

Kind regards

James Elliott
----- Original Message -----
From: "Richard" <rbarnes at westnet.com.au>
To: <plug at plug.linux.org.au>
Sent: Saturday, October 05, 2002 10:27 AM
Subject: [plug] [OT]Possible virus?


> Last night I was getting some email while in windows (I have a dual boot
> windows ME/Mandrake9 system) and Norton Anti-virus opened and said that
> something had just changed my master boot record and did I want to allow
> the changes or roll it back. I opted to roll it back, clicked ok and the
> same message flashed up again. I chose the same option again and
> everything seemed ok (I didn't re-boot after the problem). This morning
> when I booted up instead of LiLo I got L99 99 99 99 99 99 99...repeated
> across the screen. I used the Mandrake 9 disk1 to restore LiLo fine
> enough, but I was just wondering if these symptoms rang a bell with
> anyone so I might get a better idea of what the problem was. My NAV
> definitions were up to date as of yesterday afternoon, and a full system
> scan was done immediately after the alerts were displayed and no virus
> was detected. Thanks.
> Richard
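As an added illustration (not code from this thread), here is what a "boot record has been changed" check like the one James describes amounts to: parse the 512-byte MBR, then compare its bootstrap code and partition table against a stored baseline. A second machine that never stored a baseline (James's slave-disk setup) can only inspect the contents, which is why it raises no "changed" alert. All sample sectors below are constructed; the bootstrap bytes are placeholders, not real boot-loader code.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"            # signature at offset 510 of a valid MBR
ENTRY_FMT = "<B3xB3xII"           # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into a hash of its bootstrap code plus its partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype != 0:  # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:446]).hexdigest(), "partitions": parts}


def mbr_changed(sector: bytes, baseline: dict) -> list:
    """Return the reasons the boot record differs from a stored baseline (empty = unchanged)."""
    current = parse_mbr(sector)
    reasons = []
    if current["code_sha256"] != baseline["code_sha256"]:
        reasons.append("bootstrap code changed")   # e.g. a boot loader was (re)installed
    if current["partitions"] != baseline["partitions"]:
        reasons.append("partition table changed")  # e.g. a partition was resized
    return reasons


def build_mbr(code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for the demo (not read from any real disk)."""
    sector = bytearray(code.ljust(446, b"\x00")[:446])
    for status, ptype, lba_start, count in partitions:
        sector += struct.pack(ENTRY_FMT, status, ptype, lba_start, count)
    return bytes(sector + b"\x00" * (510 - len(sector)) + BOOT_SIG)


# Constructed samples: a baseline disk, the same disk after a new boot loader wrote its
# code, and the same disk after its partition was halved to make room for Linux.
ORIGINAL = build_mbr(b"\xEB\x3C\x90ORIG-BOOT", [(0x80, 0x0C, 63, 40_000_000)])
BASELINE = parse_mbr(ORIGINAL)
AFTER_BOOTLOADER = build_mbr(b"\xFA\xEA\x00NEW-BOOT", [(0x80, 0x0C, 63, 40_000_000)])
AFTER_RESIZE = build_mbr(b"\xEB\x3C\x90ORIG-BOOT",
                         [(0x80, 0x0C, 63, 20_000_000), (0x00, 0x83, 20_000_063, 19_999_937)])
```

Both later sectors trip the check for different reasons; neither tells you whether the new bootstrap code is malicious, which is the gap a content scan fills.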