[plug] [OT]Possible virus?

Grahame Bowland grahame at azale.net
Sat Oct 5 19:13:30 WST 2002


On Saturday 05 October 2002 10:27, Richard wrote:
> Last night I was getting some email while in windows (I have a duel boot
> windows ME/Mandrake9 system) and Norton Anti-virus opened and said that
> something had just changed my master boot record and did I want to allow
> the changes or roll it back. I opted to roll it back, clicked ok and the
> same message flashed up again. I chose the same option again and
> everything seemed ok (I didn't re-boot after the problem). This morning
> when I booted up instead of LiLo I got L99 99 99 99 99 99 99...repeated
> across the screen. I used the Mandrake 9 disk1 to restore LiLo fine
> enough, but I was just wondering if these symptoms rang a bell with
> anyone so I might get a better idea of what the problem was. My NAV
> definitions were up to date as of yesterday afternoon, and a full system
> scan was done immediately after the alerts were displayed and no virus
> was detected. Thanks.

Sounds to me like NAV decided LILO was a virus. Lilo contains information as 
to offsets into your block devices (HDDs) to files needed later in the boot 
process. These include the code to make pretty menus, etc which is too big to 
fit in the boot sector itself.

As a result you need to run 'lilo' whenever this data changes, such as when 
you install a new kenrel or upgrade 'lilo'. NAV has noticed such a change, 
reverted you to an old LILO with the wrong offsets, with the results you 
describe :-)

I highly doubt you have a boot-sector virus.

-grahame




More information about the plug mailing list