
Virus of some kind?



I subscribed to this list yesterday and started getting messages 
today...  I noticed some people replying to a worrying message.

After reading all the directions, I downloaded the debian files and 
rawrite2.exe.  I made the disks, switched from OS/2, and started up DOS.  
The first thing I noticed was that LILO wasn't showing up any more.  I 
figured it was some accidental thing, but wasn't that big of a deal.  
After switching to DOS, I rebooted with the disk in the drive, and it 
started chugging away.  However, after reading for a few seconds, the 
hard drive light flickered, the screen cleared, the disk drive light went 
off, and I got the message "PRESS A KEY TO REBOOT."  After doing so, I 
noticed that LILO still wasn't starting.  (Skipping a few steps here.)  I 
fired up Norton's Disk Editor and checked the MBR of drive 1, which is 
where I had LILO.  I noticed the usual assembled gibberish, complete with 
the word "LILO" at the top.  Then I checked the rest of the MBR and saw 
something ominous, even if I didn't catch it at the time: the words, "I 
am Li Xibin."  I figured this was some kind of odd LILO error message.  I 
didn't catch on to the fact that this was a virus until after I'd checked 
the boot record for the Debian disk - it sported the same phrase, which 
was NOT located in the BOOT1440.BIN image file.  As it is, I still 
thought it might only be a LILO thing until I saw that it was cutting off 
an error message for the boot disk.  (Remember, I'm used to Slackware 
Linux, which uses LILO even for bootkernel disks.)

Using fdisk/mbr fixed the MBR, even if it did blast away the last traces 
of LILO, and using diskedit to manually copy a single sector cleaned the 
bootkernel disk.  (Then I got a flash of inspiration and used an old copy 
of LOADLIN and a distribution kernel to boot Linux instead.)

So, what I'm trying to say is: this trouble ONLY showed up after using 
RAWRITE2 and the Debian stuff.  Using RAWRITE seems to work (except when 
the MBR is already infected).  In fact, the one time I managed to get the 
bootkernel working from DOS is when I used RAWRITE on an older version of 
the bootkernel image.  This is a little suspicious to me.

I thought it was possible that the virus came in earlier, but I find this 
unlikely for the following reasons.  First, I made the original images 
under OS/2, and since OS/2 doesn't even allow read access to a given 
sector on the hard disk, it's unlikely that my MBR was infected there.  
However, it's possible that the disk was infected, and when I tried to 
boot the disk, it did bad things to my MBR (this is confirmed; the virus 
spreads to disks on read or write access which goes through DOS, and to 
the hard disks when an infected disk is started).

I'm probably very incorrect in all these statements, and wronging a large 
number of people as well, but someone who can get at the FTP site from 
the administrator's side might want to check this out.  The virus SEEMS 
to be gone, though; we'll see if it reappears without use of any Debian 
stuff.

Sorry to be writing such a long message that may very well be 
inappropriate.  However, this may be of interest to at least the Win95 
user who seemed to have the same problem.

------------------------------------------------------------------
Barid Bel Medar                               icarus@berkshire.net
Knights of the Cosmos            Shayol Ghul Resort and Health Spa
------------------------------------------------------------------
"I  am  returning  this otherwise good typing paper to you because
someone has printed gibberish all over it and  put  your  name  at
the top." - English Professor, Ohio University
------------------------------------------------------------------
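The check the post walks through by hand (looking at the first sector of the written floppy and of the hard disk in a disk editor, searching it for the "I am Li Xibin" string, and comparing it with the BOOT1440.BIN image the disk was made from) as an added Python example; this is not part of the original post, and the sample sector contents and the marker offset 0x1C0 are constructed assumptions, not the real image.

```python
SECTOR_SIZE = 512
# Text the post reports finding in the MBR and on the written floppy, but not in BOOT1440.BIN
MARKER = b"I am Li Xibin"

def boot_sector(image: bytes) -> bytes:
    """First 512-byte sector of a raw floppy or disk image (the MBR on a hard disk)."""
    return image[:SECTOR_SIZE]

def has_boot_signature(sector: bytes) -> bool:
    """A bootable sector ends in 0x55 0xAA; an infector normally keeps it so the disk still boots."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == b"\x55\xaa"

def diff_ranges(clean: bytes, suspect: bytes) -> list:
    """Contiguous [start, end) byte ranges where the written sector differs from its source image."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(clean, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(clean), len(suspect))))
    return ranges

def check_sector(clean_image: bytes, written_image: bytes) -> dict:
    """Compare the boot sector of a written disk against the image it was made from."""
    clean, written = boot_sector(clean_image), boot_sector(written_image)
    return {
        "signature_ok": has_boot_signature(written),
        "marker_offset": written.find(MARKER),      # -1 when the string is absent
        "marker_in_source": clean.find(MARKER) != -1,
        "changed_ranges": diff_ranges(clean, written),
    }

# Constructed sample data (hypothetical, not the real BOOT1440.BIN): a filler boot sector
# with a jump, an OEM label and the boot signature, plus an "infected" copy with the marker
# patched in near the end of the code area while the signature is left intact.
def make_clean_sector() -> bytes:
    body = (b"\xeb\x3c\x90" + b"LINUX   " + bytes(range(256)) * 2)[:SECTOR_SIZE - 2]
    return body + b"\x55\xaa"

def make_infected_sector(clean: bytes, offset: int = 0x1C0) -> bytes:
    payload = MARKER + b"\x00"
    return clean[:offset] + payload + clean[offset + len(payload):]

if __name__ == "__main__":
    clean = make_clean_sector()
    for key, value in check_sector(clean, make_infected_sector(clean)).items():
        print(f"{key}: {value}")
```

On a real disk, feed `check_sector` the bytes of BOOT1440.BIN and a raw dump of the written floppy (or of the hard disk's first sector) taken from a system booted from known-clean media; a non-empty `changed_ranges` on a disk that was only ever written from that image is the thing to look at.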