Virus of some kind?
I subscribed to this list yesterday and started getting messages
today... I noticed some people replying to a worrying message.
After reading all the directions, I downloaded the debian files and
rawrite2.exe. I made the disks, switched from OS/2, and started up DOS.
The first thing I noticed was that LILO wasn't showing up any more. I
figured it was some accidental thing, but wasn't that big of a deal.
After switching to DOS, I rebooted with the disk in the drive, and it
started chugging away. However, after reading for a few seconds, the
hard drive light flickered, the screen cleared, the disk drive light went
off, and I got the message "PRESS A KEY TO REBOOT." After doing so, I
noticed that LILO still wasn't starting. (Skipping a few steps here.) I
fired up Norton's Disk Editor and checked the MBR of drive 1, which is
where I had LILO. I noticed the usual assembled gibberish, complete with
the word "LILO" at the top. Then I checked the rest of the MBR and saw
something ominous, even if I didn't catch it at the time: the words, "I
am Li Xibin." I figured this was some kind of odd LILO error message. I
didn't catch on to the fact that this was a virus until after I'd checked
the boot record for the Debian disk - it sported the same phrase, which
was NOT located in the BOOT1440.BIN image file. As it is, I still
thought it might only be a LILO thing until I saw that it was cutting off
an error message for the boot disk. (Remember, I'm used to Slackware
Linux, which uses LILO even for bootkernel disks.)
Using fdisk/mbr fixed the MBR, even if it did blast away the last traces
of LILO, and using diskedit to manually copy a single sector cleaned the
bootkernel disk. (Then I got a flash of inspiration and used an old copy
of LOADLIN and a distribution kernel to boot Linux instead.)
So, what I'm trying to say is: this trouble ONLY showed up after using
RAWRITE2 and the Debian stuff. Using RAWRITE seems to work (except when
the MBR is already infected). In fact, the one time I managed to get the
bootkernel working from DOS is when I used RAWRITE on an older version of
the bootkernel image. This is a little suspicious to me.
I thought it was possible that the virus came in earlier, but I find this
unlikely for the following reasons. First, I made the original images
under OS/2, and since OS/2 doesn't even allow read access to a given
sector on the hard disk, it's unlikely that my MBR was infected there.
However, it's possible that the disk was infected, and when I tried to
boot the disk, it did bad things to my MBR (this is confirmed; the virus
spreads to disks on read or write access which goes through DOS, and to
the hard disks when an infected disk is started).
I'm probably very incorrect in all these statements, and wronging a large
number of people as well, but someone who can get at the FTP site from
the administrator's side might want to check this out. The virus SEEMS
to be gone, though; we'll see if it reappears without use of any Debian
stuff.
Sorry to be writing such a long message that may very well be
inappropriate. However, this may be of interest to at least the Win95
user who seemed to have the same problem.
------------------------------------------------------------------
Barid Bel Medar icarus@berkshire.net
Knights of the Cosmos Shayol Ghul Resort and Health Spa
------------------------------------------------------------------
"I am returning this otherwise good typing paper to you because
someone has printed gibberish all over it and put your name at
the top." - English Professor, Ohio University
------------------------------------------------------------------
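The checks the message describes doing by hand (inspecting the MBR and the floppy boot record in a disk editor for the phrase, and comparing the floppy's boot sector with the image file it was written from) can be scripted. The following is an added example, not code from the original post, from Debian or from rawrite; the sample sectors, the offset at which the marker is placed and the OEM and loader strings are constructed for illustration, and the 0x55AA boot-signature check is a general sanity check that the post does not mention.

```python
# Added example (not the poster's code): sanity-check a raw 512-byte boot
# sector (MBR or floppy sector 0) for the symptoms described in the post.
# The sample sectors are constructed here for illustration; nothing about
# the real virus's layout beyond the marker text is taken from the post.

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid boot sector
MARKER = b"I am Li Xibin"             # text the poster found in both boot records


def find_marker(sector, marker=MARKER):
    """Return the offset of the marker text in the sector, or -1."""
    return sector.find(marker)


def has_boot_signature(sector):
    """True if the sector is 512 bytes and ends with the 0x55AA signature."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE


def diff_runs(expected, actual):
    """Return (offset, length) runs where `actual` differs from `expected`.

    Used to compare the sector actually on the floppy with the first
    sector of the image file it was written from (the poster did this
    by eye in a disk editor)."""
    runs = []
    start = None
    total = max(len(expected), len(actual))
    for i in range(total):
        e = expected[i] if i < len(expected) else None
        a = actual[i] if i < len(actual) else None
        if e != a:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, total - start))
    return runs


def check_sector(sector, expected=None):
    """Summarise findings for one sector; `expected` is the clean reference."""
    findings = {
        "marker_offset": find_marker(sector),
        "boot_signature_ok": has_boot_signature(sector),
        "diff_runs": diff_runs(expected, sector) if expected is not None else [],
    }
    findings["suspicious"] = (
        findings["marker_offset"] != -1
        or not findings["boot_signature_ok"]
        or bool(findings["diff_runs"])
    )
    return findings


# --- constructed sample data (stand-ins, not real image contents) ---------
def make_clean_sector():
    """A stand-in for the first 512 bytes of BOOT1440.BIN (constructed)."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x3c\x90"                 # typical x86 jump over a BPB
    s[3:11] = b"EXAMPLE "                    # 8-byte OEM field, made up
    s[0x3e:0x3e + 16] = b"Loading Linux..."  # made-up loader message
    s[-2:] = BOOT_SIGNATURE
    return bytes(s)


def make_infected_sector(clean, offset=0x1a0):
    """Same sector with the marker written over part of the code.
    The offset is arbitrary; the post does not say where the text sat."""
    s = bytearray(clean)
    s[offset:offset + len(MARKER)] = MARKER
    return bytes(s)


if __name__ == "__main__":
    clean = make_clean_sector()
    infected = make_infected_sector(clean)
    for name, sector in (("image sector", clean), ("floppy sector", infected)):
        result = check_sector(sector, expected=clean)
        print(name, "SUSPICIOUS" if result["suspicious"] else "ok", result)
```

On Linux the real sectors can be read with `dd if=/dev/fd0 bs=512 count=1` (or from the hard disk device for the MBR) and the resulting bytes passed to `check_sector` along with the first 512 bytes of the image file; a non-empty `diff_runs` on a freshly written floppy means something altered the sector after rawrite wrote it.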