
Re: virus trashing LILO?



On Mon, 17 Nov 1997, Gustaf Erikson wrote:

> This is something I saw on Usenet: that a virus can infest the boot
> sector of a Win95/Linux machine and trash Linux via LOADLIN.
> 
> Am I being terribly naive in thinking that the same might apply when
> you boot via LILO? As far as I can remember, my LILO resides on the
> bootable part of my Linux partition, and handles boot to Win95 from
> there. Can the MBR be subverted by a virus and wreak havoc on Linux?

 Actually, the original information "on Usenet" seems a bit off. So far 
as I know, this is how it works:

 PC hard drives have a "boot sector" in a defined place on the drive. 
When the PC boots up, the BIOS goes to the boot sector and runs the code 
that it finds there. This normally takes care of loading the operating 
system and so on.

 Some viruses, however, can infect the boot sector of a hard drive or 
floppy, and try to spread whenever the system boots (and perhaps do other 
damage depending on how pathologically maladjusted the author is). Usually 
they will fire up, try to spread, and then start the operating system up 
themselves so the user doesn't know the virus is there.

 However, boot sector viruses universally assume a DOS/Win type of 
environment. (At least, I've never heard of one that knew about Linux.) 
This usually means that when the virus tries to infect a boot sector that
has LILO installed, the virus screws up the boot sector and the PC 
suddenly won't boot. This is actually a good way of detecting the 
presence of such a virus. (A lot of failed Linux installations are due to 
this sort of problem, and often the newbie never finds out why "Linux 
doesn't work on my PC".)

 If you've got a boot floppy handy, this is no big deal. You just boot 
off the floppy, reinstall LILO, and then work on disinfecting the Windows 
side of things. (Deleting the insecure OS is a good start. :-> ) If you 
don't have a boot floppy, you may have a problem.

 If the virus mucks with the partition table (whether because the virus 
was badly written or because the goofball who wrote it actually planned 
it) then you may have a larger problem, though. Then you may need to 
restore from backup. (If you don't keep backups, why not?)

 If you use LOADLIN instead of LILO, the boot sector virus has already 
run. Generally LOADLIN will work just fine, until the virus does 
something vicious to your system. LOADLIN starts running as a Windows 
application, though, and thus could itself be infected by an application 
virus, with the normal unpredictable results.

 Sincerely,

 Ray Ingles         (248) 377-7735          ray.ingles@fanucrobotics.com

        Screwing things up is *easy*. People do it by *accident*.
          If you think you're clever, try *improving* something.
                                - Me


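The post's advice boils down to two checks a Linux admin of the era could do by hand: is the boot sector still the one LILO wrote, and is the partition table still intact? The following is an added example (not code from the original post or from the LILO project) that performs both checks offline against a 512-byte sector image, such as one captured with `dd if=/dev/hda of=mbr.bak bs=512 count=1` right after installing LILO. The layout it decodes (boot code in bytes 0-445, four 16-byte partition entries at offset 446, 0x55AA signature at offset 510) is the standard PC MBR layout; the assumption that LILO's first-stage loader leaves the string "LILO" at byte offset 6 is the author's assumption here, and the sample sectors are constructed, not taken from a real disk.

```python
"""Parse a 512-byte PC boot sector (MBR), check its integrity, and compare it
against a previously saved known-good copy.  Constructed example; the sample
sectors below are synthetic and do not come from a real disk."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510-511 of every bootable MBR
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a synthetic MBR for demonstration.
    partitions: list of up to four (bootable, type_id, lba_start, sector_count)."""
    if len(boot_code) > PART_TABLE_OFFSET:
        raise ValueError("boot code would overrun the partition table")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, start, size) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + 16 * i
        # CHS fields are filled with a placeholder; LBA fields carry the real geometry.
        struct.pack_into(ENTRY_FMT, sector, off,
                         0x80 if bootable else 0x00, b"\xFE\xFF\xFF", ptype,
                         b"\xFE\xFF\xFF", start, size)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode the parts of the sector that matter for the two checks."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, size = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype != 0:                      # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": start, "sectors": size})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        # Assumption: LILO's first stage leaves the marker "LILO" at offset 6.
        "lilo_marker": sector[6:10] == b"LILO",
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": parts,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Report what changed relative to a saved known-good sector.  An altered
    boot-code region with an intact partition table is the 'reinstall LILO'
    case; an altered partition table is the 'restore from backup' case."""
    findings = []
    cur, base = parse_mbr(current), parse_mbr(baseline)
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing: BIOS will not boot this sector")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code region (bytes 0-445) differs from baseline")
    if base["lilo_marker"] and not cur["lilo_marker"]:
        findings.append("LILO marker gone: loader overwritten, reinstall LILO from a boot floppy")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline: restore it from backup")
    return findings


# Constructed sample data: a LILO-style baseline and the same disk with the
# boot code replaced by a foreign stub (partition table left untouched).
PARTS = [(True, 0x83, 63, 2_000_000), (False, 0x0B, 2_000_063, 4_000_000)]
BASELINE = build_sample_mbr(b"\xEB\x04\x90\x90\x90\x90LILO\x16\x00", PARTS)
OVERWRITTEN = build_sample_mbr(b"\xEB\x20\x90" + bytes(40), PARTS)

if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE), ("overwritten", OVERWRITTEN)):
        print(name, compare_to_baseline(sector, BASELINE) or ["no changes"])
```

To use it on a real machine, replace the constructed sectors with the current sector read from the disk device and the `dd` copy taken at install time; the findings then tell you whether re-running `lilo` from a boot floppy is enough or whether the partition table itself has to come back from backup.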