
List:       forensics
Subject:    RE: The "unplug the cord" dilemma
From:       "Bruce P. Burrell" <bpb () umich ! edu>
Date:       2003-04-01 19:49:03

On 30 Mar 2003 Omar Herrera <oherrera@prodigy.net.mx> wrote:

> Also, a clean shut down might be required by a backdoor or a virus; I
> remember an old virus (boot-437 I think) that would encode the file
> system's table on disk so that restoring the boot sector/mbr with fdisk
> would wipe the virus along with the decoding routine, rendering the hard
> disk useless.

   Not Boot-437.  You're probably thinking of One-Half, though one could
decrypt that with FreeWare utilities even after FDISKing the MBR.

   Also, the Stoned.Empire.Monkey family appeared to have a similar loss
of data, because it (a) didn't preserve the data in the partition table
and (b) "encrypted" the copy of the MBR.  This was trivial to undo,
though, if you know what you're doing.

   In either of these cases, the encryption was done whether or not there
was a clean shutdown.  So while I agree that in theory this might be a
problem, I don't recall a case where it actually *WAS*, for malware.  The
case of encryption software installed on purpose is a different issue, of
course.

   -BPB

University of Michigan...
  AntiVirus Team Leader      <http://www.umich.edu/~virus-busters/>
  Data Recovery Team Leader  <http://www.umich.edu/~wwwitd/data-recovery/>
PGP 2.6.2 key fingerprint:  0D A5 98 3C 91 DA E0 DD  9C 6D FA 8F 4D 34 95 ED


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
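The post describes two boot-sector infectors whose damage to the MBR was recoverable by someone who "knows what they're doing", and points out that the relevant symptom (a partition table that no longer holds the real partition data) is present regardless of whether the machine was shut down cleanly. The following is an added forensic triage example, not code from the poster or from any recovery utility mentioned: it parses a 512-byte MBR image and flags the structural signs an examiner checks first (missing 55AA boot signature, an all-zero partition table, malformed or overlapping entries). The two sample sectors are constructed here for illustration; they mimic only the symptom the post states (partition data not preserved) and are not real malware samples.

```python
import struct

SECTOR = 512
PT_OFFSET = 446            # 446 bytes of boot code precede the partition table
ENTRY_SIZE = 16            # four 16-byte entries
SIGNATURE = b"\x55\xaa"    # boot signature in the last two bytes of the sector


def parse_entry(raw: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields are unpacked but ignored)."""
    (boot, _sh, _ss, _sc, ptype, _eh, _es, _ec,
     lba_start, sectors) = struct.unpack("<BBBBBBBBII", raw)
    return {"boot": boot, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot code, the four table entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = [
        parse_entry(sector[PT_OFFSET + i * ENTRY_SIZE: PT_OFFSET + (i + 1) * ENTRY_SIZE])
        for i in range(4)
    ]
    return {"code": sector[:PT_OFFSET], "entries": entries, "signature": sector[510:512]}


def triage_mbr(sector: bytes) -> list:
    """Return a list of human-readable findings; an empty list means the table looks sane."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != SIGNATURE:
        findings.append("boot signature is not 55AA")

    def unused(e):
        return e["boot"] == 0 and e["type"] == 0 and e["lba_start"] == 0 and e["sectors"] == 0

    if all(unused(e) for e in mbr["entries"]):
        # The symptom the post attributes to Monkey-style damage: the on-disk
        # table no longer carries the original partition data.
        findings.append("partition table is empty: all four entries are zero")

    ranges = []  # (index, start, end) of populated entries, for overlap checks
    for i, e in enumerate(mbr["entries"]):
        if unused(e):
            continue
        if e["boot"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid boot indicator 0x{e['boot']:02x}")
        if e["type"] == 0 or e["sectors"] == 0:
            findings.append(f"entry {i}: partially filled entry (type/size zero)")
            continue
        start, end = e["lba_start"], e["lba_start"] + e["sectors"]
        for j, s, t in ranges:
            if start < t and s < end:
                findings.append(f"entry {i} overlaps entry {j}")
        ranges.append((i, start, end))
    return findings


def build_mbr(entries, code=b"\x90" * PT_OFFSET, signature=SIGNATURE) -> bytes:
    """Constructed-sample builder: entries is a list of (boot, type, lba_start, sectors)."""
    table = b"".join(
        struct.pack("<BBBBBBBBII", boot, 0, 0, 0, ptype, 0, 0, 0, start, n)
        for boot, ptype, start, n in entries
    ).ljust(4 * ENTRY_SIZE, b"\x00")
    return code[:PT_OFFSET].ljust(PT_OFFSET, b"\x00") + table + signature


# Constructed sample: one bootable FAT16 (type 0x06) partition starting at LBA 63.
HEALTHY = build_mbr([(0x80, 0x06, 63, 1_000_000)])
# Constructed sample: same boot code and signature, but the partition table zeroed.
TABLE_WIPED = build_mbr([])

if __name__ == "__main__":
    for name, img in (("healthy", HEALTHY), ("table_wiped", TABLE_WIPED)):
        print(name, triage_mbr(img) or "no findings")
```

On a real case, `sector` would be the first 512 bytes of a forensic image of the disk; an empty or malformed table with an intact signature is exactly the situation where the original partition data must be recovered from elsewhere rather than recreated with FDISK, which is the point the post makes about One-Half and Monkey.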
