
Disk failure or Virus?

Discussion in 'Hardware' started by Trentham, Oct 8, 2003.

Thread Status:
Not open for further replies.
  1. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    308
    Can anyone put forward any ideas about a recent problem I had with one of my client's machines?

    The machine is running Win 2000 Pro and has a 60 GB disk drive formatted as a single FAT32 partition. As it turns out, no antivirus software was working on the machine, nor was a firewall in operation. The machine connects to the internet via another machine which provides the internet connection sharing and is firewalled.

    From what was reported, the machine had been working OK and left for a while and when they came back to it to shut it down, it was showing a blank blue screen. The following day it started OK but later 'froze up' and then wouldn't reboot. So much is what I was told.

    When I investigated I discovered that the boot sector had been corrupted - but in a very organised way. Only every 8th byte was affected, starting with the 6th byte and only the 6th bit of that byte was affected (except for one byte).

    Of the 42 bytes affected (of the possible 64 8th bytes), 40 had bit 6 switched on (OR 0x40), 1 had that bit switched off. The other byte was the exception mentioned above but it is possible that its differing value was legitimate - I don't know quite enough about FAT32 boot sectors to say! The way I ascertained the 'correct' values was by comparing with the spare boot sector copy stored at sector +6.

    The only sector I could find with any error was this boot sector.

    I restored the duff sector to its copy and the machine rebooted reasonably adequately (there was actually an inaccurately recorded free space message) but I was able to reboot the system and get at the data. Since then it has been working fine.

    My immediate thought was that it looked like the result of a virus, however a full scan of the disk showed nothing and searching on the net revealed no messages about a virus which showed this behaviour (though I could well have missed it).

    I thoroughly checked out various bits of hardware - the disk, the cable (which I replaced anyway), the memory. I wasn't in position to be able to do very much with the disk controller.

    So what are your theories as to what happened?

    What I'd like most is for someone to say that this was exactly what virus XXXX does - or failing that suggest what component could have misbehaved in such an organised way.

    I can't see why anything *should* have been writing to the boot sector for it to get it wrong! Needless to say the machine now has adequate protection.
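
Added example, not part of the original thread: a Python sketch of the comparison the post describes, diffing a damaged boot sector against its backup copy and summarising how regular the differences are. The 512-byte sector size, the `read_sector` helper and its image path, and the reading of "6th byte" as offset 5 are assumptions; the sample data is constructed.

```python
from collections import Counter

SECTOR = 512          # bytes per sector (assumed)
BACKUP_DISTANCE = 6   # backup boot sector at "sector +6", as in the post

def read_sector(image_path, lba):
    """Read one sector from a raw disk image (hypothetical path)."""
    with open(image_path, "rb") as f:
        f.seek(lba * SECTOR)
        data = f.read(SECTOR)
    if len(data) != SECTOR:
        raise ValueError(f"short read at LBA {lba}")
    return data

def diff_sectors(damaged, reference):
    """List (offset, bits_set, bits_cleared) for every differing byte."""
    if len(damaged) != len(reference):
        raise ValueError("sectors differ in length")
    out = []
    for off, (d, r) in enumerate(zip(damaged, reference)):
        if d != r:
            out.append((off, d & ~r & 0xFF, r & ~d & 0xFF))
    return out

def summarise(diffs):
    """Expose regularity: spacing, position within 8-byte groups, bit masks."""
    offsets = [off for off, _, _ in diffs]
    return {
        "bytes_changed": len(diffs),
        "strides": Counter(b - a for a, b in zip(offsets, offsets[1:])),
        "offset_mod_8": Counter(off % 8 for off in offsets),
        "set_masks": Counter(s for _, s, _ in diffs if s),
        "cleared_masks": Counter(c for _, _, c in diffs if c),
    }

def constructed_sample():
    """Constructed data: 40 bytes gain bit 0x40 and 1 loses it, every 8th byte."""
    reference = bytearray((i * 7) & 0xBF for i in range(SECTOR))
    reference[5 + 8 * 40] |= 0x40          # this byte legitimately has bit 6 set
    damaged = bytearray(reference)
    for n in range(40):
        damaged[5 + 8 * n] |= 0x40         # bit switched on
    damaged[5 + 8 * 40] &= ~0x40 & 0xFF    # bit switched off
    return bytes(damaged), bytes(reference)

if __name__ == "__main__":
    report = summarise(diff_sectors(*constructed_sample()))
    for key, value in report.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

On a real image, pass `read_sector(path, start)` and `read_sector(path, start + BACKUP_DISTANCE)` to `diff_sectors`, where `start` is the partition's first sector.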
     
  2. moebius

    moebius

    Joined:
    Oct 7, 2003
    Messages:
    1,741
    There can be only two answers:
    1) Your hard disk decided to play roulette
    2) This was a targeted attack, not a virus
     
  3. omegax

    omegax

    Joined:
    Jan 27, 2003
    Messages:
    15
    You could have had a bad sector, which just happened to be the boot sector. It's consistent with what you described at least, can't really say for sure though, not seeing it myself. I would think that a boot sector virus could accomplish the same thing, but I wouldn't think it would be that precise, not like what you described. A regular scan doesn't scan the boot sector, this is usually an extra "feature" some scanners don't even offer. I think Housecall scans the boot sector though, over at www.antivirus.com

    ----------------------------------------------
    omegax
    www.computer-discounts-guide.com
     
  4. GeekGawd

    GeekGawd

    Joined:
    Apr 9, 2003
    Messages:
    177
    I believe the BIOS has an "anti virus" setting. This is basically there to prevent any write access to the boot sector.
    Issues arise when someone gets errors while trying to do a low level format. This is because that setting is on, which is restricting access to wipe out the boot sector.
    You could also see if you can use that setting.
    And there are many viruses which behave in an organised way. There is always some sort of goal in mind.

    ~Gg~
     
  5. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    308
    I'll have a look to see if it has such a setting. It'd be nice for peace of mind, though is it the boot sector (of which there can be several) or the MBR that it protects?
     
  6. GeekGawd

    GeekGawd

    Joined:
    Apr 9, 2003
    Messages:
    177
    It protects the MBR

    From what I understand, it will protect the MBR, since the MBR looks at the boot sector of the partition. The boot sector is from where the OS is loaded to the RAM.

    ~Gg~

    You can read about boot viruses on any anti virus website.
     
  7. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    308
    That's what I thought. I couldn't really see the BIOS protecting the various boot sectors.
     

Short URL to this thread: https://techguy.org/170555
