MBR rootkits don’t mean you have to wipe the drive

There’s a nasty rumor going around that if your computer gets infected with the Popureb rootkit, your only recourse is to wipe your MBR, reformat your hard drive, and reinstall (or run your factory recovery disk, which is essentially the same thing).

Not so fast.


Ghosts from the past…

Wednesday night, 6:35 PM: I was in my South St. Louis County apartment, getting ready for church, when my phone rang. I’d had at least one telemarketing call that night already, but I picked up the phone anyway.
“Hello?” I said, maybe slightly agitated.

“Dave?” a female voice asked. So much for a telemarketer. I recognized the voice but didn’t place it immediately. And obviously she knew me.

“Yes?”

“It’s Wendy.” Ah, Wendy from church. OK.

“What’s up?” I asked. She doesn’t routinely call me–she doesn’t routinely call anyone, I don’t think–so I figured she probably needed something. That’s OK. I take care of my friends.

“What’s it mean when your computer says, ‘Bad or missing command interpreter. Enter path of a valid command interpreter, e.g. c:\windows\command.com’?”

“Oh. That means one of the files your computer needs to get started is blitzed,” I said. “What happens if you type it?”

“You’re gonna hate me,” she said as she typed the filename. “You deal with this stuff all day and now I call you wanting computer advice.”

I could never hate her. She’s too nice. Besides, guys like fixing things, especially for people they like. I probably should have told her that.

“It just repeats the same thing again,” she said.

“I see.” I had her try a couple of other locations–Microsoft OSs have always installed command.com in too many places. But no go.

“Are my other files OK?”

“Hopefully,” I said. “My computer used to do this to me once a year.”

“My whole life is on this computer, Dave,” she said, sounding a little distressed. My heart melted. I hate it when bad things happen to good people. I especially hate it when bad things happen to good people and one of Bill Gates’ or Steve Jobs’ toy operating systems is involved. But sometimes it’s just a minor inconvenience. I hoped this was one of those instances.

“I just need to boot your computer off a floppy, type a command or two, and it’ll probably come right back to life,” I said.

“Do you have time to do this? I mean, really have time to do this?” She didn’t want to inconvenience me.

“Yeah, I’m on my way to church, and you’re on the way, and it should only take me a couple of minutes,” I said as I formatted a disk and copied sys.com to it.

After assuring her again that I was sure, I told her I’d be there in about 10 minutes. I hopped in my car, disk in hand, ready to go be a hero and still make it to church on time. I rang her bell, heard her dog scream bloody murder, and she opened the door. As soon as she let me in, her Labrador warmed up to me. She led me to the computer room, where I sat down and popped in a disk. She yanked on her Lab’s leash, trying to keep her away from me. She wasn’t having much luck.

“That’s OK,” I said to Wendy. “I like dogs.” Then I turned to the dog and started scratching behind her ears. “I’ll bet the most dangerous part of you is your tail. You just like people so much you thump ’em to death, don’t you?” I turned to the computer and booted off the floppy. It didn’t work. So I restarted, and when it asked for a command interpreter, I typed “a:\command.com” and got a command prompt. Meanwhile, her dog grabbed onto my hand with her paw so I wouldn’t go anywhere. Shadow, the Cocker Spaniel/Irish Setter mix I had growing up, used to do that.

I ran sys.com and rebooted, expecting to be a hero. Instead, I got the dreaded invalid media type reading drive C error.

I told Wendy I’d need the heavy artillery to fix this problem. I kicked myself for not bringing any more sophisticated tools like MBRWORK. It looked like a blitzed partition table to me.

I rebooted a couple more times to try to get symptoms. The Windows logo splashed up ever so briefly. The drive didn’t make any weird noises. That was good. That meant the boot record was intact, and that some data was intact–obviously, because it was reading the Windows logo. It looked just like the time my Pentium-75 crashed and forced me to cycle power, then didn’t come back up. I didn’t know how to fix a blitzed partition table then. But that was a long time ago.

By now, it was 7:20. “I can go get some more tools,” I offered.

“Go to church,” she said. “I’d feel really bad if you miss church. Tell Pastor John it’s my fault.”

I did my best to reassure her that I could get her data back. I told her the odds looked like about 50/50. In reality I was more confident than that, but unless I’m about 99% certain, I won’t say the chances are any better than 50/50. There’s nothing I hate more than disappointing people.

I went to church mad at myself that I hadn’t gotten her data back. I came home from church, got ready to gather up my tools, and checked my messages. It was Wendy. She said she’d gone to school to work on a paper, that we’d worry about the computer tomorrow but it wasn’t a big deal.

Maybe it wasn’t to her. But it was to me. I hate losing, especially to a computer. I have since I was in first grade and played Atari at my neighbors’ house. True, back then I got mad when I lost at Donkey Kong, but in my mind there’s no difference. Even though it’s a different game today and I lost a lot then and I rarely lose now, it doesn’t make me hate losing any less. Especially when I’m playing with other people’s stuff. Her words echoed in my mind: “My whole life is on this computer, Dave.”

I wasn’t going to let her down. I wasn’t going to let myself down by letting her down. I was going to get that data back, and I didn’t care what I had to do to get it.

I called her back, expecting her not to be there. Her mom, Debby, answered the phone. She gave me a few more clues, told me she didn’t expect Wendy home until late, said one or the other of them would be home about 3:30 the next day. I’d been at work until close to six on Wednesday and saw the possibility of having to stay that late on Thursday. I didn’t make any hard and fast promises about when I’d be there, but I started plotting how I would escape work by 4:15.

On Thursday, I loaded up floppies containing all the standard Microsoft disk tools, plus Norton Disk Doctor, plus Spinrite, plus MBRWORK and a few other partition recovery tools, along with a Windows 98 CD, and took the whole wodge of stuff to work. At 4:20, I called. Debby answered. I told her I was leaving work and I’d probably get there in about 20 minutes.

Along the way, I listened to a bunch of punk rock, really loud, and got myself pumped up. Whether it’s stepping up to the plate in the bottom of the seventh with runners on second and third and two out, or just a tricky computer problem, I get myself into the same mental place. The world fades away and I see nothing but the challenge. By the time I got to their house, I was in the zone. I was so in the zone that I walked up to the front door of the wrong house. Wendy’s Lab was in the front yard giving me the “I know you! What are you doing over there? Get over here and pet me!” look. I didn’t notice. The neighbor pointed next door. Feeling stupid, I walked over. The dog congratulated me on getting smart, Debby greeted me, and I went another round with her computer, running MBRWORK. It recovered the partition successfully, it said. I got excited. I rebooted and the computer asked me for a command interpreter again.

Cantankerous computer 2, Dave 0.

I went home, fixed myself a little something to eat, pondered the situation, and wrote my Bible study for Friday night on my company laptop. That calmed me down enough to let me think rationally again. I packed up everything I could possibly need: Norton AntiVirus, Ghost, an extra hard drive, two laptops, a couple of Linux CDs, both versions of Windows 98, utilities disks…

I booted off my disks and tried a few things. Nothing. I booted my company laptop up with the disks–that laptop doesn’t have DOS installed–and added a couple more toys. They didn’t help. Wendy got home and asked if it was a bad sign I was there. I muttered something and probably came off as rude. I was in the zone, after all. I asked her if she had any floppies she wanted me to scan for viruses. She handed me one, and I tried to boot my laptop into Windows. It showed the very same symptoms as her computer.

I’ve said it before and I’ll say it again. Virus writers, PLEASE get a life. Get interested in girls or something. Anything!

Wendy didn’t like the look on my face. I told her what happened. She said a phrase I won’t repeat here, then apologized. There was no need. I felt like saying it too. Or something worse.

For grins, I tried booting the laptop into Linux. It booted up like it was cool. Hmm. Boot sector viruses that kill Windows dead don’t even make Linux flinch. I owe Linus Torvalds a beer.

I tried mounting my main Windows partition. Linux reported NTFS errors. Visions of virus writers getting beaten to a bloody pulp danced in my mind.

Since I was now convinced we were dealing with a boot sector virus, I replaced the MBR. No joy. I booted off a Linux CD, switched over to a console, ran cfdisk, and viewed the partition table. One 4-gig partition, FAT32. No problems. Odd.

Wendy started fretting. “You’ve spent all this time and you’ve lost your laptop. I’m about to start to cry.”

I stopped what I was doing, turned to her, and looked her straight in the eye. “I take care of my friends.”

She looked back at me like she thought that was kind of cool.

“I don’t care about the laptop. I can fix that later. I can rewrite the Bible study that was on it. It took me 20 minutes to write, so it’ll take me 15 minutes to rewrite. I’m going to get your data back.”

The Bible study I lost indeed took me about 15 minutes to rewrite, and the second version was a lot better. But I didn’t get her data back that night. Eventually I gave up, pulled her drive, installed a new drive, and installed Windows and Office on it so they’d have a computer that was useful for something. Debby walked in as I was switching drives, noticed the dust inside the case, and gave it a disgusted look. She came back with a rag and Wendy started laughing at her.

“She can’t stand dust anywhere. I guess not even inside electronics,” Wendy said.

Debby lit up when she walked in the room and saw the Windows 98 screen on her computer. Later when Wendy walked back in, she let out a whoop and told her mom she was missing beautiful things in the computer room. I was pretty happy about it too. Windows 98 didn’t install easily–the initial reboot failed and installation didn’t continue until I booted it in safe mode, then rebooted. I gave the computer a lecture as I booted it, reminding it that I have enough spare parts at home to build a computer like it and would have no qualms about destroying it and replacing it with something else. I know it didn’t hear or understand a word I said, but I felt better afterward.

I felt bad about not getting the data back that night. Wendy and I talked for about 45 minutes about other things. I felt better afterward. I forgot to thank her. Around midnight, I packed up the stuff and drove home.

Wendy and I talked the next day over e-mail. I’d taken my disks to work and scanned them on a non-networked PC nobody cared about and found the Form virus. Wendy had taken some disks to school and had them scanned. They contained both Form and antiCMOS. Since antiCMOS resides in the MBR and Form resides on the primary partition, the two viruses can coexist. Form was relatively harmless on FAT16 drives, and although antiCMOS was potentially destructive in 1991, it’s much less so now that PCs autodetect hard drives at boot rather than relying on parameters stored in CMOS. My work the night before would have eliminated antiCMOS, which explained why it wasn’t present on my disks. I did a Dejanews search on Form and FAT32, to see if that would explain the apparent partition corruption. I found that the symptoms were exactly what Wendy was showing. And I found recovery methods that had a high success rate.

I haven’t put Wendy’s drive in one of my PCs yet to recover it. But I’m pretty confident I’ll get her data back. That’s a good thing. I’ve met nicer people than Wendy and Debby. But only once or twice. People like them don’t come around very often, so I’d like to do something nice for them.

Bringing their data back from oblivion would do.

Rare DOS disk utilities

Mailbag:

RAM disk; Your book; Mobos; Monitors; Net folders

I’ve been doing a bunch of work in DOS the past few days, and I’ve found some useful disk tools. A lot of people use the shareware WinImage or GRDUW to create images of floppy disks. That’s with good reason, seeing as floppies are so unreliable–this way, you’ve got a backup on a hard drive or CD-ROM drive, and it’s so much more convenient when you need a particular disk to just grab a blank, make a fresh copy from an image, and go do your thing. But I found some DOS utilities, some recent and others oldies but goodies, that give you the functionality of these shareware utilities but with the advantage of being free, smaller, faster, and in most cases running on a wider variety of operating systems–all good things. So they don’t have a nice clicky mousey interface… I don’t like using a mouse anyway. Maybe you’re like me, or maybe you like powerful utilities and don’t mind giving up the mouse to be able to use them.

So here goes.

Creating disk images. My favorite is Diskwarez DF — of course I like this utility, seeing as it bears my initials. DF is a short and sweet utility for creating and writing disk images compatible with Rawrite and the Unix dd utility. Runs under DOS and under Windows 9x and NT in a command window. There are dozens of DOS disk imaging utilities out there, but this one has the advantage of being compatible with a very common cross-platform standard. Check out the Diskwarez site, as it’s got tons of info on disk programming, as well as some other utilities like free disk editors. Despite the name, it’s not a pirate site–Diskwarez software is distributed under a free license somewhat similar to the GPL.

If you prefer self-extracting images, you can use the similarly named DOSDF to create them.

Bigger, faster, better floppies. The other feature of GRDUW is to format high-capacity floppy disks and floppies that give faster access than disks formatted with Windows Explorer or the DOS format utility. Enter FDFORMAT. You can do that and plenty of other cool things with this utility. You can gain more usable space on a 1.44-meg floppy without resorting to weird disk formats just by reserving fewer root directory entries. For example, FDFORMAT A: /D:16 gives you the maximum available space on a 1.44-meg floppy by reserving just 16 root directory entries (if you’re storing large files you don’t need more than 16 anyway, probably).

For extra speed, use Sector Sliding: FDFORMAT A: /X:2 /Y:3 speeds up the disk by 50-100 percent by arranging the tracks in a more optimal order. Supposedly you can gain even more speed by playing around with the gap length, but the author says disks are less reliable when you do this. If you’re more interested in speed than in reliability, add the /G:32 switch to the command listed above.

And by default, the boot sector on disks formatted by FDFORMAT automatically tries to boot to the hard drive rather than giving you the dreaded “Non-system disk or disk error” message. Why couldn’t Microsoft think of that?

And of course you can also format high-capacity disks. Use the /F168 option to format a 1.68-MB floppy, and the /F172 option to format a 1.72-meg floppy. These switches can be combined with the others as well. Keep in mind that extra-capacity disks aren’t bootable.

FDFORMAT’s downside is it won’t run from inside Windows NT or Windows 9x. The best thing to do with it is to format a disk with it on a PC booted into DOS (DOS mode from Windows 9x’s boot menu is sufficient), then take that disk and use the aforementioned DF or DOSDF utilities to make an image of that disk, then when you need to format a new high-speed disk or a new disk that won’t give you errors when you leave it in the drive, use the image.
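As an added example, not code from this post or from the Diskwarez or FDFORMAT authors, here is a Python snippet that reads the BIOS Parameter Block from the first sector of a raw dd/Rawrite-style floppy image (the kind DF produces) and works out how many bytes the root directory reservation costs, so you can see what /D:16 actually buys you. The constructed 1.44-meg boot sectors, the OEM label and all function names are my own assumptions.

```python
import struct
from dataclasses import dataclass

# FAT12/16 BIOS Parameter Block: twelve little-endian fields starting at byte 11
# of the boot sector (bytes/sector, sectors/cluster, reserved sectors, FAT count,
# root entries, total sectors (16-bit), media byte, sectors/FAT, sectors/track,
# heads, hidden sectors, total sectors (32-bit)).
BPB_FORMAT = "<HBHBHHBHHHII"
BPB_OFFSET = 11
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class Bpb:
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int
    num_fats: int
    root_entries: int
    total_sectors: int
    sectors_per_fat: int
    sectors_per_track: int
    heads: int


def parse_boot_sector(sector: bytes) -> Bpb:
    """Parse the BPB from the first 512 bytes of a raw floppy image."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    (bps, spc, reserved, fats, root, total16, _media, spf,
     spt, heads, _hidden, total32) = struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or fats == 0:
        raise ValueError("implausible BPB values; not a FAT boot sector?")
    return Bpb(bps, spc, reserved, fats, root, total16 or total32, spf, spt, heads)


def root_dir_sectors(bpb: Bpb) -> int:
    """Each root directory entry is 32 bytes; the area is rounded up to whole sectors."""
    return (bpb.root_entries * 32 + bpb.bytes_per_sector - 1) // bpb.bytes_per_sector


def usable_bytes(bpb: Bpb) -> int:
    """Data area left after the reserved sectors, the FAT copies and the root directory."""
    data = (bpb.total_sectors - bpb.reserved_sectors
            - bpb.num_fats * bpb.sectors_per_fat - root_dir_sectors(bpb))
    clusters = data // bpb.sectors_per_cluster
    return clusters * bpb.sectors_per_cluster * bpb.bytes_per_sector


def make_1440k_boot_sector(root_entries: int = 224) -> bytes:
    """Constructed sample: a standard 1.44-meg FAT12 boot sector with the given root entry count."""
    sec = bytearray(512)
    sec[0:3] = b"\xeb\x3c\x90"            # jump over the BPB, as real boot sectors do
    sec[3:11] = b"SAMPLE  "               # constructed OEM label
    struct.pack_into(BPB_FORMAT, sec, BPB_OFFSET,
                     512, 1, 1, 2, root_entries, 2880, 0xF0, 9, 18, 2, 0, 0)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


def space_gained(root_entries: int) -> int:
    """Extra data bytes versus the DOS default of 224 root directory entries."""
    trimmed = usable_bytes(parse_boot_sector(make_1440k_boot_sector(root_entries)))
    default = usable_bytes(parse_boot_sector(make_1440k_boot_sector(224)))
    return trimmed - default


def inspect_image(path: str) -> Bpb:
    """Read the boot sector of an image file written by DF, Rawrite or dd."""
    with open(path, "rb") as f:
        return parse_boot_sector(f.read(512))


if __name__ == "__main__":
    print(f"/D:16 gains {space_gained(16)} bytes over the default 224 entries")
```

Point `inspect_image()` at an image you pulled with DF to check the BPB of a real disk, including the 1.68- and 1.72-meg formats, which show up as a different total sector count and sectors-per-track value.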

Formatting bad disks. And finally, for those dreaded Track 0 Bad errors that render a disk unusable, there’s FR, which uses workarounds to try to make the disk usable again. Typically I get rid of floppies with bad sectors pretty quickly, but if it’s an emergency, this program might bail you out. I used to get around Track 0 errors by formatting the disk in my Amiga–for some reason the disk always worked after that–but seeing as I usually don’t have my Amiga set up, this is an alternative.

And wouldn’t you know it, as soon as I wrote that I found a better way. SmartFormat also does Track 0 workarounds, uses the date and time to create unique disk serial numbers (instead of Microsoft’s license-plate method), provides a fast format that’s up to 60% faster than Microsoft’s method, and can optionally format 1.72-meg disks. SmartFormat runs within Windows, usually.


Praying about depression, and a common Mac no-no

Sorry, not thinking much about computers tonight. Short version of the story: I was at church Wednesday night, and I sat near the front. I never do that–that’s the last remnant of “Good Lutheran” in me. (I’m a very, very bad Lutheran, partly because I believe a guitar’s proper place is near the altar.) I was staring off into space before the service when I happened to turn around, and there was a lady my age sitting behind me. I’d seen her at Wednesday services a couple of times before but we’d never been introduced.
I’m usually one of two twentysomething males present. The other plays keys for the praise team and isn’t very accessible because he’s always busy. She seemed to want to talk to a twentysomething male. More on that in a second.

We ended up in the same prayer team. We break into groups of about seven to talk about what’s going on in our lives and pray as a group for those individual needs, for pastor, and for the church. Her big concern: Her brother. He’s depressed. OK, what twentysomething male isn’t sometimes? He’s not very receptive to God. Again, what twentysomething male isn’t? So after we prayed, I asked her a little more about her brother. From what she told me and others, I got a bit of a picture. Twenty-one, depressed, doesn’t have a girlfriend and thinks that means there’s something horribly wrong with him.

I know a certain someone who was in that very same boat, right down to the age. He was deathly afraid to tell anyone about it. So he wrote a column about it and published it in the student newspaper at the University of Missouri-Columbia where potentially 20,000 people could read all about it. He’s a good friend of mine. His name’s Dave.

I didn’t get to talk to her a whole lot more about it because I had to go put together a slideshow after the service, but that’s just as well because I think it’s good that I’ve thought about it some. I need to think the situation over a little bit more.

Some things are more important than computers, after all.

Yes, some things are more important. Let’s fast-forward to when I was 23. Maybe as you read this, you think, “Dave just found himself a target.” Well, you know, when I was 23 and not very different from how I was at 21, some people saw me as a target, and they did just that. They messed me up even more. But there were a couple of guys who were different: an ex-Marine named Cannon, and a guitar player named Mark, and an artist/guitarist/anthropologist named Charlie. They saw a guy who needed a friend. Cool guys. All Christian, but they weren’t fake. Their approach worked pretty well.

So of course I have to change it. What I needed most at that time was to know that someone had been there before. All the rest could come later. In Mark and Cannon, I saw two guys, one of them a couple of years older than me, who’d kinda sorta been there before.

So. This could be my chance to give something back.

———-

From: Dan Bowman

Subject: FWIW (Macintosh maintenance)

Mac Buyer’s Tip: On our new dual-processor G4, the cruddy DHTML animation at Happy Cog runs as smoothly as a Flash movie. And our crisp, new, widescreen Cinema display reveals the terrible imperfections of the artwork we’ve foisted on the public for years. One freelance gig can pay for this system. We recommend it highly. But don’t buy the latest versions of Norton Utilities and Tech Tool Pro yet. They won’t boot the dual-processor G4. And Norton has actually caused hard drive problems we were only able to repair with Apple’s built-in Disk First Aid app. Installing these two power-user must-have programs was the cause of most of our installation woes.

via Zeldman: http://www.zeldman.com/coming.html October 17 post.

dan

———-

Amen, brother!

Rule #1: Never, ever, ever, EVER install Norton Utilities and Tech Tool Pro. Not even if Steve Jobs holds a gun to your head. Boot off them in emergencies in order to fix or defrag your hard drive. You have to boot off the CD to do that anyway (the OS won’t let you fix or defrag the drive you booted from), and those tools cause more problems than they solve when they’re installed. Installing serves no useful purpose. Buy them and store them away except for that one day a month when you do disk maintenance.

Rule #2: Don’t rely only on NU and TTP. Also get DiskWarrior, from Alsoft. When something goes wrong, run DiskWarrior. Then run TTP. Then run NU. Then run Apple’s Disk First Aid. Why? All of them fix a lot of disk problems. None of them fix all of them. DW and TTP catch things NU won’t. NU catches minor things they don’t. And Disk First Aid fixes what NU breaks.

To get around the dual G4 boot problem, partition the drive and install just a minimal Mac OS 9 to it. When maintenance calls, boot off that partition, then run your disk tools off their respective CDs (or copy the CDs’ contents to that partition if you have the space).

This problem occurs every time Apple changes their architecture.