#1 (03-26-2004, 12:59 PM) Registered User, Join Date: Oct 2003, Posts: 161
Question Regarding Viruses?
If I have a PC in front of me with a virus loaded onto it and I just want to perform a clean format and re-install to get rid of the virus, can that virus reside in memory and re-launch itself after the clean installation finishes? I know that worms hide in memory, but is this possible? I always thought that wiping the partition out, creating a new partition, and formatting the drive would wipe all viruses off. Kinda curious b/c I had a friend tell me that I need to run a complete virus scan before I format the drive.
#2 (03-26-2004, 01:10 PM) Registered User, Join Date: Oct 2001, Location: Dallas, TX, Posts: 1,151
#3 (03-26-2004, 02:42 PM) Registered User, Join Date: Oct 2003, Posts: 161
No. It is not an actual PC. I was just wondering if this could happen. Thanks.
#4 (03-26-2004, 02:45 PM) Registered User, Join Date: Oct 2001, Location: Bay Area, CA USA, Posts: 6,966
Yes, it is possible. Most virus programs aren't so sneaky, and a clean format will kill most of them. But some of the more nasty ones are capable of hiding themselves in parts of memory or even in the BIOS.
#5 (03-26-2004, 02:51 PM) Guest
Aw Steve, you're no fun! If you have a box you can reformat, why not poke at the virus a bit and see what it does?
Watch it replicate and change names or stuff!
Just depends on the type of virus. Steve R Jones is right, you should identify it first.
If Symantec is having trouble with it, and/or you think it might be a Trojan, I recommend you try The Cleaner.
Edit... oh, hypothetical virus... (that's what I get for starting an answer, then leaving, and coming back!)
Then change the above answer to maybe.
#6 (03-27-2004, 02:23 PM) Registered User, Join Date: Oct 2003, Posts: 161
The reason why I asked this is that sometimes you come up to systems and notice that they have a virus by running an AV. You also notice that they have every adware/spyware file known to man b/c some kid wanted to download every file off of Kazaa or click on every pop-up link within porn sites. Anyway, their system is so bogged down with trash that it is more logical to wipe everything off and start fresh again (I don't need them coming back, and they probably almost always will if you try to fix a problem that is too deep). So, is it good to run an AV before formatting in this type of situation, or just format and don't worry about it?
#7 (03-27-2004, 02:46 PM) Registered User, Join Date: Oct 2001, Location: Chicagoland IL, Posts: 1,539
Reformatting, or even dropping the partition table and re-partitioning, are NOT a guaranteed way to get rid of a virus.
If you use a write-protected floppy with a zero-write utility like Killdisk (self-contained OS), boot to the floppy drive as the first device from a cold boot, zero-write the drive, then shut down the system completely, you have eliminated any virii except those that write themselves into BIOS... these are extremely rare, since script-kiddie types normally don't have the skill to create one of these.
While shut down, and if you're really paranoid, I suppose you could pull the battery to kill power to the BIOS chip (I don't know if any virii write into CMOS), replace the battery, and then reflash the BIOS using a write-protected floppy.
__________________
A man becomes rich not by having what he wants, but by wanting what he haves.
#8 (03-27-2004, 07:24 PM) Registered User, Join Date: Sep 2003, Location: Euroland, Posts: 397
Quote: "Most virus programs aren't so sneaky, and a clean format will kill most of them. But some of the more nasty ones are capable of hiding themselves in parts of memory or even in the BIOS."
If we're talking hypothetically then let's at least assume a couple of things. Assume a stock mobo, Win OS and a single HD with a single partition on it. First off, BIOS is hard-coded. It's a set of basic I/O routines. This is how the POST screen is able to be shown without an HD. There is another small chip that can be changed though. People call this firmware. If this is where the virus could be saved (which is unlikely because of the small size of the memory) it would cause the PC not to boot (because of the BIOS having hard pointers to it), which is bad for the virus as it can't spread from a dead PC.
The Windows OS depends on what they call a boot sector to load the basic routines needed to load the OS. There have been a lot of viruses that exploit this part of the HD to boot before the OS. This was an issue with DOS. I've never heard of a boot sector virus that will run on Win95 and higher. If there were such a virus it would be very hard to code.
Everything else is on the "data" part of the HD. This is checked as "empty" on the FAT during a reformat. It is possible for the theoretical boot sector/Win95+ virus to survive a reformat, but highly unlikely as it would be difficult to store the entire virus on the boot sector. Finally you rewrite the boot sector, format the HD and there is zero chance of a virus still being able to run itself off the HD.
About the memory. Just like your HD there is a part of memory that's used to store info on what is stored where in memory. Anything stored in memory has to have a pointer to it in this part. After the boot process this part is written and rewritten to a bunch of times. As the boot process allocates fresh memory, even if the RAM held the information during your pressing the reset button there is zero chance of it ever being referenced as a piece of code to execute.
In other words, if you boot off a WinXP install CD and then delete all partitions on your HD, then reinstall Windows, there is ZERO chance of a virus still being on your PC.
BTW, if anybody has a counterexample of any kind I would love to hear it. It would make for great geek talk.
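As an added illustration of the boot sector layout the two posts above are arguing about (this is not code from the thread or from any of the posters): the first sector of a PC disk holds 446 bytes of bootstrap code, a four-entry partition table and the 0x55AA signature the BIOS checks before jumping into that code. A high-level format only rewrites sectors that lie inside a partition, so sector 0, where an MBR virus keeps its code, is never touched; a zero-write of the whole device is what clears it. The disk image, its single FAT16 partition entry and the placeholder boot code bytes below are constructed for the example and stand in for whatever loader or virus code would really be there.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 of sector 0: bootstrap code (an MBR virus lives here)
PTABLE_OFF = 446             # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511: boot signature the BIOS checks before jumping to 0x7C00


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte master boot record into its code, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    code = sector[:BOOT_CODE_LEN]
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_zeroed": not any(code),
        "boot_code_sha256": hashlib.sha256(code).hexdigest(),
        "partitions": partitions,
    }


def build_disk(total_sectors: int = 2048) -> bytearray:
    """Constructed sample image (not a real disk): MBR with placeholder boot code and one FAT16 partition."""
    disk = bytearray(total_sectors * SECTOR)
    # Hypothetical stand-in for whatever sits in the bootstrap area, loader or virus alike.
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 8
    disk[0:len(boot_code)] = boot_code
    # Partition 1: bootable, type 0x06 (FAT16), starting at LBA 63, running to the end of the disk.
    disk[PTABLE_OFF:PTABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x06, 63, total_sectors - 63)
    disk[510:512] = SIGNATURE
    # A fake volume boot sector and some file data inside the partition.
    disk[63 * SECTOR:63 * SECTOR + 3] = b"\xeb\x3c\x90"
    disk[100 * SECTOR:100 * SECTOR + 4] = b"DATA"
    return disk


def format_partition(disk: bytearray, mbr: dict) -> bytearray:
    """Mimic a high-level format: rewrite only the sectors that lie inside a partition."""
    for p in mbr["partitions"]:
        start = p["lba_start"] * SECTOR
        end = start + p["sectors"] * SECTOR
        disk[start:end] = bytes(end - start)
    return disk


def zero_write(disk: bytearray) -> bytearray:
    """Mimic a Killdisk-style zero-fill of the whole device, sector 0 included."""
    return bytearray(len(disk))


def boot_code_survives_format() -> bool:
    """Does the bootstrap area of sector 0 come through a partition format unchanged?"""
    disk = build_disk()
    before = parse_mbr(bytes(disk[:SECTOR]))
    format_partition(disk, before)
    after = parse_mbr(bytes(disk[:SECTOR]))
    return after["signature_ok"] and after["boot_code_sha256"] == before["boot_code_sha256"]


def boot_code_survives_zero_write() -> bool:
    """Same question after a full zero-write of the device."""
    after = parse_mbr(bytes(zero_write(build_disk())[:SECTOR]))
    return after["signature_ok"] or not after["boot_code_zeroed"]


if __name__ == "__main__":
    # On a real machine you would read sector 0 of the device instead, e.g.
    # open("/dev/sda", "rb").read(512) on Linux or \\.\PhysicalDrive0 on Windows.
    print(parse_mbr(bytes(build_disk()[:SECTOR])))
    print("boot code survives format:", boot_code_survives_format())
    print("boot code survives zero-write:", boot_code_survives_zero_write())
```

The practical check is to point parse_mbr at a sector read from the real device and compare boot_code_sha256 against a copy taken when the machine was known clean: a changed hash with an intact signature is what an MBR infection (or any other rewrite of the bootstrap area) looks like, while an all-zero sector with no signature confirms the zero-write actually reached sector 0.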
#9 (03-27-2004, 07:53 PM) Registered User, Join Date: Oct 2001, Location: Chicagoland IL, Posts: 1,539
Quote (originally posted by elmers): ...The Windows OS depends on what they call a boot sector to load the basic routines needed to load the OS. There have been a lot of viruses that exploit this part of the HD to boot before the OS. This was an issue with DOS. I've never heard of a boot sector virus that will run on Win95 and higher. If there were such a virus it would be very hard to code....

Elmers,
I just did a brief search of Symantec's library, using the search terms "boot virus" + "windows".
The search returned about 3600 items (many not relevant); I just looked at a few from the first 20 listed:

Quote:
Ravage (b)
Also Known As: Dodgy, Ravage
Type: Zoo Virus
Infection Length: 1,024 bytes
When infecting the hard drive, the virus attempts to bypass BIOS antivirus protection by modifying the CMOS and sending the letter "Y" to the keyboard buffer.
While in memory, if any program that has the file name RAV* is executed, there is a 1 in 256 chance the virus will display this message:
RAVage is wiping data! RP&muRphy
The virus then begins erasing sectors of the hard drive. If you are working in Windows when this happens, the action does not occur until you exit Windows. This payload routine is also triggered three months after infecting the disk.
In addition, the virus deletes the file System\Iosubsys\Hsflop.Pdr. This file should be replaced with a known clean, backup file.
Quote:
Eek (b)
This is an encrypted boot virus, capable of infecting the Master Boot Record and the Boot Sector of hard disks on target computers. It is not destructive.
Also Known As: WYX.b
Type: Virus
Infection Length: 5 Sectors
Systems Affected: Windows 3.x, Windows 95, Windows 98
Systems Not Affected: Microsoft IIS, Macintosh, UNIX, Linux
Quote:
W97M.Killboot
W97M.Killboot is a macro virus that infects the currently active document and the Microsoft Word Normal.dot template when an infected document is closed. So, once the Normal.dot is infected, clean documents will be infected when they are closed.
W97M.Killboot creates the file C:\Setver.exe, which the Symantec antivirus products detect as Trojan.Killboot. If Trojan.Killboot is run, it writes the viral code into the Master Boot Record (MBR); this code can overwrite the MBR on all the physical hard drives with zeroes. Symantec antivirus products detect the viral code in the MBR as Killboot.145 (b).
Type: Macro
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
I suppose we could quibble regarding the precise definition of a "boot sector virus" in at least one of these examples, but I'm sure with a few hours spent searching we could turn up many boot sector virii that attack Windows systems.
Maybe I'm being paranoid, but if I suspect a problem, it only adds one extra step to zero-write a drive before (re)partitioning and (re)formatting. PS Edit: I seem to recall a boot virus named "Junkie" that affected Win3.0/Win3.1, from some years back.
Last edited by jmichna; 03-27-2004 at 07:59 PM.
#10 (03-27-2004, 08:08 PM) Registered User, Join Date: Oct 2001, Location: Chicagoland IL, Posts: 1,539
From the Trend Micro site, on the Anticmos.A* boot sector virus. Quote:
Title: The OfficeScan client machine is infected with the Anticmos.A* boot sector virus, and OfficeScan is set to "Leave Alone." However, after manual scanning was completed, no virus was detected.
Problem: The default scan action for boot viruses will always be “Leave Alone” on the Windows NT client. For the Windows 95 client, it will do the clean action. The reason for this is that Windows NT Workstations can be installed either in a FAT or NTFS partition. If the file system happens to be NTFS, it would be very risky and difficult to clean the boot virus once the Windows NT Workstation is active, because it might destroy the information in the boot sector and may render the disk unusable.
Solution: There is, however, a way to clean this boot sector virus using Trend's Emergency Rescue Disk. Take note that the Emergency Rescue Disk cannot scan NTFS partitions. See the solution below if the primary boot partition (Drive C:) is NTFS.
Perform the following procedure to create the Emergency Rescue Disk and clean infected workstations:
1. Create the Emergency Rescue Disk (four diskettes) on a virus-free Windows 95/98 machine.
2. Using same computer, go to this URL: www.antivirus.com
3. Follow all instructions on the web page to create the disks, and use new diskettes in creating the Emergency Rescue Disk.
4. After creating the Emergency Rescue Disk, go to the Windows NT 4.0 Workstation that has the boot virus, and modify the CMOS setup to make the floppy drive (A:) the primary boot drive.
5. Power OFF that computer. Do not just reset or reboot, because some viruses may remain intact in the computer's memory.
6. Insert Disk 1 of the Emergency Rescue Disk in drive A: and power on the machine.
7. When prompted, insert Disk 2 and type the following at the command prompt:
pcscan /p
8. Insert Disk 3 when prompted and press Enter.
9. Insert Disk 4 when prompted and press Enter.
10. After scanning is completed, power off the machine again.
11. Insert Disk 1 of the Emergency Rescue Disk in drive A: and power on the machine.
12. When prompted, insert Disk 2 and type the following at the command prompt:
pcscan /a /v /c
13. Insert Disk 3 when prompted and press Enter.
14. Insert Disk 4 when prompted and press Enter.
15. After scanning is completed, power off the machine again.
16. Power on the machine again and let it boot from the hard drive.
If there is an infection on a Windows 2000 or NT machine and the C:\ drive was partitioned using either FAT16 or FAT32, use the Emergency Rescue Disk to clean that computer. However, if the C:\ or the primary boot drive is formatted using NTFS, the Emergency Rescue Disk will NOT be able to scan the boot sector, nor the files contained in that drive.
Note: The Emergency Clean Disks will not scan NTFS partitions.
To be able to clean the boot virus on a computer with Windows NT Workstation or Windows 2000 Professional installed on the primary boot partition C:\ with NTFS partition, do the following:
1. Select a Windows NT Workstation or Windows 2000 Professional machine that is free of virus infection.
Note: If the infected machine due for cleaning is a Windows 2000 Professional machine, only another Windows 2000 machine can read its file system when cleaning the virus.
2. Get the hard drive of the workstation that detected the boot virus and connect it to another clean Windows NT or Windows 2000 Professional workstation using the NTFS file system. Make the "infected" hard drive a slave and turn on that computer. Run the OfficeScan client and do a Manual scan of the slave drive. This will effectively clean the boot virus if found.