The following applies ONLY to the Ontrack dynamic boot overlay; it should
not be applied to drives using Micro House's EZ-Drive, as it will ruin the
latter's DDO.
Let's first see what's the problem with DM DDOs and MBR infectors. Let's
take B1 for example, as the same principles are involved for all other MBR
infectors as well. When B1 infects the hard drive, it first relocates the
existing MBR to sector 17, head 0, track 0 (in CHS notation it's 0,0,17)
and then overwrites the bootstrap program in the MBR with its own bootstrap
code. The latter's job is to pass control to the original MBR in sector
17, after the virus loaded itself to memory. On a normal hard drive,
without DDO, all will pass okay, but not on our poor EIDE.
The MBR-virus in sector 0,0,1 will start okay, then pass control to sector
0,0,17, where the original MBR now is. The latter will order to start
reading the overlay from sector 0,0,2 to sector 0,0,30! You guessed
alright that the overlay won't be able to function as one of its sectors
was overwritten. Depending on the virus and to where it relocates the
original MBR, you may either see the message saying that the DDO's
integrity was violated, or the computer may simply hang and wait forever,
unless you do something.
Many users will then turn to their Ontrack floppy and confidently run
DMCFIG. The program will then offer to overwrite the DDO, which is the
right thing to do. Then they will hit the reset button and ... nothing,
the computer still hangs and waits to eternity. Using an antivirus program
won't always help, in some instances it may simply mess with the converted
partition data, which is worse than the virus itself, in other cases it
may not recognize the minute patching in the bootstrap code.
The reason for this problem is that DMCFIG does indeed refresh the overlay,
but it doesn't touch the bootstrap code in the MBR. DM /M (disk manager in
manual mode) doesn't help either here. The virus bootstrap is stuck in the
MBR and directs the boot sequence right into the middle of the DDO, and
hangs.
The solution is simple. Just boot off a DOS floppy WITHOUT the Disk Manager
driver, as the MBR will be stealthed and you won't be able to refresh the
bootstrap program. You won't be able to see the hard drive yet. Now run
FDISK /MBR and reboot off the hard drive; it will come alive alright.
For those that have InVircible, freeware too, there is a simpler and safer
way. First, rewrite the DDO by running DMCFIG off a floppy. Then, run
ResQdisk off the floppy, and with SeeThru ON, press F1 then F4 and reboot.
Voila, it's done!
A last note to reassure the Fdisk'onoids. FDISK /MBR is effective in 99%
of MBR infection cases. More users get in trouble because of NOT using
this command than those that get hurt because they did. If in doubt, then
ask an expert, and if FDISK/MBR got you in trouble, then you would have got
into [trouble] anyway. ResQdisk can always get you out, and InVircible
will keep you from getting into. :-)
Regards, Zvi
--------------------------------------------------------------------
NetZ Computing Ltd, Israel Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile) Fax +972 3 532 5325
CompuServe: go INVIRCIBLE ftp.netzcomp.com www.invircible.com
E-mail: ne...@actcom.co.il ne...@netzcomp.com Compuserve: 76702,3423
--------------------------------------------------------------------
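The boot sequence the post above describes, as an added example that is not code from the post, from NetZ or from Ontrack: a toy sector map with the MBR in CHS 0,0,1, the overlay in 0,0,2..0,0,30 and the original MBR parked in 0,0,17, with the standard 446/64/2 byte layout of the MBR. The marker strings and the sample partition table are constructed stand-ins; only the sector numbers come from the post.

```python
# Toy model of the post's scenario (added example, not the post's own code).
# Sector numbers follow the post; MBR byte layout is the standard one:
# 446 code bytes, 64-byte partition table at offset 446, 0x55AA at 510.
SECTOR = 512
CODE_LEN, TABLE_OFF, SIG_OFF = 446, 446, 510
DDO_SECTORS = range(2, 31)        # overlay lives in 0,0,2 .. 0,0,30
RELOCATED_MBR = 17                # where the infector parks the original MBR

ORIGINAL_BOOT = b"ORIGINAL-DDO-LOADER"     # constructed stand-in for the DDO loader
VIRUS_STUB = b"VIRUS-STUB-JUMPS-TO-17"      # constructed stand-in for the infector's stub
GENERIC_BOOT = b"FDISK-GENERIC-CODE"        # constructed stand-in for what FDISK /MBR writes
# One active FAT16 entry plus three empty entries (constructed values).
TABLE = bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0xBF, 0x7F,
               63, 0, 0, 0, 0x40, 0x42, 0x0F, 0]) + bytes(48)

def make_mbr(code, table=TABLE):
    return code.ljust(CODE_LEN, b"\0")[:CODE_LEN] + table + b"\x55\xaa"

def bootstrap(sector):
    return sector[:CODE_LEN]

def partition_table(sector):
    return sector[TABLE_OFF:SIG_OFF]

def ddo_sector(n):
    return (b"DDO-BLOCK-%02d" % n).ljust(SECTOR, b"\0")

def fresh_disk():
    disk = {1: make_mbr(ORIGINAL_BOOT)}
    disk.update({n: ddo_sector(n) for n in DDO_SECTORS})
    return disk

def ddo_intact(disk):
    return all(disk[n] == ddo_sector(n) for n in DDO_SECTORS)

def infect(disk):
    """The post's description: copy the MBR to sector 17, swap in the stub, keep the table."""
    disk[RELOCATED_MBR] = disk[1]
    disk[1] = make_mbr(VIRUS_STUB, partition_table(disk[1]))
    return disk

def dmcfig_rewrite(disk):
    """DMCFIG refreshes the overlay sectors but never touches the MBR bootstrap."""
    disk.update({n: ddo_sector(n) for n in DDO_SECTORS})
    return disk

def fdisk_mbr(disk):
    """FDISK /MBR rewrites only the code portion; bytes 446..511 are copied through."""
    disk[1] = make_mbr(GENERIC_BOOT, partition_table(disk[1]))
    return disk

def boot_state(disk):
    """Follow the boot chain the post describes and classify where it ends up."""
    mbr = disk[1]
    if bootstrap(mbr).startswith(VIRUS_STUB):
        mbr = disk[RELOCATED_MBR]          # the stub hands control to sector 17
        if mbr[SIG_OFF:] != b"\x55\xaa" or not bootstrap(mbr).startswith(ORIGINAL_BOOT):
            return "hang: virus stub jumps into overlay data"
    if bootstrap(mbr).startswith(ORIGINAL_BOOT):
        return "boots via DDO" if ddo_intact(disk) else "DDO integrity violated"
    if bootstrap(mbr).startswith(GENERIC_BOOT):
        return "boots with generic MBR code"
    return "unknown bootstrap"

if __name__ == "__main__":
    disk = fresh_disk()
    for step in (None, infect, dmcfig_rewrite, fdisk_mbr):
        if step:
            step(disk)
        print(f"{step.__name__ if step else 'fresh':15} -> {boot_state(disk)}")
```

Running it walks through the four states the post lists: working overlay, "integrity violated" after infection, a hang after DMCFIG alone, and a bootable MBR with the partition table untouched after FDISK /MBR.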
>A last note to reassure the Fdisk'onoids. FDISK /MBR is effective in 99%
>of MBR infection cases. More users get in trouble because of NOT using
>this command than those that get hurt because they did. If in doubt, then
>ask an expert, and if FDISK/MBR got you in trouble, then you would have got
>into [trouble] anyway. ResQdisk can always get you out, and InVircible
>will keep you from getting into. :-)
Pardon my French, but that is BULLSHIT.
Fdisk is NOT effective in 99% of MBR infections. It will not work with
Monkey, it will not work with One_Half, and it will not work with B1/NYB.
This is only a partial list, but already it's about 10% of MBR
infections. It is NEVER necessary to use an obscure DOS utility that
knows nothing about viruses to remove a virus. Anti-virus products know
about viruses, know exactly what they do, and know exactly how to clean
that particular virus.
Zvi is totally wrong in saying that "if Fdisk/mumble got you in trouble,
then you would have got into trouble anyway". The fact is that Fdisk will
make virus problems a LOT worse in a LOT of cases. Good anti-virus
software is available free for individuals, and it's a hell of a lot
safer than using Fdisk.
Zvi, please stop recommending this unsafe method of virus removal. You
know it's unsafe, and I know it's unsafe. I'm assuming that the only
reason you're recommending it is because you have some inane need to
prove others wrong. Fdisk is NOT safe, and anybody with even just a
little experience in the virus field will tell you so.
Also, I question Zvi's statement that ResQdisk can always fix disk
problems. It would seem very convenient for him to recommend that
product, since he sells it. Whether his claims are true or not remains to
be seen, but based on his previous claims, I would think that these
claims are false.
Zvi Netiv has made numerous claims about his products in the past, and a
large number of those claims have been proven false. In my opinion, his
claims should be treated with extreme scrutiny, as should his
recommendations for data recovery.
Regards,
George Wenzel
I've already responded to this post once, but I figure it'd be a good
idea to post a few more things.
>A last note to reassure the Fdisk'onoids. FDISK /MBR is effective in 99%
>of MBR infection cases. More users get in trouble because of NOT using
>this command than those that get hurt because they did.
Fdisk is well-known to anti-virus professionals NOT to be a safe method
for virus removal. Free anti-virus measures can remove boot sector
viruses, and they're much safer than using a DOS utility that knows
nothing about viruses.
>If in doubt, then
>ask an expert, and if FDISK/MBR got you in trouble, then you would have got
>into [trouble] anyway. ResQdisk can always get you out, and InVircible
>will keep you from getting into. :-)
I find it very concerning when a vendor of a data recovery product
suggests a dangerous method of virus removal, and then says that his
product will fix the problems that his bad advice causes.
I believe that the only reason that Zvi is suggesting Fdisk is not that
he believes it is safe, but because he could increase his profits through
the sale of his product if more people damage their own data using his
faulty advice.
I would suggest that anybody taking advice in this forum treat it with
caution until at least a few experts have agreed that a particular course
of action is the safest course of action.
Any true expert in the anti-virus and data recovery fields would only
recommend Fdisk if s/he knew it was safe for the case it was being
recommended for, and even so that advice would come with stern warnings
and cautions that using it can make problems much worse.
I see no such warnings or cautions in Zvi's post.
Regards,
George Wenzel
--
|\ zz _,,,--,,_ ,) George Wenzel
/,`.-'`' -, ;-;;' <gwe...@gpu.srv.ualberta.ca>
|,4- ) )-,_ ) /\ U of A Karate Club Homepage:
<---''(_/--' (_/-' http://www.ualberta.ca/~gwenzel/
> Fdisk is NOT effective in 99% of MBR infections. It will not work with
> Monkey, it will not work with One_Half, and it will not work with B1/NYB.
If you stayed away from the details then you wouldn't have disclosed your
ignorance. FDISK /MBR works a charm against B1-NYB as well as the MBR
portion of One_Half. Yet it doesn't cure files infected by One_Half, nor
does it decrypt the already encrypted cylinders.
In issues #98 and #101 of Virus-L, I explained a simple precaution to use
when you wish to run FDISK /MBR. Run it from the DOS directory (or from
the Win95 command's) on drive C, in real mode, and you may even try it in
Monkey's case. I'll leave it as an exercise to you figuring out the last
statement. :-)
> This is only a partial list, but already it's about 10% of MBR
> infections. It is NEVER necessary to use an obscure DOS utility that
> knows nothing about viruses to remove a virus.
I thought they had more stringent requirements on statistics at the
University of Alberta. :)
FDISK /MBR isn't obscure at all, it just isn't documented in the MS-DOS
manual, like a few other switches, only in DR-DOS - see below. Here follow a
couple of switches that aren't documented in MS-DOS either: FDISK /STATUS,
and FORMAT /AUTOTEST. Yet they exist and have their use. You can try the
/status switch, it won't bite. Be careful with format /autotest, it will
start formatting right away without further prompting, it's useful in a
looped batch, when you need to format a large number of floppies.
Here is what the Virus-L FAQ, section C3, says about FDISK /MBR:
4. Replace the program (code) part of the MBR by using the MS-,
or PC-DOS FDISK /MBR command. If you use DR DOS 6.0, or
later, select the FDISK menu option "Re-write Master Boot
Record".
Get this, Mr. Wenzel: If something exists then there is a purpose to it.
> Anti-virus products know about viruses, know exactly what they do,
> and know exactly how to clean that particular virus.
You posted that nonsense before, twice already, claiming that antivirus
programs could clean a virus from an inaccessible hard drive. The last
time was when you answered a post that turned out to be about Hare Krsna. FYI,
your favorite antivirus programs are still unable to recover the MBR of a
Hare infected hard drive. InVircible can, of course. <g>
Antivirus products don't know anything as they have no brains. Their
producers know most of the time what they do, yet they don't always know
how to clean a particular virus. Hare's MBR portion, for example, or boot
infectors from DDO. They also often cause more damage than the virus they
are supposed to remove.
In issue #101 I have shown that antivirus products actually USE the FDISK
/MBR method, like in F-PROT for example, when handling a loop MBR
infection - to mention one. The latter doesn't even tell the user that it
did, nor asks for permission.
> The fact is that Fdisk will make virus problems a LOT worse in a LOT
> of cases. [ ... ]
>
> Zvi, please stop recommending this unsafe method of virus removal. You
> know it's unsafe, and I know it's unsafe. I'm assuming that the only
> reason you're recommending it is because you have some inane need to
> prove others wrong. Fdisk is NOT safe, and anybody with even just a
> little experience in the virus field will tell you so.
Just how little experience do you have in the virus field? It would be
fair if you could backup the many false claims and innuendo that you make
with a brief resume of your qualifications and achievements in virus or
related fields.
> Also, I question Zvi's statement that ResQdisk can always fix disk
> problems. It would seem very convenient for him to recommend that
> product, since he sells it. Whether his claims are true or not remain to
> be seen, but based on his previous claims, I would think that these
> claims are false.
InVircible and ResQdisk are available as freeware and perform quite
outstandingly even in their non-licensed state. Clearly, you didn't test
ResQdisk and you don't seem to have even a basic understanding of hard
disks and recovery methods. Not that you have shown great knowledge about
viruses and how to handle them, either.
> Zvi Netiv has made numerous claims about his products in the past, and a
> large number of those claims have been proven false. In my opinion, his
> claims should be treated with extreme scrutiny, as should his
> recommendations for data recovery.
Use innuendo when you haven't anything to support your case. You haven't
proven anything of your claims, only displayed dogmatism and ignorance in
virus and recovery matters.
May I recommend that you improve your knowledge before offering more
unprofessional advice on public forums. Users could be misled by your
presumptuous advice and inflict themselves real damage.
Regards, Zvi
--------------------------------------------------------------------
NetZ Computing Ltd. Israel Producer of InVircible & ResQdisk/ResQdata
> You posted that nonsense before, twice already, claiming that antivirus
> In issue #101 I have shown that antivirus products actually USE the FDISK
> /MBR method, like in F-PROT for example, when handling a loop MBR
> infection - to mention one. The latter doesn't even tell the user that it
> did, nor asks for permission.
Nor need it do so. F-Prot can tell which virus is involved, and
therefore knows whether simply replacing the code portion of the
MBR will disinfect that virus or make things worse. FDISK knows
nothing about viruses and just goes ahead and does the
replacement whether it will effect a cure or make the disk
unreadable.
> > Fdisk is NOT safe, and anybody with even just a
> > little experience in the virus field will tell you so.
>
> Just how little experience do you have in the virus field? It would be
> fair if you could backup the many false claims and innuendo that you make
> with a brief resume of your qualifications and achievements in virus or
> related fields.
Wenzel is right, and you are wrong.
> May I recommend that you improve your knowledge before offering more
> unprofessional advice on public forums. Users could be misled by your
> presumptuous advice and inflict themselves real damage.
I understood that you trained in psychology, not computing, and
your main claim to fame seems to be that everyone else in the
field disagrees with almost everything you say, and that you
have made personal attacks on almost all of them. I don't think
you have any room at all to sneer at the professionalism of
others.
--
ON A HIGHWAY AD NOW GLAD HE
HE SPIED IT TRIED IT
BOUGHT A JAR Burma-Shave
>> Fdisk is NOT effective in 99% of MBR infections. It will not work with
>> Monkey, it will not work with One_Half, and it will not work with B1/NYB.
>
>If you stayed away from the details then you wouldn't have disclosed your
>ignorance. FDISK /MBR works a charm against B1-NYB as well as the MBR
>portion of One_Half. Yet it doesn't cure files infected by One_Half, nor
>does it decrypt the already encrypted cylinders.
So what you're saying is that it doesn't work to remove the viruses I
listed. If the partition table is corrupted, Fdisk does nothing to fix
it, and it can make problems worse. It is your advice that is ignorant,
Zvi - not mine.
>In issues #98 and #101 of Virus-L, I explained a simple precaution to use
>when you wish to run FDISK /MBR. Run it from the DOS directory (or from
>the Win95 command's) on drive C, in real mode, and you may even try it in
>Monkey's case. I'll leave it as an exercise to you figuring out the last
>statement. :-)
It really makes no difference where you run Fdisk from. As a rule, if
you run it after clean booting, and can still access the hard drive using
a dir, it *should* be alright. Problem is, there are still cases where
that precaution won't work. My point is, what is the use of using Fdisk
to remove a virus when there is free anti-virus software that will safely
do the job?
By suggesting using Fdisk to remove a Monkey infection, you are indeed
showing total ignorance to your customers' problems. It's quite often
that I hear about people who have tried what you suggest, and they cannot
access their drive. Using a simple anti-virus program (i.e. killmonk)
can remove Monkey safely. Fdisk cannot.
>> This is only a partial list, but already it's about 10% of MBR
>> infections. It is NEVER necessary to use an obscure DOS utility that
>> knows nothing about viruses to remove a virus.
>
>I thought they had more stringent requirements on statistics at the
>University of Alberta. :)
I'm judging based on what I've seen of various virus prevalence tables,
and the regularity of hearing about certain viruses in alt.comp.virus.
Fdisk does not work in 99% of MBR infections, as you claimed. It will
work in certain circumstances with certain viruses, but to figure out if
it's safe, one must use an anti-virus program. If you have an anti-virus
program, why not use THAT to remove the virus?
>FDISK /MBR isn't obscure at all, it just isn't documented in the MS-DOS
>manual, like a few other switches, only in DR-DOS - see below.
Yes, it is indeed undocumented. It's not obscure because people like you
suggest it in anti-virus measures.
>Here follow a
>couple of switches that aren't documented in MS-DOS either: FDISK /STATUS,
>and FORMAT /AUTOTEST. Yet they exist and have their use. You can try the
>/status switch, it won't bite. Be careful with format /autotest, it will
>start formatting right away without further prompting, it's useful in a
>looped batch, when you need to format a large number of floppies.
Yes, that is the purpose of those switches. The purpose of Fdisk's /mbr
switch is to overwrite the executable portion of the MBR (i.e. not the
partition table) with generic code contained within the program itself.
Its purpose is NOT to remove viruses.
>Here is what the Virus-L FAQ, section C3, says about FDISK /MBR:
>
>4. Replace the program (code) part of the MBR by using the MS-,
> or PC-DOS FDISK /MBR command. If you use DR DOS 6.0, or
> later, select the FDISK menu option "Re-write Master Boot
> Record".
If you'd read more of that section, you'd see the cautions that are
placed there regarding the /mbr switch. I would hope that Nick will be
updating the FAQ in version 2.01, to remove that section. There are too
many cases where Fdisk isn't safe, to make it a method that should be
publicly recommended.
>Get this, Mr. Wenzel: If something exists then there is a purpose to it.
And Fdisk's purpose is to partition drives. It's not an anti-virus
product. It knows nothing of viruses.
>> Anti-virus products know about viruses, know exactly what they do,
>> and know exactly how to clean that particular virus.
>
>You posted that nonsense before, twice already, claiming that antivirus
>programs could clean a virus from an inaccessible hard drive.
I think you're somewhat confused, Mr. Netiv. A hard drive infected with
Monkey (for example) will not be visible after a clean boot, when the
virus is not in memory. Just because the hard drive cannot be accessed
by DOS, doesn't mean it can't be accessed by an anti-virus program. AV
programs know about this little trick, so they use BIOS calls to access
the hard drive, and remove the virus.
>The last
>time was when you answered a post that turned out to be about Hare Krsna. FYI,
>your favorite antivirus programs are still unable to recover the MBR of a
>Hare infected hard drive. InVircible can, of course. <g>
I take it you're referring to Dr. Solomon's Anti-virus Toolkit, and your
claim that it can't recover an MBR infected with Hare. This is nonsense.
The evaluation version of FindVirus cannot recover from that particular
problem, but the Cleanpar utility (included with the full Toolkit) can do
so with no problems. Command Software's F-Hare can do the same.
>Antivirus products don't know anything as they have no brains. Their
>producers know most of the time what they do, yet they don't always know
>how to clean a particular virus.
As a rule, anti-virus products cannot clean viruses that they don't know
about. If removal hasn't been programmed into their database for a
particular virus, then they can't remove it. That's why they update
their programs to deal with new viruses.
>Hare's MBR portion, for example, or boot
>infectors from DDO. They also often cause more damage than the virus they
>are supposed to remove.
Can you provide details here? You're making accusations about products,
but you don't state the exact circumstances of the damage.
Hare's MBR portion can easily be cleaned with anti-virus utilities, as
can a drive that uses DDO, infected with a BSV.
>In issue #101 I have shown that antivirus products actually USE the FDISK
>/MBR method, like in F-PROT for example, when handling a loop MBR
>infection - to mention one. The latter doesn't even tell the user that it
>did, nor asks for permission.
I question this statement... I believe that F-prot DOES tell the user
exactly what it's going to do, says specifically that it's the equivalent
of running Fdisk/mbr, and asks permission. We'll have to let Frisk
confirm this.
>> The fact is that Fdisk will make virus problems a LOT worse in a LOT
>> of cases. [ ... ]
>>
>> Zvi, please stop recommending this unsafe method of virus removal. You
>> know it's unsafe, and I know it's unsafe. I'm assuming that the only
>> reason you're recommending it is because you have some inane need to
>> prove others wrong. Fdisk is NOT safe, and anybody with even just a
>> little experience in the virus field will tell you so.
>
>Just how little experience do you have in the virus field? It would be
>fair if you could backup the many false claims and innuendo that you make
>with a brief resume of your qualifications and achievements in virus or
>related fields.
Why don't you counter my above statements, Zvi, rather than trying to
attack my credibility? If you can't counter my statements with facts, it
is your credibility that people will be questioning.
>> Also, I question Zvi's statement that ResQdisk can always fix disk
>> problems. It would seem very convenient for him to recommend that
>> product, since he sells it. Whether his claims are true or not remain to
>> be seen, but based on his previous claims, I would think that these
>> claims are false.
>
>InVircible and ResQdisk are available as freeware and perform quite
>outstandingly even in their non-licensed state.
I would expect such a statement from the author of both of those
programs. Independent evaluations of those products haven't exactly
shown the same praise.
>Clearly, you didn't test
>ResQdisk and you don't seem to have even a basic understanding of hard
>disks and recovery methods.
I know what I've used to clean viruses, and I know what's safe and what's
not. I may have not tested ResQdisk, but I have tested IVX (InVircible's
Macro detection tool), only to find that it was a substandard program.
Rather than accept my evaluation and try to fix the problems, you accused
me of being biased, and the test of being flawed. The fact was, the test
was easily reproduced, and others verified my results.
>Not that you have shown great knowledge about
>viruses and how to handle them, either.
More accusations against my integrity. Why don't you just counter my
arguments, instead of trying to attack my credibility?
>> Zvi Netiv has made numerous claims about his products in the past, and a
>> large number of those claims have been proven false. In my opinion, his
>> claims should be treated with extreme scrutiny, as should his
>> recommendations for data recovery.
>
>Use innuendo when you haven't anything to support your case.
I have plenty to support my case. You made claims about IVX that I
proved false. You've claimed that InVircible never needs updates, yet it
is already past version 6.11. The reason I didn't state all of your
claims that have been proven false, is because I was attempting to have a
mature debate with you. It seems you're not capable of that.
>You haven't
>proven anything of your claims, only displayed dogmatism and ignorance in
>virus and recovery matters.
More attacks on my character. I'll let the readers of this forum judge
whether or not I've proven anything in my claims. They can also judge
whose advice is the safest to use.
>May I recommend that you improve your knowledge before offering more
>unprofessional advice on public forums. Users could be misled by your
>presumptuous advice and inflict themselves real damage.
Odd... I can't think of better advice that I'd give you, Zvi. Users
could be misled by your presumptuous advice, and inflict themselves real
damage (i.e. using your suggestion of removing Monkey with Fdisk).
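Wenzel's description of what the /MBR switch actually does (new code in the first 446 bytes, the partition table copied through untouched) and his point that FDISK does nothing for a partition table that is no longer sane, as an added example that is not code from anyone in this thread: a parser for the four 16-byte partition entries, a sanity check over them, and the two cases side by side. The generic-code marker, the stub marker and both sample tables are constructed.

```python
# Added example (not from the thread): partition-table sanity check as a
# precondition for rewriting the MBR code portion. Standard MBR layout only.
import struct

MBR_LEN, TABLE_OFF, ENTRY_LEN, SIG_OFF = 512, 446, 16, 510
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
FIELDS = ("status", "chs_start", "type", "chs_end", "lba", "sectors")

def parse_table(mbr):
    """Decode the four partition entries at offsets 446..509."""
    return [dict(zip(FIELDS, struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFF + i * ENTRY_LEN)))
            for i in range(4)]

def table_problems(mbr):
    """Reasons the partition table cannot be trusted; an empty list means it looks sane."""
    if len(mbr) != MBR_LEN:
        return ["MBR is not 512 bytes"]
    problems = []
    if mbr[SIG_OFF:] != b"\x55\xaa":
        problems.append("missing 0x55AA signature")
    entries = parse_table(mbr)
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        problems.append("boot indicator other than 0x00/0x80")
    if sum(e["status"] == 0x80 for e in entries) != 1:
        problems.append("not exactly one active partition")
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    if any(e["lba"] == 0 or e["sectors"] == 0 for e in used):
        problems.append("partition with zero start or zero length")
    spans = sorted((e["lba"], e["lba"] + e["sectors"]) for e in used)
    if any(b0 < a1 for (a0, a1), (b0, b1) in zip(spans, spans[1:])):
        problems.append("overlapping partitions")
    return problems

def fdisk_mbr(mbr, generic_code):
    """What /MBR does: fresh code in bytes 0..445, bytes 446..511 copied unchanged."""
    return generic_code.ljust(TABLE_OFF, b"\0")[:TABLE_OFF] + mbr[TABLE_OFF:]

def safe_to_rewrite_code(mbr):
    """Wenzel's rule of thumb made explicit: only when the table already makes sense."""
    return not table_problems(mbr)

# --- constructed samples -------------------------------------------------
GENERIC = b"GENERIC-MBR-CODE"     # stand-in for the code FDISK carries
STUB = b"INFECTOR-STUB"           # stand-in for an infector's bootstrap
SIG = b"\x55\xaa"
GOOD_TABLE = (struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xbf\x7f", 63, 1_000_000)
              + struct.pack(ENTRY_FMT, 0x00, b"\x00\x01\x80", 0x05, b"\xfe\xbf\xff", 1_000_063, 500_000)
              + bytes(32))
# Case A: the bootstrap was replaced but the real table was left at offset 446
# (the situation the first post in this thread describes).
TABLE_LEFT_IN_PLACE = STUB.ljust(TABLE_OFF, b"\0") + GOOD_TABLE + SIG
# Case B: the real table is no longer at offset 446 (the "drive invisible after a
# clean boot" situation); modelled, as an assumption, as the table field holding
# more of the infector's own bytes rather than partition entries.
TABLE_NOT_IN_PLACE = STUB.ljust(TABLE_OFF, b"\0") + bytes([0xEA, 0x5B]) * 32 + SIG

def outcome(mbr):
    """Table problems before and after an FDISK /MBR-style rewrite of the code portion."""
    return table_problems(mbr), table_problems(fdisk_mbr(mbr, GENERIC))

if __name__ == "__main__":
    for name, mbr in (("table left in place", TABLE_LEFT_IN_PLACE),
                      ("table not in place", TABLE_NOT_IN_PLACE)):
        before, after = outcome(mbr)
        print(f"{name}: before={before} after={after}")
```

In case A the rewrite leaves a clean MBR with the same table; in case B the same problems are reported before and after, because /MBR never looks at bytes 446..509.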
>George Wenzel <gwe...@gpu.srv.ualberta.ca> wrote:
>
>> Fdisk is NOT effective in 99% of MBR infections. It will not work with
>> Monkey, it will not work with One_Half, and it will not work with B1/NYB.
>
>If you stayed away from the details then you wouldn't have disclosed your
>ignorance. FDISK /MBR works a charm against B1-NYB as well as the MBR
>portion of One_Half. Yet it doesn't cure files infected by One_Half, nor
>does it decrypt the already encrypted cylinders.
This looks as if you are claiming that despite losing the data
that is encrypted, "fdisk /mbr" "works a charm". <understatement>I
don't think that anyone who loses data in this way is too likely to
agree with you.</understatement>
[snip]
>> Zvi Netiv has made numerous claims about his products in the past, and a
>> large number of those claims have been proven false. In my opinion, his
>> claims should be treated with extreme scrutiny, as should his
>> recommendations for data recovery.
>
>Use innuendo when you haven't anything to support your case. You haven't
You have used this tactic, yes.
>proven anything of your claims, only displayed dogmatism and ignorance in
>virus and recovery matters.
Very well. I will be explicit. Where is your reply to
Bontchev's paper? You have been publicly asked many, many times by
many people.
>May I recommend that you improve your knowledge before offering more
>unprofessional advice on public forums. Users could be misled by your
>presumptuous advice and inflict themselves real damage.
That would seem to apply to you far more than to George.
Sincerely,
Gene Wirchenko
C Pronunciation Guide:
y=x++; "wye equals ex plus plus semicolon"
x=x++; "ex equals ex doublecross semicolon"