On 30 Mar 2003 Omar Herrera <oherreraat_private> wrote:

> Also, a clean shutdown might be required by a backdoor or a virus; I
> remember an old virus (boot-437 I think) that would encode the file
> system's table on disk so that restoring the boot sector/MBR with fdisk
> would wipe the virus along with the decoding routine, rendering the hard
> disk useless.

Not Boot-437. You're probably thinking of One-Half, though one could decrypt that with freeware utilities even after FDISKing the MBR.

Also, the Stoned.Empire.Monkey family appeared to have a similar loss of data, because it (a) didn't preserve the data in the partition table and (b) "encrypted" the copy of the MBR. This was trivial to undo, though, if you know what you're doing.

In either of these cases, the encryption was done whether or not there was a clean shutdown. So while I agree that in theory this might be a problem, I don't recall a case where it actually *WAS*, for malware. The case of encryption software installed on purpose is a different issue, of course.

-BPB
University of Michigan...
AntiVirus Team Leader <http://www.umich.edu/~virus-busters/>
Data Recovery Team Leader <http://www.umich.edu/~wwwitd/data-recovery/>
PGP 2.6.2 key fingerprint: 0D A5 98 3C 91 DA E0 DD 9C 6D FA 8F 4D 34 95 ED

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Apr 01 2003 - 19:32:31 PST