January 16th, 2003, 12:14 AM, post #10
dragonb
ok, getting the HD back tonight...

It does display the CMOS thing. I had my bro read me what was in fdisk (from a boot floppy) and there were 3 partitions, 1 Novell, 2 non-DOS. (It was a 98 machine.)
It only had 1 partition before the virus.
Virus info follows from Symantec's site.

Question: Is all the data irreversibly gone? Are there any programs that could recover from this? Anything not expensive that would help?
thanks,
dragonb


From Symantec's site:

Under Windows 95/98/Me, the system reboot will activate the code of the compromised MBR, which performs the following actions:
It disables the keyboard input.
It reads the Seconds field from CMOS and uses that value as a key to fill a table with 63 pseudo-random numbers.
It then uses this particular table to address in CHS-format the sector locations, which are overwritten with the pseudo-random table itself.
Such data destruction is repeated for every partition of every physical drive. This results in an enormous amount of data loss. A particular sector of the physical drives is then marked to identify that the payload was performed on it.
Then, the code displays this message:

NOTICE:

Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!

Your unauthorized license has been revoked.

For more information, please call us at:

1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information
on our website, at:

www.bsa.org

Business Software Alliance
Promoting a safe & legal online world.
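A triage check for the kind of fdisk output described in the post (partitions of unfamiliar types appearing on a disk that had one), as an added example that is not part of the original post or of Symantec's write-up. It parses the four partition-table entries in a 512-byte MBR sector and flags implausible ones; the sample sectors, the disk size and the set of "expected" type bytes for a Windows 98 disk are constructed assumptions, and a sane table says nothing about whether the data sectors themselves were overwritten.

```python
import struct

SECTOR = 512
# Assumption: type bytes expected on a Windows 98 disk (FAT12/16/32, extended).
EXPECTED_TYPES = {0x01, 0x04, 0x05, 0x06, 0x0B, 0x0C, 0x0E, 0x0F}

def parse_mbr(sector, disk_sectors):
    """Return (signature_ok, entries) for a 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = sector[510:512] == b"\x55\xaa"
    entries = []
    for slot in range(4):
        # Entry layout: boot flag, CHS start (3), type, CHS end (3), LBA start, sector count.
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * slot)
        if ptype == 0 and count == 0:
            continue  # unused slot
        problems = []
        if boot not in (0x00, 0x80):
            problems.append("bad boot flag 0x%02x" % boot)
        if ptype not in EXPECTED_TYPES:
            problems.append("unexpected type 0x%02x" % ptype)
        if lba == 0 or lba + count > disk_sectors:
            problems.append("extent outside disk")
        entries.append({"slot": slot, "type": ptype, "lba": lba,
                        "sectors": count, "problems": problems})
    return signature_ok, entries

def build_sample(table):
    """Constructed sector for the demo: empty boot code plus the given table."""
    sector = bytearray(SECTOR)
    for slot, fields in enumerate(table):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * slot, *fields)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

DISK_SECTORS = 1000000  # constructed disk size
# Constructed: one FAT32 partition, as a single-partition Windows 98 disk would have.
CLEAN = build_sample([(0x80, 0x0B, 63, DISK_SECTORS - 63)])
# Constructed: three entries with non-FAT types (0x65 is Novell NetWare) and wild extents.
DAMAGED = build_sample([(0x37, 0x65, 0x9A3F11C2, 0x7D0012EE),
                        (0x00, 0x9D, 0x11223344, 0x55667788),
                        (0x80, 0xE3, 500, 2000)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN), ("damaged", DAMAGED)):
        ok, entries = parse_mbr(sector, DISK_SECTORS)
        print(name, "signature ok:", ok)
        for e in entries:
            print("  slot %(slot)d type 0x%(type)02x lba %(lba)d" % e, e["problems"] or "ok")
```

On a real drive, run this against the first 512 bytes of a sector-level image rather than the disk itself, so that nothing further is written to it before recovery is attempted.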