Posted 26 February 2011 - 01:57 PM
Following on from my comments above, firstly on censorship. I started entering
my comments to Elise25 and MrBruce1959 within 12 hours of their posting.
As I neared the end of what I was writing, the page was closed. So I started
again from memory of what I had just written. The machine I was using lost
connection with the internet and several attempts to re-connect failed.
I followed this with a re-boot to find I was now infected with a virus and I
quickly shut down the machine. I used what software I had off-line to look at
the hard drive which I had zeroised prior to its install into my father's
I am used to finding several BAD SECTORS when I get infected, and the kind that
makes HDDErase fail on a Security Clean. They seem to have a security level much
higher than maximum, and can't be accessed. They weren't there before.
It was then I noticed that the Smartdrive had warnings and looked at the data
recorded for Smartdrive analysis. I remembered when I wiped it before using it,
that it had run for some 23912 hours, approximately 3 years. There were some
errors in the totals, but nothing large or critical.
But upon this inspection it seemed that my drive had become critical in the
Reallocated Sector Count (100)
Reallocation Event Count (87)
Off-line Uncorrectable Sector Count (87)
Ultra DMA CRC Error Rate (100)
Soft Read Error Rate (100)
And most importantly it had now run for 2,846,062 hours (328 years
approximately), which isn't bad for a drive built in Nov 2003!
This is from an attack across the web, and an easy way of destroying someone's
hard drive! It's sneaky, since there was nothing damaged in the drive, but the
failure of the drive will happen some time later and not at the time of the
Rather than put yet another Hard drive into the pile of failed hard drives, I
am now looking for software that can
___________________reset the Smartdrive recorded data.
At this point I don't have an operating machine out of three.
When I went to use a public computer (paying a few of the endless collection of
bills) I thought I would enter my comments to Elise25 and MrBruce1959. I got the
first one to Elise25 done and was answering MrBruce1959 when the system told me
to stop what I was doing (can't remember the exact words). The page froze but
otherwise everything was working so I opened another TAB and quickly typed in my
first reply to MrBruce1959 (short version).
My father's machine now has an altered BIOS as well as the Hard Drive
infection and some of the things I have run warn me of a "dummy BIOS"
I don't know yet whether I have a beacon installed to alert whoever it is, to
where I am, or they are simply tracking my IP when I go on the web. Or maybe
they pick me up when I try to add comment at www.bleepingcomputer.com.
The above notes were from two days ago and should have appeared before my
first note to MrBruce1959.
Since the notes (immediately above) I have made two more attempts to update the
Intel BIOS while I was off-line. While neither attempt eliminated "InitDiskno",
I noticed that the machine was finally recognising the Hard Drive and the CD
reader, which would allow me to install.
Install I did, and without a problem.
I ran the machine for a couple of hours to see if there was anything to indicate
that I was infected again. Nothing happened except what I expected to happen. I
even played 17 games of Freecell, before I dared to go on the web. I even had
made a list of the things I needed to download before I went on the web.
I downloaded Internet Explorer 8, InfraRecorder, Outpost Security Suite Free 7.1
(the best I could find, but it doesn't detect the virus either, just its actions)
and just started to download Ubuntu (which can run off a CD).
As I clicked the Ubuntu screen to download an ISO, I received a message that the
page (that I was actually viewing at the time) was not available, and Internet
Explorer 6 then proceeded to wipe the page I was looking at and put up the
traditional 403 page (web site not found/available).
End of my day again.
Studying the hard drive afterwards, I found no "Magic Bad Sectors" (yet), but the
data table for Smartdrive had 100 against every table entry except:
Spin-up Time (142)
Power-on Hours Count (99) for 9,258 hours (About right?)
HDA Temperature (127) for 109 degrees F
Ultra DMA CRC Error Rate (200)
Eight hard drives stuffed for this bleep to have his fun!!
_________Again need some means to reset or alter the Smartdrive data to realism.
Summary of Symptoms
Before the attack, no BIOS infection, then things work fine.
1. The first thing to notice that you have an infection, even if it is only the
BIOS, is that the mouse will jump around the screen. (Hence playing a mouse
dependent game like Freecell is a good test, even offline). More prevalent as
the infection grows.
2. It likes to replace audio drivers in memory (especially if it's a C-Media).
Hence no sound. I think it may also try the boot CMOS in LAN card and USB Host
3. I was originally concerned that the modem I used was infected, being a Huawei
3G USB Modem (it attaches to the machine as a USB CD-ROM). But the attack on
the public computer, leads me to doubt that, though they could be using all 4
methods proposed so far.
4. Now that I realise that these attacks are external, I must say that the "InitDiskno"
appearance must have been more defence against a BIOS attack rather than part of
the virus. Unless of course, if it is acting as the beacon.
5. It takes a couple of boots after the attack to bring the infection up to full
strength as an internal infection(s).
6. I have not found a virus scanner that will detect the virus. Ad-aware v8.3
used to stop several attacks from the same source and list the IP. Unfortunately
I didn't write it down. The newer version 9 does not.
7. For virus scanning, Agnitum's Outpost Security Suite Free 7.1 is the best that
I have found. Like all the others it does not find the infection, but it does
detect some of its action in modifying executables from modules in memory.
8. The virus is very good at taking down Microsoft's Firewall. Note that Agnitum's
comes with a good firewall of its own.
9. Normal downloads fail if they are large (124MB for Ad-Aware always fails). If
you are installing multiple machines (my 3 soon I hope) and want SP3 for XP
update as one file (324MB), it fails.
10. Downloading by uTorrent succeeds quite well for a while; I suppose the sheer
volume of data transfer makes it hard for an attack. I have had it go as long
as two hours before an attack got through.
11. If a torrent file exists for your desired file (for Ubuntu it does), use it in
preference to a direct download. You can usually get it down. If it is an ISO
file, you will seldom get a good burn when you are infected (see more below).
12. The virus will infect or blank BIOSes. If the BIOS is not a plug-in, goodbye
13. When making normal changes to your BIOS (after entering setup by using the
DEL key or F1 or F2 or ALT-CTRL-ESC) the virus will sometimes hang the
14. After making changes to your BIOS to change the boot order of floppies, CDs,
hard drives, LAN cards, the virus can either change your settings so that it
boots first, or from the moment of your hard drive being sensed by the machine,
take over your machine and boot first, regardless of your settings. This
means that it also infects the MBR (Master Boot Record) of a hard drive.
15. If you try and save your data, you will find that you have an incredible
amount of faulty floppy diskettes. Just from switching to a clean machine I
only threw out 7 of the 40 diskettes deemed faulty by the infected machine.
16. If you try to burn a data CD/DVD to save your data, it also seldom works.
(e.g. your hard drive runs out of disk space, or file is corrupt, or this
directory does not meet Windows naming standards, this directory has seven
parent directories, etc.)
17. If you try to burn video DVDs (even your own legal stuff) there are corrupt
spots that stop the video player and even hang the video player. (I was
transferring VHS tapes of my parents before their death. Gone is the machine,
the converted & edited AVIs and the DVDs are stuffed. Now looking for the
VHS tapes I haven't thrown out.)
18. If you try and burn an ISO onto a CD/DVD you can find errors internal to
the ISO. I once burnt 4 copies of Ubuntu from the one execution: two had
missing files, two appeared to install the virus.
19. Add a second hard drive to an infected machine, it is infected.
20. Add an external hard drive to an infected machine, it is infected.
21. Add an infected hard drive to a clean machine, the clean machine is infected.
22. Add a bootable USB drive, it generally gets infected (Ubuntu install), but I
don't know yet if it infects non-bootable ones. I certainly blame the virus for
the loss of two 16GB USBs and one 8GB, that have come up either not readable
or simply ceased to function.
23. Small, quick, simple burners of ISOs (like InfraRecorder; there are other
good ones but I have lost them) are the best. Time is short if your machine
hasn't been infected yet.
24. Your time and date are occasionally reset.
25. The good thing about the latest Ubuntu (there are lots of good things, but in
this context the one above is very important) is that it runs from a CD. An
already burnt CD can't be infected. You can't save any data, except onto an
infected drive, but you can communicate and call for help.
The ISPs (Internet Service Providers) with 3G USB Modems offer NO help in
getting the modem to work for LINUX, which makes it quite hard to establish,
much less memorise so you can quickly set up.
26. Some ISPs shield their customers from this attack, notably Australia's Telstra,
but not Optus, Dodo or Eon Net.
27. Several other viruses seem to find the breach into your machine and join in.
That of course means that all of the above may not be just the one virus.
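The SMART figures quoted in the post (Reallocated Sector Count, Power-on Hours Count, Ultra DMA CRC Error Rate and so on) can be pulled out of the drive and checked mechanically. The script below is an added example, not code from the post, from BleepingComputer or from smartmontools: it parses the attribute table printed by `smartctl -A /dev/sdX` (the table layout is assumed from smartmontools' usual output), applies SMART's own failure rule (an attribute is failed when its normalized VALUE has dropped to its THRESH; a THRESH of 0 means no threshold is set), and checks whether the raw Power-on Hours counter is even possible for a drive built on a given date. The two dumps embedded in it are constructed for the example, and the November 2003 manufacture date is taken from the post only as a worked input.

```python
"""Parse `smartctl -A` output and sanity-check the attributes.

Added example, not the poster's code and not part of smartmontools.
Assumptions: the ID#/ATTRIBUTE_NAME/FLAG/VALUE/WORST/THRESH/TYPE/UPDATED/
WHEN_FAILED/RAW_VALUE table printed by `smartctl -A`; attribute 9's raw
value counted in hours (a few vendors report minutes instead). The two
dumps below are constructed for this example, not captured from a real drive.
"""
import re
from dataclasses import dataclass
from datetime import date

# Assumed inputs for the worked check: build date from the post, check date = post date.
MANUFACTURED = date(2003, 11, 1)
CHECK_DATE = date(2011, 2, 26)


@dataclass
class SmartAttr:
    id: int
    name: str
    value: int   # normalized current value on the vendor's scale (100 or 200 = new)
    worst: int   # lowest normalized value recorded so far
    thresh: int  # normalized value at or below which the vendor calls it failed
    raw: int     # raw counter (sectors, hours, ...); units vary by vendor


def parse_smart_attributes(text):
    """Return the SmartAttr rows of the attribute table; other output is ignored."""
    attrs = []
    in_table = False
    for line in text.splitlines():
        if line.lstrip().startswith("ID#"):
            in_table = True
            continue
        parts = line.split()
        if not in_table or len(parts) < 10 or not parts[0].isdigit():
            continue
        # RAW_VALUE may carry a suffix such as "43 (Min/Max 21/51)" or "9258h+12m";
        # keep only the leading integer.
        raw_match = re.match(r"\d+", parts[9])
        raw = int(raw_match.group()) if raw_match else 0
        attrs.append(SmartAttr(int(parts[0]), parts[1], int(parts[3]),
                               int(parts[4]), int(parts[5]), raw))
    return attrs


def failing_attributes(attrs):
    """Names of attributes that meet SMART's failure rule: VALUE <= THRESH (THRESH > 0)."""
    return [a.name for a in attrs if a.thresh > 0 and a.value <= a.thresh]


def power_on_hours(attrs):
    """Raw value of attribute 9 (Power_On_Hours), or None if the drive has no such row."""
    for a in attrs:
        if a.id == 9:
            return a.raw
    return None


def plausible_power_on_hours(hours, manufactured, today):
    """A genuine hour counter cannot exceed the wall-clock hours since manufacture."""
    return 0 <= hours <= (today - manufactured).days * 24


def drive_report(text, manufactured=MANUFACTURED, today=CHECK_DATE):
    """Summarise one smartctl dump: failed attributes and the power-on-hours check."""
    attrs = parse_smart_attributes(text)
    hours = power_on_hours(attrs)
    return {
        "failing": failing_attributes(attrs),
        "power_on_hours": hours,
        "hours_plausible": hours is not None
        and plausible_power_on_hours(hours, manufactured, today),
    }


# Constructed dump: every value healthy, 9,258 hours on a 2003 drive.
SAMPLE_OK = """\
=== START OF READ SMART DATA SECTION ===
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       0
  3 Spin_Up_Time            0x0007   142   142   021    Pre-fail  Always       -       3875
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       9258
194 Temperature_Celsius     0x0022   127   100   000    Old_age   Always       -       43 (Min/Max 21/51)
199 UDMA_CRC_Error_Count    0x003e   200   200   000    Old_age   Always       -       0
"""

# Constructed dump: one attribute past its threshold and an impossible hour counter.
SAMPLE_SUSPECT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   133   133   140    Pre-fail  Always   FAILING_NOW 87
  9 Power_On_Hours          0x0032   001   001   000    Old_age   Always       -       2846062
196 Reallocated_Event_Count 0x0032   087   087   000    Old_age   Always       -       87
198 Offline_Uncorrectable   0x0030   087   087   000    Old_age   Offline      -       87
199 UDMA_CRC_Error_Count    0x003e   100   100   000    Old_age   Always       -       13
"""

if __name__ == "__main__":
    for label, dump in (("ok", SAMPLE_OK), ("suspect", SAMPLE_SUSPECT)):
        print(label, drive_report(dump))
```

Note the distinction the script relies on: the bracketed figures in the post (100, 87, 200) are normalized VALUE columns, which a drive reports on a vendor scale where higher is better, while the sector and hour counts the post cares about live in the RAW_VALUE column. Resetting or "altering to realism" the counters is a vendor-firmware matter outside what smartctl offers; what the script does give is a repeatable way to tell a drive whose attributes have actually crossed their thresholds from one whose raw hour counter is merely not credible.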