From: Daave on
There has been a *lot* of talk lately about KB977165!

Many of us have seen ANGELKISSES420's nearly incoherent ramblings. I'm
not 100% convinced she is attempting to boot off the CD correctly. But
in the event she *is* having the problems she is claiming to have,
specifically this one:

the inability to boot off the CD unless she removes the problematic hard
drive and replaces it with a new one

... what might be going on? MowGreen seems to think that the interaction
of KB977165 along with malware already present on the old hard drive
(quite possibly the Win32/Alureon.A rootkit) is causing this occurrence.
But I don't understand how this is possible. When a PC is first turned
on, Windows doesn't even load yet! So, assuming the keyboard is correct
and working, one *can* normally enter the BIOS! The malware-induced
situation should not prevent this unless the malware has somehow invaded
the BIOS (and I would imagine only certain BIOSes would be affected if
this were the case, no?).

Once one is in the BIOS, one can rearrange the boot order so the CD-ROM
drive is first. So the next time the PC is turned on, as long as there
is a bootable CD in the CD drive, the option to boot off the Windows
installation CD is presented, the "anykey" is pressed, and the boot from
the CD is successful.

So, if ANGELKISSES420 is correct and she is unable to do the above, what
might be going on? If somehow the malware entered the BIOS, why can she
boot off the CD after swapping hard drives?


From: David H. Lipman on
From: "Daave" <daave(a)example.com>

< snip >

| So, if ANGELKISSES420 is correct and she is unable to do the above, what
| might be going on? If somehow the malware entered the BIOS, why can she
| boot off the CD after swapping hard drives?

/* There is NO malware that infects the BIOS. */


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: 20100214 on
I wouldn't take any notice of Mo green because her knowledge of computers
per se is incomplete and anyone trying to correct her is likely to be
branded a troll and his or her messages deleted from these newsgroups. I
have always argued with her on many things under the name of ANONYMOUS and
now M$ have black listed me because I reported Mo Green is a fat smelly tart
and she didn't like this at all!!




From: Daave on
David H. Lipman wrote:
> From: "Daave" <daave(a)example.com>
>
> < snip >
>
>> So, if ANGELKISSES420 is correct and she is unable to do the above, what
>> might be going on? If somehow the malware entered the BIOS, why can
>> she boot off the CD after swapping hard drives?
>
> /* There is NO malware that infects the BIOS. */

Assuming this is correct (and I believe that it is), is the following
assertion by MowGreen possible?:

<quote>
If you have entered the system's setup and configured it to boot from
the CD/DVD first and it still will not load the CD, it's a clear
indication that there is a root kit present.
What happened is that the update broke the root kit's 'functionality'
which in turn affected the CD player.
</quote>

(The above is from:
http://groups.google.com/group/microsoft.public.windowsupdate/msg/dfc513f1ecb625ed?hl=en )

Mow has consistently provided high-quality advice, but this particular
assertion confuses me. As long as the rootkit's damage is limited to
Windows and the hard drive, why couldn't a person successfully boot off
a CD?


From: PA Bear [MS MVP] on
Without physical (or remote) access to ANGELKISSES420's computer, answering
your question would be a rhetorical exercise at best.

References:

<QP>
...Alureon is among the Top 10 threats that Microsoft's various security
technologies - including its "malicious software removal tool" - regularly
detect on Windows systems. According to Microsoft's own Security Intelligence
Report, Microsoft's security products removed nearly 2 million instances of
Alureon from Windows systems /in the first half of 2009 alone/, up from a
half million in the latter half of 2008.

Barnes said "atapi.sys" makes an attractive target for a rootkit because it
is a core Windows component that gets started up early as Windows is first
loading. "It's started up very early in the boot process, and because of
that it makes these kinds of threats sometimes very hard to detect and
remove," Barnes said in a telephone interview with krebsonsecurity.com.
</QP>
Source:
http://www.krebsonsecurity.com/2010/02/rootkit-may-be-culprit-in-recent-windows-crashes/

BIOS Rootkit talks... | SophosLabs blog:
http://www.sophos.com/blogs/sophoslabs/v/post/5716

BIOS-level rootkit attack scary, but hard to pull off [March 2009]
http://arstechnica.com/security/news/2009/03/researchers-demonstrate-bios-level-rootkit-attack.ars

