On 08/12/2012 08:21 PM, David Haller wrote:
Actually, it turns out that that "fishy" sector does contain the first part of the Boot.Pihar Trojan/Backdoor, and I think some more stuff is between each EPBR and the actual partition/filesystem.
https://www.virustotal.com/file/1cf12d246e9a2fbe1995034366f74aa5c892fc78a21d...
I think one could "fix" the partitioning itself by just deleting the extra entry in the MBR partition table and moving the real entries (now sda2/3) back to sda1/2. The partitions and filesystems seem ok.
As it is a virus/trojan/backdoor infection, I recommended that dcr had best zero the disk and reinstall.
dnh, You are the wizard. I appreciate the education that this has been for me regarding how to look at the code within the various bytes of the boot sector. I still cannot begin to fully understand precisely what happened, but I think I have gotten the big picture. There is one part of this puzzle I do not understand though. What did this malware do to cause an extra partition to be created?

I think I get part of that. The first 63 sectors were originally occupied by grub stage1.5 in sectors 1-19. Sectors 20-63 were originally empty. The boot track was not considered by the system to be a partition in and of itself. The original sda1 began on sector 63 and ended on sector 315291689. Whatever was inserted into the boot track after sector 19 caused sector 29 to appear as a complete partition to the system, even though it was of 0 length. Sector 29 had some byte within it that caused it to be identified as a partition (a new sda1) and the original sda1 became sda2. Right?

However, what I don't get is what the malware hoped to accomplish with a 1-sector entry. It gets inserted at sector 29 and the boot flag points to it. Then on boot, that code is read, and presumably triggers other code resident on what is now sda2. The reason for the quandary is I can't see enough code being inserted into a single sector (sector 29) to do much at all by itself other than scramble the disk/delete files/etc... or address code somewhere else on the disk. Meaning that I can't see enough code fitting into 1 sector to be intelligent enough by itself to conduct network activities or (phone home) for lack of better words. (I admit I could be completely wrong here, but I will take that, 512 bytes isn't much room to work with.)

So, I won't do it, but what you are saying is I could zero sectors 20-63 on the drive, reboot, and essentially have the original disk back with the correct partition numbering and a virus somewhere in the restored sda1 waiting to strike again -- right?
Thank you again for another great bit of learning.
-- 
David C. Rankin, J.D.,P.E.
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
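As an added example that is not part of either message above: a small Python script that does the two things the thread talks about, reading the four 16-byte entries of the MBR partition table (offset 0x1BE of the first sector) and flagging an entry like the one described, a used, boot-flagged slot that starts inside the boot track and spans 0 or 1 sectors, then producing a repaired table with that entry dropped and the remaining entries shifted down, which is the "fix" dnh describes. The 512-byte sample MBR is constructed here to mirror the layout in the discussion (bogus entry at LBA 29, real partition at LBA 63 ending at 315291689); it is not the bytes of dcr's disk, and the swap entry and the first-usable-sector threshold of 63 are assumptions. Note that it only rewrites the 64-byte table and leaves the boot code alone, which is exactly why the repair alone does not remove the infection.

```python
import struct
import sys

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # the 4 x 16-byte primary entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = 0xAA55        # stored little-endian as 55 AA at offset 0x1FE
FIRST_USABLE_LBA = 63          # classic DOS layout: sectors 0..62 are the boot track (assumption)


def parse_partition_table(mbr: bytes):
    """Decode the four primary partition entries of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", mbr, 0x1FE)
    if sig != BOOT_SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def suspicious_entries(entries, first_usable_lba=FIRST_USABLE_LBA):
    """Flag used entries that start inside the boot track or span <= 1 sector."""
    flagged = []
    for e in entries:
        if e["type"] == 0:
            continue                       # empty slot, nothing to judge
        reasons = []
        if e["lba_start"] < first_usable_lba:
            reasons.append("starts inside the boot track (LBA %d < %d)" % (e["lba_start"], first_usable_lba))
        if e["sectors"] <= 1:
            reasons.append("spans only %d sector(s)" % e["sectors"])
        if e["bootable"] and reasons:
            reasons.append("and carries the boot flag")
        if reasons:
            flagged.append((e["index"], reasons))
    return flagged


def rebuild_table(mbr: bytes, drop_indices, boot_index=None) -> bytes:
    """Return a copy of the MBR with the given entries removed and the rest shifted
    down into the freed slots. Only the 64-byte table is changed; the 446 bytes of
    boot code and the signature are copied unchanged. boot_index, if given, is the
    position in the *new* table that receives the 0x80 boot flag."""
    kept = [bytearray(mbr[PART_TABLE_OFFSET + i * ENTRY_SIZE:PART_TABLE_OFFSET + (i + 1) * ENTRY_SIZE])
            for i in range(4) if i not in drop_indices]
    if boot_index is not None:
        for n, ent in enumerate(kept):
            ent[0] = 0x80 if n == boot_index else 0x00
    table = b"".join(bytes(e) for e in kept) + b"\x00" * (ENTRY_SIZE * (4 - len(kept)))
    return mbr[:PART_TABLE_OFFSET] + table + mbr[PART_TABLE_OFFSET + 4 * ENTRY_SIZE:]


def make_entry(status, ptype, lba_start, sectors) -> bytes:
    """Build one table entry; CHS fields are filled with the usual FE FF FF 'use LBA' values."""
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)


def constructed_infected_mbr() -> bytes:
    """Constructed sample modelled on the thread: a boot-flagged 1-sector entry at LBA 29,
    the real Linux partition at LBA 63 (ending at 315291689), then an assumed swap entry."""
    boot_code = b"\x00" * PART_TABLE_OFFSET           # stand-in for the 446 bytes of code
    table = (make_entry(0x80, 0x83, 29, 1)
             + make_entry(0x00, 0x83, 63, 315291689 - 63 + 1)
             + make_entry(0x00, 0x82, 315291690, 4000000)
             + b"\x00" * ENTRY_SIZE)
    return boot_code + table + struct.pack("<H", BOOT_SIGNATURE)


if __name__ == "__main__":
    # Usage: python mbrcheck.py [disk-image-or-device]; without an argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            mbr = f.read(MBR_SIZE)
    else:
        mbr = constructed_infected_mbr()
    for e in parse_partition_table(mbr):
        print("entry %d: boot=%-5s type=0x%02x start=%-12d sectors=%d"
              % (e["index"], e["bootable"], e["type"], e["lba_start"], e["sectors"]))
    for idx, reasons in suspicious_entries(parse_partition_table(mbr)):
        print("SUSPICIOUS entry %d: %s" % (idx, "; ".join(reasons)))
```

Run against a device it only reads the first sector; writing the rebuilt table back is deliberately left to the operator (dd of the 64 bytes at offset 446, after a backup). It does not walk the EPBR chain of an extended partition, where dnh suspects more of the payload sits, so a clean report from this script says nothing about those sectors or about the boot code itself.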