With NAV2002, my hard disk's FAT still got erased

Discussion in 'malware problems & news' started by wowave, Oct 25, 2002.

Thread Status:
Not open for further replies.
  1. wowave

    wowave Registered Member

    Joined:
    Oct 25, 2002
    Posts:
    3
    I had Windows ME on C drive and Windows 98 on D drive. I could boot from C or D drive. I installed firewall and antivirus programs on both operating systems.

    Strange things happened:
    1) Recently I had to boot my computer with a startup disk every time I wanted to use it.
    2) Last time I used the Internet on C drive with Windows ME. I could listen to radio through Real Player. But I could not open almost all web pages.
    3) Next day, I was unable to use Windows ME on C drive at all. I switched to D drive. But I could not boot there either.
    4) Later, I found that my C drive became unformatted. Where is my data?
    5) Later, I found that on D drive, my Windows 98 there, most of the folders and files under the Windows folder are gone. Instead, there are many strange folder names, like those with capital letters, ADCXMRW3, EXCZW3EH, GCOGW1PF... and so on.

    I do not understand what is wrong. It looks like my computer was infected with virus. But I already installed Norton Antivirus2002 and ZoneAlarm on my computer.

    Thank you for your help!
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, it sounds like that system has been lost at this point. I assume that given how bad that system's condition is, that you are now posting here using a different computer - true? We may not be able to figure out exactly what damaged those different disk partitions, given how bad they have now become.

    However, I think we can discuss how to set up your Norton AV and ZA firewall to prevent damage in the future to better protect you once you've fixed the problem. It sounds like a full disk reformat and reinstall of Windows (or restore if you have a full system backup image) is now in order, if that system is currently unusable and the disks have been mostly erased.

    I'll move this thread to a place more in keeping with what you're asking about. Since you may have had a virus and need to discuss prevention, to protect your system in the future, let's go over to the Viruses and Worms Forum, and see what advice we can get there. :)

    LowWaterMark
     
  3. wowave

    wowave Registered Member

    Joined:
    Oct 25, 2002
    Posts:
    3
    Yes, I am using my old computer right now. I cannot just reformat and reinstall Windows because I still have lots of files on both hard drives in different partitions. But I still have a question. Should I use those files I just copied from "these two hard drives"?

    My first hard drive (I called C drive before) has 3 partitions, 1st partition with OS is unformatted status (I think the FAT is erased). 2nd one has a hidden OS, and 3rd one is data partition.

    1) I disconnected my second hard drive (I called D drive before) which has 2 partitions, 1st one with OS, and 2nd one with data.
    2) On my first hard drive I used the 2nd partition with OS, to copy most files to CDs.
    3) I added my second hard drive to the system. I found that on the 1st partition, most of the folders and files under the Windows folder were deleted. Instead, many strange folders were created. That's why I could not boot from this drive at all.
    4) I copied some files from the 2nd hard drive to the data partition on the 1st hard drive. Next day when I turned on my computer, I could not boot from C drive again. That was the same symptom I had before. Then I stopped doing anything.

    I really want to know how to save my files on these two hard drives.
    Thank you for your help.

    P.S. I don't know what version of my Zone Alarm was. But I had NAV with LiveUpdate. Every time I used the Internet, the virus definitions would be updated immediately.
    One more thing I have to mention:
    Before something happened, I did receive 3 emails on different days with no attachments. But the sending date was always the same (always 12/31/1980). I had to go to the end of the email list to find them.
     
  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    This may not sit well with some people, but I have to call it the way I see it. I do not know what version of NAV you have, but I have over the course of time read of many instances where Nortons fell down on the job.
    It seems to do great work for most people, but on some systems, for some strange reason, I know Norton will miss the most basic viruses.
    I use Dr Web right now, but at this point in time it has yet to prove itself to me.
    There are two AVs in my opinion that are beyond reproach and they are NOD32 and KAV. KAV definitely has better anti trojan protection, NOD32 better virus detection.
    As for anti trojan, TDS3 is the answer.
    If I were in your shoes, and those files are important to you, I would download NOD32 or KAV and TDS3 trial versions, update them and check the files out before transferring them somewhere for use later.
    I agree with LWM, it sounds like your best bet is format and reinstall. Anything else will never guarantee stability.
    No matter what AV I use, I always use a backup AV scanner.
    It would be great if you could use one of the other AVs to scan your bad drives and find out what the bug was. It would be nice to know how you got infected, so it doesn't happen again.
     
  5. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    You can save any vital irreplaceable data, but it sounds like your OS and all applications will need to be reinstalled. I'm sure you know that applications have to be reinstalled, because they not only install to program directories but they make changes to ini files, the registry, etc.

    Also, if your partitions are changed for some reason, your drive letters may change (different drive mappings), which of itself would necessitate reinstalling applications. There are some programs like PartitionMagic's DriveMapper, which will allow you to fix the problems caused by new drive mappings due to partition changes.

    But I agree with lowwatermark: sounds like that system has unfortunately been trashed. I would recommend an online scanner like Panda or HouseCall, but this requires internet access that you no longer have on the trashed system.
     
  6. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Hi root, wowave indicated in his thread title that he has NAV 2002.

    Warmly, Ran
     
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hybris most likely....

    Hi wowave,

    I have some bad news for you..You are infected with Hybris and maybe some others...But for sure this one. You have all the symptoms and the tip off are all those 8 letter files you found...do you have your PC set up to show all the file extensions even..even the hidden ones....that sure would help sometimes. ;)

    NAME: Hybris
    ALIAS: IWorm_Hybris, I-Worm.Hybris
    ALIAS: Snow White, SnowWhite, SnoWhite

    Hybris is an Internet worm that spreads itself as an attachment to email messages. The worm works under Win32 systems only. The worm contains components (plugins) in its code that are executed depending on what the worm needs, and these components can be upgraded from an Internet Web site. The major worm versions are encrypted with a semi-polymorphic encryption loop.

    The worm contains the following encrypted text strings:


    HYBRIS
    (c) Vecna

    The main worm's target on computers it tries to infect is the WSOCK32.DLL library. While infecting this DLL the worm:

    - writes itself to the end of the last file section
    - hooks the "connect", "recv" and "send" functions
    - modifies the DLL entry routine address (a routine that is activated when the DLL file is being loaded) and encrypts the original entry routine

    If the worm is not able to infect WSOCK32.DLL at its startup (in case it is in use and is locked for writing) the worm creates a copy of this library (a copy of WSOCK32.DLL with a random name), infects it and writes a "rename" instruction to the WININIT.INI file. As a result WSOCK32.DLL will be replaced with the infected one on the next Windows startup.

    The worm also creates its copy with random name in Windows system directory and registers it in RunOnce registry key:


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    {Default} = %WinSystem%\WormName

    or


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    {Default} = %WinSystem%\WormName

    where %WinSystem% is the Windows system directory, and "WormName" is a random name, for example:


    CCMBOIFM.EXE
    LPHBNGAE.EXE
    LFPCMOIF.EXE

    There is only one possible reason to register an additional worm copy in the "RunOnce" registry key: in case WSOCK32.DLL was not infected on the first worm run, and its infected copy was not created for some reason, the "RunOnce" worm copy will complete the task on the next Windows restart.

    Being active, the worm intercepts the Windows functions that establish a network connection, including the Internet. The worm intercepts data that is sent and received, and scans it for email addresses. When address(es) are detected, the worm waits for some time and then sends an infected message to that address(es).

    The worm functionality depends on the plugins that are stored in the worm body encrypted with an RSA-like strong crypto algorithm with a 128-bit key. Up to 32 plugins can be found in different worm versions. These plugins perform different actions; they can be updated from a Web page located at the VietMedia.com website.

    The complete worm functionality depends only on its host that is able to upgrade plugins from the Web page. The plugins are encrypted with a RSA-like crypto too.

    The worm also updates its plugins by using the alt.comp.virus newsgroup. The worm, being active on a machine, connects to a news server (using one of randomly selected servers - there are more than 70 addresses in the list), converts its plugins to newsgroup messages and posts them there. The worm's messages have a random Subject, for example:


    encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD
    encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR
    text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH
    text RFRE rebibmTCDOzGbCjSZ

    where first four characters represent plugin "name" and following four characters represent the encoded plugin "version". As well as sending, the worm reads such messages from alt.comp.virus, gets plugin "name" and "version" and compares with plugins that are currently used by the worm. In case a newsgroup has a message with higher plugin version, the worm extracts it and replaces existing one.

    The worm drops its plugins to disk as files in the Windows system directory. They also have random names, but the worm is able to access them. The names may look as follows:


    BIBGAHNH.IBG
    DACMAPKO.ACM
    GAFIBPFM.AFI
    IMALADOL.MAL
    MALADOLI.ALA

    There are several different plugins known:

    1. Infect all ZIP and RAR archives on all available drives from C: to Z:. While infecting, the worm renames EXE files in the archive with the .EX$ extension and adds its copy with the .EXE extension to the archive (companion method of infection).

    2. Send messages with encoded plugins to the "alt.comp.virus" newsgroup, and get new plugins from there.

    3. Spread virus to remote machines that have SubSeven backdoor trojan installed. The plugin detects such machines on the net, and by using SubSeven commands uploads worm copy to the machine and spawns it in there.

    4. Encrypt worm copies with polymorphic encryption loop before sending the copy attached to email.

    5. Affects DOS EXE and Windows PE EXE files. The worm affects them so that they become worm droppers. When run, they drop worm's EXE file to TEMP directory and execute it.

    While affecting a DOS EXE file the plugin adds dropper code and the worm body to the end of the file. These files can be cured.

    While affecting a Windows PE EXE file the plugin overwrites the file's code section (if it is large enough). The plugin doesn't touch the file header (including the entry point address), and does not increase the file size. Moreover, it has an anti-CRC (checksum) routine that fills special data into the plugin code so that the file CRC stays the same for a few commonly used CRC algorithms. That means that some integrity checkers will not detect changes in affected files: the file length and file body CRC stay the same as on the clean file.

    6. Depending on the system date and time (on September 16 and 24, and at the 59th minute of each hour starting from 2001 - in known plugins) the "spirale" effect is run. It looks like this:


    (SEE HERE FOR MORE DETAILS)

    http://www.f-secure.com/v-descs/hybris.shtml
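The description above lists several host-side indicators of Hybris: eight-letter random file names in the Windows system directory, a RunOnce value that launches such a file, a "rename" entry in WININIT.INI that replaces WSOCK32.DLL, and alt.comp.virus subjects that carry a four-character plugin name and version tag. The following is an added example for this thread, not code from the thread, from F-Secure or from any AV product; it turns those indicators into triage checks a defender can run over data exported from a suspect machine (a directory listing, the RunOnce values, the INI text, subject lines). All inputs are constructed for the example, the "extension repeats stem characters 2-4" rule is an observation drawn from the five plugin names quoted above rather than a documented property, and the subject split (second token = name, first four letters of the third token = version) is my reading of the description.

```python
"""Indicator triage for the Hybris behaviour described in the thread.

Added example; not the thread's, F-Secure's or any vendor's code. Every sample
input below is constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The quoted worm and plugin names (CCMBOIFM.EXE, BIBGAHNH.IBG, ...) are eight
# upper-case letters. 8.3 naming makes eight-letter stems common on DOS/Windows,
# so a match is a lead to corroborate, never a verdict on its own; a baseline
# listing from a clean install (known_good) removes the obvious false positives.
RANDOM_STEM = re.compile(r"^[A-Z]{8}$")
# "encr HVGT GTeL..." -> kind, 4-char plugin name, 4-char version tag, payload
# (assumed split, see lead-in).
SUBJECT = re.compile(r"^(encr|text) ([A-Za-z]{4}) ([A-Za-z]{4})([A-Za-z]*)$")


@dataclass(frozen=True)
class Finding:
    source: str  # listing | runonce | wininit | newsgroup
    item: str
    reason: str


def scan_listing(listing: str, known_good: frozenset = frozenset()) -> list[Finding]:
    """Flag random-looking eight-letter names in a system-directory listing."""
    found = []
    for raw in listing.splitlines():
        name = raw.strip().upper()
        stem, _, ext = name.rpartition(".")
        if not name or name in known_good or not RANDOM_STEM.match(stem):
            continue
        if ext == stem[1:4]:
            # Assumption from the five quoted plugin names: extension == stem[1:4].
            found.append(Finding("listing", name, "plugin-style name: extension repeats stem chars 2-4"))
        elif ext == "EXE":
            found.append(Finding("listing", name, "random eight-letter EXE in system directory"))
        elif ext == "DLL":
            found.append(Finding("listing", name, "random eight-letter DLL: possible infected WSOCK32.DLL copy"))
    return found


def check_runonce(values: dict) -> list[Finding]:
    """values maps a RunOnce value name to its data, e.g. {'{Default}': '%WinSystem%\\CCMBOIFM.EXE'}."""
    found = []
    for value_name, data in values.items():
        base = data.replace("/", "\\").rsplit("\\", 1)[-1].upper()
        stem, _, ext = base.rpartition(".")
        if RANDOM_STEM.match(stem) and ext == "EXE":
            found.append(Finding("runonce", f"{value_name} = {data}", "RunOnce launches a random eight-letter EXE"))
    return found


def check_wininit(ini_text: str) -> list[Finding]:
    """Look in the [rename] section (destination=source lines) for a replacement of WSOCK32.DLL."""
    found = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, _, src = line.partition("=")
            if dest.strip().upper().endswith("WSOCK32.DLL"):
                found.append(Finding("wininit", line, f"WSOCK32.DLL scheduled to be replaced by {src.strip()}"))
    return found


def parse_subject(subject: str) -> dict | None:
    """Split an alt.comp.virus subject into kind, plugin name, version tag and payload; None if it does not fit."""
    m = SUBJECT.match(subject.strip())
    if not m:
        return None
    kind, name, version, payload = m.groups()
    return {"kind": kind, "name": name, "version": version, "payload": payload}


def triage(listing: str, runonce: dict, wininit: str, subjects: list, known_good: frozenset = frozenset()) -> list[Finding]:
    """Run every check and return the combined findings."""
    found = scan_listing(listing, known_good) + check_runonce(runonce) + check_wininit(wininit)
    for s in subjects:
        p = parse_subject(s)
        if p:
            found.append(Finding("newsgroup", s, f"plugin {p['name']} version tag {p['version']} ({p['kind']})"))
    return found


# Constructed sample data: a Win9x-style SYSTEM listing (COMMCTRL.DLL is a real
# eight-letter system file, kept out of the results by the allowlist), one RunOnce
# value, a WININIT.INI and two subject lines.
SAMPLE_LISTING = "KERNEL32.DLL\nWSOCK32.DLL\nCOMMCTRL.DLL\nCCMBOIFM.EXE\nBIBGAHNH.IBG\nDACMAPKO.ACM\nNOTEPAD.EXE\n"
SAMPLE_RUNONCE = {"{Default}": r"%WinSystem%\CCMBOIFM.EXE"}
SAMPLE_WININIT = "[rename]\nC:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\LPHBNGAE.DLL\n"
SAMPLE_SUBJECTS = ["encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD", "Re: is this a virus?"]
KNOWN_GOOD = frozenset({"COMMCTRL.DLL"})

if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING, SAMPLE_RUNONCE, SAMPLE_WININIT, SAMPLE_SUBJECTS, KNOWN_GOOD):
        print(f"[{f.source}] {f.item}: {f.reason}")
```

Run on the samples it reports three listing hits (the random EXE and the two plugin-style files), the RunOnce value, the WININIT rename and the one well-formed subject; COMMCTRL.DLL is suppressed by the allowlist and shows up only if the allowlist is left empty, which is the point of pairing a name heuristic with a clean baseline.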
     
  8. controler

    controler Guest

    If drives have been removed, maybe the BIOS doesn't even see them now. It all depends on the motherboard. All that data is recoverable with DOS.
     
  9. wowave

    wowave Registered Member

    Joined:
    Oct 25, 2002
    Posts:
    3
    Hi everyone! I'm wowave.

    Thank you all for helping me. I'm still fixing my computer!

    I used my old PC's hard drive(8GB) and put it into my new PC. Something looked strange again.

    Before I put my hard drive(8GB) back into my old PC as a secondary drive, I used another old hard drive(2GB) as a primary drive with new virus definition updated (NAV).

    When I ran virus scan, there were two files under a folder "Temporary Internet Files" with virus "JS.ExceptionExploit" on my hard drive (8GB).

    With firewall and anti-virus programs, it doesn't mean you are secure! I am afraid to use my computer. I worry about my information being stolen by hackers. I think that there are a lot more viruses on my computers' hard drives.

    I think both PCs are infected with viruses. It is the first step I need to do: format my 8GB hard drive, reinstall the OS and programs, and run full virus and trojan scans...

    Thanks again.

    P.S. If only my FAT was deleted and the data is still there, how can I reformat this hard drive without erasing the data on it? Does anyone know how to recover that data?
     
  10. controler

    controler Guest

    Go to Google.Com and type

    DOS file recovery

    and try this program out maybe

    http://www.active-undelete.com/products.htm
     