
Interesting malware that had me scratching my head

Discussion in 'Windows - Virus and spyware problems' started by Mez, Jun 22, 2014.

  1. Mez (Active member)
    Good!

    BTW - While I was stupidly writing on this board my email password was changed and that was used to gain access to other money accounts. Most of my hard drives are now unreadable, over 10 T of capacity, gone! My data, my backup and my monthly backup, all toast. 25 yrs out the window; I still have them.

    I assure you I don't care what you think of me either. I know you are all fools. Does software normally install and uninstall unattended on your computers? The BIOS Trojan was a variation of the Mebromi Trojan. During the boot process your MBRs are rewritten, the Windows login is altered to run extra routines and the kernel is also infected. Removing the virus makes infected disks unreadable.
     
  2. xboxdvl2 (Regular member)
    Well, I don't use money accounts online; I used a prepaid Visa debit card as I don't trust PCs with my bank details.
    All hard drives connected to the PC? I would have thought you would have had some that weren't connected to the PC in case of malware, as a backup.
    I'd recommend trying data recovery programs or asking @ps355528 if she can offer assistance in getting your data back, or @ddp might have some ideas if the data is still there and just unreadable.
     
  3. ddp (Moderator, Staff Member)
    Do a Properties on the drives to show what is used & unused, but do not format the drive if it tells you the drive(s) need to be formatted. Do you have a spare blank HD?
     
  4. Mez (Active member)
    Thanks for the useful replies. I used to buy some things from eBay, which often requires PayPal. PayPal requires bank accounts. Being paranoid, I ran over to the bank as soon as I couldn't get in to my email. PayPal withdrawals are now blocked. I left one credit card as is since we were given 100% fraud protection. I got a call from them about a purchase, so I know the attack was real. They didn't get very far. They called on the first bad sale. Banks are very paranoid.

    DDP, the drives appear unallocated because the MBR was rewritten and it is not where it should be. The offset is known. I read about it after the fact.
     
  5. ddp (Moderator, Staff Member)
  6. Mez (Active member)
    Thanks, more useful info!

    It looks like the recovery will be straightforward but tedious. I have tried a few of the linked products.
    It looks like http://www.easeus.com/ will work. I will not know for a few more hrs till it finishes scanning the hard drive. It estimated the scan would take more than 6 hrs, but it is reading the files. I think I will need to recover each file separately, but I can do many at one time. I can recover up to 1 gig free and I will gladly pony up the $70 for the rest.
     
    Last edited: Aug 21, 2014
  7. Mez (Active member)
    Conclusion...
    The EaseUS tool was overwhelmed by the size and complexity of the disk. I started the scan at about 11 AM and it was not complete till the next morning. It could only find about 20 of the 1500 gigs. The good part is it did find 20 of the top 25 most valuable files.

    TestDisk was, as far as I can tell, the solution. I will never be 100% sure that it didn't lose something because the disk was so vast. The literature states that this type of malware only rewrites the MBR/partition table, so in theory it should do the trick.

    I will also create a new thread for the solution. I did an extensive search for this fix and didn't find any, so I want to make this information findable in an internet search.

    Lastly, on paranoia. Computers are not magic boxes like some of you must believe. There is a source for every action on your computer. The only 3 sources I can think of are the user initiates an action, the system initiates an action or an outside force initiates something. I have eliminated all but essential system maintenance. Updates and virus scanning and security are on. No software has the authority to uninstall or install software on my computer. That means all uninstalls and installs not initiated by me are extremely suspect.

    At least once a year for the last 5 years I have seen something extremely suspicious. Installing and uninstalling software was the most suspicious. Earlier this year I got a kernel error from the M$ remote access system. I have never used that system, ever! Why was it running in the first place? I am also suspicious of the timing of the last malware attack. I started using a VM to keep the hacker out of my computer. I was able to read the external disks up to about a week after I installed the VM and discovered the problem maybe a week after that. Because of what disks were infected I estimate the infection occurred about a week after I started using a VM, +/- 2 days. Isn't it curious that I would be infected with about the only type of protection I was vulnerable to about a week after the security upgrade?

    I do agree that if you don't track down errors and don't care if software is installed and uninstalled by unknown agents, I would be happier. I am taking that attitude now since there really is no way to keep malware out. I will reimage only when it is a performance issue. I will have 2 internet computers with no sensitive information and will assume my internet activity is being logged, and will change my purchase habits accordingly. That is much easier to do.
     
  8. ps355528 (Active member)
    Righty.. asked to comment so here goes.

    1. Kill the os that's currently running and have a look with an os which will mount and read NTFS filesystems.. Puppy Linux is very simple and small and will boot from a cd.. see what's on the drives..

    2. If the files are all intact MOVE everything EXCEPT Windows folder and root C boot files down a directory (simple command.. google basic linux shell commands.. MV .. for syntax..). Delete all Windows and rootC files EXCEPT the ones you moved down a layer.. THEN reinstall Windows (hint.. if you also move your Documents and Settings folder you can just move it back afterwards and save all your settings/bookmarks etc.. you need to know where they are)
    Then do a clean install WITHOUT formatting the drive.

    What if the drive looks corrupted?

    Get yourself a live boot cd/dvd with windows on and custom build a live system with photorec.. which will recover EVERY file but names them file00001, file00002 etc..

    Dammit Mez.. what's the name of that live windows disk builder?.. been so long it's slipped my mind.. head says nmap ffs.. similar to that..

    FYI kids.. IF any exe or dll file arrives with the "run" and "system" bytes set then it will run.. with full system access and rights, which completely trump ANY "administrator" account.. sorry.. It's why we never use any microsoft insecure crap on the raw internet (but I tell websites this is xp-sp3 because it allows us to access M$ only places)
     
  9. Mez (Active member)
    Thanks Ps355528 for the reply. That solution would not have worked; plus, one disk had 2 TB, the other had over 1.5 TB. Too much for any special handling. All Mebromi Trojan variants rewrite the MBR on a small offset so only an infected OS can read the drive normally. A solution is TestDisk. That runs at the dot prompt for Windoz and Linux (I don't remember if it does Macs) and has the ability to create a new MBR by analyzing the disk partitions. That fixes the problem. I now only access the internet using scrap computers. I had been in the process of doing so when I was hit. I actually had 2 copies of the MBR, but they were on affected disks.

    The reason for the offset is probably so you can't boot with an optical disk and restore the MBR from a backup, which I had. That is how I discovered I was infected. I was trying to recover something from a backup booting from a DVD. Most users could be infected for over a year without discovering the problem.
     
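Added example, not from any poster and not TestDisk's code: the consistency check that a partition-table rebuild rests on, i.e. compare where the MBR claims each partition starts with where NTFS boot sectors actually sit on disk. The disk image is constructed inline (64 sectors, one NTFS volume); `build_image`, `parse_mbr`, `find_ntfs_boot_sectors` and `check_partition_table` are names chosen for this example.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of an MBR and of an NTFS boot sector
NTFS_OEM_ID = b"NTFS    "         # OEM ID at offset 3 of an NTFS boot sector
PTABLE_OFFSET = 446               # four 16-byte partition entries start here


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty primary partition entries of a classic MBR."""
    if len(sector) < SECTOR or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[PTABLE_OFFSET + 16 * i: PTABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def find_ntfs_boot_sectors(image: bytes) -> list:
    """Scan every sector boundary for an NTFS boot sector, independent of the MBR."""
    hits = []
    for lba in range(len(image) // SECTOR):
        off = lba * SECTOR
        if (image[off + 3: off + 11] == NTFS_OEM_ID
                and image[off + 510: off + 512] == BOOT_SIGNATURE):
            hits.append(lba)
    return hits


def check_partition_table(image: bytes) -> dict:
    """True only when the MBR's start LBAs match the boot sectors found by scanning."""
    claimed = sorted(e["lba_start"] for e in parse_mbr(image[:SECTOR]))
    found = find_ntfs_boot_sectors(image)
    return {"claimed": claimed, "found": found, "consistent": claimed == found}


def build_image(volume_lba: int, table_lba: int, total_sectors: int = 64) -> bytes:
    """Constructed sample disk: NTFS boot sector at volume_lba, MBR entry saying table_lba."""
    img = bytearray(total_sectors * SECTOR)
    img[PTABLE_OFFSET:PTABLE_OFFSET + 16] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, table_lba, total_sectors - table_lba)
    img[510:512] = BOOT_SIGNATURE
    base = volume_lba * SECTOR
    img[base + 3: base + 11] = NTFS_OEM_ID
    img[base + 510: base + 512] = BOOT_SIGNATURE
    return bytes(img)
```

With `build_image(8, 8)` the table is consistent; with `build_image(8, 10)` the MBR points two sectors past the real volume start, the mismatch the thread describes, and the scan still locates the volume at LBA 8.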
