Just a short update on this issue.
Different media now report about the *predecessor* of the root kit I've
mentioned below. Here's an excellent write-up on that one in particular:
www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
Here in Europe both the French and the German governments (both more than bleeding edge on the subject) for at least 6 months have been advising against the use of IE/OE
(as in ANY version), because of a notorious black hole of exploits, and MS not being "dedicated to solve the obvious problems". Instead users are advised to use
alternatives, such as Firefox+Thunderbird, or Opera (www.opera.no).
The local culprits are still the combo of Flash (any version), and MS JScript
(a malformed hybrid between JavaScript and Java).
Please, don't shoot the messenger :)
Soren wrote:
If I may add, there's currently a virus around that potentially manages
to mess up the BIOS of any M/B.
So, if your system or server is showing a strange date/day/year, some of
your drives aren't recognized, or your system suddenly simply won't
boot, this might be the cause.
The attack appears to be a drive-by attack embedded in Flash
(surprise!), and coming from a broad variety of web sites. Hence the
particular system user can't be blamed.
Solution: Disconnect all hdd's, and reflash the BIOS, and then set a
sensible Supervisor pwd in your BIOS before doing anything else.
Sometimes this alone will solve the problem. Remember to load & save
Setup Defaults before proceeding.
This virus is also transparently transferred (as in "invisibly") by usb,
swapped hdd's etc., so be alert about this, and be sure to include this
matter into your back up strategies. Further, this virus also disables
the "Disable Active Scripting" facility in at least NAV.
For a clean system: As Tim says, format the boot sector, but also
include sector 64 (e.g. use IBM's original zap.com util) - then perform
a secure erase of the drive (goes for every drive in the system).
Sometimes it is enough just to rebuild the drive index file (testdisk)
after reflashing the BIOS. But mileage varies due to numerous variants of
this particular virus.
This usually works:
1. format boot sector on drive, including sector 64, with drive mounted
as master on primary controller.
2. repeat step 1 for each additional hdd in the system (mount the drive
as master on a primary controller)
3. use a *nix distro to define partition size on the boot drive (MS
doesn't get partition offsets right)
4. power off, reboot, and install.
5. if you're in doubt about ANY part of the above, get new drives
instead, or turn them over to a specialist like Tim. The data on your
drives is most likely recoverable, and not necessarily infected itself.
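The sector wipe from steps 1 and 2 above, as an added example that is not part of Soren's post or the reply: a small sh script that zeroes sector 0 (the MBR) and sector 64 of a disk image with dd and then verifies each sector. It assumes 512-byte sectors and works on an image file; the test image it builds is constructed here for illustration. The function and variable names (zero_sector, sector_is_zero, wipe_boot_sectors, make_test_image) are mine, not anything from the post or from the tools it mentions.

```shell
# Added example, not from the original post: zero sector 0 and sector 64 of a
# disk image with dd, then verify. Sector size assumed to be 512 bytes.
# dd overwrites in place with no confirmation, so only point this at a real
# device when you are certain of the target.

set -eu

SECTOR_SIZE=512

# Overwrite one sector with zeros. conv=notrunc leaves the rest of the file alone.
zero_sector() {
    img=$1; n=$2
    dd if=/dev/zero of="$img" bs=$SECTOR_SIZE seek="$n" count=1 conv=notrunc 2>/dev/null
}

# Exit 0 if sector n is all zero bytes, 1 otherwise.
# 512 bytes dump to 1024 hex digits, so compare against 1024 zeros.
sector_is_zero() {
    img=$1; n=$2
    hex=$(dd if="$img" bs=$SECTOR_SIZE skip="$n" count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    expected=$(printf '%01024d' 0)
    [ "$hex" = "$expected" ]
}

# Steps 1 and 2 from the post: wipe sector 0 and sector 64 of one drive.
wipe_boot_sectors() {
    img=$1
    zero_sector "$img" 0
    zero_sector "$img" 64
}

# Constructed 1 MiB test image: boot code plus a 0x55AA signature in sector 0,
# non-zero bytes in sector 64, and a marker in sector 65 that must survive.
make_test_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=$SECTOR_SIZE count=2048 2>/dev/null
    printf 'BOOTCODE' | dd of="$img" bs=1 seek=0 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null   # 0x55 0xAA
    printf 'HIDDEN' | dd of="$img" bs=1 seek=$((64 * SECTOR_SIZE)) conv=notrunc 2>/dev/null
    printf 'KEEP' | dd of="$img" bs=1 seek=$((65 * SECTOR_SIZE)) conv=notrunc 2>/dev/null
}

# usage: sh wipe.sh /path/to/disk.img
if [ "${1:-}" ]; then
    wipe_boot_sectors "$1" && echo "sectors 0 and 64 of $1 zeroed"
fi
```

After the wipe, sector_is_zero reports sectors 0 and 64 as clean while sector 65 is untouched, which is the check worth running before trusting that only the intended sectors were overwritten.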