Posted by cquirke (MVP Windows shell/use) on May 15, 2006, 8:09 am
On Sun, 14 May 2006 18:34:51 +0300, Zvi Netiv
>> On Thu, 11 May 2006 18:12:34 +0300, Zvi Netiv
>> >"Boot Malmo" is supposed to be the boot segment of an old multipartite virus
>> >also known as Junkie. That virus was common in the early nineties, when
>> >Windows 3x was still around.
>> The Win9x installation process replaces the boot code and retains the
>> original as an inactive file in C:\ (it may become active if you
>> uninstall Win9x, which is a highly unlikely scenario).
>Not "highly unlikely" but irrelevant in "Malmo's" case. First, the Malmo MBR
>does not contain "virus" code but a short patch of the loader that redirects to
>sectors that are normally not accessed, where the virus code resides.
OK. Too small for detection as a signature?
>Secondly, what the Win9x installation backs up is the boot sector, while
>"Malmo Boot" is supposed to be the MBR. See the difference? ;-)
Yep! I was intentionally vague (writing about "boot code" rather than
"partition boot code") because I wasn't familiar with the specifics of
Malmo, and the original posting was also a bit indistinct about that.
So yes, with the above in mind, this generic mechanism is highly
unlikely to apply in this case.
>Lastly, in order to inherit a Malmo-Junkie boot to a Windows 2000 installation,
>which is what the OP is running under, you need to upgrade from Windows 3.x at
>latest because no PC with anything newer than W3x will ever boot with Malmo in
>its MBR and you won't be able to "upgrade".
An upgrade path Win3.yuk -> Win9x -> Win2000 is unlikely (given the
age stretch for the hardware) but possible if during the life of the
Win9x installation, it was scraped over from an old PC to a newer one.
Another way to get spurious boot infector signatures into the file
system (in inactive form) is to scrape over a Win9x HD (say, to pick
through the files for data or whatever) and thus carry over an old
install-time partition boot sector backup file.
>> So when a PC has a boot virus, and Win9x is installed on it, the
>> signature may be present and detectable in that file.
>There exists no such file for Malmo's MBR.
Agreed.
>> Although it's completely inactive, technically the PC "has"
>> the virus although it's not actively infected (may be relevant
>> in some legal contexts).
>Babble.
Not really, no - I just didn't want to make a long post longer :-)
Say there's an unreleased boot infector that is found in the partition
boot backup file if your PC is seized on suspicion that you are
creating such malware. Although inactive as malware, the presence of
that file may undermine your plausible deniability in court.
It's such a small nit that it's hardly worth picking ;-)
>> >Yet there have been a few reports on "boot malmo" in the recent years, all from
>> >Norton Anti Virus. All were false alarms.
>> Ah, OK. The scenario I described is likely to be pretty rare by now,
>> so it looks as if a more straightforward false positive is happening.
>Can you see the difference between rare and impossible?
Yep, sort of. The old paradox applies:
- in an infinite universe, there must be some things that don't exist
- in an infinite universe, those things must exist somewhere/when
IOW, one could manually cut and paste from an infected MBR to a file
and then have a scanner that scans the file for the virus (even though
logically it should never be there) alert on it. One could speculate
a combination of "scan all file types" vs. saved BING partition images
etc. for "natural" cases, but these would be rarer than "pretty".
>------------------------ ---- --- -- - - - -
Can't stop what's coming
Can't stop what's on its way (Tori Amos)
>------------------------ ---- --- -- - - - -
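An added example, not part of this thread and not code from either poster: the Python script below makes the MBR versus partition boot sector distinction the posts turn on concrete. It classifies a 512-byte sector image by layout (a DOS/Windows partition boot sector opens with a short jump over a BIOS Parameter Block; an MBR has no BPB but carries the partition table at offset 446), decodes the partition table, and hashes only the MBR loader code, so that a small patch to the loader shows up as a baseline mismatch while the partition table still reads as intact. It works on the bytes whether they come from the disk or from a backup file holding the same sector, which is exactly what a file scanner would see. The sample sectors are constructed inside the script; the "patched" bytes are a placeholder short jump, not the Malmo/Junkie code, and the disk-signature offset 0x1B8 is taken from the standard NT-family MBR layout.

```python
"""Tell an MBR from a partition boot sector (VBR) and baseline the MBR loader code.
Added example for the thread above: the sample sectors are constructed here, not
captured from a disk, and the "patched" loader bytes are a placeholder."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # four 16-byte partition entries live here
DISK_SIG_OFFSET = 0x1B8        # NT-family Windows keeps a 4-byte disk signature here
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of both an MBR and a VBR
VALID_BYTES_PER_SECTOR = {512, 1024, 2048, 4096}


def parse_partition_table(sector: bytes) -> list:
    """Decode the partition table; only an MBR has meaningful entries here."""
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:   # type 0 marks an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def looks_like_vbr(sector: bytes) -> bool:
    """A DOS/Windows VBR: JMP opcode, printable 8-byte OEM name, then the BPB."""
    if sector[0] not in (0xEB, 0xE9) or not all(0x20 <= b < 0x7F for b in sector[3:11]):
        return False
    return struct.unpack_from("<H", sector, 11)[0] in VALID_BYTES_PER_SECTOR


def looks_like_mbr(sector: bytes) -> bool:
    """An MBR has no BPB but carries a partition table whose entries make sense."""
    if looks_like_vbr(sector):
        return False
    if any(sector[PART_TABLE_OFFSET + 16 * i] not in (0x00, 0x80) for i in range(4)):
        return False
    entries = parse_partition_table(sector)
    return bool(entries) and all(e["lba_start"] > 0 and e["sectors"] > 0 for e in entries)


def classify_sector(sector: bytes) -> str:
    """'mbr', 'vbr', 'unknown', or 'not-bootable' when the 0x55AA marker is missing."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        return "not-bootable"
    if looks_like_vbr(sector):
        return "vbr"
    return "mbr" if looks_like_mbr(sector) else "unknown"


def loader_digest(sector: bytes) -> str:
    """SHA-256 of the loader code only (before disk signature and partition table)."""
    return hashlib.sha256(sector[:DISK_SIG_OFFSET]).hexdigest()


def check_sector(sector: bytes, baseline: str) -> dict:
    """Scanner-style report for one sector image, from disk or from a backup file."""
    return {"kind": classify_sector(sector),
            "partitions": parse_partition_table(sector),
            "loader_matches_baseline": loader_digest(sector) == baseline}


def make_sample_mbr() -> bytes:
    """Constructed MBR: a stand-in loader prologue and one bootable FAT32 partition."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xFA\x33\xC0"                     # cli; xor ax,ax
    s[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = b"\x11\x22\x33\x44"
    struct.pack_into("<B3sB3sII", s, PART_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x0C, b"\xFE\xFF\xFF", 63, 2097152)
    s[510:512] = BOOT_SIGNATURE
    return bytes(s)


def make_patched_mbr() -> bytes:
    """Same MBR, first bytes replaced by a placeholder jump; partition table untouched."""
    s = bytearray(make_sample_mbr())
    s[0:3] = b"\xEB\x20\x90"                     # jmp short +0x20; nop (placeholder)
    return bytes(s)


def make_sample_vbr() -> bytes:
    """Constructed FAT32 partition boot sector of the kind Win9x writes and backs up."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xEB\x58\x90"                     # jmp short over the BPB; nop
    s[3:11] = b"MSWIN4.1"
    struct.pack_into("<H", s, 11, 512)           # bytes per sector
    s[13] = 8                                    # sectors per cluster
    s[510:512] = BOOT_SIGNATURE
    return bytes(s)


if __name__ == "__main__":
    baseline = loader_digest(make_sample_mbr())
    for name, img in (("clean MBR", make_sample_mbr()), ("patched MBR", make_patched_mbr()),
                      ("Win9x VBR backup", make_sample_vbr())):
        print(name, check_sector(img, baseline))
```

Run as-is it reports the three constructed samples; on a real machine you would feed it the first 512 bytes of the disk (or the install-time backup file) and keep the baseline digest from a known-clean copy of the same boot code. Note that the VBR backup yields an empty partition table, which is why a signature taken from an MBR cannot turn up in that file.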