  1. #1 grayloup (Just Joined!)

    Viruses and Data Recovery

    This question does not pertain to any specific distribution. I attempted a simple data recovery/transfer on a hard drive that appears to have been infected with an unknown virus. The infected HD was attached to the USB port via a USB-to-SATA/IDE connector, and the HD was set to slave mode. When the PC booted, the PC immediately locked up, before the memory check took place. Subsequent reboots were futile, and reproducibly identical. I strongly suspect the BIOS was corrupted/destroyed as well as the boot drive also by the virus. Can anyone provide any insight to the situation and the following questions?

    1. Anything to the identification of what might ruin BIOSs and HDs in this fashion, i.e., the type or identity of what I might be dealing with here.

    2. Not being a virus expert, are there any other damage possibilities to the MB?

    3. Most importantly, since the boot HD is probably ruined also, how I might attach it to another PC safely such that data recovery on it may be performed and GRUB can be reinstalled, and without further infections? If I understand this correctly, this virus seems to have unlimited capability, and this is similar to the redirectional virus that I encountered recently, where the infected HD when connected as Slave drive, was still identified by the PC as the boot drive despite the jumper settings.

    Any insight would be greatly appreciated.

  2. #2 rcgreen (Linux Engineer)

    It is rare for a virus to corrupt the BIOS. I would go ahead and try mounting it as a slave on a computer running Linux, and try to look at the data.

    If it locks up the computer, it's probably a hardware failure.

  3. #3 bigtomrodney (Linux Guru)

    Quote Originally Posted by grayloup View Post
    The infected HD was attached to the USB port via a USB-to-SATA/IDE connector, and the HD was set to slave mode. When the PC booted, the PC immediately locked up, before the memory check took place
    If you are using it as a USB device it shouldn't be set to slave mode, it should be master - or better yet set to cable select mode. I have often seen devices set incorrectly to master/slave locking up the BIOS on old machines but I'm not sure how this would work in a USB setup.

  4. #4 Jonathan183 (Linux Guru)

    Quote Originally Posted by grayloup View Post
    This question does not pertain to any specific distribution. I attempted a simple data recovery/transfer on a hard drive that appears to have been infected with an unknown virus. The infected HD was attached to the USB port via a USB-to-SATA/IDE connector, and the HD was set to slave mode.
    Disconnect all hard drives from the PC and have CD drive boot only. Boot the system from a live CD. After you have booted the system connect the USB drive ... you should then be able to mount partitions and explore the disk.

    Try booting the original machine from a live CD again with no other drives connected. If this fails disconnect all drives and try to access BIOS setup & restore factory default settings. If BIOS has been corrupted then get BIOS flash tool from the MB manufacturers site and flash BIOS.

  5. #5 grayloup (Just Joined!)

    Quote Originally Posted by bigtomrodney View Post
    If you are using it as a USB device it shouldn't be set to slave mode, it should be master - or better yet set to cable select mode. I have often seen devices set incorrectly to master/slave locking up the BIOS on old machines but I'm not sure how this would work in a USB setup.
    Thanks to everyone for the replies. New BIOS chips have been ordered as well as new MBs as a backup. The USB setup should have worked as it has done so on many occasions before, with all the HDs set to slave mode in all instances. It isn't something that I haven't done before. It is a simple way to transfer archived data when upgrading or rebuilding. However, I am at a loss as to why anything on the USB port would destroy the BIOS immediately on bootup unless it was malicious. Again, this is an area I know little about, and it may be something quirky with the particular HD. Some time ago I had another experience with an infected PC with the usual symptoms - slow, flickers, et al - but the most unique thing was that when the HD was remounted on an identical machine as a Slave, the machine would ignore the master drive and would still boot from the slave HD. In that case the USB mount allowed me to extract the data. After the HD was reformatted and all, it worked normally again.

  6. #6 Rubberman (Linux Guru)

    I have had external USB drives lockup a system on me when booting if they don't have a bootable partition in them, because the BIOS was configured to boot from USB first. However, I very much doubt that you have damaged your system. If the USB drive is not connected, does it still fail to boot or display the BIOS splash screen when you power it on?

    If the BIOS/POST splash screen shows, then go into the BIOS and remove the USB drive from the boot device list. Then save the BIOS settings and reboot.

    If the BIOS/POST splash screen doesn't show, then you have nuked your system, and I can say with about 110% certainty that the USB drive didn't do it, unless you wired the drive's power supply directly to the USB controller...

    Also, what bigtomrodney said - don't set the drive to slave in your external enclosure. Most of the enclosures are wired to use either master or cable-select. Do you have the documentation for the enclosure? It should say.

    Finally, from what I think you are implying, that this drive had Windows data on it that you think might have been virus-infected. Plugging it into a Linux machine will NOT infect the Linux system. However, if it is a bootable device and your system tried to boot from it and it had a boot-sector virus, then in that case your system hard drive may have been compromised with a boot virus. Even in that case, only the most virulent and recent viruses have any capability of compromising the BIOS of the system, and AFAIK that is in theory only, though anything's possible, I suppose.

    [Conclusions]
    1. It is possible your system tried to boot from a USB drive that infected it with a boot virus. This is not terribly likely, but possible.
    2. Your BIOS is misconfigured and it is trying to boot from a USB drive with no boot sector. This is, IMO, the most likely scenario.
    3. Your USB drive is misconfigured (slave vs master/cable-select jumpered) - this could be related to #2 in causing the system to hang, because if it is a bootable USB drive, this will cause the system to hang trying to access the drive.
    [/Conclusions]
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
