New "Witty" Worm

Thread starter: jafar
Hi.

I believe I have been hit with the Witty worm rendering my Windows
installation unbootable. According to a story on /. "The worm overwrites
data on the first few sectors of the victim's hard drive, making the
machine virtually unbootable and potentially destroying much - if not all -
of the victim's data."
Strangely, my LILO bootloader is unaffected,
Windows just refuses to boot saying "error loading operating system". I
also cannot re-install Windows as on first reboot, it does the same. How
do I recover the first few sectors? Do I need to completely re-format
the drive? That's a pain because my Linux root partition is also located
on this drive meaning I'll have to re-install two Operating Systems :(
 
If you are able to boot into Linux, and if Windows is mounted under Linux
normally, are you able to see what is missing on the Windows half of the
system? Have you tried running, as root, /sbin/lilo as a last resort to
see if it fixes the booting process? Maybe you can, while in Linux, find a
Windows removal tool for the virus, put it on a diskette and boot from it
so you can repair things? There are still things to try.
 
I was able to back up important files in the win partition to CD in Linux
thankfully. LILO is fine and even has the Windows option there. It's just
that Windows fails from there.
As an update: I have since found a nice tool called testdisk
http://www.cgsecurity.org/index.html?testdisk.html which appears to have
detected some anomalies in my boot sectors and has fixed them. I'll try
and do the XP install again later and see if it can boot again.
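The kind of check jafar describes testdisk doing can be done by hand from Linux on the two sectors that decide whether Windows boots: sector 0 (the MBR, with the partition table at bytes 446-509 and the 55AA signature at 510-511) and the first sector of the NTFS partition. The script below is an added example, not code from the thread or from testdisk: it parses both sectors and reports anything that would stop the boot chain. The sample sectors are constructed in the script (the partition layout at LBA 63 / 2000063, the junk byte pattern standing in for an overwritten sector, and the stub opcodes are all assumptions), so it runs offline; to inspect a real disk, read the sectors with dd as shown in the note after the code.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of both the MBR and an NTFS boot sector
NTFS_OEM_ID = b"NTFS    "      # bytes 3..10 of an NTFS partition boot sector


def parse_partition_table(mbr):
    """Parse the four 16-byte entries at offset 446 of sector 0 (empty slots skipped)."""
    entries = []
    for i in range(4):
        boot, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            entries.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def check_mbr(mbr):
    """Return a list of problems found in sector 0; an empty list means it looks sane."""
    if len(mbr) != SECTOR_SIZE:
        return ["MBR image is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE)]
    problems = []
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("MBR signature 55AA missing at offset 510")
    if not any(mbr[:446]):
        problems.append("boot code area (bytes 0-445) is all zero")
    entries = parse_partition_table(mbr)
    if not entries:
        problems.append("partition table is empty")
    active = [e["index"] for e in entries if e["active"]]
    if len(active) != 1:
        problems.append("expected exactly one active partition, found %s" % active)
    for e in entries:
        if e["sectors"] == 0:
            problems.append("partition %d has zero length" % e["index"])
    return problems


def check_ntfs_boot_sector(vbr):
    """Return a list of problems found in the first sector of an NTFS partition."""
    if len(vbr) != SECTOR_SIZE:
        return ["boot sector image is %d bytes, expected %d" % (len(vbr), SECTOR_SIZE)]
    problems = []
    if vbr[0] not in (0xEB, 0xE9):
        problems.append("offset 0 is not an x86 jump (0x%02X)" % vbr[0])
    if vbr[3:11] != NTFS_OEM_ID:
        problems.append("OEM ID is %r, expected %r" % (bytes(vbr[3:11]), NTFS_OEM_ID))
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        problems.append("bytes per sector is %d" % bytes_per_sector)
    if sectors_per_cluster not in (1, 2, 4, 8, 16, 32, 64, 128):
        problems.append("sectors per cluster is %d, not a power of two" % sectors_per_cluster)
    if vbr[510:512] != BOOT_SIGNATURE:
        problems.append("boot sector signature 55AA missing at offset 510")
    return problems


def ntfs_partition_lba(mbr):
    """LBA of the first type-0x07 partition, i.e. the sector to read for check_ntfs_boot_sector."""
    for e in parse_partition_table(mbr):
        if e["type"] == 0x07:
            return e["lba_start"]
    return None


# --- constructed sample sectors (assumed layout, not captured from a real disk) ---

def build_mbr(entries):
    """Constructed MBR: a non-empty code area plus (active, type, lba_start, sectors) entries."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:2] = b"\xFA\xF4"            # cli; hlt - just so the code area is not all zero
    for i, (active, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i,
                         0x80 if active else 0x00, ptype, lba_start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_ntfs_boot_sector():
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"        # the jump an NTFS boot sector starts with
    vbr[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", vbr, 11, 512, 8)
    vbr[510:512] = BOOT_SIGNATURE
    return bytes(vbr)


# Linux at LBA 63, NTFS (active) right after it; then a junk pattern standing in for an overwritten sector.
GOOD_MBR = build_mbr([(False, 0x83, 63, 2000000), (True, 0x07, 2000063, 8000000)])
GOOD_VBR = build_ntfs_boot_sector()
JUNK_SECTOR = bytes((i * 37 + 11) & 0xFF for i in range(SECTOR_SIZE))

if __name__ == "__main__":
    for name, sector, check in [("good MBR", GOOD_MBR, check_mbr),
                                ("junk MBR", JUNK_SECTOR, check_mbr),
                                ("good NTFS boot sector", GOOD_VBR, check_ntfs_boot_sector),
                                ("junk NTFS boot sector", JUNK_SECTOR, check_ntfs_boot_sector)]:
        print(name, "->", check(sector) or "looks sane")
    print("NTFS partition starts at LBA", ntfs_partition_lba(GOOD_MBR))
```

On the real machine, sector 0 comes from `dd if=/dev/hda bs=512 count=1 of=mbr.bin` and the NTFS boot sector from `dd if=/dev/hda bs=512 skip=<lba from ntfs_partition_lba> count=1 of=vbr.bin` (the device name is an assumption; use whatever the disk is on that system). Two caveats: a boot sector that passes these checks only means the boot chain can start, and since the worm's writes land at random positions across the disk, NTFS metadata further in (the MFT and its mirror) can still be damaged even when both sectors look fine; and any repair should be done on a copy of the sector images first, never on the live disk without a backup.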
 
On that special day, jafar said...
I believe I have been hit with the Witty worm rendering my windows
installation un-bootable.

Just to make the situation clearer:

Did you run one of the ISS products, like BlackIce or Real Secure
(something)? Only with one of them active on the system, the worm would
be able to attack you. Also, the worm does random writes on hard disks,
*regardless* of the present OS, which means, the Linux system might have
been hit, too (although maybe the reiser journaling filesystem may have
warded off the effect).


Gabriele Neukam

 
You are looking at a data recovery scenario with little hope
of success I think. This payload writes sort of "willy-nilly" to
randomly selected sectors (and multiple disks) with fairly
contiguous data from a DLL image in RAM.

Nasty payload - and there was no call for it. Why couldn't
they just be happy with creating a worm that depends on
a so-called security program to propagate.
 
It can be fixed. But the cost runs $100 plus - if you don't do it yourself.

-*MORT*-
 
It can be fixed. But the cost runs $100 plus - if you don't do it yourself.

Cost? For what? What can I do myself? :)
All I need to do is get WinXP to accept my hardware and
install as it has done many times before.
 
On that special day, jafar said...


Just to make the situation clearer:

Did you run one of the ISS products, like BlackIce or Real Secure
(something)? Only with one of them active on the system, the worm would
be able to attack you. Also, the worm does random writes on hard disks,
*regardless* of the present OS, which means, the Linux system might have
been hit, too (although maybe the reiser journaling filesystem may have
warded off the effect).

Yes. Never again BlackIce. My Linux system is very happy and undamaged.
Even my old ext3 /home partition is still fine :) Just the NTFS. It's a
pain but I think I can live without XP for a little while. At least until
I buy a new hard-drive and try a re-install for the few games I can't get
to run on Linux ;)
 
When a friend had this on his system I just used gdisk (fdisk will be
fine) and reset the MBR and set partition 1 as active and it was ok.

With fdisk you could try "fdisk /mbr" as that should fix the MBR
straight away however it is possible the virus buggers things up when
you next load windows so I suggest you find a way of removing it
quickly :)
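What "reset the MBR and set partition 1 as active" amounts to at the byte level, as an added example in Python rather than fdisk or gdisk (not code from the thread or from either tool): an MBR reset replaces only the boot code in bytes 0-445 of sector 0 and leaves the partition table at 446-509 alone, and setting a partition active moves the 0x80 flag in the first byte of one 16-byte entry. The damaged sector, the two-entry table (NTFS in slot 1 at LBA 63, Linux in slot 2) and the two-byte stub standing in for real boot code are all constructed assumptions.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # the four 16-byte partition entries occupy bytes 446..509
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def reset_boot_code(mbr, boot_code):
    """Replace only bytes 0-445 of an MBR sector with new boot code (zero-padded).

    The partition table is copied over unchanged and the 55AA signature is re-stamped;
    that is the property which makes an MBR reset safe for the partitions already on the disk.
    """
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be %d bytes" % SECTOR_SIZE)
    if len(boot_code) > TABLE_OFFSET:
        raise ValueError("boot code must fit in %d bytes" % TABLE_OFFSET)
    fixed = bytearray(mbr)
    fixed[:TABLE_OFFSET] = boot_code.ljust(TABLE_OFFSET, b"\x00")
    fixed[510:512] = BOOT_SIGNATURE
    return bytes(fixed)


def set_active_partition(mbr, index):
    """Set the 0x80 boot flag on partition `index` (1-4) and clear it on the other slots."""
    if index not in (1, 2, 3, 4):
        raise ValueError("partition index must be 1-4")
    fixed = bytearray(mbr)
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        if i + 1 == index and fixed[off + 4] == 0:
            raise ValueError("partition slot %d is empty, refusing to mark it active" % index)
        fixed[off] = 0x80 if i + 1 == index else 0x00
    return bytes(fixed)


def active_partitions(mbr):
    return [i + 1 for i in range(4) if mbr[TABLE_OFFSET + 16 * i] == 0x80]


def partition_geometry(mbr):
    """(type, lba_start, sectors) of each non-empty slot: what a repair must leave untouched."""
    geometry = []
    for i in range(4):
        _, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        if ptype != 0:
            geometry.append((ptype, lba_start, count))
    return geometry


def repair_mbr(mbr, boot_code, active_index):
    """Reset the boot code, mark one partition active, and verify the geometry survived."""
    fixed = set_active_partition(reset_boot_code(mbr, boot_code), active_index)
    if partition_geometry(fixed) != partition_geometry(mbr):
        raise RuntimeError("partition geometry changed during repair")
    return fixed


# Constructed sample (not from a real disk): junk in the code area as a stand-in for an overwritten
# sector 0, with a still-valid table: NTFS at LBA 63 (slot 1), Linux after it (slot 2), no flag set.
def build_damaged_mbr():
    mbr = bytearray((i * 37 + 11) & 0xFF for i in range(SECTOR_SIZE))
    mbr[TABLE_OFFSET:SECTOR_SIZE] = bytes(SECTOR_SIZE - TABLE_OFFSET)
    struct.pack_into("<B3xB3xII", mbr, TABLE_OFFSET, 0x00, 0x07, 63, 8000000)
    struct.pack_into("<B3xB3xII", mbr, TABLE_OFFSET + 16, 0x00, 0x83, 8000063, 2000000)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Stand-in boot code (cli; hlt). Real MBR code would find the active entry and chain-load its first sector.
STUB_BOOT_CODE = b"\xFA\xF4"

if __name__ == "__main__":
    damaged = build_damaged_mbr()
    fixed = repair_mbr(damaged, STUB_BOOT_CODE, 1)
    print("active before:", active_partitions(damaged), "after:", active_partitions(fixed))
    print("geometry preserved:", partition_geometry(fixed) == partition_geometry(damaged))
```

The caveat Morgan hints at holds here too: this only rewrites sector 0. The NTFS partition's own boot sector (at its lba_start) is a separate sector, and if the worm's writes hit that one, Windows still fails after a perfectly good MBR reset, so check it separately before reinstalling. On a dual-boot box the reset also replaces whatever LILO put in the MBR, so LILO would have to be reinstalled with /sbin/lilo afterwards.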
 
With fdisk you could try "fdisk /mbr" as that should fix the MBR
straight away however it is possible the virus buggers things up when
you next load windows so I suggest you find a way of removing it
quickly :)

Thanks for the advice Morgan. I'm actually planning to put Windows on
the old 10 gig drive which currently holds my Linux /home partition, but
that will have to wait (a couple of months?) until I whittle down the data
there and migrate it to a new partition on my main drive.
I'll see if that works :)
 