Virus(?) erases Windows harddrive and replaces with Novell screen

Thread starter: Eric

Eric

Hi - I have an issue. Four months or so ago, I think I got a virus.

I would be working online, with Windows ME, connected to a DSL line.
One day, my harddrive light came on and stayed on. The PC would slow
down or just stop.
I then would reboot, and after the initial screen of memory/HDD
info, a NOVELL NETWARE screen comes up. I never put Novell on my PC.
Also, my harddrive was erased.

I since reloaded XP - worked a couple of weeks, and then WHAM! - same
thing. Then I tried 98SE. Every time, I then erased the hdd, did
fdisk and fdisk /mbr, with a (hopefully) clean boot disk. Something's
not right. Now it has gotten so bad, I took out memory and unplugged
it for 2 days, per someone's suggestion. Still, I fdisked (2x - once
with mbr), reboot, and whammo - Novell screen. It also does not see
the CD ROM. I have never seen anything like this. Anyone heard of
this? If so, what is the solution????

Eric
 
Eric said:
Hi - I have an issue. Four months or so ago, I think I got a virus.

I would be working online, with Windows ME, connected to a DSL line.
One day, my harddrive light came on and stayed on. The PC would slow
down or just stop.
I then would reboot, and after the initial screen of memory/HDD
info, a NOVELL NETWARE screen comes up. I never put Novell on my PC.
Also, my harddrive was erased.

What do you mean by "my harddrive was erased"?
I since reloaded XP - worked a couple of weeks, and then WHAM! - same
thing. Then I tried 98SE. Every time, I then erased the hdd,

What do you mean by "I then erased the harddrive"?
did fdisk

What do you mean by "I [...] did fdisk"?
and fdisk /mbr,

I know what this means, but why did you feel it was safe to do so?
What model computer is this? Do you use a disk overlay?
with a (hopefully) clean boot disk.

Boot disk for which OS?
Something's
not right. Now it has gotten so bad, I took out memory and unplugged
it for 2 days, per someone's suggestion.

Did you remember to chant and wear your underwear inside out?
(it's just a suggestion)
Still, I fdisked (2x - once
with mbr), reboot, and whammo - Novell screen.

What kind of partitions did fdisk say that you had?
(thinking opas.k payload here, but Novell screen?)
It also does not see
the CD ROM. I have never seen anything like this. Anyone heard of
this? If so, what is the solution????

Have you looked at the CMOS setup?

Did you remove a partition?
(were you able to?)

Did you create a partition?
(were you able to?)

Did you obtain this PC from a business that
might have installed Novell Netware on it?

Did the CMOS revert to a different boot device than what
you had it previously set to?

Do you know how many physical harddrives are in the box?

Were you running without any anti-virus program and with
a blank or weak admin password? Were you running an
unpatched Windows box on the internet (which sort of will
equate even the strongest of passwords to a single character)?

Maybe you got opaserv's payload blues?

With more information, maybe someone else will be able to
help you ~ ya got me stumped.

Good luck.
 
Eric said:
Hi - I have an issue. Four months or so ago, I think I got a virus.

I would be working online, with Windows ME, connected to a DSL line.
One day, my harddrive light came on and stayed on. The PC would slow
down or just stop.
I then would reboot, and after the initial screen of memory/HDD
info, a NOVELL NETWARE screen comes up. I never put Novell on my PC.
Also, my harddrive was erased.

I since reloaded XP - worked a couple of weeks, and then WHAM! - same
thing. Then I tried 98SE. Every time, I then erased the hdd, did
fdisk and fdisk /mbr, with a (hopefully) clean boot disk. Something's
not right. Now it has gotten so bad, I took out memory and unplugged
it for 2 days, per someone's suggestion. Still, I fdisked (2x - once
with mbr), reboot, and whammo - Novell screen. It also does not see
the CD ROM. I have never seen anything like this. Anyone heard of
this? If so, what is the solution????

A Novell Screen, right ... what is 'a Novell Screen', what *exactly* does
the screen look like?

You don't mention whether you use any anti-virus software, whether you used a
scanner to diagnose this, and what the results of the diagnosis were (if any).

I suggest, before installing XP again to write zeros to the entire hard
drive, do this with a utility that can be started from a bootflop, make sure
the flop is clean and write protected.

Once you have installed XP, patch it (to plug security holes), install an up
to date virus utility, a firewall (make it block everything initially) and
see if events occur again. Carefully log all software you install. Carefully
monitor all processes that do actually run.
 
Hi - I have an issue. Four months or so ago, I think I got a virus.
What do you mean by "my harddrive was erased"?

OK - When I checked fdisk, I think it showed that the partition was
erased. I haven't seen it for a while, but I cannot access any of my
files.
What do you mean by "I then erased the harddrive"?

OK, I worked with IT support for a few years. I did what I learned
there, run fdisk, erase the partition, then create a new one. Then
format c:, and start over.
did fdisk

What do you mean by "I [...] did fdisk"?

I ran the fdisk utility, from DOS.
I know what this means, but why did you feel it was safe to do so?
What model computer is this? Do you use a disk overlay?

Yes I feel it was safe. This cleans the Master Boot Record.
Boot disk for which OS?

I have one for ME, and for 98 SE. I think I used the ME 1st. (I have
done this many times, and use one then the other)
Did you remember to chant and wear your underwear inside out?
(it's just a suggestion)

Not yet.
What kind of partitions did fdisk say that you had?
(thinking opas.k payload here, but Novell screen?)

Unknown. Now remember, I am not a Novell person. I *never*
installed Novell. It came out of nowhere.
Have you looked at the CMOS setup?
Yes, I did autodetect. It does not see it.
Did you remove a partition?
(were you able to?)

Yes, as mentioned above, with fdisk.
Did you create a partition?
(were you able to?)

Yes again.
Did you obtain this PC from a business that
might have installed Novell Netware on it?

Not that I know of. The company is gone. I bought it new, and it
came with Windows 98 and drivers only.
Did the CMOS revert to a different boot device than what
you had it previously set to?
Sometimes it does. Like, if I reboot it warm, (without shutting it
off completely) it may not even detect any hdd. Again, odd.
Do you know how many physical harddrives are in the box?

Opened it up, and found one.
Were you running without any anti-virus program and with
a blank or weak admin password?
Norton 2002 AV. No password - this is a single user machine

Were you running an unpatched Windows box on the internet (which sort
of will
equate even the strongest of passwords to a single character)?

I ran ME and 98 with no password. I also kept the windowsupdate
current.
Maybe you got opaserv's payload blues?
what is dis? Again, I am not a Novell guy, in case that is Novell
lingo.
With more information, maybe someone else will be able to
help you ~ ya got me stumped.

Good luck.

Thanks.
 
Joep said:
A Novell Screen, right ... what is 'a Novell Screen', what *exactly* does
the screen look like?

OK - I boot up, the "normal" happens: memory count, IDE info,
searches boot device, then...
Clear screen, and in the upper right hand corner it says:
Novell Netware (and I think 'firmware' is mentioned), and some lines of
info NOT Windows related.
Then I get some invalid BOOT info. Then it asks me for a boot disk.
I am like, "Where did Windows go??" Then I curse to myself and hide
in my room.

I will go home and write down more info, so I can share exactly what it
says.
You don't mention if you do use any anti virus software and if you used a
scanner to diagnose this and what the results of diagnosis were (if any).
I had Norton 2002 (from the System Works bundle) and the latest definitions.
Still did not see it, nor help me in any way.
I suggest, before installing XP again to write zeros to the entire hard
drive, do this with a utility that can be started from a bootflop, make sure
the flop is clean and write protected.

All right, I'll come clean. It's a cracked copy of XP. But, before
anyone blames my XP copy, I used 98 most recently, after my XP install
crashed.

By the way, what is this utility you mentioned?
Once you have installed XP, patch it (to plug security holes), install an up
to date virus utility ((which I have)), a firewall
((I don't have, what do people recommend? Also, I moved and am using dial
up, not DSL))
(make it block everything initially) and see if events occur again.
Carefully log all software you install. Carefully
monitor all processes that do actually run.

I plan on either using 98 or my bootleg XP (I actually paid for a copy
of XP via ebay, and got another bootleg copy, but that's another
story).

But anyway, I am dead in the water, as now I get errors when I format,
and I still do not see the CDROM. Is this a hardware problem, and/or
a virus?
 
Eric said:
OK - When I checked fdisk, I think it showed that the partition was
erased. I haven't seen it for a while, but I cannot access any of my
files.

No Novell partitions?
OK, I worked with IT support for a few years. I did what I learned
there, run fdisk, erase the partition, then create a new one. Then
format c:, and start over.

Delete partition and create partition worked okay?
(again no Novell partition?)
did fdisk

What do you mean by "I [...] did fdisk"?

I ran the fdisk utility, from DOS.

I understand now, but running fdisk can mean just displaying
the partition information. You have deleted *all* partitions
and created a single new DOS partition the same size as the
drive?
Yes I feel it was safe. This cleans the Master Boot Record.

This rewrites the area where the Master Boot Record is normally
found with what it determines to be the correct data and code for
the OS. Some systems have non-standard (as far as Microsoft is
concerned) data and code in that area, and fdisk /mbr will hose
the system good if used (it is an *undocumented* switch for a
reason). Some Dynamic Drive Overlays (DDO) are an example
of this.
I have one for ME, and for 98 SE. I think I used the ME 1st. (I have
done this many times, and use one then the other)

They may be the same, I'm not sure. I suppose it doesn't matter in this case.

I guess at this point you are willing to try anything.. :O)

It must be coming from somewhere, is it a logo?
I still don't quite understand what you mean by "Novell screen".
Unknown. Now remember, I am not a Novell person. I *never*
installed Novell. It came out of nowhere.

Part of Opas.k's payload (crap it writes to disk overwriting the users
data) is interpreted by the fdisk program as a "Novell" partition if I am
remembering correctly. This is why I keep mentioning it, but it won't
conjure up a "Novell screen" as far as I know.

(I am likely to be barking up the wrong tree wrt opas.k)
Yes, I did autodetect. It does not see it.

Yes, as mentioned above, with fdisk.

Yes again.

Not that I know of. The company is gone. I bought it new, and it
came with Windows 98 and drivers only.
Sometimes it does. Like, if I reboot it warm, (without shutting it
off completely) it may not even detect any hdd. Again, odd.

Have you replaced the CMOS battery lately? A failing battery
can cause some very strange problems.

(grasping at straws)
Opened it up, and found one.

Okay.
(never known a virus to *physically* hide a drive)
Norton 2002 AV. No password - this is a single user machine

Were you running an unpatched Windows box on the internet (which sort
of will
equate even the strongest of passwords to a single character)?

I ran ME and 98 with no password. I also kept the windowsupdate
current.

Does Fdisk show that you have a Novell partition?
Is there a partition that Fdisk cannot delete?

I'm sorry if I have wasted your time, it doesn't seem that I will
be able to help you with this problem ~ :o(
what is dis? Again, I am not a Novell guy, in case that is Novell
lingo.

It's not Novell lingo, but it is a side effect of a worm's
payload that I was referring to.

As far as I know, the "Novell screen" *must* be on the harddrive
that you supposedly have "erased", I can't think of where else it
could come from.
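FromTheRafters's questions above (does fdisk show a Novell partition, is there one it cannot delete, does fdisk /mbr overwrite a non-standard boot area such as a drive overlay) all come down to what sits in the first sector of the disk. The Python below is an added example, not code from this thread or from any tool it mentions: it parses a raw 512-byte MBR, checks the 0x55AA boot signature, decodes the four partition entries with their type IDs (0x64 and 0x65 are the NetWare types that fdisk labels "Novell"), and uses the three error strings carried by the standard Microsoft MBR boot code as a heuristic for whether the boot area is the DOS one, blank, or something else. It goes beyond the single case in the thread by handling four constructed situations; the sample sectors built by `build_mbr` are constructed data and all function names are mine.

```python
import struct

# Well-known MBR partition type IDs (the IDs DOS-era fdisk labels, e.g. "Novell")
PARTITION_TYPES = {
    0x00: "empty",
    0x01: "FAT12",
    0x04: "FAT16 (<32MB)",
    0x05: "Extended",
    0x06: "FAT16",
    0x07: "NTFS/HPFS",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)",
    0x0F: "Extended (LBA)",
    0x64: "Novell NetWare 286",
    0x65: "Novell NetWare 386",
}
NETWARE_TYPES = {0x64, 0x65}

# Error strings the standard Microsoft DOS/Win9x MBR boot code carries. Their
# presence is a heuristic for "the usual DOS boot code is here"; their absence
# in a non-blank boot area suggests an overlay or another non-standard loader.
MS_MBR_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature and the four partition entries of a 512-byte MBR."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:446]
    info = {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "boot_code_blank": boot_code == b"\x00" * 446,
        "looks_like_ms_boot_code": all(s in boot_code for s in MS_MBR_STRINGS),
        "entries": [],
    }
    for i in range(4):
        entry = sector[446 + 16 * i : 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]                      # byte 0 = active flag, byte 4 = type ID
        lba_start, sectors = struct.unpack_from("<II", entry, 8)  # bytes 8..15, little-endian
        info["entries"].append({
            "index": i,
            "bootable": status == 0x80,
            "type_id": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return info


def findings(info: dict) -> list:
    """Turn a parsed MBR into the observations a troubleshooter would want to see."""
    notes = []
    if not info["signature_ok"]:
        notes.append("no 0x55AA boot signature: the BIOS will skip this disk and fall through "
                     "to the next boot device")
    for e in info["entries"]:
        if e["type_id"] in NETWARE_TYPES:
            notes.append(f"entry {e['index']} has a Novell NetWare partition type "
                         f"(0x{e['type_id']:02X}); fdisk would list it as Novell")
    if any(e["type_id"] for e in info["entries"]) and not any(e["bootable"] for e in info["entries"]):
        notes.append("no partition is marked active, so nothing will be booted from this disk")
    if not info["boot_code_blank"] and not info["looks_like_ms_boot_code"]:
        notes.append("boot code area is non-blank but is not the standard DOS MBR code "
                     "(drive overlay or other non-standard loader?)")
    return notes


def build_mbr(entries, boot_code=b"", signature=b"\x55\xAA") -> bytes:
    """Construct a synthetic MBR for demonstration (constructed data, not a real disk).

    entries: iterable of (status, type_id, lba_start, sectors); CHS fields are left zero.
    """
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(
        bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)
        for status, ptype, lba_start, sectors in entries
    )
    return code + table.ljust(64, b"\x00") + signature


def demo() -> dict:
    """Four constructed sectors: healthy, NetWare-typed, zeroed disk, non-standard loader."""
    # Stand-in for Microsoft boot code: a few real opcode bytes plus the three error strings.
    ms_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * 40 + b"\x00".join(MS_MBR_STRINGS)
    images = {
        "healthy": build_mbr([(0x80, 0x0C, 63, 40_000_000)], boot_code=ms_code),
        "netware": build_mbr([(0x00, 0x65, 63, 40_000_000)], boot_code=ms_code),
        "zeroed": build_mbr([], boot_code=b"", signature=b"\x00\x00"),
        "overlay": build_mbr([(0x80, 0x0C, 63, 40_000_000)],
                             boot_code=b"\xEB\x3C\x90 hypothetical DDO loader"),
    }
    return {name: findings(parse_mbr(img)) for name, img in images.items()}


if __name__ == "__main__":
    for name, notes in demo().items():
        print(f"{name}: {notes or ['no findings']}")
```

To look at a real disk, read its first 512 bytes with raw device access as an administrator (for instance `open(r"\\.\PhysicalDrive0", "rb").read(512)` on Windows, or `/dev/sda` on Linux) and pass them to `parse_mbr`. A blank boot area plus a missing signature is what a freshly zeroed disk looks like, and it is exactly the state from which a BIOS gives up on the hard drive and moves to the next device in its boot order.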
 
Eric said:
OK - I boot up, the "normal" happens: memory count, IDE info,
searches boot device, then...
Clear screen, and in the upper right hand corner it says:
Novell Netware (and I think 'firmware' is mentioned), and some lines of
info NOT Windows related.
Then I get some invalid BOOT info. Then it asks me for a boot disk.
I am like, "Where did Windows go??" Then I curse to myself and hide
in my room.

I will go home and write down more info, so I can share exactly what it
says.

Now there's a novel idea (notice I *didn't* say Novell), give
accurate information to people who are trying to help you.
Allright, I'll come clean. It's a crack copy of XP. But, before....

....oh yeah, and telling the truth might be helpful too...

Do you lie to your doctor about those PCP laced marijuana
cigarettes too. ;o)
 
Just as an aside, this is what the Opas.k payload writes
to the harddrive:

NOTICE:

Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!

Your unauthorized license has been revoked.

For more information, please call us at:

1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information
on our website, at:

www.bsa.org

Business Software Alliance
Promoting a safe & legal online world.
 
Hi - I have an issue. Four months or so ago, I think I got a virus.

I would be working online, with Windows ME, connected to a DSL line.
One day, my harddrive light came on and stayed on. The PC would slow
down or just stop.
I then would reboot, and after the initial screen of memory/HDD
info, a NOVELL NETWARE screen comes up. I never put Novell on my PC.
Also, my harddrive was erased.

I since reloaded XP - worked a couple of weeks, and then WHAM! - same
thing. Then I tried 98SE. Every time, I then erased the hdd, did
fdisk and fdisk /mbr, with a (hopefully) clean boot disk. Something's
not right. Now it has gotten so bad, I took out memory and unplugged
it for 2 days, per someone's suggestion. Still, I fdisked (2x - once
with mbr), reboot, and whammo - Novell screen. It also does not see
the CD ROM. I have never seen anything like this. Anyone heard of
this? If so, what is the solution????

The computer was obviously hit by the payload of Opaserv.K. Check the following
articles/threads for more details:
http://groups.google.com/groups?q=opaserv.k+author:zvi+author:netiv

Read page www.invircible.com/item/19 and www.invircible.com/item/64 for what you
have been doing wrong.

Regards, Zvi
 
Have you updated\flashed the bios recently?
Have you a previous bios to restore?

Frank


 
FromTheRafters said:
No Novell partitions?

No. Never.
Delete partition and create partition worked okay?
(again no Novell partition?)

Sometimes. Lately the format ran through, then the verification on
the format failed at around 16%.
did fdisk

What do you mean by "I [...] did fdisk"?

I ran the fdisk utility, from DOS.

I understand now, but running fdisk can mean just displaying
the partition information. You have deleted *all* partitions
and created a single new DOS partition the same size as the
drive?

Correct. Standard DOS re-creation of a harddrive.
This rewrites the area where the Master Boot Record is normally
found with what it determines to be the correct data and code for
the OS. Some systems have non-standard (as far as Microsoft is
concerned) data and code in that area, and fdisk /mbr will hose
the system good if used (it is an *undocumented* switch for a
reason). Some Dynamic Drive Overlay's (DDO) are an example
of this.

Good point.
They may be the same, I'm not sure. I suppose it doesn't matter in this case.
Very close as far as I think. This may be the case - perhaps,
perhaps, one of the boot disks is infected. I might need to get a new
one. Hopefully that is all it is. I created a boot disk when I
thought my PC was clean, but maybe it was not clean.
I guess at this point you are willing to try anything.. :O)


It must be coming from somewhere, is it a logo?
I still don't quite understand what you mean by "Novell screen".


Part of Opas.k's payload (crap it writes to disk overwriting the users
data) is interpreted by the fdisk program as a "Novell" partition if I am
remembering correctly. This is why I keep mentioning it, but it won't
conjure up a "Novell screen" as far as I know.

(I am likely to be barking up the wrong tree wrt opas.k) May not be that then.



Have you replaced the CMOS battery lately? A failing battery
can cause some very strange problems.

(grasping at straws)

mmmm, that sounds like quite a long shot, but it may help.
Okay.
(never known a virus to *physically* hide a drive)


Does Fdisk show that you have a Novell partition?
Is there a partition that Fdisk cannot delete?

I'm sorry if I have wasted your time, it doesn't seem that I will
be able to help you with this problem ~ :o(
No - thanks for your help. All insight is helpful, and although I may
not know what is the exact source, I am glad to have people posting
who are intent on helping.
It's not Novell lingo, but it is a side effect of a worm's
payload that I was referring to.

Oh, thanks for that.


As far as I know, the "Novell screen" *must* be on the harddrive
that you supposedly have "erased", I can't think of where else it
could come from.

That is the unknown thing. I am surprised that nothing comes up when
I have performed a search.


Thanks again for trying.
 
FromTheRafters said:
Now there's a novel idea (notice I *didn't* say Novell), give
accurate information to people who are trying to help you.


...oh yeah, and telling the truth might be helpful too...

Do you lie to your doctor about those PCP laced marijuana
cigarettes too. ;o) -- very clever. your wit amuses me.

Just so you know, the original occurrence of this *Novell* activity
was when I had Windows ME loaded - a store-bought copy by me. I tried
XP as an alternative to ME. I then bought a *supposedly* legal copy
from ebay - it arrived as a cracked copy, and the person never
refunded my money, even after returning the copy of XP.

Also, ever heard - "if you have nothing nice to say, say nothing at
all?" this is a good case of when to apply this idea. Keep your
mouth shut.
 
Zvi Netiv said:
The computer was obviously hit by the payload of Opaserv.K. Check the following
articles/threads for more details:
http://groups.google.com/groups?q=opaserv.k+author:zvi+author:netiv

Read page www.invircible.com/item/19 and www.invircible.com/item/64 for what you
have been doing wrong.

Regards, Zvi

Thanks Zvi - I looked at the articles, and I did not see anything that
related to exactly what I had experienced. Again, what mine did was
freeze up, then upon reboot, it displays a screen saying "Novell
Firmware - rev. 1.00" and several lines of text, asking me to insert
a boot disk. Is that in the article that I may have missed?
 
FromTheRafters said:
Now there's a novel idea (notice I *didn't* say Novell), give
accurate information to people who are trying to help you.


...oh yeah, and telling the truth might be helpful too...

Do you lie to your doctor about those PCP laced marijuana
cigarettes too. ;o)

Just so you know, the original occurrence of this *Novell* activity
was when I had Windows ME loaded - a store-bought copy by me. I tried
XP as an alternative to ME. I then bought a *supposedly* legal copy
from ebay - it arrived as a cracked copy, and the person never
refunded my money, even after returning the copy of XP.

Also, ever heard - "if you have nothing nice to say, say nothing at
all?" this is a good case of when to apply this idea. That kind of
talk is really not helping.
 
Eric said:
Just so you know, the original occurrence of this *Novell* activity
was when I had Windows ME loaded - a store-bought copy by me. I tried
XP as an alternative to ME. I then bought a *supposedly* legal copy
from ebay - it arrived as a cracked copy, and the person never
refunded my money, even after returning the copy of XP.

Also, ever heard - "if you have nothing nice to say, say nothing at
all?" this is a good case of when to apply this idea. That kind of
talk is really not helping.

Maybe not the kind of help you wanted..

My apologies, it was just to point out that help can only be as good
as the information given. My dad would complain about pain in his
abdomen, but when visiting the doctor he would have no complaints.
He's dead now...and I will keep my mouth shut about your problem
from now on.

Maybe someone else will help you.
 
Eric said:
Just so you know, the original occurrence of this *Novell* activity
was when I had Windows ME loaded - a store-bought copy by me. I tried
XP as an alternative to ME. I then bought a *supposedly* legal copy
from ebay - it arrived as a cracked copy, and the person never
refunded my money, even after returning the copy of XP.

If you chase hard enough, eBay will take action against fraudsters. I
know, I've had success in getting a refund for faulty goods that were
inaccurately described. (Warranty expired despite the seller's claims.)

Tim
 
Thanks Zvi - I looked at the articles, and I did not see anything that
related to exactly what I had experienced. Again, what mine did was
freeze up, then upon reboot, it displays a screen saying "Novell
Firmware - rev. 1.00" and several lines of text, asking me to insert
a boot disk. Is that in the article that I may have missed?

OK - news - I found that whatever this is, it changes the BIOS.
1) It does erase my c:\, and the formatting is gone.

So, when I reboot, the sequence usually goes as dictated in the BIOS -
from device to device. It does not see anything on the boot record,
so it tries to "Boot from other device", then it tries to boot from
the network and Novell Netware appears on the screen.
So really, I think this thing erases the hdd, then goes after BIOS
settings.

2) It activates and disables settings in the BIOS. This is odd, it
changed all my boot options in my AMI BIOS to 'disabled'. That was
really weird.
 
On that special day, Eric, ([email protected]) said...
So, when I reboot, the sequence usually goes as dictated in the BIOS -
from device to device. It does not see anything on the boot record,
so it tries to "Boot from other device", then it tries to boot from
the network and Novell Netware appears on the screen.

Does your computer have a network card with a chip inserted? Such chips
are used for booting PCs in terminal mode, loading the OS from some
remote server instead of the hard disk.

This would mean it isn't a Novell OS loading, but your computer cannot
find anything to boot from (broken hard disk?), and tries to fetch the
OS from outside via said network card, and the network card contains a
chip with a very basic Novell OS, but can't go on, as there is no server
available.


Gabriele Neukam

(e-mail address removed)
 
Gabriele Neukam said:
On that special day, Eric, ([email protected]) said...


Does your computer have a network card with a chip inserted? Such chips
are used for booting PCs in terminal mode, loading the OS from some
remote server instead of the hard disk.

This would mean it isn't a Novell OS loading, but your computer cannot
find anything to boot from (broken hard disk?), and tries to fetch the
OS from outside via said network card, and the network card contains a
chip with a very basic Novell OS, but can't go on, as there is no server
available.


Gabriele Neukam

(e-mail address removed)

Ahh, this may be true. Symptoms are: my PC just freezes, and then all
this happens. Also, the BIOS sometimes loses settings. Maybe it's as
simple as a broken harddrive*, and, by default, it goes on to load
from a chip on the motherboard/network card since it can't read
anything on the hdd. (In my case, the network card is integrated with
the mainboard)
Well, that sounds like it may be it. Just a broken hdd.
I hope it's that simple.

*I'm sure I have a bad CMOS battery - it loses time frequently.

Eric
 