
How do I remove a boot sector virus under Windows NT (NTFS)?

Heidrun / 6 replies

I have Win NT 4.0 and caught the boot sector virus Jack Ripper. How can I remove this virus? Even with an NT boot floppy, the machine still boots into Win NT. With a Win 95/98 CD I could get into DOS (FAT), but the virus is in NTFS. Can I still enter "fdisk /mbr" there? I have read instructions for removing boot viruses, but how does that work for NT (NTFS)?
One more thing: is this virus spread along with my e-mails?

(Anonymous), replying to Heidrun, "How do I remove a boot sector virus under Windows NT (NTFS)?"

Below is a description of the virus (it is ancient, after all). Download AntiVir from www.hbedv.de; it can remove it for you.
Virus Profile

Ripper is a Medium risk Virus
Virus Name: Ripper
Date Added: 11/15/93

VIRUS FAMILY STATISTICS - Past 30 Days
Virus Name: Ripper
Infected Computers: 11
Files Scanned: 13,911
% Infected Files: 0.00



Virus Characteristics
Ripper is an encrypting, memory resident, Master Boot Record (MBR)/Boot Sector infector. It is a "Stealth" virus. MBR/Boot Sector viruses are some of the most successful viruses. They are fairly easy to write, and they take control of the computer at a low level.
Upon infection, Ripper becomes memory resident at the top of system memory and infects the hard disk's Master Boot Record. Ripper is two sectors in length. It relocates the original boot sector to the last sector of the root directory and stores itself in the original boot sector and in the second to the last sector of the root directory.

When the Ripper virus infects diskettes, it copies the original boot sector to the last sector of the root directory. On 5.25" double density diskettes, this will be sector 11. On 5.25" high density diskettes, it is sector 17. The Ripper viral code is two sectors long, the first sector overwriting the original boot sector of the diskette, and the second sector being written to the second to the last sector of the disk's root directory.

Ripper is a destructive virus, corrupting 1 out of every 1000 disk writes to the drive, by swapping words in the write buffer. This destructive action is very slow and can go unnoticed for a long period before one notices the corruption.

Ripper is a stealth virus, and is capable of preventing a read of the viral code on the system hard disk and on diskette boot sectors when it is memory resident. When a program attempts to read either a diskette boot sector or the system hard disk master boot sector, the virus will display the original boot sector. As such it is quite difficult to detect the viral infection. If a Ripper viral infection is suspected, the system should be cold booted from a known uninfected, write-protected system diskette and then checked.

Additional Comments:
The Ripper virus was first reported in November, 1993 from Norway, and shortly after from England. Many reports of this virus were also received from sites in the United States during 1994. The sample analyzed here was isolated in April, 1995 and is from the United States. Ripper is a memory resident stealth virus which infects diskette boot sectors and the system hard disk master boot sector. It is a destructive virus.

Systems become infected with the Ripper virus when they are booted or attempted to be booted from an infected diskette. At this time, the Ripper virus will become memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,048 bytes. Also at this time, the Ripper virus will infect the system hard disk master boot sector if it was not previously infected. If the diskette was a system diskette, then the boot will proceed; if not, then the user will be prompted for a system diskette. Once the system hard disk master boot sector has been infected with the Ripper virus, the virus will become memory resident when the system is booted from the system hard disk.

Once the Ripper virus is memory resident, it will infect any non-write-protected diskette which is accessed on the system. When the Ripper virus infects diskettes, it copies the original boot sector to the last sector of the root directory. On 5.25 inch double density diskettes, this will be sector 11. On 5.25 inch high density diskettes, it is sector 17. The Ripper viral code is two sectors long, the first sector overwriting the original boot sector of the diskette, and the second sector being written to the sector before the last sector of the disk's root directory.

No text strings are visible within the viral code as the Ripper virus is an encrypted virus. The following two text strings are encrypted within the viral code: "FUCK 'EM UP" "(C)1992 Jack Ripper"

Ripper is a stealth virus, the virus preventing a read of the viral code on the system hard disk and on diskette boot sectors when it is memory resident. When a program attempts to read either a


Indications Of Infection
Ripper is similar to most Boot Sector infecting viruses with one major exception: it does not store a copy of the original partition sector elsewhere on the disk. The virus contains the encrypted message: "(Expletive) 'EM UP" "[C] 1992 Jack Ripper". Total system memory, as indicated by the DOS CHKDSK program, decreases by 2,048 bytes. The user may experience problems running programs requiring upper memory, and difficulty accessing disk drives.

Method Of Infection
The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal Instructions

Windows 95/98:
Note for Windows 9x systems - during the boot process, a Windows 95 created boot disk will access the hard drive for information. Because of this, an image of the virus may be in memory but not active.

To remove the virus, follow these steps:
- If you use the McAfee emergency disk, hit F8 at the "Starting Windows 95" message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the A: prompt, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus-free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.
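Added example, not part of the forum post and not McAfee's or AntiVir's code: the profile above says Ripper encrypts its loader, sits in the MBR, and while resident hands any reader the original sector, so the only trustworthy image is one taken after a cold boot from clean, write-protected media. The script below shows the checks an analyst can run on such a 512-byte MBR image offline: boot signature present, partition table sane, bootstrap-code entropy (high entropy suggests encrypted or packed code, a heuristic, not a Ripper signature), and a byte comparison against a known-clean baseline. Both sample images are constructed here; the "suspect" one uses seeded pseudo-random bytes in place of an encrypted loader and contains no virus code.

```python
"""Added example (not from the forum post, McAfee or AntiVir): sanity checks on a
512-byte MBR image of the kind the Ripper description above implies.
All sample images below are constructed; no real virus code is used."""
import math
import random
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445 hold the boot code
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
ENTROPY_THRESHOLD = 6.0        # bits/byte; plain DOS/NT boot code sits well below this (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition-table entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        # 1 status byte, 3 CHS-start bytes (skipped), 1 type byte, 3 CHS-end bytes (skipped),
        # then two little-endian 32-bit values: starting LBA and sector count.
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline: bytes = None) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"image is {len(mbr)} bytes, expected {MBR_SIZE}"]
    if mbr[-2:] != BOOT_SIGNATURE:
        findings.append("missing 55AA boot signature")
    parts = parse_partitions(mbr)
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("partition entry with invalid status byte")
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    # Used partition entries must not overlap each other.
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts if p["sectors"])
    for (s1, e1), (s2, e2) in zip(used, used[1:]):
        if s2 < e1:
            findings.append("overlapping partition entries")
            break
    ent = shannon_entropy(mbr[:BOOTSTRAP_LEN])
    if ent > ENTROPY_THRESHOLD:
        findings.append(f"bootstrap code entropy {ent:.2f} bits/byte, looks encrypted or packed")
    # A resident stealth virus returns the original sector to readers, so the baseline must
    # come from a cold boot off clean media; only then is a byte comparison meaningful.
    if baseline is not None and baseline[:BOOTSTRAP_LEN] != mbr[:BOOTSTRAP_LEN]:
        findings.append("bootstrap code differs from the clean baseline image")
    return findings


def make_partition_table(entries) -> bytes:
    """Pack (status, type, lba_start, sectors) tuples into the 64-byte partition table."""
    return b"".join(struct.pack("<B3xB3xII", s, t, start, count) for s, t, start, count in entries)


# Constructed "clean" image: a short stub followed by zero padding, one active NTFS (0x07) partition.
CLEAN_CODE = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 8).ljust(BOOTSTRAP_LEN, b"\x00")
PART_TABLE = make_partition_table([(0x80, 0x07, 63, 2_000_000), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)])
CLEAN_MBR = CLEAN_CODE + PART_TABLE + BOOT_SIGNATURE

# Constructed "suspect" image: same partition table, bootstrap replaced by seeded pseudo-random
# bytes standing in for an encrypted loader (repeatable run; not virus code).
_rng = random.Random(1993)
ENCRYPTED_CODE = bytes(_rng.getrandbits(8) for _ in range(BOOTSTRAP_LEN))
SUSPECT_MBR = ENCRYPTED_CODE + PART_TABLE + BOOT_SIGNATURE

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        print(name, check_mbr(img, baseline=CLEAN_MBR) or ["no findings"])
```

Run it on a sector image dumped after a cold boot from clean media (dd, a hex editor or a DOS sector tool all produce the same 512 bytes); the entropy cut-off is a heuristic that separates ordinary boot code from encrypted payloads, and the baseline comparison is the only check that is definitive.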
