Kitz Forum

Computer Software => Security => Topic started by: dave.m on January 11, 2008, 07:58:23 PM

Title: Mebroot
Post by: dave.m on January 11, 2008, 07:58:23 PM
Serious reading from the BBC:
http://news.bbc.co.uk/1/hi/technology/7183008.stm
dave
Title: Re: Mebroot
Post by: kitz on January 11, 2008, 09:58:34 PM
Interesting that that article states

"Although the password-stealing programs that Mebroot installs can be found by security software, few commercial anti-virus packages currently detect its presence. Mebroot cannot be removed while a computer is running."

Yet most of the security software companies I just looked at say their product detects it.
McAfee states "the risk assessment of this threat has been updated to Low-Profiled due to media attention".

It's interesting to note that Elia Florio from Symantec, whose name they quoted, has this article on the Symantec site (http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=1).

Quote
Trojan.Mebroot
Risk Level 1: Very Low
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Moderate
Removal: Easy


During our tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry.


Dunno if I'm being blasé since MBR viruses aren't anything new and maybe I place too much trust in the simple stuff like ensuring your o/s patches and AV definitions are kept up to date.
Title: Re: Mebroot
Post by: oldfogy on January 11, 2008, 10:18:52 PM
Quote

Mebroot cannot be removed while a computer is running.

Quote

During our tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry.

?

Have I misread something here?
Title: Re: Mebroot
Post by: mr_chris on January 11, 2008, 10:57:41 PM
No you haven't - they mean it can't be removed whilst a computer is running in its normal operation, i.e. while Windows is running. You boot into the recovery console with the XP CD and it loads a special version of a Windows command prompt from the CD, which enables you to do stuff to the PC that Windows wouldn't normally let you do.

Hope that helps :)
Title: Re: Mebroot
Post by: oldfogy on January 11, 2008, 11:16:46 PM
Thanks Chris,
I thought for a moment that people were contradicting each other. (from the sources that is)
Title: Re: Mebroot
Post by: kitz on January 12, 2008, 01:34:17 AM
>> I thought for a moment that people were contradicting each other.

tbh OF I'm not surprised, and I too could also see the average bod thinking by that statement it meant that you'd have to take the whole PC into a repair shop or something.

Also, to me the original article seemed to make things out to be much more serious than they perhaps were.
ok so an MBR virus isn't nice...  but the fact is that it can be picked up by AV software.... and so you have to go into the recovery console to do an MBR fix.

But I've encountered many trojans or malware that would take much longer than that to fix.

>> "the risk assessment of this threat has been updated to Low-Profiled due to media attention".

I think that says it all really...  maybe it was a slow reporting week in the IT industry and there wasn't much exciting news around to report on. ;)

Title: Re: Mebroot
Post by: oldfogy on January 12, 2008, 04:44:59 AM

Quote

.... and so you have to go into the recovery console to do an MBR fix.

If that's the same recovery console (which I think it is) as the console to carry out a Windows repair, then I for one would be up the creek without the proverbial paddle, because I can't get to use the recovery console as it asks for an administrator's password, which I do not have, even though I am the only person to use this PC.
This is even after I have re-installed Windows myself.
Title: Re: Mebroot
Post by: Accordion on January 12, 2008, 10:22:25 AM
OF - if you didn't set an administrator password, then you should be able to proceed without entering any password.
Title: Re: Mebroot
Post by: mr_chris on January 12, 2008, 02:20:37 PM
Yeah - during the Windows installation routine, you would have been asked for an Administrator password. Like Dave says, if you don't remember providing one, it's probably blank.

If by any chance that doesn't work, and you had an 'old fogy moment' ;) when installing Windows, and can't remember what password you put in, you can do the following to quickly reset the password to blank (assuming of course that the user account you use normally is a computer administrator, which I presume it is)

Go to command prompt (Start - Run - cmd) and then type
net user administrator "" [Enter]

It should say "The command completed successfully.", and then the Administrator password will now be blank

Similarly you can type net user administrator "newpassword" and it will set it to whatever you type. Note that the quotes aren't strictly necessary, but they are when blanking the password and putting in a password that contains spaces.

Hope this helps :)
Title: Re: Mebroot
Post by: oldfogy on January 12, 2008, 09:55:29 PM

Quote

OF - if you didn't set an administrator password, then you should be able to proceed without entering any password.

Quote

during the Windows installation routine, you would have been asked for an Administrator password.
Like Dave says, if you don't remember providing one, it's probably blank.

As no other person has access to my PC, I have no need to ever set passwords.

I had also tried to access the control panel using blank (no password) but also without any luck.
As this particular PC was supplied with an OEM disc and was originally set up by the manufacturer, I always assumed it was because of the way it was originally set up.
And I can't remember whether I have tried to access it since, even after a fresh re-install because of not being able to access it on previous occasion/s, so it seemed just as quick, not to mention getting rid of all and any leftovers just to do a complete install.



Quote

Go to command prompt (Start - Run - cmd) and then type
net user administrator "" [Enter]

It should say "The command completed successfully.", and then the Administrator password will now be blank

Similarly you can type net user administrator "newpassword" and it will set it to whatever you type. Note that the quotes aren't strictly necessary, but they are when blanking the password and putting in a password that contains spaces.

Hope this helps :)
Thanks for the info people, I hope it will come in handy should the occasion occur.