Data recovery and disk repair questions and discussions related to old-fashioned SATA, SAS, SCSI, IDE, MFM hard drives - any type of storage device that has moving parts

Does a virus exist that does a low-level format?

December 30th, 2015, 16:16

Hello Guy,

Has anyone heard about a virus that copies itself into local RAM, then reboots the system and runs a low-level format on the local hard drive(s)?

Today I got a drive with a low-level format from a technician, and he told me that his friend overseas has heard about such an anonymous virus.

I have never seen that virus before, even though the method is quite logical.

Re: Does a virus exist that does a low-level format?

December 30th, 2015, 17:49

If the virus were to write itself into RAM then reboot, it would be deleted from RAM, wouldn't it? I suppose it's possible that a virus could write in its own bootable script to run on startup that could wipe a drive, but I'm not familiar with any that actually do this. Seems more likely that someone, possibly the technician, screwed up.

I did once however have a HDD come in for recovery that was very strange. It had been a MacOS boot drive, but stopped working. I discovered that it was damage to the firmware, made the necessary repairs, and got the drive working. However, it was completely blank afterward, nothing but zeros from beginning to end. The customer swears I was the first one to look at it, but who knows if that's really true.

Re: Does a virus exist that does a low-level format?

December 30th, 2015, 21:21

I did more research on the drive and found that only the first sector is occupied, with the following data, and ALL the OTHER sectors are zeroes.

Does it seem like a virus job or like someone's action?
The drive, as I was told, contained some Windows (XP/7) before it died.

Code:
0x0000   33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00   3.....|......|..
0x0010   06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00   .......Ph.......
0x0020   BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10   ....~..|........
0x0030   E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00   .....V.U.F...F..
0x0040   B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09   .A..U..]r...U.u.
0x0050   F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74   ....t..F.f`.~..t
0x0060   26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00   &fh....f.v.h..h.
0x0070   7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13   |h..h...B.V.....
0x0080   9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00   ............|.V.
0x0090   8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE   .v..N..n...fas..
0x00A0   4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84   N.u..~..........
0x00B0   55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55   U2..V...]...>.}U
0x00C0   AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64   .un.v....u.....d
0x00D0   E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75   ......`.|....d.u
0x00E0   00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54   .......f#.u;f..T
0x00F0   43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00   CPAu2....r,fh...
0x0100   00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66   .fh....fh....fSf
0x0110   53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66   SfUfh....fh.|..f
0x0120   61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD   ah.....Z2...|...
0x0130   18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4   ..............2.
0x0140   05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD   ......<.t.......
0x0150   10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8   ......+..d..$...
0x0160   24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69   $..Invalid parti
0x0170   74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72   tion table.Error
0x0180   20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69    loading operati
0x0190   6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E   ng system.Missin
0x01A0   67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74   g operating syst
0x01B0   65 6D 00 00 00 63 7B 9A 4A 11 40 68 00 00 00 00   em...c{.J.@h....
0x01C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............U.

Re: Does a virus exist that does a low-level format?

December 31st, 2015, 2:53

That looks like a standard Windows 7/8 MBR with an empty partition table.

http://thestarman.pcministry.com/asm/mbr/W7MBR.htm#CHS
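A sector-0 triage check, written here as an added example (not code from the thread or from the linked page): it parses the fields the identification above rests on, the boot signature, the four partition entries, the message offsets and the disk signature, and classifies the sector. The sample sector is constructed to mirror the layout of the posted dump (the same three message strings at 0x163, the offsets 63 7B 9A, the disk signature 4A 11 40 68, an all-zero table and 55 AA), with the bulk of the boot code replaced by its opening bytes plus zero padding.

```python
import struct

# The three messages every Microsoft MBR (XP through 8) carries; their offsets sit at 0x1B5..0x1B7.
MBR_STRINGS = (b"Invalid partition table", b"Error loading operating system",
               b"Missing operating system")

def parse_mbr(sector: bytes) -> dict:
    """Extract the forensically interesting fields from a 512-byte sector 0."""
    assert len(sector) == 512, "expected one 512-byte sector"
    partitions = []
    for i in range(4):                          # four 16-byte entries from 0x1BE
        e = sector[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        if e == b"\x00" * 16:
            continue                            # unused entry
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        partitions.append({"bootable": e[0] == 0x80, "type": e[4],
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_signature_ok": sector[510:512] == b"\x55\xAA",
        "disk_signature": sector[0x1B8:0x1BC].hex(),
        "boot_code_present": any(sector[:0x1B5]),
        "windows_strings": all(s in sector for s in MBR_STRINGS),
        "partitions": partitions,
    }

def classify(sector: bytes) -> str:
    """Distinguish a never-initialised disk from one that was wiped and then initialised."""
    info = parse_mbr(sector)
    if not info["boot_signature_ok"]:
        return "no valid MBR"
    if info["partitions"]:
        return "partitioned"
    return "initialised, empty partition table" if info["boot_code_present"] else "blank"

def count_nonzero_sectors(image: bytes, sector_size: int = 512) -> int:
    """Count sectors holding any non-zero byte; a zero-filled drive yields 1 (the MBR) or 0."""
    return sum(1 for off in range(0, len(image), sector_size)
               if any(image[off:off + sector_size]))

# Constructed sample modelled on the posted dump; boot code truncated to its first bytes.
_s = bytearray(512)
_s[0:6] = bytes.fromhex("33C08ED0BC00")         # start of the real boot code
_msgs = b"\x00".join(MBR_STRINGS) + b"\x00"
_s[0x163:0x163 + len(_msgs)] = _msgs            # messages at 0x163 / 0x17B / 0x19A
_s[0x1B5:0x1B8] = bytes.fromhex("637B9A")       # message offset table from the dump
_s[0x1B8:0x1BC] = bytes.fromhex("4A114068")     # NT disk signature from the dump
_s[510:512] = b"\x55\xAA"                       # boot signature; table left all-zero
SAMPLE_MBR = bytes(_s)
```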

Re: Does a virus exist that does a low-level format?

December 31st, 2015, 7:52

fzabkar wrote: That looks like a standard Windows 7/8 MBR with an empty partition table.

http://thestarman.pcministry.com/asm/mbr/W7MBR.htm#CHS

So does it seem like a virus job or not?

Re: Does a virus exist that does a low-level format?

December 31st, 2015, 8:10

In my experience, most of the time, the "virus" is really a tech trying to cover up his mistake of losing all the data.

Re: Does a virus exist that does a low-level format?

December 31st, 2015, 17:10

The drive looks like it has been zero-filled and then "initialised". I can't imagine that a virus would bother to initialise a drive after wiping it. In any case, most malware attempts to extract some kind of gain from the victim, financial or otherwise. Nothing would be gained by wiping a drive, so it seems pointless.

Re: Does a virus exist that does a low-level format?

December 31st, 2015, 18:59

About 17 years ago, I had both of the drives on my PC wiped by the "Chode" worm IIRC, which ended with "Gotcha, M-- F--." I don't know what the author/perp gained from that.

Edit: I believe this is what it was.

Re: Does a virus exist that does a low-level format?

December 31st, 2015, 22:40

After the fall of communist governments in the USSR and Eastern Bloc, organised crime was privatised. I suspect that most modern malware derives from these sources, either directly or indirectly.

Re: Does a virus exist that does a low-level format?

January 1st, 2016, 1:59

fzabkar wrote: The drive looks like it has been zero-filled and then "initialised". I can't imagine that a virus would bother to initialise a drive after wiping it. In any case, most malware attempts to extract some kind of gain from the victim, financial or otherwise. Nothing would be gained by wiping a drive, so it seems pointless.

Hello Frank, "Happy New Year, Brother",

A few months ago I got a call from a nearby town; the guy told me to collect an HDD for data recovery. We sent a guy to his place, and once I got it I found out that the entire drive was zero-filled. The HDD was perfect, not even a single bad sector in it. I called up the person and asked him the real story; this is what he said:

"He had given this HDD to a company, and that company claimed they could not do it, hence they got someone who looked into the case remotely [but as that guy was super intelligent, he demanded approx. USD 1000 for this job]."

So I asked my client if he knew this guy, and he said yes, it's his routine computer guy. Well, I suspected some foul play in this, and hence I asked him to get this guy to my office. The visit was scheduled 2 days later, and once the guy was there I made that engineer sit in a chair and started asking him technical questions about logical data recovery, to a point where actually I was discussing this case only. So in the end I asked him, "Where the #$#^#^ was the data, and if we do not get it we will complain to the police for cyber theft and ransom." Within 2 days my client got the data. Though I did not even get a penny for this job, I felt very nice and special.

PS: Now I get data recovery jobs from that engineer :D