All times are UTC - 5 hours [ DST ]




 Post subject: I bet this will be a new one for you... So called "VIRUS"..
PostPosted: December 14th, 2013, 17:14 
Joined: March 8th, 2013, 16:29
Posts: 16
Location: london
Hi all, :) :)

I have a very unusual problem.

I have recently acquired a WD drive, the details are..

WD2500JD -00HBB0
BIOS 82H
FIRMWARE 08.02D08
DCM HSBACTJAA

WD CAVIAR SE/SE16 SATA 1

I regularly use MHDD to clrmbr, nhpa and either fasterase (internal secure wipe) or erase.

I do this for all the drives I work with to start from a clean slate.

I have worked on close to 80 drives in the last year and I have never come across this before.

When I attempt to action a "clrmbr" command, the usual warning confirm pops up... are you sure you want to clear the mounted boot record etc.. except in this case the word "VIRUS" (just like that in uppercase) pops up partially writing over the firmware revision code, waiting for a Y/N confirm to action the clrmbr command.

Pressing Y completes the clrmbr command without error and the correct firmware code is then displayed, i.e. 08.02D08

Also HD Sentinel reports the ATA checksum as being "INVALID"

Please view the video and photos I have made and stored in my Windows SkyDrive public folder. This will show you in real terms what the issue is.

The link is...

https://skydrive.live.com/redir?resid=5 ... der%2c.png

I am experiencing some serious (equipment damaging) stability issues randomly, these appear to be voltage related but this has been going on since before I owned the drive.

The drive is 100% healthy and has 100% performance. For a ten year old drive it only has an uptime of 240 days, which is extremely low.

Also there is no clicking, scraping, dragging or any type of untoward noise coming from the drive which would indicate a fault.

I have worked with many drives that have bad sectors or data transfer problems and this drive does not display any similar symptoms, i.e. delayed boot, slow data transfer, abnormal noises, fail to boot, Windows freeze etc etc etc

The other thing which seems relevant is that I don't believe MHDD has virus detection capabilities, perhaps someone could confirm that belief.

So how on earth is MHDD throwing that up?

I'm guessing that someone has intentionally managed to access the firmware, replaced the firmware code somewhere in the hex to the word VIRUS and then reflashed the hdd. That would explain why the ATA checksum - primarily drive label information - comes up invalid.

The odd thing about that is, it's illogical to blatantly advertise any virus if your objective is to infect a system...

I have a hunch that this change was done to get a reaction as opposed to there actually being any virus present in the firmware.

I have also scanned the drive with Kaspersky Rescue Disc 10, and it's no surprise that no virus has been detected.


Any ideas or precedents here would be appreciated. :)


 Post subject: Re: I bet this will be a new one for you... So called "VIRUS
PostPosted: December 15th, 2013, 4:09 
Joined: December 4th, 2012, 1:35
Posts: 3903
Location: Adelaide, Australia
Hi there.
That's a very interesting video.
A side note is you call the MBR the "Mounted Boot Record" and I always assumed it was the "Master Boot record". No point to make on this, as many people use names for things differently (motherboard/Mainboard) but I thought it was interesting.

It sounds like the Firmware has been infected or made to look like it has been. The interesting thing is why the firmware displays properly at times and VIRUS other times.

Do you have any way of getting a copy of the firmware off the drive?
If you open the drive up in say HxD or winhex and view sectors, do you see that string anywhere?

Without knowing more about this, it may be possible you have stumbled upon something of interest to people in the InfoSec community, Malware companies etc. It is possible, as the drive is quite old, that it has a known virus, but identifying that might be difficult today if you aren't familiar with them.

I don't recall hearing if the same thing happens on a different computer with a different copy of MHDD (though I agree you've probably ruled out software tampering of MHDD.exe). It may be possible for malware resident on a system to wait for an ATA command and if executed, return that string.

Do you have any other drives similar that you can test if it happens on that system?

What about the origin/history of the drive? Anything at all of interest there?

I'm leaning towards a firmware edit, as there isn't a lot of room in the firmware for malware. It is possible though. And I also puzzle as to why it would display that due to supposed stealth capabilities being a better idea..

I would love to write it off as someone playing around with the firmware, but you always should be cautious just assuming the perceived obvious. Have you heard of "Bad BIOS"? It is an issue a fairly respected researcher has claimed has infected his network, possibly transmitting across air gaps using the PC speaker among other things. Some people dismiss it, but also a lot of people are hedging their bets.

I wouldn't be doing anything to damage/edit/potentially lose the evidence if there is a chance this turns out to be more than a simple prank or old virus.

BTW, 240 days is potentially suspicious I agree.

Thanks for sharing, I wish I had found it to research! Look forward to more info.


 Post subject: Re: I bet this will be a new one for you... So called "VIRUS
PostPosted: December 15th, 2013, 18:30 
Joined: August 18th, 2010, 17:35
Posts: 3669
Location: Massachusetts, USA
Curious... does the drive ID with the "virus" string on any other tool, DOS tool, whatever?

_________________
Hard Disk Drive (HDD), Solid State Drive (SSD, SATA, NVMe, etc), USB Flash Drive and RAID Data Recovery Specialist in Massachusetts
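
The firmware revision string and the "ATA checksum" raised in this thread are both fields of the drive's 512-byte ATA IDENTIFY DEVICE response. The following Python is an added example, not part of any post above and not code from MHDD or HD Sentinel; it decodes those fields from a captured block and checks the integrity word. The function names, the serial number and the sample blocks are constructed for illustration; the model and firmware strings are the ones quoted in the first post.

```python
# Added example: decode ATA IDENTIFY DEVICE strings and the integrity word (constructed data).

def ata_string(block: bytes, first_word: int, last_word: int) -> str:
    """ATA text fields hold two ASCII characters per 16-bit word, high byte first."""
    raw = block[first_word * 2:(last_word + 1) * 2]
    swapped = bytearray(len(raw))
    swapped[0::2] = raw[1::2]
    swapped[1::2] = raw[0::2]
    return swapped.decode("ascii", errors="replace").strip()

def integrity_state(block: bytes) -> str:
    """Word 255: low byte 0xA5 marks a checksum in the high byte; all 512 bytes sum to 0."""
    if block[510] != 0xA5:
        return "absent"              # the integrity word is optional
    return "valid" if sum(block) % 256 == 0 else "invalid"

def inspect_identify(block: bytes) -> dict:
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data is exactly 512 bytes")
    return {
        "serial": ata_string(block, 10, 19),
        "firmware": ata_string(block, 23, 26),
        "model": ata_string(block, 27, 46),
        "integrity": integrity_state(block),
    }

def put_ata_string(block: bytearray, first_word: int, last_word: int, text: str) -> None:
    """Helper for building constructed samples: space-pad and byte-swap into place."""
    size = (last_word - first_word + 1) * 2
    padded = text.ljust(size).encode("ascii")
    field = bytearray(size)
    field[0::2] = padded[1::2]
    field[1::2] = padded[0::2]
    block[first_word * 2:first_word * 2 + size] = field

def constructed_sample(firmware: str = "08.02D08") -> bytearray:
    block = bytearray(512)
    put_ata_string(block, 10, 19, "WD-CONSTRUCTED0001")   # made-up serial number
    put_ata_string(block, 27, 46, "WD2500JD-00HBB0")
    put_ata_string(block, 23, 26, firmware)
    block[510] = 0xA5
    block[511] = (-sum(block[:511])) % 256                # two's-complement checksum
    return block

if __name__ == "__main__":
    good = constructed_sample()
    altered = bytearray(good)
    put_ata_string(altered, 23, 26, "VIRUS")              # field changed, checksum left stale
    print(inspect_identify(good), inspect_identify(altered), sep="\n")
```

An "invalid" result only says that the block's bytes and its stored checksum disagree; it does not identify which field differs or why, so comparing dumps taken with different tools and host machines remains the useful cross-check.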

