RE: ISA Server Crash - More Information
From: Laurence Hartje (laurenceh healthforcepartners.com)
Date: Thu Apr 01 2004 - 09:46:13 CST

I'm by no means an NTFS expert, nor have I had to fight with the Witty
worm, but I would expect if it happened to corrupt the beginning of the
MFT (and the MFT mirror) then you would lose all the data on the drive.
Maybe you just happened to get "lucky" in that respect -- although who
knows how much data would still be on the drive even if the MFT
survived.

If the machine just recently crashed, it might have been infected for a
week or longer, since the worm started its spread around the 19th of
March.

Have you checked the integrity of all the data on the second partition?
Since the worm seems to select random sectors from the disk, you might
see some corruption of the data that was on the second partition. It
might give some answers to your questions.

FYI, it appears that the patch for BlackIce was made available March
9th.

Laurence

-----Original Message-----
From: Bill Hays [mailto:wjhays sbcglobal.net]
Sent: Wednesday, March 31, 2004 4:53 PM
To: focus-ms securityfocus.com
Cc: wjhays sbcglobal.net
Subject: ISA Server Crash - More Information

I appreciate all the responses that I have received, but I still have
one big question. Everything that I have read doesn't say anything
about the Witty worm basically erasing a hard drive. Everything that I
have read states that it over-writes the data until the infected machine
crashes if it is not rebooted before it over-writes the boot sector;
which then can cause other serious problems. Am I missing something?

As requested by most everyone, here is more information on my system. I
want to tell everyone that this hard drive had two partitions and only
the second partition survived. The active partition was the one
erased/crashed. I am pretty certain that the C:\ partition was
completely empty. Can anyone advise? Also, the system was running ISA
and Black Ice because that was the way it was configured by someone before
me. I inquired about this when I first started working here and was
told this was double security; I think more like double trouble
personally. As for whether or not Black Ice was updated I know as I
wasn't here when it was built and I haven't done any updates since I
arrived back in the last month.

Also can anyone please tell me if Win2K Server can in fact be formatted
while the system is up and running? I've been pretty lucky I guess in
all the years I've been doing this (8 yrs) that I've never had anything
like this happen.

Thanks again for everyone's help;
Bill Hays
IT Support Specialist
MCP (NT4&W2K)