PDA

View Full Version : Motherfucker!


No longer Trippin
20-09-2003, 01:32:55
Scratch 3 15k 36gb Seagate Cheetahs, 2 18 gb 15k Cheetahs, and 1 WD 120gb 7200 JB series drive all thanks to my fucking college having a pirated copy of something on there which set off CDiLLA which isn't supposed to jump to floppies anyways - at least all known versions I know of and others I just talked to have. It doesn't show up as a virus (as technically it's copy protection, a la safedisk), it's memory resident, writes to the bios and to the EPROM's on all drives from an infected disk along with writing to the MBR (floppy from shit I "had" to work on in lit over there and finish here for a grade must have gotten it on the MBR). Can't remove it from HDD's, can replace the eprom for the bios to salvage the motherboard, but that is it. Also flashes itself to the controller card for the SCSI drives I've been told. Seems I just had a few thousand dollars flushed down the fucking toilet thanks to that damned teacher. Only up and running on an old kt133a board that is running on a fucking Duron. This really pisses me off. All the warranties on the drives are null and void as since it's copy protection software, it means it is user damage. CDilla isn't even supposed to fucking jump through floppies, they never designed it to as that would make it a virus, not protection. However they setup the damned lab there at school though, it fucking did (How the fuck do you get XP to think a floppy drive is a mounted disk? Seriously, anyone got that answer? As that is the only way it would jump to a floppy. Real cute, really fucking cute). Anybody wanna guess how fucking pissed I am? Lost a shitload of work, have to reinstall fucking everything on top of doing a cheap new build (they discountinued my mobo 8rda+ only a few days ago, so my backups are shit unless I replace the eprom on it and get my mobo working without infecting everything it touches) so I'm not running in the dark ages as well as cheerfully having to accept a few thousand in hardware is now fucking trash. ARGH!

Those fuckers who make safedisk should be fucking shot, along with the damned IT dept. that figured out how to make a floppy a permanent mounted disk some damned way and still work. FUCK!

Deacon
20-09-2003, 04:28:12
Ouch. The whole lot of virus writers and copy protection people would not be missed if they were to be grabbed by guys in black fatigues in the middle of the night.

No longer Trippin
20-09-2003, 06:22:43
No shit... That shit should be fucking illegal, EULA or fucking not. The protection has been known to go off with the real copy on several products already, though generally it works as it should, only going off with copies, still, I have no fucking idea how it made it onto the floppy. Had a version come down on an old comp when using a backup MS copy of 2000... that's how I got to know Cdilla fairly well. It wouldn't move to floppies. This had all the signs of it. Disk errors - RAID array wouldn't mount, the other drive worked "fine" just was slow. Was having trouble with stuff on the PCI bus, then my mouse started going to shit. Same pattern of stuff basically. Looked at my processes and Cdilla was staring me in the fucking face. Too bad there are like 50 versions of the damned program - some aren't bad, some are real bad. Spybot removes the older ones, but the virulent, nasty new fuckers it doesn't even recognize other than the process - and there is tons more to it than the process sadly. Legacy CD-ROM drivers become primary, can't remove them from registry, then go the PCI devices slowly, though it'll keep IDE drives alive generally - so if you swap out motherboards, even with a format w/MBR from a box it will still hit the new mobo as it sits in the infected drives EPROM as well as MBR and moves the data on the EPROM to the HDD I'm assuming if it doesn't have room since the disk access times go way the fuck up. Viruses at least you can remove, this fucker you can't. I'm seriously thinking of checking my legal options since I was forced to use their machine and it isn't like they are hurting for cash anyhow. Probably can't do shit about it, but if I can get money back, you bet your ass I will. SCSI drives and controller cards aren't cheap. The 120 JB and the 8rda+ are cost that I can eat a bit more easily than the rest. That shit should be illegal, period.

Already ordered a new EPROM for my mobo and will use one of my 200gb backup drives for the time being for everything. I'm not buying a new setup with the A64, PCI-Express, SATA 450/600 and DDR 2 on next years list of goodies that will be coming out. I'd be pissing money away there if I did. I can squeeze 2.4 ghz out my 2500 barton, so I'm in no need to upgrade and if a 15 buck eprom can save me from having to spend 120 on a new board, that is fine by me as SATA hasn't matured yet and there is just too much that is due to change with the BTX form factor on the horizon as well.

notyoueither
20-09-2003, 08:03:11
Well actually....

I have never heard of a warranty voided by anything other than physical mangling. Send your drives in. You will get replacements.

Secondly, if this is some kind of copy protection, then SUE their asses off. Seriously. If any moron in a suit ever put such a beast out there, then that knuckle dragger would seriously deserve the Mother of all Class Actions.

No longer Trippin
20-09-2003, 09:03:04
Can't sue and win period against the makers of Safedisk due to how the EULA of whatever program it was packaged with is written, sad but true, they'd have been bankrupted years ago if it was possible. I could only sue Tulane POSSIBLY - you know how many fucking lawyers they have? It's insane, even companies don't like it when Tulane gets involved in things, thus they had the LA legislature along with the governor strip the law clinics of nearly every right since they were going after polluters for poor communities. I know someone who graduated at the top of his class in law overall, and was specialized in maritime law, no oil firm would touch him and they hire a lot of those guys. He had to go into the Navy making 30 grand a year working suicide shifts, and they have one of the better law schools in the nation. That is how much they are hated and how damned good they are at pulling out Jpohny Cochran type wins. So it's a losing proposition there. The money in sueing would be WAY more than replacing the several grand in hardware. Then I'd have to prove that it was from their computer and that I have no programs which have that particular version of CDilla nor had any which could carry it. If it's an MS product, Photoshop, or AutoCAD, I'm fucked good and hard there. Most likely it is one of those and someone got sloppy and pulled a backup they made using Nero or Roxio (as those generally will trigger it in some versions) and screwed a set of comps up. I'll have to go by the lab monday when they turn the comps on again, I'm betting that they'll be down, or at least the one I was on will be for sure.

Generally the ones for games and minor programs it just screws around with your PCI bus or some other mundane garbage and that is about it. Relatively easy to kill and don't do any permanent damage. This is not that version, this is one that was similar to the one on 2000 I've tangled with, only a bit more happy with taking down a system.

Might have something to do with the nforce2 chipset as well for how quickly things degraded, the drives, well I have one old one which works, and one "newer" one on the kt133 that was infected which no longer works (and was pitched) and will cause all devices to go undetected at bootup. The ATA66 with the OS works, the ATA 100 died so to speak for the current "setup" I have running at the moment. 1 gig of pc133 ram, a 1200 Duron, and an ATA66 6.5 gig drive. Runs like it has 24 megs of ram and a P90 processor practically anytime it has to access the HDD - so it pretty much has me limited to web usage and word processing, though I have to reinstall the printer drivers for each time I want to print - turn off the machine and turn it on again, the drivers are fucked. Fun.

As for replacements through warranty - the warranties are void. I've played with a copy of Cdilla before unwittingly on a system I was replacing soon anyhow luckily. Talked to a friend previously about RMAing such a drive, I was informed they don't take them, well they will, and clean it and sell it as used, but you don't get a replacement. They don't replace drives infected by C-Dilla as that implies that I was installing cracked software even if it's a backup that was triggered improperly (as it generally allows one backup to be made, just not a backup of a backup), thus the software was what broke the drive, not the drive having a defect in and of itself, thus my fault. Even though it was a copy of 2000 that I actually owned, just used a backup to do a recovery one time and bam, down went the system - guess nero thought the original was a copy and triggered it in the burn process, then on the install using the what should have been viable copy, it tore the current machine I'm posting from apart.

You get a version of C-Dilla with any game that has Safedisk or Safedisk 2 on it. They aren't bad as I said before compared to those on Operating Systems, workstation software and the like, though can be fairly bad as there are literally dozens of versions - just how much the company wants to pay dictates how "fun" the fucker is. Can't sue for what I didn't set off - it's Tulane that would have to sue, but with the EULA, they can't win it - like I said, if it could have been done, it would have been done by now. Safedisk is on tons of stuff now. It's not hard to get a game or a program with it.

Deacon
21-09-2003, 06:53:06
Is there any way to restore the original drive firmware?

No longer Trippin
21-09-2003, 21:12:13
Nope - the two ways to do this without the tools needed - namely the hardware/program to rip it out are self destructing so to speak.

I have tried taking the infected disk (after a box format with mbr even and NSA format on top of that) and stick it on an uninfected motherboard (that was expendable), that motherboard instaneously got infected from bootup when it accessed the eprom on the hdd, thus when you flash the eprom on the hdd, the "program" then just jumps back from your newly ruined mobo's bios to the eprom immediately after unless you can unplug it faster than the computer can communicate to the drive - fat chance there. It will infect hotswap drives - that's how I found that out, playing with old hardware that was expendable. Thus if a drive queries and it doesn't have the "program" on it, it then the eprom is flashed for you with that helpful program. Thus it is self defeating, all your doing is ruining more and more hardware trying to fix it. Real bastard of a program. I'll just give them to my friend's little brother, he liked playing with my first drive that had a similar version on it, couldn't remove it, but hell, if he finds out how, I'll give him some money and I'll have the disk back again, but I'm seriously not counting on it. At least the controller card has a removable eprom. Looking into replacing that as I have a friend who's interested in the card as it'd be tons cheaper than buying one new - 32bit PCI 160/320 (160 usable since 32 bit) RAID 5 SCSI cards are hard to find at that and cost a good bit as well. So it is still a huge loss, but I'm recouping some money, not much, but better than nothing.

Pilsn3r
22-09-2003, 09:15:00
is the eprom on the hdd a separate chip?
because then you probably could erase (when its not connected to a computer. external vcc and gnd to the chip) and reprogram it.
sure it may or may not ruin other circuits on the hdd but since its landfill anyway...

Darkstar
22-09-2003, 20:08:07
That reminds me, Trip...

If you are going to be working on their stuff and bringing it home to do more work... buy/build a cheap computer that you can "eat". My dad has fried out his home machine everytime he's done with, whether it was NorthEastern, MIT, Harvard, Framingham State, etc. For a couple of days, he could get by, but something always came along home from the Univ computers and fried his home box out. And kept doing so. Best just to get a "junker" for home use with that crap...

You don't need to mount a floppy as permanent... these days, if you build something to get removable, you'll get most floppies as well. Thanks to floppies being removable media for laptops.

MDA
22-09-2003, 21:12:02
I can't believe its legal to have copy protection that can trash your system. That's like having a book that explodes when you place it on a copy machine.

That's really legal? No police, no legal proceedings - just a piece of software, acting as judge, jury, and executioner. Written by a private company, not law enforcement.

Orwellian.

Darkstar
22-09-2003, 22:06:36
Right now, it's legal because you agree to it when you break the shrink wrap. However, it is only a matter of time before Billy G or one of his friends with money get bitten by such, and sue the pants off the people that made it. After all, once the CP spreads, it is no longe Copy Protection... it is a virus, legally speaking. And that people can sue for.

However, Trip is right... he'd have to sue the school, and they'd sue the CP provider. And since he doesn't think he could get past the school, he's screwed.

No longer Trippin
23-09-2003, 00:51:18
DS, for CDilla to move it needs it to be registered as a permanent disk - that goes for all versions, as if it was able to jump onto floppies, that would have already crashed every bloody computer in the world. Spybot only picks up the service and can disable that, but in the versions that are common for high priced programs, they don't even need the service, they act more like an old fashioned BIOS virus, only a helluva lot more malicious and not really easy to get rid of. Though I think I may just use this infected POS for schoolwork and get the other one running for everything else - and if Pilsn3r's idea works, well then I'm all set once the Eprom's come in.

Pilsn3r: The Eprom is inside the casing of the drive, that means I have to open it up to a limited degree. Wouldn't be exposing the disk, but the warranty would be void (well it is anyhow - so what the hell). Worth a shot. I just need to find out what is what on the eprom and I've never seen a diagram which shows vdd and grnd for hdd eproms. Any voltage to it should do as they are notoriously weak compared to the rest of the components onboard, so I doubt I'd burn anything up once I find out what voltage it's taking - hopefully the eprom manufacturer's name is on it, that should be enough for me to get the voltage specs as I know Seagate isn't going to give them to me since I doubt they have that running at 12 volts for obvious reasons. Just need to wipe it with a formatting box to get it off the platters (which my friend can do at work) before I try it. Sounds viable. Thanks for the idea.

MDA: It is very legal. Like DS said, even though you don't get to agree to the conditions of purchase until after you break the shrinkwrap (thus you've agreed to practically every software vendor to them at least) it is legal. Yeah, it's backwards. It's like buying a car and having to then test drive it and view your warranty conditions after you've plunked down the money. Doesn't make any sense whatsoever, but it is legal.

Oh, and the computer I used along with two others in the lab (of about 50 computers) were shutoff with a maintanance tag on them - all said the same thing for problem, computer wouldn't start up. Seems somebody screwed up when fixing some problems and used a bad copy of whatever.

MDA
23-09-2003, 03:03:30
It's more like buying a home security system that bolts the doors and sets the house on fire when it goes off.

No longer Trippin
23-09-2003, 04:19:22
Yeah, only it insures you live and voids your home insurance policy at the same time.

Darkstar
24-09-2003, 04:43:15
Was that SafeDisk? I had reason to go digging through my Registry (I'll tell that tale in Games forum), and spotted a "trash" entry under software. So I exploded it... and low and behold, it was SafeDisk's list of SafeDisked software on my laptop. The list included XP, SimCity4, Sims, terran (SMAC), terranx (SMACAX). Whee!

Why it's main node under Software is "trash" (a hash string it looks like), I don't know.

No longer Trippin
24-09-2003, 19:59:35
DS: Yes, it is safedisk. Go into the folder of simcity4 and look around for something like CdillaXX. C-DillaXX, or C-dilliacXX, or something similar. It should be somewhere in each games folder on the disk as it is saved locally in many instances. The X's generally will be numbers followed by a letter or two. "Trash," because that is what it will do to your computer in the worst cases, trash it.

Well, I've "fried" all six eproms on the drives after an NSA format of each. Now just waiting for the eproms for the controller card and motherboard to come in to see if I'll be able to get it up and running or they are just tossed as they are unflashable now as I have no machine to do it from that is clean at the moment.

Deacon
25-09-2003, 06:10:38
Macrovision owns C-Dilla, the guys who created SafeDisc and SafeCast. SafeCast is another wonderful product. It's a DRM scheme that decides to write a key to the area after the MBR and before track 1 of your hard drive without telling you first. Which will trash any bootloader or other piece of software that happens to use the same space.

No longer Trippin
25-09-2003, 15:18:48
Yeah, I've heard of SafeCast - haven't run into it yet thankfully. I've encountered CDilla enough. Hopefully the eproms should be here by tomorrow or saturday. I'm tired of running on this POS.

Darkstar
25-09-2003, 19:39:30
Thanks Trip. That's all I needed to here. Talk about keeping me paranoid from now on...

Hey what can nasty C do to flash cards? Any clues? PCMCIA Hard Drive cards?

Did you school ever get their computers back "online"?

No longer Trippin
25-09-2003, 21:49:00
I passed by the lab yesterday out of curiousity. All with the maintance tag were gone along with several others... seems they took them out the lab as they couldn't find out what was wrong there or finally saw the process running in the background. That means the certified Dell Techs will try formatting it several times, yank the drives, then have errors pop up on those, then they are going to yank the motherboards, then stick the infected drives back into the new board after a format and ruin another set of boards before they toss it all out and get new drives and motherboards, as I think the eprom flashing or replacing is beyond them. That'll be sent to whatever regional hq they have which will then wipe them and send them to whatever company or user needs a new board or drive due to some odd failure or another as I'm sure Dell has the removal tools.

If you set the drive as a boot drive, I'd imagine it would try to get on - but really can't say as I don't have the tools to dissect it, nor do I have the programming experience to understand it. I just have tons of hardware knowledge and how to "optimize" an OS - programming is over my head. I have an aquaintance who is a BIOS engineer (for Pheonix), maybe he'd know if anybody that I could contact - but I haven't the slightest idea in all truth. I'll have to dig up his email and ask. The CDilla on my bundled copy of 2000Pro-AdvServer totally ignores USB and firewire directly, so any even remotely "new" technologies are safe going by that. I have yet to see it target CD-ROM eproms, though it kills them through the registry and setting itself up as a legacy reg, thus hard as hell to remove if not impossible - probably it does this since it has nowhere to store the instruction set like it does on a fixed disk. Also they target only fixed disk as they don't want it proliferating obviously. I only managed to get it I imagine as someone or the OS somehow screwed up and thought A: a permanently mounted drive (yet didn't error up?). The last thing they want is it spreading outside of the computer or locl network it is running on at the most since they don't want to bring the world to it's knees. I'll check on the PCMIA cards, but I'd lean towards no since it's something that is generally transfered. Unless it's setup wrong (which is near impossible to do which is how I'm wondering how that 1.44 drive grabbed it) your safe, but I'll check with someone who should know.

Honestly, if virus creators were of this mindset, we'd all be screwed by now.

No longer Trippin
27-09-2003, 23:03:28
Have all the eproms now and flashed all the drives. One SCSI 18 gig dead and the 120 WD IDE dead. The other drives work. Just need to get another SCSI drive and I should be set. Controller card seems fine (can't test RAID 5 out though, can test lower with current drives) and the motherboard is fine and clocks just as well after flashing to the latest bios. So I only lost a SCSI and an IDE... better than everything. Just can't restore everything until I get another drive. Better than a total loss by far though. Fucking Safedisk.

Thanks pilsn3r for the idea of manually wiping the eproms with a little juice.

Pilsn3r
27-09-2003, 23:16:23
:beer:

Darkstar
30-09-2003, 19:51:36
So, you are out a lot of time and a couple of drives? Not as bad as you had expected then! CONGRATS! :beer: to you!

and a :beer: to Pilsn3r!

No longer Trippin
01-10-2003, 03:04:00
Thanks.

chagarra
01-10-2003, 11:04:05
Now "ALL" you have to do is reload everything..

Lots a Luck.

No longer Trippin
01-10-2003, 18:56:45
DS: I asked about the PCMIA card deal, from what he knows, it won't jump to it. He doesn't work on mobile chipsets though, but he said knowing how they play in PCs he doesn't forsee them making it jump around which sending it to a PCMIA card would do. As a boot drive, he wasn't sure, but possibly due to how it sets up services, if you used it to boot in another machine it would infect that one, but just to transfer data, no - as the service wouldn't engage.


Chagarra: Backup :)

Darkstar
01-10-2003, 19:34:20
Cool. As long as my PCMIA is safe, my paranoia doesn't need to include worrying about it being CDilla'd then. Very cool.

MDA
01-10-2003, 19:47:46
It occurred to me that if CDILLA was a biological construct, it would never, ever have been permitted to exist. Plenty of virus-vectored gene therapy techniques got scrapped when there was even the slightest risk of them reverting to wild-type behavior.

Of course this is kind of backwards, as there is currently no "wild type" virus version of CDILLA, but it still creeps me out.

No longer Trippin
01-10-2003, 20:19:56
No wild version yet, it's only a matter of time before some hacker thinks of using it if they plan on crashing the entire internet. Just that it's so malicious that nobody wants to touch it. It's like playing with ebola without the suit - your gonna screw yourself.