Tags:






can viruses - specifically the pe_virut variants - survive re-imaging?
March 3, 2009 7:22 PM   RSS feed for this thread Subscribe

can viruses - specifically the pe_virut variants - survive re-imaging?

I'm a sysadmin at the largest school in my district - the largest district in our state. we got hit by a wave of pe_virut variants. i used a solution from sophos (and a dr web live cd for the older PCs) to clean my PCs. The plan was simple: 1)get a clean/updated image of the 4 models of PC found at my school. 2)push the images out to the various locations remotely 3)clean up and reinstall any software lost during reimaging.

Instead, my second level support told me specifically NOT to reimage the machines. He actually shut down the vlans at my school to prevent multicasting (really, disabled DHCP. I could not re enable it). The district then sent a team of 10 techs to clean each PC one-at-a-time. This is the policy for the entire district. Personally, I have over 700 PCs. I have a zenimage server, a clonezilla server and a ghostserver at my disposal. These things are unsupported by our policy, but I'm all alone swimming in 2500 users - I can't afford to babysit individual PCs like the guys at smaller schools. The lead tech - with like 30 more years experience than I - mumbled something about this virus infecting the image server DURING imaging. Thats why we couldn't use flash drives or district servers to reimage. So I mentioned maybe adding a command to format the receiving PC, sending the image and then Deep Freez-ing the PC once naming was done. My suggestion was ignored.

Do these guys know something I don't about imaging? I thought that since Zen/Cloneszilla run in RAM, the HDD would be inert and anything on it would be overwritten.

Storage and security gurus out there: can a virus infect an image server during an imaging?

ps.
ironically, the source of the reinfections was our Novell/netware server. It only took them 2 weeks to get around to scanning/cleaning our servers - the responsibility of that same second level administrator.
posted by Davaal to computers & internet (5 comments total) 1 user marked this as a favorite
A virus could only survive reimaging if it had infected the boot sector and the reimaging process does not overwrite the boot sector with a clean one. The computers, while being reimaged, are not booted into Windows; there is no way for them to infect the license server. Your initial plan would have worked just fine and would have cleaned up everything.
posted by zsazsa at 7:42 PM on March 3


zsanzsa is technically correct (usually that infers something else.. but in this case.. it means exactly what it means). The only way a virus could be brought through an image is:

a. the image has a virus
b. You didnt overwrite the boot sector

Making sure a didnt happen is easy. Making sure b didn't happen is just a matter of making sure your software handles boot sectors appropriately; or at worst; making a linux boot cd that zero's out /dev/hda, and THEN image.

The one-at-a-time is ludacris -- I would start a campain to have the schools IT budget cut if that was happening locally.

PS-Massive infections still happen? Your not running A/V?
posted by SirStan at 8:30 PM on March 3


This makes no mention of this being a boot sector virus; and as such; would not be carried through on an image. And "infecting the image server" ... really? Really? REALLY?

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=PE_VIRUT.A

You are right. Stand your ground. I don't know of a virus that effects ghost images/zen images/clonezilla images. I would assume your base machine is kept off the network and only connected to the image server. I would then assume the image server is a read only source to the infected network (naturally; thats how all of these products work unless you explicitly tell them otherwise) and firewall off absolutely everything you dont need open (simply out of preparedness). Then image away.

There is no way to infect the image "on-the-wire". It sounds like mass hysteria more than a cognitive and planned repair.
posted by SirStan at 8:35 PM on March 3


"PS-Massive infections still happen? Your not running A/V?"

We didn't even have updated virus definitions from trend micro when all this jumped off. I'm talking 30+ locations infected, close to 10k PCs and servers at last count. This article is from Feb 14th, 2 full weeks into the debacle.

a major company did an end run in our IT department back in OCT. The state instated a hiring freeze, so there are 12 very important positions left vacant. Which ever tech was supposed to handle backups and windows updates dropped the ball. our current solution is to clean with sophos and then manually update each PC with all the windows updates (to include SP3) we haven't been getting. To ensure that we just don't go to windows-update, they disabled access to update.microsoft.com. then, when I built some images and started bringing PCs up in groups of 40, they disabled DHCP on my router pretty much preventing me from imaging other than with a flash drive... one at a time. I've only been a tech for 8 years (to include active duty time in the ARMY) - and this is my first real catastrophe. Tomorrow, I'm going to strap down 40 PCs at a time to my little zenimage server. then i'll deep-freeze/steady-state the lot of them. i'll be sure to check my script for the line to zero out /dev/hda. I'm sure it's there, but IO want to lay eyes on it, myself.

thanks for the advice, i was beginning to doubt my own knowledge because these other guys have been doing this for decades.
posted by Davaal at 9:30 PM on March 3


You know DHCP works based on a "who replies fastest" principal right?

Build your own DHCP server on a laptop to use for imaging. Use Ubuntu and DHCPd and hardcode in the MAC addresses you are ghosting. The local machine will respond MUCH faster and the machines will take your laptops IP.

For extra bonus points; use a different IP range so you KNOW the machines are picking up the right IP.

You'll save tons of time.
posted by SirStan at 4:43 PM on March 4


« Older A question about a change in t...   |   How do you rid a web site of M... Newer »

You are not logged in, either login or create an account to post comments