Can suse change a read only VirtualCDROM drive to writable?

Hi,

I’ve come to you guys for help.

I recently purchased some mp3 players from China that I wanted to sell to make some Xmas cash. They work fine on my Suse 11.

When you put it on my missus’ XP machine it detects a Trojan!!!

Guess what, no reply from the Chinese vendor. It seems the 1gb drive is partitioned into a Virtual CD Rom drive that contains some bundled software for windows that contains the trojan. Obviously this is no problem for my Suse machine but I wanted to sell some on and assume there will be a few windows users who buy them.

I wish to delete the bundled software as it is not required and by doing this will cure the problem. Even if the virtual drive still remains. I would rather lose money than sell these on with a trojan.

Guess what, I can’t do anything to it on Windows.

In suse the Virtual drive mounts at /media/AMT-CDROM

SUSE will not allow me to see the file permissions when I right click on the drive and view properties. But they are set to READ only; windows has shown me that.

Is there a way I can force a change to the file permissions of the read only Virtual CD Rom to writable so I can delete them in konsole or similar? Or even better, is there any way to delete this from the flash drive, bearing in mind suse sees the flash drive/mp3 player and the Virtual CD Rom drive as separate entities?

I use suse only for basic computing and knew there would be a day it would be invaluable for me to have it. Any help at all very appreciated.

Rio

I understand you want to wipe the “disk”; have you tried formatting the “disk” with a tool such as “gparted” or “yast2 disk”?

Or, for a windows equivalent, Paragon Partition Manager, Norton Partition Magic, 7 Tools Partition Manager (Although they all use the same engine.)

I can walk you through this if this is what you are aiming for.

In a Konsole or Terminal


su
[enter root pass]
umount /media/AMT-CDROM
yast2 disk

Click yes when it warns you of the power of the tool.

You should receive a screen like this:
http://i34.tinypic.com/2q0654x.png
COMPLETELY IGNORE the contents of my picture, it is just a guideline.

Try and find the disk’s name then directly under it the partition where the trojan resides. Click edit, format then choose FAT. Don’t type in a mount point, it isn’t necessary. PLEASE DON’T FIDDLE WITH ANY OTHER OPTIONS. I can’t stress that enough.

If in doubt, please run this in a Konsole or Terminal and post me the results so I can tell you which one to format :


su
[enter root pass]
fdisk -l

Hi Thanks for the reply.

Tried Paragon partition manager and loads of others on XP. The problem is it looks to me like both XP and Linux see the virtual CD ROM and the MP3 player as separate partitions. Tho I may be wrong.

When I go into Expert Partitioner the device is shown as /dev/sdb at 975.75mb, same as on windows, so it still looks as tho the virtual drive is being looked at by linux as a separate entity. But I didn’t think this was possible and had hoped the partitions would show up in expert partitioner.

Here is my output of the command you asked for.

leon@linux-u706:~> su
Password:
linux-u706:/home/leon # fdisk -l

Disk /dev/sda: 20.4 GB, 20491075584 bytes
255 heads, 63 sectors/track, 2491 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x1bc969bb

Device Boot Start End Blocks Id System
/dev/sda1 1 194 1558273+ 82 Linux swap / Solaris
/dev/sda2 * 195 1152 7695135 83 Linux
/dev/sda3 1153 2491 10755517+ 83 Linux

Disk /dev/sdb: 1023 MB, 1023148032 bytes
32 heads, 61 sectors/track, 1023 cylinders
Units = cylinders of 1952 * 512 = 999424 bytes
Disk identifier: 0x6f20736b

This doesn’t look like a partition table
Probably you selected the wrong device.

Device Boot Start End Blocks Id System
/dev/sdb1 ? 398636 983425 570754815+ 72 Unknown
Partition 1 does not end on cylinder boundary.
/dev/sdb2 ? 86419 1078237 968014120 65 Novell Netware 386
Partition 2 does not end on cylinder boundary.
/dev/sdb3 ? 957932 1949749 968014096 79 Unknown
Partition 3 does not end on cylinder boundary.
/dev/sdb4 ? 1 1863334 1818613248 d Unknown
Partition 4 does not end on cylinder boundary.

Partition table entries are not in disk order
linux-u706:/home/leon #

I select this and then click on edit and I get a message /dev/sdb
with a big green bar saying free. Doesn’t look like I can format using that method.

I have screenshots but not sure how to get them on here.

Looks like the drive is seen as the 1023mb I was expecting with four partitions. Can I do some sorta super wipe of em all and then reformat?

I now have another problem tho. I messed about with the mount point of the Virtual CDRom and now it won’t mount.

I get this message

unable to mount the volume ‘AMT_CDROM’
Details
mount_point cannot contain the following characters: newline, G_DIR_SEPERATOR (usually)/

Arrgh!!

I changed it when I right clicked on the Virtual Drive and clicked on properties. My mistake. I hope this hasn’t made things more difficult.

Thanks

Rio

Is it, by any chance, some kind of U3 device?
If so there’s a tool to remove it in the link, for Windows.

It is similar to the U3 devices but not the same; the tool they provide doesn’t remove the virtual drive from the flash disk.

But in principle the Virtual CD Rom drive acts the same, in the way that it autoruns a program. It’s this bundled program that contains the trojan.

Thanks

Have deleted and reformatted all partitions on the flash disk using this tutorial on fdisk:
How to Format a Hard Drive in Linux | eHow.com

Now fdisk -l looks like this…

leon@linux-u706:~> su
Password:
linux-u706:/home/leon # fdisk -l

Disk /dev/sda: 20.4 GB, 20491075584 bytes
255 heads, 63 sectors/track, 2491 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x1bc969bb

Device Boot Start End Blocks Id System
/dev/sda1 1 194 1558273+ 82 Linux swap / Solaris
/dev/sda2 * 195 1152 7695135 83 Linux
/dev/sda3 1153 2491 10755517+ 83 Linux

Disk /dev/sdb: 1023 MB, 1023148032 bytes
32 heads, 61 sectors/track, 1023 cylinders
Units = cylinders of 1952 * 512 = 999424 bytes
Disk identifier: 0x6f20736b

Device Boot Start End Blocks Id System
/dev/sdb1 1 1023 998417+ 6 FAT16


Which is great, but this still shows as a 975mb drive on XP. It shows as a 975mb drive on linux with 966mb free. When I reconnect this device to a windows or linux machine this separate virtual cd rom drive still installs, and on xp it still tries to drop this trojan on the system…

Any ideas how I can force linux to change the virtual drive or the files on that drive that mounts at /media/AMT_CDROM from read only to write? Or to delete it all together.

Thanks

Here is how the files look in konsole

leon@linux-u706:/media/AMT_CDROM> dir
total 2968
-r-xr-xr-x 1 root root 2849744 2007-12-17 03:26 AMT.sn
-r-xr-xr-x 1 root root 31 2007-05-17 05:33 autorun.inf
-r-xr-xr-x 1 root root 188475 2007-10-16 06:47 start.exe
leon@linux-u706:/media/AMT_CDROM>

I have tried to mount it as rw but I think I got the syntax wrong. Here is what I changed fstab to:

/dev/disk/by-id/scsi-SATA_Maxtor_5T015H2_T2JPJY2C-part1 swap swap defaults 0 0
/dev/disk/by-id/scsi-SATA_Maxtor_5T015H2_T2JPJY2C-part2 / ext3 acl,user_xattr 1 1
/dev/disk/by-id/scsi-SATA_Maxtor_5T015H2_T2JPJY2C-part3 /home ext3 acl,user_xattr 1 2
/dev/disk/by-id/scsi-SATA_ST3120022A_5JT50CGC-part1 /windows/C ntfs-3g users,gid=users,fmask=133,dmask=022,locale=en_GB.UTF-8 0 0
/dev/disk/by-id/scsi-SATA_ST3500830A_9QG3ABC3-part1 /windows/E ntfs-3g users,gid=users,fmask=133,dmask=022,locale=en_GB.UTF-8 0 0
/dev/sdb /media/AMT_CDROM auto rw,noauto,user,exec 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs noauto 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
usbfs /proc/bus/usb usbfs noauto 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
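For triage of a volume like the AMT_CDROM listing above (what would Windows launch, and what are the file hashes to submit to an AV vendor), here is an added Python example; it is not code from the thread, and the sample volume it builds in demo() is constructed with dummy contents rather than the real files.

```python
import configparser
import hashlib
import tempfile
from pathlib import Path

# autorun.inf keys (case-insensitive) that name something Windows would run or load.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "icon")

def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys ({} if absent/unparseable)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    name = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return dict(cp[name]) if name else {}

def launch_target(value):
    """Reduce a value such as '"start.exe" /s' or 'start.exe,0' to the file it names."""
    v = value.strip().split(",")[0].strip()
    name = v[1:].split('"', 1)[0] if v.startswith('"') else (v.split() or [""])[0]
    return name.replace("\\", "/").lstrip("/").lower()

def triage_volume(root):
    """Hash every file on a mounted volume and report what its autorun.inf points at.
    Returns (autorun_section, {key: (target, target_exists)}, {relpath: sha256})."""
    root = Path(root)
    hashes = {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
              for p in sorted(root.rglob("*")) if p.is_file()}
    inf = root / "autorun.inf"
    section = parse_autorun(inf.read_text(errors="replace")) if inf.is_file() else {}
    present = {name.lower() for name in hashes}
    targets = {k: (launch_target(v), launch_target(v) in present)
               for k, v in section.items() if k in LAUNCH_KEYS}
    return section, targets, hashes

def demo():
    """Constructed stand-in for the AMT_CDROM listing (dummy contents, not the real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = Path(tmp)
        (vol / "autorun.inf").write_text("[autorun]\r\nopen=start.exe\r\nicon=start.exe,0\r\n")
        (vol / "start.exe").write_bytes(b"MZ" + b"\0" * 62)   # dummy PE-looking header
        (vol / "AMT.sn").write_bytes(b"constructed placeholder blob")
        return triage_volume(vol)
```

On a real system, call triage_volume("/media/AMT_CDROM") on the read-only mount; nothing is written to the volume, which is all you can do with an ISO9660 image anyway.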

The problem is that even if you were to mount the virtual CDROM device writable, you still wouldn’t be able to write to it, because the ISO9660 filesystem is read-only, by design. To change the contents you would have to rebuild the ISO9660 image and put that on the flash device. Why not just delete it from the device?

Got ya.

In that case what’s the best way to go about deleting it from the flash drive?

Thanks

Rio

ken_yap going along the lines of what you suggested about deleting the drive I’ve found some info on a forum.

TeknoHog / U3 Linux hacking

This relates to the U3 drive that has a similar autorun virtual cdrom on it. The U3 uninstall tool doesn’t work as it’s not a U3 drive, but the Virtual CDRom on my drive must be hackable in linux the same way.

They suggest hacking the drive in linux with this…

copied from the above link

Linux CD-part access

Reading this far, you probably know that Linux handles USB drives via the SCSI driver layer. There’s a SCSI option in the kernel menuconfig that you may have to turn on in order to access the CD part:

  * Probe all LUNs on each SCSI device

This means CONFIG_SCSI_MULTI_LUN=y in the kernel .config file. Without it, Linux only sees the plain drive (which, btw, is a sensible fallback design :) ). It may be already set on your system; try if you get a SCSI CDROM when inserting the drive. This way I could mount the CD part as an ordinary ISO9660 filesystem.

The CD part appears as a CD writer, which makes sense as you can change the contents via (proprietary Windows-only) software. Cdrecord fails with the following message:

# cdrecord -dev=/dev/sr0 -v -driveropts=burnfree blank=fast ~teknohog/u3new.iso 
dvdrtools v0.3.1
Portions (C) 2002-2006 Ark Linux 
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program; see the file COPYING.  If not, write to the Free Software
Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
Based on:
Cdrecord 1.11a15 (i686-pc-linux-gnu) Copyright (C) 1995-2001 Jörg Schilling
TOC Type: 1 = CD-ROM
scsidev: '/dev/sr0'
devname: '/dev/sr0'
scsibus: -2 target: -2 lun: -2
Scanning device, b=4294967295
Linux sg driver version: 3.5.27
Using libscg version 'bero-0.5a'
cdrecord: Warning: using inofficial version of libscg (bero-0.5a '@(#)scsitransp.c      1.81 01/04/20 Copyright 1988,1995,2000 J. Schilling').
Driveropts: 'burnfree'
atapi: 1
Device type    : Removable CD-ROM
Version        : 0
Response Format: 2
Capabilities   :
Vendor_info    : 'Kingston'
Identifikation : 'DataTraveler U3 '
Revision       : '6.50'
Device seems to be: Generic mmc CD-R.
resid: 236
cdrecord: Warning: controller returns zero sized CD write parameter page.
cdrecord: Warning: controller returns wrong size for CD write parameter page.
cdrecord: Warning: controller returns wrong page 0 for CD write parameter page (5).
cdrecord: Warning: controller returns zero sized CD write parameter page.
cdrecord: Warning: controller returns wrong size for CD write parameter page.
cdrecord: Warning: controller returns wrong page 0 for CD write parameter page (5).
Using generic SCSI-3/mmc CD-R driver (mmc_cdr).
Driver flags   : SWABAUDIO BURNFREE
Supported modes:
FIFO size      : 4194304 = 4096 KB
cdrecord: Drive does not support TAO recording.
cdrecord: Illegal write mode for this drive.

But I’m not sure even how to begin. Would someone please look at this and tell me where to start? I’m using SUSE 11 with the Gnome desktop.

Thanks

Rio
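To illustrate the multi-LUN point in the quoted text, here is an added Python example (not code from the thread or from TeknoHog) that walks sysfs to show the virtual CD part as a second LUN on the same SCSI target as the flash disk, which is why repartitioning /dev/sdb leaves it untouched. It assumes the standard sysfs layout (/sys/block/<dev>/device resolving to an H:C:T:L directory under its targetH:C:T directory, each with a `type` file), and demo() builds a constructed tree with made-up numbers.

```python
import os
import tempfile
from pathlib import Path

# SCSI peripheral device type codes as exposed in sysfs 'type' files.
SCSI_TYPES = {"0": "disk", "5": "cd/dvd"}

def sibling_luns(block_dev, sysfs="/sys"):
    """List every LUN on the same SCSI target as a block device such as 'sdb'.
    Returns [(hctl, type_name), ...]; sysfs is a parameter so a constructed tree can be used."""
    dev_dir = Path(os.path.realpath(Path(sysfs) / "block" / block_dev / "device"))
    host, chan, target, _lun = dev_dir.name.split(":")        # e.g. '4:0:0:0'
    prefix = f"{host}:{chan}:{target}:"
    luns = []
    for entry in sorted(dev_dir.parent.iterdir()):            # siblings live under targetH:C:T/
        if entry.name.startswith(prefix):
            type_file = entry / "type"
            code = type_file.read_text().strip() if type_file.is_file() else "?"
            luns.append((entry.name, SCSI_TYPES.get(code, f"type {code}")))
    return luns

def virtual_cdrom_luns(block_dev, sysfs="/sys"):
    """Return the LUN names on the same target that present as CD/DVD devices,
    i.e. the 'CD part' that formatting the disk LUN alone cannot touch."""
    return [hctl for hctl, kind in sibling_luns(block_dev, sysfs) if kind == "cd/dvd"]

def demo():
    """Constructed sysfs tree: flash disk at LUN 0, virtual CD at LUN 1 (made-up numbers)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "devices" / "host4" / "target4:0:0"
        for hctl, code in (("4:0:0:0", "0"), ("4:0:0:1", "5")):
            (target / hctl).mkdir(parents=True)
            (target / hctl / "type").write_text(code + "\n")
        (Path(tmp) / "block" / "sdb").mkdir(parents=True)
        os.symlink(target / "4:0:0:0", Path(tmp) / "block" / "sdb" / "device")
        return sibling_luns("sdb", sysfs=tmp), virtual_cdrom_luns("sdb", sysfs=tmp)
```

On a live system call sibling_luns("sdb") with the default sysfs root; if only the disk LUN is listed, the multi-LUN probing described above may be off, and whether the CD LUN accepts writes at all is decided by the device’s own firmware, not by Linux.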

I’ve looked into this constantly since Friday and so far have tried the following.

All windows partition programs and U3 removal tools

Linux. Fdisk, gparted, qtparted, testdisk and dd

None of the obvious options work.

The flash drive is definitely split; it isn’t two chips.

So in the gap between the 975mb linux says it has and the 1024 it really is lurks the virtual CDROM drive.

I have two ideas that might fix this.

1 Burn a new .iso over the existing one

? Is this possible, and what would I use to do this? The code I used in dd didn’t work as it couldn’t access the drive, tho I suspect I was using the wrong code.

2 Erase the partition altogether using some command line, or even DOS

Any help will be useful

Thanks

Rio

Hi all,

Have been in touch with the vendor and they say the only way is to short the flash drive and reflash it. Ah well, you win some, you lose some.

Thanks to all who helped

Hi
I had a cruzer or jetflash drive like that, from memory all I did was
delete the partitions with fdisk, change the format to fat32 (id = c)
and then formatted the drive and the cdrom disappeared…


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 11.0 x86 Kernel 2.6.25.16-0.1-default
up 3:29, 1 user, load average: 0.05, 0.10, 0.09
GPU GeForce 6600 TE/6200 TE - Driver Version: 177.80

RioSteel wrote:
> Hi,
>
> I’ve come to you guys for help.
>
> I recently purchased some mp3 players from China that I wanted to sell
> to make some Xmas cash. They work fine on my Suse 11.
>
>

Mind telling us the brand (so we can stay away from them…lol).

Maybe sell them cheaper to people who are not afraid of Windows viruses, i.e. people with only Linux computers? lol!