frisk@rhi.hi.is (Fridrik Skulason) (07/14/89)
I need an answer to the following question: In the boot sector of every diskette and hard disk there is a short string starting at the fourth byte. This string contains information about the version of DOS used to format the disk/diskette. Typically it is something like "IBM 3.0" or "MSDOS2.0". What I need to know is: What other possibilities are there?

The reason I'm asking this question is as follows: I'm working on a package of programs for fighting computer viruses on the PC. One program in this package tries to determine if the boot sector has been infected by some virus. Since some viruses modify the label described above, it is one of the things I check on each diskette. For example, one well-known virus will write 1234 in this place, and another (the Pentagon virus) will write "HAL" there.

Now - my problem is that one person who was using a beta-test version of the program told me that the program would flag diskettes formatted on a Cordata machine as "Possibly infected by an unknown virus". Examination revealed that the reason was the string "CDS" instead of "IBM" or "MSDOS".

Therefore I am asking for a bit of assistance. If you have a machine from somebody other than IBM, please take a look at this portion of the boot sector, using NORTON or some similar program. If it contains a string different from "IBM", "MSDOS" or "CDS", please send me information on the string and the machine type.

Of course - the package will be distributed freely when finished - expect it to appear on comp.binaries.ibm.pc or in some accessible place. I just need to obtain a few more viruses to test it against first. Currently I have only tested it (and found it 100% effective) against Brain, Ping-Pong, 1704 and a new Icelandic (I think) virus.

This message would have been posted to comp.virus, but since it is not operating right now, I am posting it here.

--
Fridrik Skulason
University of Iceland
frisk@rhi.hi.is
Guvf yvar vagragvbanyyl yrsg oynax .................
c37189h@saha.hut.fi (07/14/89)
The string is located at offset 3 ... 0Bh in the boot sector and it's filled with whatever one's format program wants to fill it with. Quite often it is filled with the name and version number of the manufacturer. You'd better check if it matches what a virus changes it to, or you'll get a huge number of strings it may be!

---
E-mail: c37189h@saha.hut.fi             * If you're feeling good, don't *
UUCP: ...!mcvax!santra!saha!c37189h     * worry - You'll get over it!   *
everett@hpcvlx.HP.COM (Everett Kaser) (07/14/89)
I think you're on shaky ground, because the string starting in the 4th byte of the boot sector is the OEM identification string; i.e. there are going to be a significant number of different ones, up to (but not likely) as many as there are OEMs of MS-DOS. On the HP Vectra PC that I'm using with MS-DOS 3.3 (OEM'd from Microsoft by HP) the ID string says "IBM 3.3". I suspect that many clone manufacturers that supply MS-DOS use the "IBM" string in order to be as compatible as possible with IBM. But I know that on a couple of HP's earlier computers, different strings were placed there.

Everett Kaser                       "Your thoughts create your reality."
!hplabs!hp-pcd!everett
everett%hpcvlx@hplabs.hp.com
leonard@bucket.UUCP (Leonard Erickson) (07/17/89)
Tandy MS-DOS 3.1    TAN 3.1
Tandy MS-DOS 3.2    TAN 3.2

and Zenith puts either ZENITH or ZEN (I can't find a Zenith disk right now..)

--
Leonard Erickson            ...!tektronix!reed!percival!bucket!leonard
CIS: [70465,203]
"I'm all in favor of keeping dangerous weapons out of the hands of fools.
Let's start with typewriters." -- Solomon Short
mju@mudos.ann-arbor.mi.us (Marc Unangst) (07/20/89)
In article <1565@bucket.UUCP>, leonard@bucket.UUCP (Leonard Erickson) writes:
>and Zenith puts either ZENITH or ZEN (I can't find a Zenith disk
>right now..)

Zenith puts ZDS; my Zenith Z-148 (Zenith MS-DOS v3.1, IO.SYS v3.04) says "ZDS 3.0" in the boot sector.

--
Marc Unangst
UUCP smart     : mju@mudos.ann-arbor.mi.us
UUCP dumb      : ...!uunet!sharkey!mudos!mju
UUCP dumb alt. : ...!{ames,rutgers}!mailrus!clip!mudos!mju
Internet       : mju@mudos.ann-arbor.mi.us
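As an added illustration of the check Fridrik's first post describes (not code from his package or from anyone in this thread): read the 8-byte OEM field at offset 3..0Bh that c37189h named, compare it with the manufacturer prefixes reported across the replies and the two virus markers the first post mentions, and add a few plausibility checks on the rest of the sector so that an unknown OEM string is reported as "suspect" rather than "infected". The jump-opcode, BPB layout and 55AA signature checks are conventions I am assuming here, the "1234" marker is treated as ASCII text, and make_sector builds a constructed test sector, not a real disk image.

```python
import struct

# OEM prefixes reported in this thread (assumption: prefix match, case-sensitive).
KNOWN_OEM_PREFIXES = ("IBM", "MSDOS", "CDS", "TAN", "ZDS", "ZENITH", "ZEN")
# Markers the first post attributes to boot-sector viruses ("1234" assumed ASCII).
VIRUS_MARKERS = {"1234": "the '1234' virus", "HAL": "Pentagon"}


def oem_name(sector: bytes) -> str:
    """Return the OEM identification string at offsets 3..0Bh (8 bytes)."""
    return sector[3:11].decode("ascii", errors="replace").rstrip("\x00 ")


def check_boot_sector(sector: bytes) -> dict:
    """Classify a 512-byte boot sector as 'clean', 'suspect' or 'infected'."""
    if len(sector) != 512:
        raise ValueError("boot sector must be exactly 512 bytes")
    findings = []
    # Assumed convention: DOS boot code starts with EB xx 90 or E9 xx xx.
    if not (sector[0] == 0xEB and sector[2] == 0x90) and sector[0] != 0xE9:
        findings.append("unexpected first opcode %02X" % sector[0])
    # Assumed BPB layout at offset 0Bh: bytes/sector, sectors/cluster,
    # reserved sectors, number of FATs.
    bps, spc, reserved, fats = struct.unpack_from("<HBHB", sector, 11)
    if (bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1)
            or reserved == 0 or fats not in (1, 2)):
        findings.append("implausible BPB values")
    if sector[510:512] != b"\x55\xAA":
        findings.append("missing 55AA signature")
    name = oem_name(sector)
    verdict = "clean"
    for marker, virus in VIRUS_MARKERS.items():
        if name.startswith(marker):
            findings.append("OEM field matches %s marker" % virus)
            verdict = "infected"
    if verdict != "infected" and not name.startswith(KNOWN_OEM_PREFIXES):
        findings.append("unknown OEM string %r" % name)  # Cordata-style case
        verdict = "suspect"
    if verdict == "clean" and findings:
        verdict = "suspect"
    return {"oem": name, "verdict": verdict, "findings": findings}


def make_sector(oem: bytes) -> bytes:
    """Constructed 512-byte boot sector for testing (not a real disk image)."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[3:11] = oem.ljust(8, b" ")[:8]
    # 512 bytes/sector, 2 sectors/cluster, 1 reserved sector, 2 FATs.
    struct.pack_into("<HBHB", sector, 11, 512, 2, 1, 2)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)
```

Run check_boot_sector over the first sector of a diskette image; a "suspect" result with only an unknown OEM string is the false-positive case the Cordata report describes, and the fix is to extend KNOWN_OEM_PREFIXES rather than treat every unfamiliar label as a virus.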