ivan@rzsin.sin.ch (Ivan D. Reid) (09/11/89)
A week or so back, I asked if anyone knew if the Atari used the reserved (I said hidden then, sorry) sector info, or just assumed that all disks had just one reserved sector. This was in respect to transferring disks ST<=>HP-150 MS-Dos machine. I spent time playing with this off and on last week, with puzzlingly inconsistent success.

What I did establish, though, was that the HP expected to find an Intel short jump of a specific displacement, followed by a NOP, before it would recognise the disk. Take an Atari disk, use DEBUG to read in the 1st sector, change the 3 bytes & write it back & Voila! the HP recognises the Atari disk! Microsoft recommends in the V3.0 Programmers Reference that MS-DOS OEMs check the 3 bytes for an Intel short jump plus NOP or an Intel long jump. Since the HP-Dos is V2.11 and the Prog. Ref. with it doesn't have this recommendation for checking for MS-DOS disks, I guess [(hp)] can be excused for wanting a specific displacement.

However, when checking the disk again Saturday, I realised that its boot sector was stuffed with strange data, and then I recalled that I'd seen a Motorola jump instruction on one of the boot sectors I'd looked at earlier. Out with the disassembler and Voila! again -- a boot-sector virus! Strange virus, though, it just spreads itself and also waits for a newer version. No malicious code at all.

To cut a long story short, this virus was found in great profusion on the disks here in our institute. I also captured a couple of possible mutants that I'll examine tonight. I also found several legit self-boot diskettes (All with the word "Loader" at the start, and Atari notices at the end) and one "friendly" virus that I recommended be wiped too.
Despite the fact that this virus is not malicious, I don't like it or the "friendly" viruses for these reasons:

Firstly, it can overwrite a legit boot sector -- it checks the jump instruction at the start, which luckily has the same displacement as the Atari loader, but if someone wrote a self-booting disk with a different offset, the virus thinks "not infected" and overwrites it. This would probably ruin the disk (containing probably expensive software). It will also overwrite MS-DOS boot sectors, since the Intel jump is different to the Motorola jump -- this is what caused me grief with the HP last week.

Secondly, the "safe" area in memory may not be safe, especially with later versions of TOS, so that its in-memory copy gets trashed subtly or not-so-subtly causing inexplicable & unpredictable behaviour. Some of the possible different copies I've looked at so far have just one byte changed (this may be due to an error in writing the sector back, too). Such a change may not make sense so watch out if that disk is used to boot...

So, kill all viruses. The only good virus is one in the bit-bucket!

ivan
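
The boot-sector checks discussed in this post (the three leading bytes and the reserved-sector field), as an added example that is not part of the original post. It assumes the "Intel long jump" is opcode 0xE9, the "Motorola jump" is the 68000 BRA.S opcode 0x60, and the TOS convention that a boot sector is executed when its 256 big-endian words sum to 0x1234; the function names and the sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
ATARI_EXEC_SUM = 0x1234  # TOS boot-executable checksum (assumption, not from the post)

def classify_jump(sector: bytes) -> str:
    """Classify the first three bytes of a boot sector."""
    b0, b1, b2 = sector[0], sector[1], sector[2]
    if b0 == 0xEB and b2 == 0x90:
        return "intel-short-jump+nop"   # what the MS-DOS side looks for
    if b0 == 0xE9:
        return "intel-long-jump"
    if b0 == 0x60 and b1 != 0:
        return "m68k-bra.s"             # 68000 short branch, as on Atari loaders
    return "none"

def atari_executable(sector: bytes) -> bool:
    """True when the 256 big-endian words sum to the executable checksum."""
    return sum(struct.unpack(">256H", sector)) & 0xFFFF == ATARI_EXEC_SUM

def inspect(sector: bytes) -> dict:
    """Summarise the fields a cross-platform disk check would look at."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    (reserved,) = struct.unpack_from("<H", sector, 0x0E)  # BPB reserved sectors
    jump, runs = classify_jump(sector), atari_executable(sector)
    # An executable sector is not proof of infection (legit loaders exist);
    # it only means code in this sector runs at boot and deserves a look.
    return {"jump": jump, "reserved_sectors": reserved,
            "atari_executable": runs, "review": runs and jump == "m68k-bra.s"}

def build_sample(jump: bytes, reserved: int, executable: bool) -> bytes:
    """Construct a synthetic sector; the last word is set to fix the checksum."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = jump
    struct.pack_into("<H", s, 0x0E, reserved)
    partial = sum(struct.unpack(">255H", bytes(s[:510]))) & 0xFFFF
    target = ATARI_EXEC_SUM if executable else 0x0000
    struct.pack_into(">H", s, 510, (target - partial) & 0xFFFF)
    return bytes(s)

if __name__ == "__main__":
    samples = {  # constructed sectors, not captured from real disks
        "msdos-style": build_sample(b"\xEB\x3C\x90", 1, False),
        "atari-bootable": build_sample(b"\x60\x38\x00", 1, True),
        "atari-data": build_sample(b"\x00\x00\x00", 1, False),
    }
    for name, sector in samples.items():
        print(name, inspect(sector))
```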