[comp.sys.atari.st] Possible Virus!

BHOLMES@WAYNEST1.BITNET (Brian Holmes) (04/01/88)

I recently posted about a disk crash problem I was having.
This disk just crashed on me and here is a dump of the boot sector.

   0 1 2 3 4 5 6 7 8 9 A B C D E F
00 603800004E4E4E4E6145D60002020100
   027000D002F805000900010000004E4E
   4E4E4E4E4E4E4E4E4E4E4E4E4E4E4E4E
   0000000000000000F5F5F5FE4F000102
   F74E4E4E4E4E4E4E4E4E4E4E4E4E4E4E
   4E4E4E4E4E4E4E000000000000000000
   000000E5E5E5E5E5E5E5E5E5E5E5E5E5
   E5E5E5E5E5E5E5E5E5E5E5E5E5E5E5E5

                  *
        Continue  |   with E5
                  *

F0 E5E5E5E5E5E5E5E5E5E5E5E5E5E5A0AC


Is this what a normal boot sector should look like?  This disk
will no longer boot.  From running Simon Poole's DL II utility,
the directory is BAD on this disk.  I have a few other disks with
identical boot sectors, but the directory is fine and the disk will
still boot.  Some of my other disks have TOTALLY different boot
sectors.  Anyone have any ideas?

     Internet : Brian_Holmes%WU@UM.CC.UMICH.EDU
     BITNET   : BHOLMES@WAYNEST1
     UUCP     : {..!UMIX!ITIVAX!..}!WAYNE-MTS!THUMPER

woodside@ttidca.TTI.COM (George Woodside) (04/06/88)

In article <8804010103.AA17773@ucbvax.Berkeley.EDU> BHOLMES@WAYNEST1.BITNET (Brian Holmes) writes:
>
>
>I recently posted about a disk crash problem I was having.
>This disk just crashed on me and here is a dump of the boot sector.
>
>   0 1 2 3 4 5 6 7 8 9 A B C D E F
>00 603800004E4E4E4E6145D60002020100
>   027000D002F805000900010000004E4E
>   4E4E4E4E4E4E4E4E4E4E4E4E4E4E4E4E
>   0000000000000000F5F5F5FE4F000102
>   F74E4E4E4E4E4E4E4E4E4E4E4E4E4E4E
>   4E4E4E4E4E4E4E000000000000000000
>   000000E5E5E5E5E5E5E5E5E5E5E5E5E5
>   E5E5E5E5E5E5E5E5E5E5E5E5E5E5E5E5
>
>                  *
>        Continue  |   with E5
>                  *
>
>F0 E5E5E5E5E5E5E5E5E5E5E5E5E5E5A0AC
>
>
>Is this what a normal boot sector should look like?  This disk
>will no longer boot.  From running Simon Poole's DL II utility,
>the directory is BAD on this disk.  I have a few other disks with
>identical boot sectors, but the directory is fine and the disk will
>still boot.  Some of my other disks have TOTALLY different boot
>sectors.  Anyone have any ideas?
>

This is almost a normal boot sector from a single sided disk. It was most 
likely formatted from the desktop. There has been some alteration of it,
but it does not contain a virus.

Here is a standard boot sector from a single sided disk, formatted from the
desktop:

000000 00 00 4E 4E 4E 4E 4E 4E   29 6C 11 00 02 02 01 00
000010 02 70 00 D0 02 F8 05 00   09 00 01 00 00 00 4E 4E
000020 4E 4E 4E 4E 4E 4E 4E 4E   4E 4E 4E 4E 4E 4E 4E 4E
000030 4E 4E 4E 4E 4E 4E 4E 4E   4E 4E 4E 4E 00 00 00 00
000040 00 00 00 00 00 00 00 00   F5 F5 F5 FE 4F 00 01 02
000050 F7 4E 4E 4E 4E 4E 4E 4E   4E 4E 4E 4E 4E 4E 4E 4E
000060 4E 4E 4E 4E 4E 4E 4E 00   00 00 00 00 00 00 00 00
000070 00 00 00 F5 F5 F5 FB E5   E5 E5 E5 E5 E5 E5 E5 E5
000080 - 0001EF all E5
0001F0 E5 E5 E5 E5 E5 E5 E5 E5   E5 E5 E5 E5 E5 E5 9D 86

First, note that some things are supposed to change from disk to disk, so
the two boot sectors should not be identical.

There are two interesting variations between your boot sector, and the
standard one. I assume that you were quite careful in transcribing the
data, or did it automatically from some utility. First, the normal first
four bytes have been replaced by a branch instruction. While this may have
been done by a virus, it was not successful, since the sector checksum does
not compute to an executable boot sector. Therefore, the ST would not attempt
to execute this boot sector (again, assuming you were precise in transcribing
the image).

Second, note the fourth line from the standard boot sector (000030). If
this line were in your boot sector, then it would be an almost exact normal
boot sector.

If your system can't read this disk, it isn't because of the boot sector.
And, while the boot sector has most likely been altered, it is not harmful.

You need to determine what caused the boot sector to be altered. It could be
the result of a power surge, or a buggy program. There may be
a virus in your system, and this may be the result. I've no way of knowing,
since I still don't have a real, virus-infected disk.

You may wish to run the CHKFMT program I posted recently on your other disks,
and watch carefully for the message "Self Booting". If it appears after the
serial number of the disk, and you don't have special, self booting software
on that disk, be suspicious. Open the write protect window on whatever disks
you insert into the system, just to be on the safe side. If you do find a 
self booting disk where you shouldn't have one, send it to me. I'll be glad
to reimburse you for the disk, and shipping. If the disk contains a virus,
I'll let you know, and provide a specific cure program here, for everyone to
use. A specific cure would be far superior to the "kill anything" program
PENECILN I posted, since you could safely run it on disks which should be
self booting, and it wouldn't harm them unless they already contained the
virus.


        George R. Woodside
        5219 San Feliciano Drive
        Woodland Hills Ca. 91364

-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside

neil@cs.hw.ac.uk (Neil Forsyth) (04/12/88)

In article <8804010103.AA17773@ucbvax.Berkeley.EDU> BHOLMES@WAYNEST1.BITNET (Brian Holmes) writes:
>
>
>I recently posted about a disk crash problem I was having.
>This disk just crashed on me and here is a dump of the boot sector.
>
>   0 1 2 3 4 5 6 7 8 9 A B C D E F
>00 603800004E4E4E4E6145D60002020100

(rest of article deleted)

There is a branch instruction ($6038) at the start of the boot sector which
branches to what looks like a load of nonsense. My first impression is that
the disk has an executable checksum. The checksum is the sum of all 256 words
(Motorola style) in the boot sector. If the total is $1234 then the OS will try
to execute the code in the boot sector. I have not calculated the checksum.
If this is the case then the nonsense code crashes the system when booted.
You can get and change the checksum using my Disk Toolbox posted recently.

-------------------------------------------------------------------------------
"I think all right thinking people in this country are sick and tired of being
told that ordinary decent people are fed up in this country with being sick and
tired. I'm certainly not and I'm sick and tired of being told that I am!"
- Monty Python

 Neil Forsyth                           JANET:  neil@uk.ac.hw.cs
 Dept. of Computer Science              ARPA:   neil@cs.hw.ac.uk
 Heriot-Watt University                 UUCP:   ..!ukc!cs.hw.ac.uk!neil
 Edinburgh
 Scotland
-------------------------------------------------------------------------------
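As an added worked example (my own code, not CHKFMT, the Disk Toolbox, or anything either poster wrote), here is a small Python checker that applies Neil's checksum rule to George's standard single sided boot sector above: it rebuilds the 512 bytes from the dump, sums the 256 Motorola words, reports whether TOS would execute the sector, decodes the BPB fields, and decodes a leading BRA.S such as the $6038 in Brian's dump. Function names are my own.

```python
import re
# George Woodside's standard single sided boot sector from the post above ("all E5" expanded by parse_dump).
STANDARD_DUMP = """
000000 00 00 4E 4E 4E 4E 4E 4E   29 6C 11 00 02 02 01 00
000010 02 70 00 D0 02 F8 05 00   09 00 01 00 00 00 4E 4E
000020 4E 4E 4E 4E 4E 4E 4E 4E   4E 4E 4E 4E 4E 4E 4E 4E
000030 4E 4E 4E 4E 4E 4E 4E 4E   4E 4E 4E 4E 00 00 00 00
000040 00 00 00 00 00 00 00 00   F5 F5 F5 FE 4F 00 01 02
000050 F7 4E 4E 4E 4E 4E 4E 4E   4E 4E 4E 4E 4E 4E 4E 4E
000060 4E 4E 4E 4E 4E 4E 4E 00   00 00 00 00 00 00 00 00
000070 00 00 00 F5 F5 F5 FB E5   E5 E5 E5 E5 E5 E5 E5 E5
000080 - 0001EF all E5
0001F0 E5 E5 E5 E5 E5 E5 E5 E5   E5 E5 E5 E5 E5 E5 9D 86
"""

def parse_dump(text):
    """Rebuild the 512-byte sector from a dump in the format used above."""
    sector = bytearray(512)
    for line in text.strip().splitlines():
        m = re.fullmatch(r"([0-9A-F]{6})\s*-\s*([0-9A-F]{6})\s+all\s+([0-9A-F]{2})\s*", line)
        if m:  # inclusive range shorthand such as "000080 - 0001EF all E5"
            lo, hi, fill = (int(g, 16) for g in m.groups())
            sector[lo:hi + 1] = bytes([fill]) * (hi - lo + 1)
            continue
        off, *hexbytes = line.split()
        start = int(off, 16)
        sector[start:start + len(hexbytes)] = bytes(int(h, 16) for h in hexbytes)
    return bytes(sector)

def checksum(sector):
    """Sum of the 256 big-endian (Motorola) words of the sector, modulo 2**16."""
    return sum(int.from_bytes(sector[i:i + 2], "big") for i in range(0, 512, 2)) & 0xFFFF

def is_self_booting(sector):
    """TOS executes the boot sector only when the word checksum is exactly $1234."""
    return checksum(sector) == 0x1234

def bpb(sector):
    """Decode the little-endian BIOS Parameter Block fields at offsets 11 to 27."""
    le = lambda o: int.from_bytes(sector[o:o + 2], "little")
    return {"bytes_per_sector": le(11), "sectors_per_cluster": sector[13],
            "sectors": le(19), "sectors_per_track": le(24), "sides": le(26)}

def entry_branch(sector):
    """Offset a leading 68000 BRA.S jumps to, or None if the sector has none."""
    if sector[0] != 0x60 or sector[1] == 0:  # $6000 would be BRA.W, not BRA.S
        return None
    disp = sector[1] - 256 if sector[1] > 127 else sector[1]
    # Relative to the PC after the opcode word: Brian's $6038 lands at $3A, right after the BPB area.
    return 2 + disp
```

On George's sector the words sum to $1235, one past the magic value, so TOS treats it as data only. A disk with no installed boot program whose checksum comes back $1234 is the case CHKFMT reports as "Self Booting".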