[comp.virus] Master Boot Record

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) (06/17/91)

>From:    frisk@rhi.hi.is (Fridrik Skulason)

>padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:
>>From:    dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon)
>>One thing that Mr. Doss forgot to mention is that although Central
>>Point Anti-Virus v1.0 can easily remove the Azusa virus from a floppy,
>>it cannot remove the virus from a hard drive.  The only way to
>>disinfect a hard drive is to redo the low level format because the
>>virus infects the boot sector and the dos partition.  A high level
>>format will not remove the virus, nor will simply removing the dos
>>partition with the fdisk program.

Aw come on fella, give a fella a break: I didn't say that, Mr. Ebdon
did.

The Master Boot Record, aka the Partition Table Record, aka physical
sector one on the hard disk contains two distinct elements:

1) The partition table located at offset 1BEh-1FCh (what is read by NU in
   partition table format).
2) The executable code beginning at offset 0 that uses the table to find
   the O/S boot record (also contains ASCII error messages).

Since the AZUSA replaces part 2 with its own code, all that is
necessary for recovery is to mate a good part 2 with the existing part
1 (not really difficult but more complicated than just copying a
sector) and replace the infected sector.

Things get a bit more complicated if special code is in use e.g. the
selection code used with COHERENT or other MBR replacement code
(DISKSECURE does this which is why the original MBR is backed up three
times during the installation process including once on floppy).

However, I have NEVER had to do a low-level format on a disk because
of a virus, & have been able to restore infections from both AZUSA and
MUSICBUG without any great difficulty, it is just a matter of
following the correct procedure, nor have I ever advised anyone to do
so.

			Hotly (having rolling blackouts of my a/c),

							Padgett
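
The recovery described in the post above (a good part 2 mated with the existing part 1), as an added example that is not part of the original post and not any product's code. It assumes the conventional MBR layout of four 16-byte partition entries starting at 1BEh followed by the 55h AAh signature at 1FEh, and works on 512-byte sector images; the function names and sample sectors are constructed for illustration.

```python
SECTOR = 512
TABLE_OFF = 0x1BE   # start of the four 16-byte partition entries (assumed layout)
SIG_OFF = 0x1FE     # 55h AAh boot signature
ENTRY = 16

def parse_table(sector):
    """Return the non-empty partition entries, rejecting an implausible table."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFF + i * ENTRY: TABLE_OFF + (i + 1) * ENTRY]
        if raw == bytes(ENTRY):
            continue  # unused slot
        flag, ptype = raw[0], raw[4]
        start = int.from_bytes(raw[8:12], "little")
        count = int.from_bytes(raw[12:16], "little")
        if flag not in (0x00, 0x80) or ptype == 0 or count == 0:
            raise ValueError(f"entry {i} looks damaged; do not reuse this table")
        entries.append({"slot": i, "active": flag == 0x80, "type": ptype,
                        "start": start, "count": count})
    if sum(e["active"] for e in entries) > 1:
        raise ValueError("more than one active partition")
    return entries

def rebuild_mbr(infected, clean):
    """Boot code (part 2) from `clean` + partition table (part 1) from `infected`."""
    if len(clean) != SECTOR or clean[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("reference MBR is not a valid boot sector")
    parse_table(infected)  # refuse to carry over a table that fails sanity checks
    return clean[:TABLE_OFF] + infected[TABLE_OFF:SIG_OFF] + b"\x55\xaa"

def sample_sector(code_byte, table):
    # Constructed sample: filler bytes in the code area, a table, the signature.
    return bytes([code_byte]) * TABLE_OFF + table + b"\x55\xaa"

# Constructed data: one active DOS partition (type 06h) starting at sector 17.
TABLE = (bytes([0x80, 1, 1, 0, 0x06, 3, 0x11, 0x98])
         + (17).to_bytes(4, "little") + (41599).to_bytes(4, "little") + bytes(48))
INFECTED = sample_sector(0xCC, TABLE)    # stand-in for a sector whose code was replaced
CLEAN = sample_sector(0x90, bytes(64))   # stand-in for a known-good MBR, empty table

if __name__ == "__main__":
    fixed = rebuild_mbr(INFECTED, CLEAN)
    print(parse_table(fixed), fixed[:4].hex())
```

The rebuilt image would be written back only after the infected sector itself has been saved to a separate medium, so the step can be undone.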