[comp.virus] Information on Joshi Virus

n054gi@tamuts.tamu.edu (Apurva Shah) (05/15/91)

This is in relation to the couple of questions that were raised about
the Joshi virus. I am a student from India and while there I had done
some work on virus detection and cure.

Coming to the point. Joshi is a partition table virus (much like
Stone). According to popular belief it originated in Pune (a city very
close to Bombay). The reason why the virus got its name is that on the
5th of Jan, if one is to boot the machine with the virus active, a
message appears wishing Mr. Joshi a very happy birthday. In fact one
is asked to type this very message out in order to proceed further.
This is a general description of the virus behaviour.

Now, for the more interesting part on how the virus works. When the
user boots with an infected disk, the virus copies itself to the
partition table (first physical sector on disk). The original
partition table is moved to sector 7 (or is it 11? Can't remember
exactly.) This is necessary because once the machine is normally booted
and the virus is activated, control needs to be passed to the original
partition table.

Here we have a catch. If the machine is once again booted with the
virused disk, Joshi has a hard time figuring out if it is already on
the first sector. So what it does in such a situation is to paste a
copy of itself on the 7th sector and once again copy itself on the
1st sector. The result of course is disastrous, since no signs of the
original partition table remain and the machine will refuse to boot.
This explains the apparent time delay in the virus being activated.
About the real time clock error, I have never faced such a problem.

Finally, at least to my knowledge, the Joshi virus does not deal with
files. One has to keep in mind that it is a partition table virus and
enters the picture before DOS loads, namely when there is no concept
of files. However, if the version of the virus running around in the
U.S. is a modification of the original virus that might explain it.

What is the solution to this problem? I have a program with me which
recreates the partition table. In fact, I have an interesting little
set of programs which do some simple yet effective things. That apart,
they are all written in C including the TSRs. Actually that is not
completely correct, there is a bit of assembly embedded in there. I
would like to post these programs including the source at some ftp site
after having them verified by some virus 'guru'. Any volunteers?

Regards
Apurva Shah
(ashah@cs.tamu.edu)
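A checker for the relocation described in the post, added here as an example (it is not Apurva's program and not the virus): it tests whether sector 0 or sector 7 of a raw disk image holds a plausible partition table, copies the saved table back over sector 0 when one survives, and reports the twice-booted case where both sectors carry virus code and nothing is left to restore. The sector number 7, the 16-sector sample images, and the filler bytes standing in for virus code (with a zeroed partition table, as the post's "moved" table implies) are all constructed assumptions.

```python
import struct
SECTOR, BOOT_SIG = 512, b"\x55\xaa"
SAVED_SECTOR = 7   # the post's figure (it allows "or 11"); adjust for the variant at hand

def sector(img, n):
    return bytes(img[n * SECTOR:(n + 1) * SECTOR])

def looks_like_mbr(sec):
    """Plausibility test: 0x55AA signature, boot flags 0x00/0x80 only, at most one active
    entry, at least one non-zero type. Virus code with a zeroed table carries the signature but fails."""
    if len(sec) != SECTOR or sec[510:] != BOOT_SIG:
        return False
    entries = [sec[446 + 16 * i:462 + 16 * i] for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):
        return False
    return sum(e[0] == 0x80 for e in entries) <= 1 and any(e[4] for e in entries)

def classify(img):
    """Report where, if anywhere, a usable partition table survives."""
    mbr0 = looks_like_mbr(sector(img, 0))
    mbr7 = looks_like_mbr(sector(img, SAVED_SECTOR))
    if mbr0:
        return "ambiguous" if mbr7 else "clean"   # two MBR-shaped sectors: inspect by hand
    if mbr7:
        return "relocated"   # original table sits in sector 7 and can be copied back
    return "lost"            # the twice-booted case: neither sector holds a table

def restore(img):
    """Return a repaired image (sector 7 copied back over sector 0), or None."""
    if classify(img) != "relocated":
        return None
    fixed = bytearray(img)
    fixed[0:SECTOR] = sector(img, SAVED_SECTOR)
    return bytes(fixed)
# Constructed 16-sector test images, not taken from any real disk.
PART_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0f", 63, 32000)
CLEAN_MBR = b"\xfa\x33\xc0" + b"\x90" * 443 + PART_ENTRY + b"\x00" * 48 + BOOT_SIG
VIRUS_SECTOR = b"\xea" * 446 + b"\x00" * 64 + BOOT_SIG   # opaque filler standing in for virus code

def make_image(state):
    img = bytearray(16 * SECTOR)
    saved = slice(SAVED_SECTOR * SECTOR, (SAVED_SECTOR + 1) * SECTOR)
    if state == "clean":
        img[0:SECTOR] = CLEAN_MBR
    elif state == "relocated":   # first boot from the infected disk, as the post describes
        img[0:SECTOR], img[saved] = VIRUS_SECTOR, CLEAN_MBR
    elif state == "lost":        # booted again: sector 7 overwritten with a second copy
        img[0:SECTOR], img[saved] = VIRUS_SECTOR, VIRUS_SECTOR
    return bytes(img)
```

After a restore, sector 7 still holds the saved copy, so classify() reports "ambiguous" on the repaired image until that sector is cleared.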