awl@extro.ucc.su.oz.au (Tony Locke) (04/05/91)
We have a machine with Joshi on it and can't find something to kill
it. Anyone have any ideas (have tried SCAN 74B)

Tony Locke
Sydney University Computing Service
Australia
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (04/06/91)
>From: awl@extro.ucc.su.oz.au (Tony Locke)
>We have a machine with Joshi on it and can't find something to kill
>it. Anyone have any ideas (have tried SCAN 74B)

As I recall, the Joshi stores the real MBR (partition table) code in
cyl 0 head 0 sector 9 (should be able to tell by looking).
To recover, just cold boot from a known clean write-protected floppy and
use DEBUG to copy the real MBR back to sector 1. The rest of the virus code
will still be on (hopefully) unused sectors on cyl 0 but will be cut off from
execution & harmless.

Warmly,
Padgett
paul@parsifal.econ.yale.edu (Paul McGuire) (04/13/91)
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:
>>From: awl@extro.ucc.su.oz.au (Tony Locke)
>
>>We have a machine with Joshi on it and can't find something to kill
>>it. Anyone have any ideas (have tried SCAN 74B)
>
>As I recall, the Joshi stores the real MBR (partition table) code in
>cyl 0 head 0 sector 9 (should be able to tell by looking).
>To recover, just cold boot from a known clean write-protected floppy and
>use DEBUG to copy the real MBR back to sector 1. The rest of the virus code
>will still be on (hopefully) unused sectors on cyl 0 but will be cut off from
>execution & harmless.

I have an IBM-AT that won't boot from drive c:, but comes up fine from
a floppy, at which point the c: drive seems to be okay. FPROT114
f-fchk tells me my files are fine, f-syschk tells me my memory is fine,
however f-disinf tells me I have Joshi but fails to cure it. I tell
f-disinf to cure it, it says I'm cured, but if I run it again it again
tells me I'm infected and the computer still won't boot from the hard
disk.

Is this an FPROT bug? Am I perhaps multiply infected? Can I trust the
identification of Joshi and perform the above sector 9 to sector 1
copy, or does FPROT's failure indicate more serious problems that the
copying won't fix or will make worse?

Thanks for any help,
Paul McGuire
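The "should be able to tell by looking" step from Padgett's reply, written as a check on an image of the first track before anything is copied back to sector 1. This is an added example, not part of the thread. It assumes 512-byte sectors and an image that starts at cyl 0 head 0 sector 1, so sector 9 sits at offset 8 x 512; the function names and the sample track are constructed for illustration.

```python
import struct

SECTOR = 512
SAVED_INDEX = 8  # cyl 0, head 0, sector 9 (CHS sectors count from 1), per the reply

def check_mbr(sector: bytes) -> list:
    """Return the reasons a sector does not look like a usable MBR (empty = plausible)."""
    if len(sector) != SECTOR:
        return ["not a full 512-byte sector"]
    problems = []
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 55 AA boot signature")
    active = used = 0
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i:462 + 16 * i]
        status, ptype = entry[0], entry[4]
        count = struct.unpack_from("<I", entry, 12)[0]  # sector count field
        if status not in (0x00, 0x80):
            problems.append(f"entry {i}: status byte {status:#04x} is not 00 or 80")
        active += status == 0x80
        if ptype != 0:
            used += 1
            if count == 0:
                problems.append(f"entry {i}: type {ptype:#04x} but zero sectors")
    if used == 0:
        problems.append("partition table is empty")
    if active > 1:
        problems.append("more than one active partition")
    return problems

def restore_from_saved(track: bytes) -> bytes:
    """Copy the saved sector over sector 1, refusing if it fails check_mbr."""
    saved = track[SAVED_INDEX * SECTOR:(SAVED_INDEX + 1) * SECTOR]
    problems = check_mbr(saved)
    if problems:
        raise ValueError("sector 9 is not a plausible MBR: " + "; ".join(problems))
    return saved + track[SECTOR:]

def sample_track() -> bytes:
    """Constructed 17-sector track: filler in sector 1, a clean MBR in sector 9."""
    entry = bytes([0x80, 1, 1, 0, 0x04, 3, 0x51, 0x65]) + struct.pack("<II", 17, 41599)
    clean = bytes(446) + entry + bytes(48) + b"\x55\xaa"
    filler = bytes(510) + b"\x55\xaa"  # stand-in only, not virus code
    return filler + bytes(7 * SECTOR) + clean + bytes(8 * SECTOR)

if __name__ == "__main__":
    fixed = restore_from_saved(sample_track())
    print("sector 1 after restore:", check_mbr(fixed[:SECTOR]) or "plausible MBR")
```

The check only establishes that sector 9 is structurally a partition sector; it does not confirm which virus, if any, is present.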