EMERSON@TURING.SDC.TASC.COM (04/09/91)
Help! I have a 286 12MHz IBM clone in my office that has been infected with the Beijing Virus. It has disabled my 3 1/2" floppy disk drive for me and is infecting any diskette I happen to boot with that is not write-protected. Our virus guru found that on the 128th boot of my PC, the message "Bloody! June 4th 1989" will show up and then every six times after that. This virus lives in the boot sector of my hard disk.

Needless to say, I'd like to disinfect my hard disk without having to re-format it. I'd like to have a "tool" available to use for the next time this happens. Is there anyone who can tell me of a piece of software (and where to find it), or some method of getting rid of this? I have something that may work, but I need a SIGN.TXT file to run it with. Could I get a copy of this?

Any help is greatly appreciated!!!!! Please send replies to: emerson@turing.sdc.tasc.com or Amanda Emerson, phone # (617)942-2000

Thanks!
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (04/10/91)
>From: EMERSON@TURING.SDC.TASC.COM
>...and is infecting any diskette I happen to boot with...

The "Bloody" (apologies to UK readers) virus cannot remain resident through a cold (power off) boot from an uninfected floppy in a normal PC. period. If it is, then something strange is going on (like a BIOS that forces boots from C & I hope the readers understand the implications of this in view of some earlier discussions).

This virus is similar to the STONED and functions in much the same way. The original partition table/code (MBR) is stored at cyl 0 head 0 sector 6 and a good technician or the current version of McAfee's SCAN/CLEAN will take care of the problem.

When resident, it can be detected by the si...(oops, promised no more mention of my "primitive" technique) by CHKDSK which will report a loss of 2k from the TOM (640k machine will report 653312 "total bytes memory" instead of 655360). If in memory, it must be removed (through clean reboot) for any disinfection to be effective.

Note: as in any infection of this type, it is essential that all infected diskettes (and there must be at least ONE or there is a bigger problem) be found and disinfected else you will get a lot of practise in removal.

Warmly,
Padgett
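An added example, not part of the original post or of any tool named in it: before copying the sector stored at cyl 0 head 0 sector 6 back over the boot sector, a technician can confirm on a raw disk image that it really holds a plausible MBR. The function names, the default geometry and the sample image are assumptions constructed for illustration; the placeholder bytes in sector 0 are filler, not virus code.

```python
import struct

SECTOR = 512

def chs_to_lba(cyl, head, sector, heads, spt):
    """Classic CHS -> LBA mapping; CHS sector numbers start at 1."""
    return (cyl * heads + head) * spt + (sector - 1)

def parse_mbr(sec):
    """Return the non-empty partition entries, or None if sec is not a plausible MBR."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return None
    parts = []
    for i in range(4):
        entry = sec[446 + 16 * i: 462 + 16 * i]
        boot, ptype = entry[0], entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if boot not in (0x00, 0x80):          # boot flag must be inactive or active
            return None
        if ptype != 0:
            parts.append({"active": boot == 0x80, "type": ptype,
                          "start": start, "count": count})
    if sum(p["active"] for p in parts) > 1:   # at most one active partition
        return None
    return parts

def check_saved_mbr(image, heads=4, spt=17):
    """Inspect the sector at cyl 0 / head 0 / sector 6 of a raw disk image."""
    lba = chs_to_lba(0, 0, 6, heads, spt)     # always 5 for cyl 0, head 0
    saved = image[lba * SECTOR:(lba + 1) * SECTOR]
    parts = parse_mbr(saved)
    return {"lba": lba,
            "saved_valid": bool(parts),
            "differs_from_sector0": saved != image[:SECTOR],
            "partitions": parts or []}

def build_sample_image():
    """Constructed test image: placeholder sector 0, clean MBR copy at LBA 5."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x04,
                        b"\x03\x11\x98", 17, 41599)
    clean = bytes(446) + entry + bytes(48) + b"\x55\xaa"
    placeholder = b"\xcc" * 510 + b"\x55\xaa"  # stands in for the replaced sector
    return placeholder + bytes(4 * SECTOR) + clean + bytes(11 * SECTOR)

if __name__ == "__main__":
    print(check_saved_mbr(build_sample_image()))
```

If `saved_valid` is false, the sector at that location should not be written back over sector 0; the image has to be taken after a clean boot, as the post requires for any disinfection.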
p1@arkham.wimsey.bc.ca (Rob Slade) (04/11/91)
EMERSON@TURING.SDC.TASC.COM writes:

> this? I have something that may work, but I need a SIGN.TXT file to
> run it with. Could I get a copy of this? Any help is greatly

Your statement indicates that what you have is FPROT. If you have been given only the F-FCHK program, you do not have the full package, as SIGN.TXT is included in it. The file FPROT114.ZIP should contain the entire suite, and is available on many servers and local bulletin boards.

(frisk has also been promising 1.15 RSN for a while now, and it may be available by the time you read this. :-)

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "Is it plugged in?"
Institute for  Robert_Slade@mtsg.sfu.ca | "I can't see."
Research into  (SUZY) INtegrity         | "Why not?"
User           Canada V7K 2G6           | "The power's off
Security                                |  here."