CCTR132@csc.canterbury.ac.nz (Nick FitzGerald) (03/27/91)
In VIRUS-L Digest V4 #47: "David.M.Chess" <CHESS@YKTVMV.BITNET> wrote:

>Pat Ralston <IPBR400@INDYCMS.BITNET> writes:
>
>>Table" "Your PC is now Stoned! LEGALISE". Please note that Legalise
>>is NOT spelled with a Z as in other versions and is in all uppercase
>
>Now I'm taking an unusual (for me) risk here, as I'm at home with the
>tail end of a nasty cold, and can't verify it, but I'm Pretty Sure
>that the standard normal everyday Stoned virus spells the word with an
>"S" ("LEGALISE").

Yep - originating from New Zealand, where we speak proper English ( 8-) ) the author of Stoned, like most New Zealanders (and probably Aussies and the English themselves), spelled "legalise" with an "s". Pity none of them read the Oxford English Dictionary, or any of the standard references on "correct" English usage (this is a cryptic comment, whose significance will be uncovered by the truly inquisitive - enjoy).

> . . . There are also many cases in which the word
>"MARIJUANA" has been overwritten (probably, I am told, by hard disk
>controllers that keep some data in an "unused" part of the master boot
>record, and overwrite that word in the process).

I have seen several copies of Stoned from various machines exhibiting the munged legalise message, and often wondered what may be causing it. I've also seen copies with apparently random bytes in the "free" space between the end of the message and the bootable disk signature bytes.

If David is right, however, there are serious implications for the "self-checking boot sector" type schemes that have been discussed here recently. If some HD controllers cavalierly write to what they assume is unused space in the MBR, change-checking boot sectors are going to have a hell of a time.

David - are you thinking about the (I think) Zenith machines that write the boot time and date in the MBR each boot up, or do you mean something different?

---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337
CHESS@YKTVMV.BITNET (David.M.Chess) (03/29/91)
"Nick FitzGerald" <CCTR132@csc.canterbury.ac.nz>:

> David - are you thinking about the (I think) Zenith machines that
> write the boot time and date in the MBR each boot up, or do you mean
> something different?

I don't know! *8) Someone that I trust to be reasonably knowledgeable in such things told me awhile back something like (I didn't write it down) this: some hard disk controllers keep some information about the structure of the hard disk on the hard disk itself, in the MBR. If something changes that information, they write it back there again. This didn't sound terribly likely to me, and I wouldn't be surprised if it's either subtly misstated, or I've misremembered it. The only machines I deal with are True Blue IBM's, and I don't know of any that do things like that...

DC
frisk@rhi.hi.is (Fridrik Skulason) (04/04/91)
CHESS@YKTVMV.BITNET (David.M.Chess) writes:

"Nick FitzGerald" <CCTR132@csc.canterbury.ac.nz>:
> David - are you thinking about the (I think) Zenith machines that
> write the boot time and date in the MBR each boot up, or do you mean
> something different?

Huh? I have never heard of any machine which would modify the MBR on each bootup. If this is true I would very much like to see it confirmed.

I think somebody may be confusing this with the practice of Zenith DOS (or at least some versions of it) to write to the DOS boot record - that is, it updates an area containing information on where to start looking for "free" space on the disk.

I discovered this when people started complaining that my F-OSCHK (which among other things does a checksum test of the boot sector) reported constant changes on some Zenith machines.

-frisk
padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/06/91)
>From: frisk@rhi.hi.is (Fridrik Skulason)
>I think somebody may be confusing this with the practice of Zenith DOS
>(or at least some versions of it) to write to the DOS boot record -

Our experience with Zenith XT class machines (model 158 & 159) was that they did write occasionally to the boot record (not the MBR) as Frisk says. This action seemed to occur with Zenith DOS 3.0 through 3.2 and the location written to varied with the O/S but was inside the "reserved" area of the boot record.

As with Frisk's software, this surfaced when we began installing integrity checking mechanisms in our PCs last year and started getting changes flagged on each boot, before we had the checking software "fixed" to recognize that it was dealing with a Zenith (ATs & 386s did not exhibit this). Since then, I have been told that early HP Vectras are likely to exhibit this same condition. For more detailed discussion, I posted a number of items to Virus-L last year concerning this.

Possibly, the confusion seems to come from the number of different names applied to the "Master Boot Record" (cyl 0 hd 0 sector 1) which contains both executable code and the partition table. The DOS Boot Record (first sector of any DOS partition - only the record of the partition marked "active" is executed) is something else entirely. The DOS Boot Record can be accessed with a "load" (L) command from DEBUG. The MBR cannot.

Padgett
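
An added example, not part of any poster's message and not code from F-OSCHK or any tool named in the thread: a boot-sector change check that masks a known-volatile range, which is the kind of "fix" the last post describes, but still reports which offsets changed. The volatile offsets and the sample sectors are constructed for illustration, and SHA-256 stands in for whatever checksum the original tools used.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a bootable sector

# Hypothetical volatile range (half-open byte offsets). The real location
# varies with the OS version and must be measured on the machine itself.
VOLATILE = [(0x40, 0x44)]

def changed_ranges(old, new):
    """Return half-open (start, end) offset ranges where two sectors differ."""
    ranges, start = [], None
    for i in range(SECTOR_SIZE):
        if old[i] != new[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, SECTOR_SIZE))
    return ranges

def masked_digest(sector, volatile):
    """SHA-256 of the sector with every volatile range zeroed out."""
    buf = bytearray(sector)
    for start, end in volatile:
        buf[start:end] = bytes(end - start)
    return hashlib.sha256(buf).hexdigest()

def check(baseline, current, volatile=()):
    """Return (status, ranges); status is unchanged, volatile-only or modified."""
    if len(baseline) != SECTOR_SIZE or len(current) != SECTOR_SIZE:
        raise ValueError("expected two 512-byte sectors")
    ranges = changed_ranges(baseline, current)
    if not ranges:
        return "unchanged", ranges
    if masked_digest(baseline, volatile) == masked_digest(current, volatile):
        return "volatile-only", ranges   # still reported, never silently dropped
    return "modified", ranges

def patch(sector, offset, data):
    """Return a copy of sector with data written at offset."""
    return sector[:offset] + data + sector[offset + len(data):]

# Constructed sample sectors (not captured from a real disk).
BASELINE = bytes((i * 7) & 0xFF for i in range(510)) + BOOT_SIGNATURE
REBOOTED = patch(BASELINE, 0x40, b"\x01\x02\x03")   # OS rewrote its own field
TAMPERED = patch(REBOOTED, 0x10, b"\x00")           # change outside the mask
```

Keeping the mask as narrow as the observed writes matters: every masked byte is a byte the checker no longer vouches for, so the changed ranges are returned even when the status is volatile-only.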