padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (04/04/91)
>From: con_jdc@selway.umt.edu (John-David Childs)
>Subject: FDISK; partitions starting at 0,0,2; Stoned virus; (PC)

>When used in conjunction with F-DRIVER.SYS at startup, I've had no trouble
>with removing the virus. If F-DRIVER.SYS or some other detection utility
>was not loaded at startup (F-DRIVER.SYS halts the PC if a virus is
>detected), then Nick's and Padgett's comments about corrupted FAT's
>etc. would be apropos.

I would still recommend that people having disks formatted without "hidden" sectors whose machines are at risk, do a thorough backup and re-partition the disk using a version that does provide this added protection. The STONED is not the only virus that is liable to corrupt a FAT in this manner.

An easy way to check is with DEBUG: load the logical boot sector of the fixed disk ( L 100 2 0 1 ) and the number of "hidden sectors" is contained in a double word at offset 11Ch (just the first byte is enough unless someone has more than 255 "hidden sectors" & that would surprise me).

For an MFM drive, the value should be 11h or 17 "hidden sectors", I think an RLL drive will report 1Ah (26) and a large disk might report 3Fh (63), but if 0 or 1, I would expect that the FAT might be at risk.

One of the difficulties of restoring a fixed disk infected with the MusicBug is that this "hidden sector" value is lost and must be restored (DOS SYS won't) before the disk will boot properly.

Padgett
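The DEBUG check described in the post above, as an added Python example that is not part of the original post: it reads the same double word (offset 1Ch of the sector, shown by DEBUG as 11Ch because the sector is loaded at 100h) from a saved logical boot sector and applies the post's 0-or-1 rule. The function names, the constructed sample sectors and the comparison with the sectors-per-track word at offset 18h are assumptions of this example.

```python
import struct

HIDDEN_OFF = 0x1C  # dword; DEBUG shows it at 11Ch because the sector is loaded at 100h
SPT_OFF = 0x18     # word: sectors per track, from the same BIOS parameter block


def hidden_sectors(boot: bytes) -> int:
    """Return the "hidden sectors" count from a logical (DOS) boot sector."""
    if len(boot) < 512:
        raise ValueError("need the full 512-byte boot sector")
    if boot[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA signature: not a boot sector")
    return struct.unpack_from("<I", boot, HIDDEN_OFF)[0]


def check(boot: bytes) -> tuple[int, bool, str]:
    """Return (hidden, at_risk, note) using the post's rule: 0 or 1 means risk."""
    hidden = hidden_sectors(boot)
    spt = struct.unpack_from("<H", boot, SPT_OFF)[0]
    if hidden <= 1:
        return hidden, True, "no gap after the partition table; FAT might be at risk"
    if hidden == spt:
        return hidden, False, "whole first track reserved (hidden == sectors per track)"
    return hidden, False, "gap present; compare the value with the drive geometry"


def sample_boot_sector(hidden: int, spt: int) -> bytes:
    """Constructed test input: an otherwise empty sector with only these fields set."""
    sec = bytearray(512)
    struct.pack_into("<H", sec, SPT_OFF, spt)
    struct.pack_into("<I", sec, HIDDEN_OFF, hidden)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    # Constructed values: the three the post expects, then the two it flags.
    for hidden, spt in [(0x11, 17), (0x1A, 26), (0x3F, 63), (1, 17), (0, 17)]:
        h, risk, note = check(sample_boot_sector(hidden, spt))
        print(f"hidden={h:#04x} ({h:2d})  at_risk={risk}  {note}")
```

To use it on a real disk, save the logical boot sector to a file first and pass its 512 bytes to `check`.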