C09615SJ@WUVMD.BITNET (01/12/91)
Hi,
I have a tendency to only scan VIRUS-L when I read it so I am not
sure about the current line of discussion regarding the user who had
been reinfected with the STONED virus after "cleaning" his hard drive.
Let me present a problem that we had a few weeks ago for your consideration.
The equipment: A 386 clone with an 80Mb hard drive AND a floppy
controller with four ports; and a gob ( >5Mb ) of extended memory. Floppy
A: is a 360K 5 1/4", B: is a 1.2M 5 1/4", and C: is a 1.44M 3.5". The
hard drive has four partions (E,F,G, and H) and one RAM drive, I:.
We had a version of STONED that McAfee could NOT detect or clean
because of the way it had infected our drive. The chain of events went
something link this:
1> We had become aware, through a comedy of errors, that our hard
drive was STONED after we inserted a known-to-be-clean diskette
into the A: drive, used a DIR command, and then removed it and
checked the boot sector with Norton Disk Doctor.
2> SCAN would not detect the virus on our E: drive (the boot drive),
but would detect it in memory.
3> If we put a clean disk in our 3.5" drive (drive C:) and then SCANed
it, it would find STONED "in the partion table" but CLEAN was
unable to remove it.
now it gets weird...
4> We would boot from a (repeatedly confirmed) clean disk in our A:
drive. SCAN memory. Find nothing. Play around on the B: and C:
drives. SCAN memory. Find nothing. Change drive to E: and then
immediately change back to C:. SCAN memory. Find STONED resident
in memory.
Our analysis of the situation was that STONED had infected the first
sector of our hard drive which was the partion table NOT the boot sector.
McAfee's CLEAN was not able to clean our drive because (we guess) the
program assumed that the first partion of our hard drive was C: and it
couldn't handle the values it was finding for our configuration. We know
for a fact that when we attempted to CLEAN our E: drive, nothing would
happen. We solved our problem by reformatting and repartioning the hard
drive and pulling the old data off of tape.
Somewhere in the middle of this process we called McAfee and discussed
our problem. They were very responsive and very interested but seemed as
stumped was we were. We were expecting a call-back from them but, when one
never came, we solved the problem on our own. I would like to state for
the record that we feel that they have made an excellent product and that
they are an organization with a great deal of integrity. The frightening
thing about this whole situation was that STONED would get loaded into our
computer's memory whenever we did anything that forced it to check the
partion table on our hard drive regardless of whether or not we booted from
a clean system diskette.
Hope this helps,
Jon
Jon Spinner C09615SJ@WUVMD
ECS computer clinic manager
Washington University in St. LouisCHESS@YKTVMV.BITNET (David.M.Chess) (01/15/91)
Hm, interesting. The Stoned infects the master boot record (synonymous with "partition table") on the first physical hard drive (BIOS drive id "80" hex). In your case, that's the master boot record on the 80Mb hard disk. The master boot record (and therefore the partition table) are stored at the very bottom of the disk, lower than any of the partitions (E F G and H). Did you test whether or not, after booting from a clean floppy and then switching to E: and back to A:, the virus was actually *active* (infecting new diskettes), as well as being in memory? My guess would be that, although the virus code was in memory (in the buffer used by DOS to hold the partition table of the hard drive), the virus was not active (that is, not hooked into INT 13, and never actually getting control passed to it). That is, after step <4> I would suggest that, although the virus was in memory, it wasn't actually -doing- anything. (Memory scanning in general has the problem that it can't tell an active virus from a "ghost" of the virus that just happens to be sitting in a buffer somewhere, never running). The only way the usual Stoned virus can get control is if it's present on the boot record or the disk or diskette that the system is booted from. DC