C09615SJ@WUVMD.BITNET (01/12/91)
Hi, I have a tendency to only scan VIRUS-L when I read it so I am not sure about the current line of discussion regarding the user who had been reinfected with the STONED virus after "cleaning" his hard drive. Let me present a problem that we had a few weeks ago for your consideration. The equipment: A 386 clone with an 80Mb hard drive AND a floppy controller with four ports; and a gob ( >5Mb ) of extended memory. Floppy A: is a 360K 5 1/4", B: is a 1.2M 5 1/4", and C: is a 1.44M 3.5". The hard drive has four partions (E,F,G, and H) and one RAM drive, I:. We had a version of STONED that McAfee could NOT detect or clean because of the way it had infected our drive. The chain of events went something link this: 1> We had become aware, through a comedy of errors, that our hard drive was STONED after we inserted a known-to-be-clean diskette into the A: drive, used a DIR command, and then removed it and checked the boot sector with Norton Disk Doctor. 2> SCAN would not detect the virus on our E: drive (the boot drive), but would detect it in memory. 3> If we put a clean disk in our 3.5" drive (drive C:) and then SCANed it, it would find STONED "in the partion table" but CLEAN was unable to remove it. now it gets weird... 4> We would boot from a (repeatedly confirmed) clean disk in our A: drive. SCAN memory. Find nothing. Play around on the B: and C: drives. SCAN memory. Find nothing. Change drive to E: and then immediately change back to C:. SCAN memory. Find STONED resident in memory. Our analysis of the situation was that STONED had infected the first sector of our hard drive which was the partion table NOT the boot sector. McAfee's CLEAN was not able to clean our drive because (we guess) the program assumed that the first partion of our hard drive was C: and it couldn't handle the values it was finding for our configuration. We know for a fact that when we attempted to CLEAN our E: drive, nothing would happen. We solved our problem by reformatting and repartioning the hard drive and pulling the old data off of tape. Somewhere in the middle of this process we called McAfee and discussed our problem. They were very responsive and very interested but seemed as stumped was we were. We were expecting a call-back from them but, when one never came, we solved the problem on our own. I would like to state for the record that we feel that they have made an excellent product and that they are an organization with a great deal of integrity. The frightening thing about this whole situation was that STONED would get loaded into our computer's memory whenever we did anything that forced it to check the partion table on our hard drive regardless of whether or not we booted from a clean system diskette. Hope this helps, Jon Jon Spinner C09615SJ@WUVMD ECS computer clinic manager Washington University in St. Louis
CHESS@YKTVMV.BITNET (David.M.Chess) (01/15/91)
Hm, interesting. The Stoned infects the master boot record (synonymous with "partition table") on the first physical hard drive (BIOS drive id "80" hex). In your case, that's the master boot record on the 80Mb hard disk. The master boot record (and therefore the partition table) are stored at the very bottom of the disk, lower than any of the partitions (E F G and H). Did you test whether or not, after booting from a clean floppy and then switching to E: and back to A:, the virus was actually *active* (infecting new diskettes), as well as being in memory? My guess would be that, although the virus code was in memory (in the buffer used by DOS to hold the partition table of the hard drive), the virus was not active (that is, not hooked into INT 13, and never actually getting control passed to it). That is, after step <4> I would suggest that, although the virus was in memory, it wasn't actually -doing- anything. (Memory scanning in general has the problem that it can't tell an active virus from a "ghost" of the virus that just happens to be sitting in a buffer somewhere, never running). The only way the usual Stoned virus can get control is if it's present on the boot record or the disk or diskette that the system is booted from. DC