padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (01/12/91)
In issue 7 Jeffery <3501P@NAVPGS.BITNET> writes that his PC is infected by both JOSHI and the STONED II (Donald Duck). I haven't tried such a dual infection but it certainly is feasible. Because JOSHI is more selective, I would venture that it was the first infection, followed by the STONED II, therefore the real partition table can probably be found at absolute sector 9 on the hard disk (if not it might be in sector 7, but I doubt it). Interestingly, Joshi puts its code into sectors 2-6, skipping 7 where the Stoned usually infects.

To look at these sectors, use the following debug code:

    a
    mov ax,0201   ; read one sector
    mov bx,200    ; put it in ds:200
    mov cx,9      ; ch=track 0, cl=sector to read, 1 is first
    mov dx,80     ; dh=head 0, dl=80 first fixed disk
    int 13        ; the notorious - see IBM ROM BIOS by Ray Duncan
    int 20        ; quit
                  ; bare <cr> gets you out of assemble mode
    g             ; to run
    d200 3ff      ; dumps sector (more than one screen) real table will have
                  ; messages like "Invalid Partition Table" in ASCII
    e107          ; to change sector number

After you find the partition table and it is in the 200-3ff area, just e102 to change the 2 (read) to 3 (write) and e107 to 1 & run to put the partition table back.

NOTE: do not try the last part unless you are SURE you know what you are doing as it can lose the table completely, making the disk unreadable except by an expert. However, for a multiple infection such as you seem to have I would prefer the manual method to any automatic one (why CLEAN et al have disclaimers). Incidentally, since this is dangerous, I didn't tell you to do it.

Padgett

Addendum: you MUST cold boot from a known clean floppy before attempting disinfection or sector reads since many viruses intercept Int 13.

Padgett
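The same search can be done read-only against a raw image of the disk's first track instead of eyeballing DEBUG dumps. The following is an added example, not part of the original post: the function names, the 17-sector scan range and the sample image are assumptions constructed for illustration. It flags sectors that carry the 55 AA signature, a plausible four-entry partition table and the "Invalid partition table" message.

```python
import struct

SECTOR = 512
MARKER = b"invalid partition table"  # text the post says the real sector carries

def parse_entries(sector):
    """Return the four partition entries, or None if the sector is not a plausible MBR."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    entries = []
    for off in range(446, 510, 16):
        boot, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if boot not in (0x00, 0x80):          # only inactive/active flags are valid
            return None
        entries.append({"active": boot == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    if sum(e["active"] for e in entries) > 1 or not any(e["type"] for e in entries):
        return None
    return entries

def find_candidates(image, first=1, last=17):
    """Check sectors first..last of cylinder 0, head 0 (1-based, like CL for int 13h)."""
    hits = []
    for n in range(first, last + 1):
        sector = image[(n - 1) * SECTOR:n * SECTOR]
        entries = parse_entries(sector)
        if entries is not None:
            hits.append((n, MARKER in sector.lower(), entries))
    return hits

def build_sample_image():
    """Constructed test image: 17 sectors, a made-up clean MBR placed at sector 9."""
    image = bytearray(17 * SECTOR)
    image[510:512] = b"\x55\xaa"              # sector 1: signature only, empty table
    base = 8 * SECTOR                         # start of sector 9
    image[base + 0x100:base + 0x117] = b"Invalid partition table"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x04,
                        b"\x03\x11\x99", 17, 41599)
    image[base + 446:base + 462] = entry
    image[base + 510:base + 512] = b"\x55\xaa"
    return bytes(image)

if __name__ == "__main__":
    for n, has_msg, entries in find_candidates(build_sample_image()):
        print(f"sector {n}: message={has_msg} active type={entries[0]['type']:#04x}")
```

A sector that passes all three checks is only a candidate; compare its entries against what is known about the disk's layout before writing anything back.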