padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (12/03/90)
>From: Robert Slade <USERQBPP@SFU.BITNET> >Subject: DOS viri and OS/2 (PC) >The operator's PC is normally running OS/2...However, I did not succeed >in inducing it to infect the disks we offered it as bait, so perhaps >(perhaps, mind you) it wasn't active. The "original" STONED checks the media byte in the boot sector and would only infect 360k 5 1/4 floppies. I suspect that this machine uses 3 1/2s. - ------------------------------ >From: deepak@shakti.ernet.in >Subject: EB21 or PrintScreen virus (PC) >... how does it write in the harddisk? because no >encounters of interrupt 13 are seen. Does any one know about it? The >detector which we had installed (on the basis of int 13 had been >bypassed!) Can the hard-disk be written without use of BIOS int 13? Without complete detail, an interrupt is simply a special form of calling a subroutine. Int 13 utilities generally intercept the interrupt and check for "unusual" requests. Next, you have to understand the order in which a PC boots: (part of a two day course I teach to technicians here). Leaving out a lot of detail, when turned on or booted, a PC first executes POST clearing memory. loads the low level interrupts (including 0-1F), checks for ROM extensions, checks for a floppy (A) followed by a hard disk in that order, reads the first physical sector from whichever is found first (some machines let you specify), and jumps to the first byte of what it found. If a partition table (hard disk) it points to the boot record (logical sector 1 of the partiton marked "active") which is then loaded and executed. If a floppy or some old fixed disks with no partiton table, this is the boot record. If a virus, it can do anything it wants. This loads the two system files which read & load the config.sys contents, loads COMMAND.COM, and then executes AUTOEXEC.BAT if found. Now the PRINTSCREEN (according to VSUM) is a boot sector infector & goes resident long before any Int 13 intercept loaded by AUTOEXEC.BAT or CONFIG.SYS can take control (why GOOD anti-viral utilities are so difficult to write). My suspician is that the virus has simply intercepted the interrupt 13 vector so that any call to Int 13 is passed to the virus. Your Int 13 intercept is probably sitting fat, dumb, and happy on top of DOS watching high level operations while the virus is mucking around down in the engine compartment. - ------------------------------------- >From: "Willem van der Wal, ICP, NIAS" <SURF124@KUB.NL> >Subject: (c) Brain ? (PC) >Does someone have information on a virus that labels floppies with: >"(c) Brain" How do I get rid of it? 1) Make sure the virus is not resident (CHKDSK or Int 12) 2) Check floppies for three k in bad sectors 3) Use DEBUG to replace the boot sectors on infected ones. or Get McAfee's CLEAN (71B is current), read the .DOC, boot from a known- unifected floppy, invoke: CLEAN a: /many [Brain]<cr>, and swap floppies in a: as required, send John currency. Padgett