MMCCUNE@sctnve.bitnet (10/19/90)
I would like to thank the members of the Virus-L, Fidonet and Interlink virus
conferences for their feedback on this program. Earlier, I posted a remover
for the Joshi Virus that didn't check for the virus before trying to remove
it. I have now added several checks to the new version of the program....
;RMJOSHI - assembled as a .COM file (ES=DS=CS at entry); w[...] is a word operand
mov ah,0h
mov dx,80h ;DH=0 head 0, DL=80h first hard disk
int 13h ;Reset hard disk
mov cx,1h ;CH=0 cylinder 0, CL=1 sector 1 (partition record)
mov bx,200h ;Read buffer at ES:200h, past the end of this program
mov ax,201h ;AH=2 read sectors, AL=1 sector
int 13h ;Load sector 1 of partition table into memory
or ah,ah ;Check for a read error (AH holds the BIOS status)
jnz read_error
es: ;Segment override for the compare below
cmp w[bx],1febh ;See if partition table is infected (first bytes EB 1F)
jnz no_virus
mov cx,000ah ;Cylinder 0, sector 10
mov ax,301h ;AH=3 write sectors, AL=1 sector
int 13h ;Save copy of partition record
or ah,ah ;See if there was a write error
jnz write_error
mov cx,9h ;Cylinder 0, sector 9
mov ax,201h
int 13h ;Load sector 9 of partition table into memory
or ah,ah ;Check for a read error
jnz read_error
cmp w[bx+1feh],0aa55h ;Checks for a valid partition record (55 AA boot signature)
jnz no_remove
mov cx,1h
mov ax,301h
int 13h ;Write sector 9 over sector 1 (in partition table)
or ah,ah ;Check for a write error
jnz write_error
mov ah,9h ;DOS print string
lea dx,remove_message
int 21h
int 20h ;Terminate program
no_virus:
mov ah,9h
lea dx,virus_message
int 21h
int 20h
no_remove:
mov ah,9h
lea dx,no_remove_message
int 21h
int 20h
read_error:
mov ah,9h
lea dx,read_message
int 21h
int 20h
write_error:
mov ah,9h
lea dx,write_message
int 21h
int 20h
remove_message:
db 'Joshi Removed$'
virus_message:
db 'Joshi not found$'
no_remove_message:
db 'Joshi can not be removed!$'
read_message:
db 'Read Error$'
write_message:
db 'Write Error$'
This program will remove the Joshi virus from the hard disk. McAfee's
SCANV64 or above will detect it. The virus can also be detected by
looking at the partition table with a HEX editor such as Norton
Utilities. First, cold boot (turn the machine off) off a clean, write
protected diskette. Then look at the partition record (Track 0, Head
0, Sector 1). If the first two bytes are Hex EB 1F, the hard disk is
infected.
The virus also does some other things to make itself detectable. When
the date is set to 1-05-(any year), a green screen with the words
"TYPE HAPPY BIRTHDAY JOSHI" appears on the screen. The machine will
halt until the message is typed.
Also, CHKDSK will show 6k less memory than is available on an
uninfected system.
Probably the most annoying bug in the virus is that it won't allow you
to format a diskette while it is active in memory; the system will
give a "bad track 0" error.
To use, first boot off an uninfected diskette (this is very important).
Then type RMJOSHI. This will remove the virus from the hard disk. It
will leave traces of the virus in the partition table but the virus
will be disabled and the system will be returned to normal.
RMJOSHI will give four messages:
Joshi Removed - The virus was found and removed from the partition table
of the hard disk.
Joshi not found - Either the virus is active in memory or the hard disk is not
infected.
Joshi can not be removed - Either the partition record is corrupted or you have
a new variation of the virus.
Read Error - The program aborted because there was an error reading the
hard disk.
Write Error - The program aborted because there was an error writing to
the hard disk.
When dealing with viruses, there is always a danger of losing
programs or data. Thus, I offer no warranty on these programs. They
may be freely distributed as long as they are not altered in any way.
I can be reached on the FIDONET virus echo, the INTERLINK virus echo
and VIRUS-L digest. I can also be reached on BITNET as
MMCCUNE@SCT.NVE. It is free to use by all private individuals
(Institutions please contact me first).
Mike McCune.

n33@telvm2.iinus1.ibm.com (Donny Gilor) (10/31/90)
Using a small signature (EB1F) for detecting the Joshi virus (or any other virus) is not recommended. A future system or virus may have the same signature and the results would be unpredictable.

Dr. Virus
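The decision logic of RMJOSHI, together with the weakness Donny Gilor points out, as an added example that is not code from either posting. It applies the same checks the assembler program makes (EB 1F at the start of sector 1, 55 AA at offset 1FEh of the backup in sector 9) to 512-byte sector images held in memory, so a disk image or sector dump taken after booting from clean media can be examined without writing to a drive, and the in-memory stealth case behind "Joshi not found" does not arise. Everything else is an assumption: the sample sector bytes and partition entry are constructed for illustration and are not the virus's or DOS's real bytes, and the optional partition-table plausibility check (boot indicator 00h or 80h in each of the four 16-byte entries at offset 1BEh, at least one non-zero partition type) is an extra corroboration the original program does not perform.

```python
"""Offline re-implementation of the RMJOSHI decision logic on sector images.

Added example, not code from either posting. Sector contents below are
constructed for illustration, not taken from the virus or from DOS.
"""
from typing import Dict, Tuple

SECTOR_SIZE = 512
BOOT_SIG_OFFSET = 0x1FE               # standard MBR boot signature location
PART_TABLE_OFFSET = 0x1BE             # four 16-byte partition entries follow
JOSHI_MARKER = bytes.fromhex("EB1F")  # the two bytes the posting checks for
MSG_REMOVED = "Joshi Removed"
MSG_NOT_FOUND = "Joshi not found"
MSG_NO_REMOVE = "Joshi can not be removed!"
MSG_READ_ERROR = "Read Error"


def joshi_marker_present(sector: bytes) -> bool:
    """The posting's only infection test: sector 1 begins with EB 1F."""
    return sector[:2] == JOSHI_MARKER


def has_boot_signature(sector: bytes) -> bool:
    """The posting's validity test for the backup: 55 AA at offset 1FEh."""
    return (len(sector) == SECTOR_SIZE
            and sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xAA")


def partition_table_plausible(sector: bytes) -> bool:
    """Extra corroboration (assumed heuristic, not in RMJOSHI): every entry's
    boot indicator is 00h or 80h and at least one entry has a non-zero type."""
    entries = [sector[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)]
               for i in range(4)]
    if not all(e[0] in (0x00, 0x80) for e in entries):
        return False
    return any(e[4] != 0 for e in entries)


def classify(sector1: bytes, sector9: bytes, strict: bool = False) -> str:
    """Return the message RMJOSHI would print for this pair of sectors.
    strict=True also demands a plausible partition table in the backup, so a
    sector that merely ends in 55 AA is not copied over the partition record."""
    if len(sector1) != SECTOR_SIZE or len(sector9) != SECTOR_SIZE:
        return MSG_READ_ERROR
    if not joshi_marker_present(sector1):
        return MSG_NOT_FOUND
    if not has_boot_signature(sector9):
        return MSG_NO_REMOVE
    if strict and not partition_table_plausible(sector9):
        return MSG_NO_REMOVE
    return MSG_REMOVED


def repair_image(image: Dict[int, bytes], strict: bool = False) -> Tuple[str, Dict[int, bytes]]:
    """Apply RMJOSHI's steps to a {sector_number: bytes} map of track 0, head 0
    and return (message, new_map); the input map is left unchanged."""
    new = dict(image)
    sector1 = image.get(1, b"")
    if len(sector1) != SECTOR_SIZE:
        return MSG_READ_ERROR, new
    if not joshi_marker_present(sector1):
        return MSG_NOT_FOUND, new
    new[10] = sector1                  # save a copy of the current partition record
    sector9 = image.get(9, b"")
    verdict = classify(sector1, sector9, strict)
    if verdict == MSG_REMOVED:
        new[1] = sector9               # write sector 9 over sector 1
    return verdict, new


def make_sector(prefix: bytes, with_signature: bool = True, entry: bytes = b"") -> bytes:
    """Build a constructed 512-byte sector for the samples below."""
    body = bytearray(SECTOR_SIZE)
    body[:len(prefix)] = prefix
    body[PART_TABLE_OFFSET:PART_TABLE_OFFSET + len(entry)] = entry
    if with_signature:
        body[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(body)


# Constructed sample sectors (illustrative bytes only).
SAMPLE_ENTRY = bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0x0F, 0x3F, 0x2C,
                      0x3F, 0x00, 0x00, 0x00, 0x41, 0x56, 0x04, 0x00])
CLEAN = make_sector(b"\xFA\x33\xC0", entry=SAMPLE_ENTRY)      # plausible clean record
INFECTED = make_sector(JOSHI_MARKER)                           # starts with EB 1F
BAD_BACKUP = make_sector(b"\x00\x00", with_signature=False)    # no 55 AA

if __name__ == "__main__":
    cases = {"infected, good backup": {1: INFECTED, 9: CLEAN},
             "clean": {1: CLEAN, 9: CLEAN},
             "infected, bad backup": {1: INFECTED, 9: BAD_BACKUP},
             "backup also marked": {1: INFECTED, 9: INFECTED}}
    for name, disk in cases.items():
        print(f"{name}: {repair_image(disk)[0]} / strict: {repair_image(disk, strict=True)[0]}")
```

The "backup also marked" case is the one the reply is about: with only the two checks the original makes, a sector 9 that carries the same two leading bytes but ends in 55 AA would be copied straight over the partition record, whereas the strict variant refuses it.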