MMCCUNE@sctnve.BITNET (09/06/90)
Here is a program that will detect and remove the Joshi Virus from
hard disks. It is free to use by all private individuals and any
institution that I give permission to use it. I wrote it for the
shareware A86, but it should assemble with MASM, TASM or WASM
with minor modifications.
mov dx,80h
mov cx,1h
mov bx,200h
mov ax,201h
int 13h
or ah,ah
jnz read_error
es:
cmp w[bx],1feb
jnz no_virus
mov cx,000ah
mov ax,301h
int 13h
or ah,ah
jnz write_error
mov cx,9h
mov ax,201h
int 13h
or ah,ah
jnz read_error
mov cx,1h
mov ax,301h
int 13h
or ah,ah
jnz write_error
mov ah,9h
lea dx,remove_message
int 21h
int 20h
remove_message:
db 'Joshi Removed$'
no_virus:
mov ah,9h
lea dx,virus_message
int 21h
int 20h
virus_message:
db 'Joshi not found$'
read_error:
mov ah,9h
lea dx,read_message
int 21h
int 20h
read_message:
db 'Read Error$'
write_error:
mov ah,9h
lea dx,write_message
int 21h
int 20h
write_message:
db 'Write Error$'
This program will remove the Joshi virus from the hard disk. McAfee's
SCANV64 or above will detect it. The virus can also be detected by
looking at the partition table with a HEX editor such as Norton
Utilities. First, cold boot (turn the machine off) off a clean, write
protected diskette. Then look at the partition record (Track 0, Head
0, Sector 1). If the first two bytes are Hex EB 1F, the hard disk is
infected.
The virus also does some other things to make itself detectable. When
the date is set to 1-05-(any year), a green screen with the words
"TYPE HAPPY BIRTHDAY JOSHI" appear on the screen. The machine will
halt until the message is typed.
Also, CHKDSK will show 6k less memory than is available on an
unifected system.
Probably the most annoying bug in the virus is that it won't allow you
to format a diskette while it is active in memory; the system will
give a "bad track 0" error.
To use, first boot off an unifected diskette (this is very important).
Then type RMJOSHI. This will remove the virus from the hard disk. It
will leave traces of the virus in the partition table but the virus
will be disabled and the system will be returned to normal. On some
systems, RMJOSHI may damage the partition table. The program
RETURN.COM will restore the hard disk to it's origonal state. Do not
use RETURN unless you have used RMJOSHI on the hard disk at least one
time.
RMJOSHI will give four messages:
Joshi Removed - The virus was found and removed from the partition table
of the hard disk.
Joshi not found - Either the virus is active in memory or the hard disk is not
infected.
Read Error - The program aborted because there was an error reading the
hard disk.
Write Error - The program aborted because there was an error writing to
the hard disk.
When dealing with viruses, there is always a danger of losing programs
or data. Thus, I offer no warranty on these programs. They may be
freely distributed as long as they are not altered in any way. I can
be reached on the FIDONET virus echo, the INTERLINK virus echo and
VIRUS-L digest. I can also be reached on BITNET as MMCCUNE@SCT.NVE.
Mike McCune.