MMCCUNE@sctnve.BITNET (09/06/90)
Here is a program that will detect and remove the Joshi Virus from hard disks. It is free to use by all private individuals and any institution that I give permission to use it. I wrote it for the shareware A86, but it should assemble with MASM, TASM or WASM with minor modifications.

        mov dx,80h              ; DL = 80h (first hard disk), DH = head 0
        mov cx,1h               ; CH = track 0, CL = sector 1 (partition record)
        mov bx,200h             ; buffer at ES:200h
        mov ax,201h             ; AH = 02h (read), AL = 1 sector
        int 13h
        or ah,ah                ; AH <> 0 means the BIOS reported an error
        jnz read_error
        es: cmp w[bx],1febh     ; first two bytes EB 1F = Joshi
        jnz no_virus
        mov cx,000ah            ; track 0, sector 10
        mov ax,301h             ; AH = 03h (write), AL = 1 sector
        int 13h                 ; save the infected record in sector 10
        or ah,ah
        jnz write_error
        mov cx,9h               ; track 0, sector 9
        mov ax,201h
        int 13h                 ; read sector 9 into the buffer
        or ah,ah
        jnz read_error
        mov cx,1h               ; track 0, sector 1
        mov ax,301h
        int 13h                 ; write the buffer over the partition record
        or ah,ah
        jnz write_error
        mov ah,9h               ; DOS function 09h: print '$'-terminated string
        lea dx,remove_message
        int 21h
        int 20h                 ; exit to DOS
remove_message:
        db 'Joshi Removed$'
no_virus:
        mov ah,9h
        lea dx,virus_message
        int 21h
        int 20h
virus_message:
        db 'Joshi not found$'
read_error:
        mov ah,9h
        lea dx,read_message
        int 21h
        int 20h
read_message:
        db 'Read Error$'
write_error:
        mov ah,9h
        lea dx,write_message
        int 21h
        int 20h
write_message:
        db 'Write Error$'

This program will remove the Joshi virus from the hard disk. McAfee's SCANV64 or above will detect it. The virus can also be detected by looking at the partition table with a HEX editor such as Norton Utilities. First, cold boot (turn the machine off) off a clean, write-protected diskette. Then look at the partition record (Track 0, Head 0, Sector 1). If the first two bytes are Hex EB 1F, the hard disk is infected.

The virus also does some other things to make itself detectable. When the date is set to 1-05-(any year), a green screen with the words "TYPE HAPPY BIRTHDAY JOSHI" appears on the screen. The machine will halt until the message is typed. Also, CHKDSK will show 6k less memory than is available on an uninfected system. Probably the most annoying bug in the virus is that it won't allow you to format a diskette while it is active in memory; the system will give a "bad track 0" error.

To use, first boot off an uninfected diskette (this is very important). Then type RMJOSHI. This will remove the virus from the hard disk.
It will leave traces of the virus in the partition table, but the virus will be disabled and the system will be returned to normal. On some systems, RMJOSHI may damage the partition table. The program RETURN.COM will restore the hard disk to its original state. Do not use RETURN unless you have used RMJOSHI on the hard disk at least one time.

RMJOSHI will give four messages:

    Joshi Removed   - The virus was found and removed from the partition table of the hard disk.
    Joshi not found - Either the virus is active in memory or the hard disk is not infected.
    Read Error      - The program aborted because there was an error reading the hard disk.
    Write Error     - The program aborted because there was an error writing to the hard disk.

When dealing with viruses, there is always a danger of losing programs or data. Thus, I offer no warranty on these programs. They may be freely distributed as long as they are not altered in any way.

I can be reached on the FIDONET virus echo, the INTERLINK virus echo and VIRUS-L digest. I can also be reached on BITNET as MMCCUNE@SCT.NVE.

Mike McCune.
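
The hex-editor check and the sector moves RMJOSHI makes, as an added Python example that works on a raw image of track 0 taken after a clean boot; it is not part of the original post or of Mike McCune's programs. The function names, image layout and sample sectors are constructed for illustration, and the 55 AA check on sector 9 is an added safeguard that RMJOSHI itself does not perform.

```python
SECTOR = 512
JOSHI_SIG = b"\xeb\x1f"   # first two bytes of an infected partition record (per the post)
BOOT_SIG = b"\x55\xaa"    # marker that ends every valid partition record

def read_sector(image, n):
    """Return sector n (1-based) of track 0, head 0 from a raw disk image."""
    data = bytes(image[(n - 1) * SECTOR:n * SECTOR])
    if len(data) != SECTOR:
        raise ValueError(f"image too short for sector {n}")
    return data

def triage(image):
    """Classify track 0 of an image taken after booting from a clean diskette."""
    if not read_sector(image, 1).startswith(JOSHI_SIG):
        return "not found"
    saved = read_sector(image, 9)
    # Added check (assumption, not in RMJOSHI): sector 9 must end in 55 AA
    # and must not itself start with the virus signature.
    if saved.endswith(BOOT_SIG) and not saved.startswith(JOSHI_SIG):
        return "infected, sector 9 restorable"
    return "infected, sector 9 not a valid partition record"

def repair(image):
    """Return a repaired copy: sector 1 -> sector 10, then sector 9 -> sector 1."""
    state = triage(image)
    if state != "infected, sector 9 restorable":
        raise ValueError(state)
    out = bytearray(image)
    out[9 * SECTOR:10 * SECTOR] = read_sector(image, 1)  # keep the infected record
    out[0:SECTOR] = read_sector(image, 9)                # put sector 9 back in place
    return bytes(out)

def make_image(sector1, sector9):
    """Build a constructed 17-sector track for the demo; no real disk data."""
    img = bytearray(17 * SECTOR)
    img[0:SECTOR] = sector1
    img[8 * SECTOR:9 * SECTOR] = sector9
    return bytes(img)

# Constructed sample sectors (placeholders, not real boot code or virus code)
ORIGINAL = b"\xfa\x33\xc0" + bytes(507) + BOOT_SIG
INFECTED = JOSHI_SIG + bytes(508) + BOOT_SIG
BLANK = bytes(SECTOR)

if __name__ == "__main__":
    for label, s1, s9 in [("clean", ORIGINAL, BLANK), ("infected", INFECTED, ORIGINAL),
                          ("infected, sector 9 blank", INFECTED, BLANK)]:
        print(f"{label}: {triage(make_image(s1, s9))}")
```

Refusing to copy a sector 9 that lacks the 55 AA marker covers the case the post warns about, where RMJOSHI may damage the partition table.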