CHESS@YKTVMV.BITNET (David.M.Chess) (08/10/90)
The Disk Killer virus has a bug (at least one) that causes it to sometimes/often/usually mark the wrong sectors as bad in the FAT when it infects a diskette. If the diskette is later written to, this often results in the virus's on-disk code being overlaid, rendering the diskette non-bootable and non-infectious (although the boot sector is still there, so scanners will still see it as infected).

Does anyone know in any detail under what circumstances the bug shows up? From some limited testing, it looks as though the wrong sectors are marked bad if a freshly-formatted diskette is used in a machine with the virus in memory, but the right sectors are marked bad if the diskette already has considerable stuff on it when it becomes infected. Does this sound right to others who have looked at it?

DC
RADAI@HUJIVMS.BITNET (Y. Radai) (08/21/90)
David Chess writes:

>The Disk Killer virus has a bug (at least one) that causes it to
>sometimes/often/usually mark the wrong sectors as bad in the FAT when
>it infects a diskette. .... Does
>anyone know in any detail under what circumstances the bug shows up?
>From some limited testing, it looks as though the wrong sectors are
>marked bad if a freshly-formatted diskette is used in a machine with
>the virus in memory, but the right sectors are marked bad if the
>diskette already has considerable stuff on it when it becomes
>infected. Does this sound right to others who have looked at it?

Yes, the August issue of the Virus Bulletin has an article which comes to the same conclusion: "If a completely blank floppy disk is infected with the virus, an uninitialised counter in the routine which searches through the FAT for free clusters will cause the wrong 3 clusters to be labelled as bad."

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
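For anyone examining a diskette image for the symptom discussed in this thread, the following is an added example (not part of either post, and not derived from the virus's code) that decodes a FAT12 table and lists the clusters marked bad together with the sectors they cover. It assumes an intact BIOS Parameter Block in sector 0 and a 360K geometry; the sample image and the three marked cluster numbers are constructed for the demonstration.

```python
import struct

BAD = 0xFF7  # FAT12 "bad cluster" mark

def parse_bpb(boot):
    """Read FAT geometry from the BIOS Parameter Block at offset 0x0B."""
    bps, spc, reserved, nfats, root_entries, total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", boot, 0x0B)
    data_start = reserved + nfats * spf + (root_entries * 32 + bps - 1) // bps
    return {"bps": bps, "spc": spc, "fat_start": reserved, "spf": spf,
            "data_start": data_start, "clusters": (total - data_start) // spc}

def fat12_entry(fat, n):
    """Decode 12-bit entry n; two entries are packed into three bytes."""
    pair = fat[n * 3 // 2] | (fat[n * 3 // 2 + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0xFFF

def bad_clusters(image):
    """Return ([(cluster, first_sector, last_sector)], allocated_count)."""
    g = parse_bpb(image[:512])
    off = g["fat_start"] * g["bps"]
    fat = image[off:off + g["spf"] * g["bps"]]   # first FAT copy only
    bad, used = [], 0
    for n in range(2, g["clusters"] + 2):        # data clusters start at 2
        value = fat12_entry(fat, n)
        if value == BAD:
            first = g["data_start"] + (n - 2) * g["spc"]
            bad.append((n, first, first + g["spc"] - 1))
        elif value != 0:
            used += 1
    return bad, used

def make_sample_image(marked=(100, 101, 102)):
    """Constructed 360K image: empty FAT with three clusters marked bad."""
    img = bytearray(720 * 512)
    struct.pack_into("<HBHBHHBH", img, 0x0B, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    img[512:515] = b"\xFD\xFF\xFF"               # media byte, reserved entries 0-1
    for n in marked:                             # arbitrary clusters for the demo
        off = 512 + n * 3 // 2
        pair = img[off] | (img[off + 1] << 8)
        pair = (pair & 0x000F) | (BAD << 4) if n & 1 else (pair & 0xF000) | BAD
        img[off], img[off + 1] = pair & 0xFF, pair >> 8
    return bytes(img)

if __name__ == "__main__":
    bad, used = bad_clusters(make_sample_image())
    print(f"{used} allocated clusters; bad-marked:", bad)
```

An allocated count of zero alongside bad-marked clusters corresponds to the blank-diskette case described above; the reported sector ranges can then be dumped and compared with what is actually stored there.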