[comp.virus] Manual Stone Killer

ASLPTAY@NTIVAX.BITNET.BITNET (05/30/90)

This is the documentation for using the DOS DEBUG utility to destroy the
stone virus (for people like me who can't get hold of any software, whether
it is free or not).

The stone virus moves the original boot sector to either sector 7 or sector 2,
then overwrites sector 1 with its own code. Before the virus is destroyed on
disk, its memory-resident copy must *first* be stopped, so that it cannot
reinfect the disk while you work.

"Vstop" does this well (I believe it is from PCTOOLS), as does booting from a
clean floppy.

****************************************************************************

To manually destroy the virus, use DEBUG, provided by DOS.

command summary:

- -a XXXX assembles the instructions you type, starting at address XXXXh.
- -d XXXX displays memory (the buffer) starting at XXXXh.
- -t traces one instruction at a time, showing all registers and status flags.
- -p proceeds over a call, loop or interrupt (such as the int 13) as a single step.
- -u XXXX unassembles the code starting at XXXXh.
- -r IP displays the instruction pointer and lets you set it (e.g. back to 100 to re-run).

The following program reads or writes one sector on a hard disk or floppy.
Only the instructions are typed at the -a prompt; the /* */ comments are
explanation and are not accepted by DEBUG.

100     mov BX,0200 /* ES:BX = buffer; the sector lands at offset 200h onwards */
        mov AH,2    /* 2 = read sector, 3 = write sector */
        mov AL,1    /* number of sectors = 1 */
        mov CL,1    /* sector number: 1 = boot sector, 7 = where the moved original sits */
        mov CH,0    /* cylinder (track) number = 0 */
        mov DL,80   /* drive: 80 = first hard disk, 0 = floppy A (DEBUG numbers are hex) */
        mov DH,0    /* head number = 0 */
        int 13      /* BIOS disk service */
        NOP         /* no operation (filler; a safe place to stop after the int 13) */
        int 20      /* terminate the program and return to DOS */

Caution must be used when copying sectors to and from the buffer. It would be
advisable to copy the infected sector to a floppy before anything else is
done, so that the system can be restored to its infected but OPERATIONAL
state *in case* restoration goes wrong. Otherwise your data will have a
"DMA channel to heaven".

All that is required to destroy the stone virus is to retrieve the original
boot sector from sector 7 (most likely) and write it into sector 1, over the
stone program. My advice is to constantly check what is in your defined
buffer (-d 200).
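The same read-sector-7 / write-sector-1 recovery, as an added example that is not part of the original post: it works on a raw disk image (a forensic copy) rather than on the live disk through INT 13h, keeps a backup of the infected sector first, and refuses to write unless the candidate sector carries a boot-sector signature. It assumes 512-byte sectors and that cylinder 0, head 0, sector N sits at byte offset (N-1)*512; the sample image and its contents are constructed.

```python
# Assumptions: 512-byte sectors; cylinder 0 / head 0 / sector N lives at
# byte offset (N - 1) * 512, so sector 1 is offset 0 and sector 7 is 3072.
SECTOR_SIZE = 512             # assumed, standard for PC disks
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid boot sector


def chs0_offset(sector: int) -> int:
    """Byte offset of a sector on cylinder 0, head 0 (1-based, like CL in INT 13h)."""
    if sector < 1:
        raise ValueError("INT 13h sectors are numbered from 1")
    return (sector - 1) * SECTOR_SIZE


def read_sector(image: bytes, sector: int) -> bytes:
    """Image-file equivalent of the post's AH=2 read into the buffer."""
    off = chs0_offset(sector)
    if off + SECTOR_SIZE > len(image):
        raise ValueError(f"sector {sector} lies past the end of the image")
    return image[off:off + SECTOR_SIZE]


def looks_like_boot_sector(data: bytes) -> bool:
    """Sanity check before writing: right length, 55 AA signature, not blank."""
    return (len(data) == SECTOR_SIZE
            and data[-2:] == BOOT_SIGNATURE
            and any(data[:-2]))


def restore_boot_sector(image: bytes, moved_sector: int = 7):
    """Copy the parked original boot sector (sector 7 on a hard disk, per the
    post) back over sector 1.  Returns (new_image, infected_sector) so the
    infected sector can be kept aside first, as the post advises."""
    infected = read_sector(image, 1)
    original = read_sector(image, moved_sector)
    if not looks_like_boot_sector(original):
        raise ValueError(f"sector {moved_sector} does not hold a boot sector; "
                         "inspect the buffer before writing anything")
    new_image = bytearray(image)
    new_image[0:SECTOR_SIZE] = original      # the AH=3 write to sector 1
    return bytes(new_image), infected


# Constructed 8-sector image: dummy virus bytes in sector 1, a dummy original
# boot sector parked in sector 7, everything else blank.
FAKE_VIRUS = b"VIRUS-STUB" + b"\x90" * (SECTOR_SIZE - 12) + BOOT_SIGNATURE
FAKE_ORIGINAL = b"\xeb\x3c\x90OEMNAME0" + b"\x00" * (SECTOR_SIZE - 13) + BOOT_SIGNATURE
SAMPLE_IMAGE = FAKE_VIRUS + b"\x00" * (5 * SECTOR_SIZE) + FAKE_ORIGINAL + b"\x00" * SECTOR_SIZE

if __name__ == "__main__":
    fixed, backup = restore_boot_sector(SAMPLE_IMAGE)
    print("sector 1 restored:", read_sector(fixed, 1) == FAKE_ORIGINAL)
```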

************** Better safe than sorry ****************************************

*******************************************************************************
This documentation is dated 30 May 1990 - Project Virus/ stone killer. If
anyone finds gross errors in the code, please alert the distribution list.
All attempts to kill the virus with this method are done at the owner's risk.

By the way, I don't think 1.2 Meg floppies can be saved.
*******************************************************************************

ALEX TAY
Singapore