From @Fidoii.CC.Lehigh.EDU:virus-l@lehigh.edu Mon Aug 16 08:19:22 1993
Return-Path: <@Fidoii.CC.Lehigh.EDU:virus-l@lehigh.edu>
Received: from Fidoii.CC.Lehigh.EDU ([128.180.2.4]) by dylan.af.mil (4.1/SMI-4.1)
	id AA23253; Mon, 16 Aug 93 08:18:36 CDT
Received: from Fidoii.CC.Lehigh.EDU ([127.0.0.1]) by Fidoii.CC.Lehigh.EDU with SMTP id <4153-8>; Mon, 16 Aug 1993 09:05:04 EDT
Message-Id: <9308161310.AA26945@agarne.ims.disa.mil>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@assist.ims.disa.mil>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #112
X-Listprocessor-Version: 6.0a -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: Mon, 16 Aug 1993 09:05:01 EDT
Status: RO

VIRUS-L Digest   Monday, 16 Aug 1993    Volume 6 : Issue 112

Today's Topics:

Re: Learning how to make virus programs: Info?
Problems with FPROT ?? (PC)
Re: Information on the 'Trident' Virus (PC)
Re: Virus protection Software recommendation (PC)
Re: Dudley [odud] virus ? (PC)
Mark II virus - HELP! (PC)
Trigger virus (PC)
possible virus? (PC)
Arj-virus? (PC)
Name this virus (PC) ?
HELP on DIR 2 Virus (PC)
HELP!! more informations to russian virus (PC)
Questions on McAfee Scan Verson 106 (PC)
Sharing .def files between scanners (Novell) (PC)
Perry and CPAV 2.0 (PC)
VIRSTOP & boot sectors?? (PC)
[mon] virus (PC) whats good? (PC)
Anti-virus software usable on LAN's (PC)
Can"t read 3,5" HD disk (still alive) (PC)
Thanks (was: Hokay, boot sector viruses) (PC)
Boot sector infectors (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Sun, 08 Aug 93 16:00:38 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Learning how to make virus programs: Info?

>So, any information or guidance would be appreciated on how to make
>this type of non-malicious virus.

What you want is not a virus - all you need is something that is run in
a login script, and checks the user's hard disk when he logs into the
network.

Sure, this *could* be done with a virus, but that would be an *EXTREMELY
STUPID* thing to do, and would probably cost you your job.

Problem #1:  Preventing the virus from "escaping" - you don't want the virus
             spreading over the whole country, do you ?

Problem #2:  Self-checking programs & Integrity checkers would notice the
             virus, and raise an alarm - have you considered the support
             that would require.

Problem #3:  Unknown side-effects - what if there is a bug in the virus, and
             it corrupts something when a certain combination of other
             programs is in use ?

Problem #4:  Do you seriously think I (and other anti-virus producers) would
             ignore your virus just because it was supposed to be
             "non-malicious" ? 

I could co on, but the conclusion is obvious...trying to solve the problem 
with a virus-type program is pretty idiotic.

- -frisk

------------------------------

Date:    Fri, 06 Aug 93 16:58:59 -0400
From:    "Andrew Brennan, LRC Manager" <brennan@hal.hahnemann.edu>
Subject: Problems with FPROT ?? (PC)

      Actually, VIRSTOP - not FPROT.  I had a run-in with Michelangelo
   recently that was appearing on machines that were set up to check for
   viruses on reboot (/DISK /FREEZE /WARM /BOOT /COPY) and we ran a few
   tests to see what we could do about it.  VIRSTOP does not (??) appear
   to do memory-testing for viruses already loaded?  We set up FPROT to
   load and scan the machine (using cmd line parms) and it can be set to
   scan memory -or- to auto-disinfect the disk.

      FPROT's auto-disinfect is nice, but that's only available if you 
   do *not* scan the memory and it leaves the active virus in memory. 
   The memory scan is nice, but it appears to detect a virus and continue
   through without locking the machine (if in cmd-line mode).

      Curiously enough, the configuration we toyed with that _did_ work
   as expected (locking on reboot if the diskette was infected) was a
   combination of VIRSTOP *and* VSHIELD.  It seems that VSHIELD's action
   to check the disk triggers VIRSTOP's /COPY (or one of the other parms)
   to detect a virus on the diskette - hanging the machine with a message
   to this effect.

      Anyone planning a package with the future detection abilities of the
   VIRSTOP /COPY and the bulldog attributes of VSHIELD's virus-in-memory
   detection?  I would definitely be interested.

      andrew.  (brennan@hal.hahnemann.edu)

------------------------------

Date:    Fri, 06 Aug 93 17:18:19 -0400
From:    neuro@santafe.edu (Terrance Johnson)
Subject: Re: Information on the 'Trident' Virus (PC)

Brenda Parsons (parson@coulomb.pcc.oz.au) wrote:
: We've recently had an attack of the 'Trident' virus, and seemed to
: have gotten rid of it, but no one was able to supply us with information
: as to what it would do when activated.

The Trident virus I believe is not actually a virus, it is the Trident
Polymorphic Engine, akin to the Mutation Engine, which encrypts a virus
differently every time a new file is infected. Since any number of virii
may use the Engine, it is impossible to say what the virus would have done
upon activation.
 
- ---
neuro@bbs.santafe.edu     --    You know me as Neurophire or Neurophyre...
I am the PHYRE that burns in your brain.

------------------------------

Date:    Fri, 06 Aug 93 23:05:52 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Virus protection Software recommendation (PC)

From:    bjgreenb@rs6000.cmp.ilstu.edu (Brian Greenberg)

>I am looking for the best Anti-Virus software for DOS or Windows
>(perferably Windows).  I used to use McAffee and Norton.  Are there
>any reccomendations of types and prices, also why might one out weigh
>another.

If you're going to rely on Scanners, I recommend the following.

F-Prot 
Integrity Master
Thunderbyte
Scan
VIRx

All five scanners are Share Ware or Free Ware.

If you want to go beyond scanning, look for Generic virus detection.

I have tested all of these on my test machine with live viruses in memory, 
and all of these work as advertized.

  F-Prot Professional
* Integrity Master
  PC-cillin
  PC-Rx
* Thunderbyte Anti-Virus
  Untouchable
* Victor Charlie

* denotes Share Ware product.

I test A-V software monthly, and will be releasing the LAT report in about 
a week.

Hope it is of use to you.

Bill

------------------------------

Date:    Sun, 08 Aug 93 16:00:46 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Dudley [odud] virus ? (PC)

oenglund@bilbo.abo.fi (Olof Englund) writes:

>Nope, i don't think there is. I looked the virus up in VSUM (Oi Dudley)
>aaand.....no detection method....YET!

You must be reading an old VSUM - the latest VSUM states that DSAVTK, F-PROT
Scan, Virus Buster and VirusNet can detect it - I guess VET and several other
products that VSUM does not cover can detect it too....

> Just delete infected files (however
>you'll find out wich are infected)

Never trust anything VSUM says about removal of viruses - that is usually the 
most incorrect part of the description.

- -frisk

------------------------------

Date:    08 Aug 93 17:45:24 -0400
From:    mrobbins@umiami.ir.miami.edu
Subject: Mark II virus - HELP! (PC)

My HD is infected with the Mark II virus.  I've tried CBAV and the latest
scan, and it can't even be located, not to mention destroyed.  If anyone
knows of a cure for this thing, PLEASE mail me the details.

Mark

------------------------------

Date:    Sun, 08 Aug 93 23:47:14 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Trigger virus (PC)

Trigger Virus 

Trigger infects .COM and .EXE files from 2 bytes - 29696 bytes. My largest 
bait file is 29K 29696 bytes.

Trigger has the following text in the first generation (Trigger by Dark 
Angel of Phalcon/Skism  Utilising Dark Angel's Multiple Encryptor (DAME)). 
No text is readable in the second generation and beyond.

Trigger is polymorphic, but not stealth. On my test machine, the files 
grew by 2493 bytes - 2653 bytes

Trigger appends the virus to the end of the host files.

Bill

------------------------------

Date:    Thu, 05 Aug 93 10:55:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: possible virus? (PC)

pdavies@alchemy.chem.utoronto.ca (Paul Davies) writes:

 > This is what I have experienced.  I have noticed that
 > there seems to be a bit too much disk activity, most notably when
 > Windows is loading. This might just be paranoia.

This is the way windows works, what you see is the swapping it does with the 
disk.
If you use SMARTDRV also you might even experiance writes and reads to the 
disk at IDLE time (when apperantly nothing is running on your system) these 
are the delyed disk access done by the CACHE.

 > my computer has crashed a few times when running Telix.
 > One time when running Telix my machine froze up and there where
 > (random?) flashing characters all over the screen. I thought that this
 > was the behaviour of a known virus.
No virus, but a well known problem with communication programs. (As well as 
others) ;-)

 > I used the latest version of McAFee Scan (106) on my
 > machine and it did not find anything.
I would be surprised if it warent so (judging from your description of the PC 
behaviour).

 > I am currently running DOS 5 and Windows 3.1.
Enjoy them...

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Mon, 02 Aug 93 15:03:00 +0200
From:    Arie_Zilberstein@f0.n462.z9.virnet.bad.se (Arie Zilberstein)
Subject: Arj-virus? (PC)

StarDate 07-18-93  10:53: A transmission from Amir Netiv to All was decoded: 

 >>Hi! I use Arj verision 2.41 (The best). Well, i have a memory-resident
 >>program, that says if files are being changed. Everytime i access .exe
 >>files that belong to arj the program warns me that the file has
 >>changed.  Has this happened to you? Will you test the problem?
 AN> If you are using a program that has the "Protect executable files"
 AN> option in  it, don't be surprised by these alarms, it usually simply a
 AN> false alarm made  by it, I'd reccomend using another TSR instead,

It's the new version of VWatch/VSafe V2.00 that creating all the mess.  It
gives me "File is infected" on ARJ.EXE, Q.EXE and lots of more programs.

Bye
AZ

.. The more people I meet, the more I love my computer
- --- FMail 0.95a4 beta+ 
 * Origin: Beyond Tomorrow * 972-3-544-4488/3746 * 24h * 14Kbps (9:9721/202.0)

------------------------------

Date:    Thu, 05 Aug 93 11:02:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Name this virus (PC) ?

JERRY@hnrc.tufts.edu (Jerry Dallal) asks:

 > Is this the behavior of an IBM-PC virus that anyone is familiar with?

 > Files are being created on floppy disks.  One invariably shows (DIR) a
 > size of over 21Mb (on a 1.4Mb disk) and has a name composed of
 > graphics characters.  Another file will be named 'read me.com' or 'DOS
 > 5.0xxx'.

Typical Root-Directory destruction. Cause: can be a virus (DIR-2 sometimes 
causes it, but then one should expect the have som indication on one's hard 
disk, run CHKDSK on your disk to see), another cause might be a fault in some 
program, or a hardware fault.

If you nkow what you are doing you might regain access to the floppy by using 
the combination of CHKDSK, NDD and DISKEDIT. If you are not familiar with the 
reconstructing methods, don't start, as it might turn out to be very 
frustrating!

 > UTScan   early '92
 > Norton Anti-Virus  fall '92
 > Microsoft Aint-Virus (DOS 6.0)
 >                                 show no infection.
 > UTScan can't scan the files with graphics characters
 > in the name (bad path).  Norton says somehting like access denied to
 > these files.
Sure.... 8-)

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Thu, 05 Aug 93 10:48:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: HELP on DIR 2 Virus (PC)

9239561@rkw-lan.cs.up.ac.za (KRUGER S) asks:

 > Can anybody help me with a DIR II virus.
How about me?

 > I would like to know if there is a cure for it, and if so,
Yes, most Anti Viruses of today...
however there is a way to clean it without one by:

0. Make sure you have a CLEAN DOS DISKETTE available !
1. Boot from the infected disk.
2. while the virus is running in memory do in EACH directory:
     REN *.COM *.CVC
     REN *.EXE *.EVC
3. Boot the PC from the floppy and do (again in EVERY directory):
     REN *.CVC *.COM
     REN *.EVC *.EXE
4. Boot again. The PC should be clean!
5. Run CHKDSK to verify: if you have a lot of
   "is crosslinked into cluter..." on your screen then the    process failed. 
if you have only few... erase these files or    let CHKDSK correct (actually 
destroy) the files and then    delete them!

Step 2 may be replaced with the commands
   ATTRIB +s *.COM
   ATTRIB +s *.EXE
In such case a clean DOS floppy is not necessary.

 > where I can obtain it.
Buy it... ;-)

 > I would appreciate any answer helping me with the virus.
Hope that helped.

 > Must the hard drive be formatted
NO NO NO NO NO NO NO....... almost never...

 > or is there a something else that I can do?
As explained above.

  > Thanks !!
Your welcome...

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Mon, 09 Aug 93 11:19:20 -0400
From:    Astrid Kuhr <ICH561@djukfa11.bitnet>
Subject: HELP!! more informations to russian virus (PC)

Hello!

There are some new infos I can give to our dubious russian virus:

We are using DOS 5.00. The COMMAND.COM on the infected PC is
50244 Bytes, original it's 50031 Byte. The date is a little bit
different to. (Sorry, I forgot to write it down, and now the PC
is already locked for today)

Scanning with F-PROT 209 gives following result:
    Scanning MBR of hard disk 1
    Master Boot Sector: Possibly a new version of Shifter

If possible, we want to avoid to formatt our harddisk. Because there are
very many things installed at.
If possible, we would like to find the virus, clear the .COM and .EXE
files, and the formatt the hard disk to get free of the virus at the
Boot Sector.
Or is their another possibility to get free of the virus in the boot
sector?

Perhaps somebody can make more conclusions from this than me??
Any help is welcome!!

Thanx and regards, Astrid Kuhr

- --
a.kuhr@kfa-juelich.de

------------------------------

Date:    Mon, 09 Aug 93 13:14:17 -0400
From:    kathy@oasys.dt.navy.mil (Kathy Smith)
Subject: Questions on McAfee Scan Verson 106 (PC)

We have found the Version 106 of McAffee Scan and Clean on one of the ftp
sites.  Was there a announcement posted in this newsgroup that I missed? 
Also, does anyone have their email address.

Kathy M. Smith              Carderock Division, Naval Surface Warfare Center
Customer Support            Bethesda, Maryland, U.S.A.
Code 3581                   Bldg 17W, Room 219
kathy@oasys.dt.navy.mil     301-227-3000, AV/DSN 287-3000   

------------------------------

Date:    Mon, 09 Aug 93 13:37:29 -0400
From:    "The Radio Gnome" <V2002A@VM.TEMPLE.EDU>
Subject: Sharing .def files between scanners (Novell) (PC)

Hi,

     Is it possible for any of the popular PC scanners to use a MAC .def
file to scan a Netware Volume with MAC namespace loaded?  ...Also vice-versa.
e.g., have F-Prot load additional definitions from SAM or Disinfectant and
scan the MAC volumes... have SAM load an F-Prot .def file and scan PC files
on the server.

     Is there or should there be a standard for virus definition files?
Thoughts?

               Andy Wing
"On the internet, nobody knows that you're a dog"

------------------------------

Date:    Tue, 10 Aug 93 10:49:37 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Perry and CPAV 2.0 (PC)

I have been receiving reports from concerned users, that the
VALIDATE.COM program that is distributed by Patricia Hoffman as a part
of the VSUM package might be infected with the Perry virus.
 
It seems that version 2.0 of the Central Point Anti-Virus claims this is
the case.
 
This is not a typical false alarm, however - the VALIDATE.COM program *does*
indeed contain the Perry code, but it is not infected at all, as Perry is 
NOT A VIRUS.
 
Perry is (or rather was) a somewhat useless program, distributed by InterPath.
It was used to "protect" programs, so that they would either ask for a password
when run, or self-destruct on a specific date.

In this particular case, the VALIDATE.COM program is set to self-destruct
on June 6th, 2000.  (Note that this is a different version of VALIDATE than
the one currently distributed with McAfee's SCAN).
 
Apart from this, the Perry code is quite harmless, and the general consensus
among anti-virus manufacturers has been that there is no real need to detect
Perry-ized files as such.
 
Central Point, however calls Perry-ized files "infected with the Perry virus"
(which is nonsense, as the code does not replicate, and therefore is not a
virus, and even confirms this on the phone when called "Yes, Perry is a virus,
but it does not spread very much - you should just delete the file" was the
reply they gave, even though CPAV has been made aware of the problem some
time ago.

This posting is intended to set the matter straight - CPAV is calling a
clean program virus-infected.

- -frisk

------------------------------

Date:    Tue, 10 Aug 93 11:11:55 -0400
From:    BRENNAN@hal.hahnemann.edu (A. Andrew Brennan)
Subject: VIRSTOP & boot sectors?? (PC)

      It's not entirely impossible that I'm messing up the configs 
   somewhere ... this is related to machine(s) in an open environment
   where you can't expect users to respond appropriately ...

      VIRSTOP *shouldn't* peacefully co-exist with Michelangelo, should
   it?  I get Stoned and/or Michelangelo-A loaded before VIRSTOP (that's
   the nature of those beasts, no?) and at best VIRSTOP whispers the 
   data equivalent of "I'll get you next time, Red Baron!!" as it does
   not hang/freeze/crash the machine until the virus actually infects a
   diskette (oh - using the /FREEZE /COPY params with VIRSTOP).

      We've had pleasant results with VSHIELD _and_ VIRSTOP on the same
   machine - Vstop to nail future problems with /COPY and Vshield to 
   halt the machine if anything is already present.  I dunno how long I
   want to use that configuration - we're in the process of waiting for
   purchasing (the corporate equivalent of "the check is in the mail")
   to get our license for F-PROT.  We recently dropped McAfee, so the
   "use both" approach can't be used too long.

      andrew.  (brennan@hal.hahnemann.edu)

------------------------------

Date:    Tue, 10 Aug 93 12:25:01 -0400
From:    mingione@acf2.NYU.EDU (mingione)
Subject: [mon] virus (PC) whats good? (PC)

We have had a lot of trouble here at Academic Computing with the [MON] 
virus infecting the boot sectors o our PCs. Has anyone had problems with this
particular virus?  

I know Clean106 and Scan106 work fairly wellto detect and erase it. What I 
don't understand is why other programs are not doing as well.  We have 
purchased a license from frisk@complex.is for the f-prot program but as far
as I can tell version 2.0.9 still does not have the capability to erase the
virus from the partition table.  

Does anyone know of other good effective ways of ersing this virus.  Repeated 
e-mailings to the author of f-prot (even sent him a disk with the [mon] virus
on it )  have produced no feedback.  So we may have to switch to something 
else after we evaluate several products.

Thanx in advance.

------------------------------

Date:    Tue, 10 Aug 93 20:06:21 -0400
From:    marc_b@ingres.com (Marc Burckin)
Subject: Anti-virus software usable on LAN's (PC)

Hi,

A friend who is w/o net access has asked me to pose this question.

	"What types of software and/or methods to people use to keep 
	 their LAN's free of viruses? Is there a way to run the virus 
	 software from the server and thereby check all of the connected
	 PC's?"
Thanks,

Marc
- ----

Marc Burckin				| I wish I was on that N17     __o 
The ASK Group				| traveling with just my     -\<, 
(510) 748 3488				| thoughts and dreams.      (_)/(_)
marc_b@ingres.com			|
- -------------------------------------------------------------------------------
- -
- --
marc_b@ingres.com
Ingres International
London, UK

------------------------------

Date:    Wed, 11 Aug 93 04:08:46 -0400
From:    Ralph Rinschen <rinschen.pad@sni-usa.com>
Subject: Can"t read 3,5" HD disk (still alive) (PC)

Hello,

my problem to read 3,5" HD disks is still alive.

I changed following components :

AT Controller
The 3,5" drive 
All cables 

McAffee 106 can not find any viruses.

So, why can i read sometimes the HD and sometimes not ??

IS this a virus or just a unknown hardware problem ??

Any hints ??

Thanks
Ralph

- -- 
==============================================================
Sender4s Name and Adress  |
- ------------------------- | There is no grazy lazy boring text
Name : Rinschen, Ralph    | in here ..
Street : Cromptonstr. 10e | ----------------------------------
Location : 4790 Pb-Elsen  |
Telephon : not visible    | email : rinschen.pad@sni.de
==============================================================
- --
==============================================================
Sender4s Name and Adress  |
- ------------------------- | There is no grazy lazy boring text
Name : Rinschen, Ralph    | in here ..

------------------------------

Date:    Mon, 09 Aug 93 03:59:25 -0400
From:    corneliu@cs.curtin.edu.au (Nigel Cornelius)
Subject: Thanks (was: Hokay, boot sector viruses) (PC)

To all those who responded, (you know who you are), THANKS!!

regards,

Nigel
- --
...................................................................
........ . . ......... __ Nigel Cornelius                         .
....... _--_|\ ...... | . corneliu@marsh.cs.curtin.edu.au         .
...... /  OZ  \ ..... | .                                         .
...... x_.--._/ ..... | . "Home is where the heart is"            .
..... /^\ . .v ...... | . "and the fridge, the beer, the tv, ..." .
...... |______________|............................................

------------------------------

Date:    Fri, 06 Aug 93 16:20:38 -0400
From:    ROBERTS@decus.ca
Subject: Boot sector infectors (CVP)

DEFGEN5.CVP   930728
 
                     Boot sector infectors
 
Having dealt with some non-viral terminology, let us cover some
viral related terms that may be unfamiliar.
 
Most people think of viral programs in terms of Fred Cohen's
definition.  That is, a virus is a program which always
"attaches" to another program.  This has given rise to a great
many misconceptions about some of the most common viral
programs, boot sector infectors.
 
Boot sector infecting viral programs, often referred to as
"BSI"s, *do*, in a sense, attach to another program.  Most
people are unaware of the fact that there is a "program" on
every disk, even those which are "blank".  Every formatted disk
has a "boot sector", specified, not by a filename, but simply by
its location as the first physical (or logical, in the case of
hard drives) sector.  When the computer is "booted", the ROM
programming looks for a disk, then "runs" whatever happens to be
in that sector as a program.
 
In most cases, with non-bootable disks, the "program" that is
there simply prints a message reminding the user that the disk
is non-bootable.  The important thing, however, is that
regardless of how small the actual program may be, the computer
"expects" there to be a program in the boot sector, and will run
anything that happens to be there.  Therefore, any viral program
that places itself in that "boot sector" position on the disk
will be the first thing to run, other than ROM programming, when
the computer starts up.  BSIs will copy themselves onto floppy
disks, and transfer to a new computer when the "target" machine
is (usually inadvertantly) booted with an infected floppy in the
A: drive.
 
The physical "first sector" on a hard drive is not the boot
sector.  On a hard drive the boot sector is the first "logical"
sector.  The number one position on a hard drive is the master
boot record or MBR.  (This name gets slightly confused by the
fact that the MBR contains the partition table; the data
specifying the type of hard disk and the partitioning
information.  "Master boot record", "partition table" and
"partition boot record" are often used interchangeably, although
they are not identical entities.)  Some viral programs, such as
the Stoned virus, always attack the physical first sector: the
boot sector on floppy disks and the master boot record on hard
disks.  Thus viri that always attack the boot sector might be
termed "pure" BSIs, whereas programs like stoned might be
referred to as an "MBR type" of BSI.
 
copyright Robert M. Slade, 1993   DEFGEN5.CVP   930728
 
============= 
Vancouver      ROBERTS@decus.ca         | "Remember, by the
Institute for  Robert_Slade@sfu.ca      |  rules of the game, I
Research into  rslade@cue.bc.ca         |  *must* lie.  *Now* do
User           p1@CyberStore.ca         |  you believe me?"
Security       Canada V7K 2G6           |    Margaret Atwood

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 112]
******************************************


