Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!bionet!ames!apple!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Request for boot sector information
Message-ID: <0009.y8907171856.AA19378@ge.sei.cmu.edu>
Date: 13 Jul 89 19:18:08 GMT
Sender: Virus Discussion List
Lines: 42
Approved: krvw@sei.cmu.edu

I need an answer to the following question:

In the boot sector of every diskette and hard disk there is a short string starting at the fourth byte. This string contains information about the version of DOS used to format the disk/diskette. Typically it is something like "IBM 3.0" or "MSDOS2.0".

What I need to know is: What other possibilities are there?

The reason I'm asking this question is as follows:

I'm working on a package of programs for fighting computer viruses on the PC. One program in this package tries to determine if the boot sector has been infected by some virus. Since some viruses modify the label described above, it is one of the things I check on each diskette. For example, one well-known virus will write 1234 in this place, and another (the Pentagon virus) will write "HAL" there.

Now - my problem is that one person who was using a beta-test version of the program told me that the program would flag diskettes formatted on a Cordata machine as "Possibly infected by an unknown virus". Examination revealed that the reason was the string "CDS" instead of "IBM" or "MSDOS".

Therefore I am asking for a bit of assistance. If you have a machine from somebody other than IBM, please take a look at this portion of the boot sector, using NORTON or some similar program. If it contains a string different from "IBM", "MSDOS" or "CDS", please send me information on the string and the machine type.

Of course - the package will be distributed freely when finished - Expect it to appear on comp.binaries.ibm.pc or in some accessible place. I just need to obtain a few more viruses to test it against first. Currently I have only tested it (and found it 100% effective) against Brain, Ping-Pong, 1704 and a new Icelandic (I think) virus.

This message would have been posted to comp.virus, but since it is not operating right now, I am posting it here.

Fridrik Skulason
University of Iceland
frisk@rhi.hi.is

Guvf yvar vagragvbanyyl yrsg oynax .................
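
The label check described in the message above, as an added example that is not part of the original post and is not the author's program: it reads the label at the fourth byte of a boot sector and separates the vendor strings and virus marks the post names from labels it does not list. The function names, the assumption that "1234" is stored as ASCII text, and the constructed sample label "ACME 1.0" are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define OEM_OFFSET 3   /* the label starts at the fourth byte of the boot sector */
#define OEM_LENGTH 8   /* the field is 8 bytes wide, e.g. "MSDOS2.0" */
enum oem_verdict { OEM_VENDOR, OEM_VIRUS_MARK, OEM_UNKNOWN, OEM_TOO_SHORT };

/* Both lists come from the post; the vendor list is the one it asks readers to extend. */
static const char *const vendors[] = { "IBM", "MSDOS", "CDS" };
static const char *const marks[]   = { "1234", "HAL" };   /* assumed stored as ASCII */

/* Classify the label and copy a printable version into label[] for reporting. */
enum oem_verdict classify_label(const unsigned char *sector, size_t len,
                                char label[OEM_LENGTH + 1])
{
    size_t i;
    label[0] = '\0';
    if (sector == NULL || len < OEM_OFFSET + OEM_LENGTH) return OEM_TOO_SHORT;
    const unsigned char *field = sector + OEM_OFFSET;
    for (i = 0; i < OEM_LENGTH; i++)          /* mask non-printable bytes */
        label[i] = (field[i] >= 0x20 && field[i] < 0x7f) ? (char)field[i] : '.';
    label[OEM_LENGTH] = '\0';
    for (i = 0; i < sizeof marks / sizeof marks[0]; i++)
        if (memcmp(field, marks[i], strlen(marks[i])) == 0) return OEM_VIRUS_MARK;
    for (i = 0; i < sizeof vendors / sizeof vendors[0]; i++)
        if (memcmp(field, vendors[i], strlen(vendors[i])) == 0) return OEM_VENDOR;
    return OEM_UNKNOWN;                       /* unlisted label: show it for review */
}

/* Build a constructed 512-byte sector carrying the given label (sample data only). */
void make_sector(unsigned char sector[512], const char *text)
{
    size_t n = strlen(text) < OEM_LENGTH ? strlen(text) : OEM_LENGTH;
    memset(sector, 0, 512);
    memset(sector + OEM_OFFSET, ' ', OEM_LENGTH);   /* pad the field with spaces */
    memcpy(sector + OEM_OFFSET, text, n);
}

int main(void)
{
    const char *samples[] = { "IBM  3.0", "MSDOS2.0", "CDS", "HAL", "1234", "ACME 1.0" };
    unsigned char sector[512];
    char label[OEM_LENGTH + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        make_sector(sector, samples[i]);
        int verdict = classify_label(sector, sizeof sector, label);
        printf("\"%s\" -> %d\n", label, verdict);
    }
    return 0;
}
```

Returning the label text alongside an "unknown" verdict lets the user report a new vendor string, such as the Cordata "CDS" case in the post, so it can be added to the list.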