Path: utzoo!attcan!uunet!aplcen!samsung!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: re: Stoned (PC)
Message-ID: <0002.9006071302.AA20751@ubu.cert.sei.cmu.edu>
Date: 6 Jun 90 13:41:01 GMT
Sender: Virus Discussion List
Lines: 36
Approved: krvw@sei.cmu.edu

Yep, the Stoned installs itself on the bottommost sector of the
physical disk, which is the place where the partition table lives
on a partitioned hard disk.

> DEBUG cannot read/modify the partition table so
> some of the methods presented thus far will not necessarily work on
> such a disk.

That's only sort of true; the DEBUG "load" command can only see within
the DOS partition, and therefore it can't see the bottommost sector;
but I think people were suggesting using DEBUG to type in the tiny
program needed to do the work. For instance, if you go into debug
and type

   a 100
   xor ax,ax
   int 13
   mov ax,0201
   mov bx,0200
   mov cx,0001
   mov dx,0080
   int 13

   g 112
   d 200 3ff

you'll be able to see the bottommost sector of the first hard disk,
including the partition table and the master boot code, sitting there
at address 200. (Only do this if you have some idea of what you're
doing, of course! The wrong typo in the above could easily make your
hard disk inaccessible.)

Similar tiny programs can read the original stashed bottommost
sector on a Stoned-infected hard disk, and write it back to where
it belongs. I think that's what some folks were suggesting...

DC
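
Added illustration, not part of the original post: a Python sketch that decodes the 512 bytes shown by the `d 200 3ff` dump above, assuming they have been saved as raw bytes. The function names and the sample sector are this example's own constructions; with the sector loaded at 0200, the partition table appears at 03BE and the 55 AA signature at 03FE.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE      # four 16-byte partition entries (03BE in the dump)
SIGNATURE_OFFSET = 0x1FE  # 55 AA boot signature (03FE in the dump)
ENTRY_FORMAT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA, count


def decode_chs(field):
    """Unpack a 3-byte packed CHS field into (cylinder, head, sector)."""
    head, sec_cyl, cyl_low = field
    return ((sec_cyl & 0xC0) << 2) | cyl_low, head, sec_cyl & 0x3F


def parse_mbr(sector):
    """Return (signature_ok, entries) for a 512-byte image of sector 0."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    signature_ok = sector[SIGNATURE_OFFSET:] == b"\x55\xaa"
    entries = []
    for slot in range(4):
        start = TABLE_OFFSET + 16 * slot
        boot, chs_start, ptype, chs_end, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[start:start + 16])
        if ptype == 0:  # partition type 0 marks an unused slot
            continue
        entries.append({"slot": slot, "active": boot == 0x80, "type": ptype,
                        "start_chs": decode_chs(chs_start),
                        "end_chs": decode_chs(chs_end),
                        "start_lba": lba, "sectors": count})
    return signature_ok, entries


def build_sample_sector():
    """Constructed sample: zeroed boot code and one active FAT16 partition
    on an assumed 615-cylinder, 4-head, 17-sector disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        ENTRY_FORMAT, 0x80, bytes([1, 0x01, 0x00]), 0x04,
        bytes([3, 0x91, 0x66]), 17, 41803)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    ok, parts = parse_mbr(build_sample_sector())
    print("boot signature ok:", ok)
    for part in parts:
        print(part)
```

A sector whose signature check fails or whose table decodes to implausible geometry is a cue to compare against a known-good backup copy before writing anything back.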