Path: utzoo!attcan!uunet!cs.utexas.edu!sun-barr!olivea!samsung!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: Re: Possible Boot-Sector Virus in Shrink-Wrapped Software (PC)
Message-ID: <0009.9010111649.AA06500@ubu.cert.sei.cmu.edu>
Date: 10 Oct 90 20:35:57 GMT
Sender: Virus Discussion List
Lines: 35
Approved: krvw@sei.cmu.edu

The first boot sector in your posting is actually quite innocent; it just prints the messages

    This disk is not bootable
    If you wish to make it bootable, run the DOS program SYS after the system has been loaded
    Please insert a DOS diskette into the drive and strike any key...

waits for a keystroke, and then reboots via INT 19. Is that in fact what happened when you booted from it? If not, perhaps there's a confusion of diskettes, and some other diskette may be infected with something? Of course, there's always the possibility that some executable file on the diskette (or some other diskette) is infected with something, or is otherwise nefariously altering boot sectors.

The other two boot sectors also look mostly innocent. Except for the BPB area (describing the disk capacity etc), and an "80" just before the '55AA' at the end, the second one is identical to my own DOS 3.3 boot record on my C:. The last looks like a legitimate master boot record to casual inspection, although it's a bit different from mine.

Possibly F-OSCHK was somehow fooled by something (a new device driver?) in the system? Or perhaps some program made some non-viral changes to the boot sector(s), as part of a copy-prot scheme or something like that? (That might explain that "80", although there's also likely some other explanation that I'm just overlooking.)

DC
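
The comparison described in the post (a boot record matching a known-good one except for the BPB area and one byte just before 55AA), as an added example that is not part of the original posting. It assumes the DOS 3.x BPB occupies offsets 0x0B-0x1D; the helper names and both sample sectors are constructed for illustration and contain no real boot code.

```python
import struct

SECTOR_SIZE = 512
# Assumption: DOS 3.x BPB at offsets 0x0B-0x1D (BPB_END is exclusive).
BPB_START, BPB_END = 0x0B, 0x1E
BPB_FORMAT = "<HBHBHHBHHHH"
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads", "hidden_sectors")

def _check(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")

def has_boot_signature(sector):
    """True if the sector ends with the 55 AA marker."""
    _check(sector)
    return sector[510:512] == b"\x55\xaa"

def parse_bpb(sector):
    """Decode the BPB so its (expected) differences can be read as fields."""
    _check(sector)
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, BPB_START)))

def diff_outside_bpb(reference, suspect):
    """List (offset, reference_byte, suspect_byte) for every mismatch
    outside the BPB, which legitimately varies with disk geometry."""
    _check(reference)
    _check(suspect)
    return [(off, reference[off], suspect[off]) for off in range(SECTOR_SIZE)
            if not BPB_START <= off < BPB_END and reference[off] != suspect[off]]

def build_sample(bpb_values, byte_509=0x00):
    """Constructed sector: jump, OEM name, BPB, zero filler, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x34\x90"
    sector[3:11] = b"IBM  3.3"
    struct.pack_into(BPB_FORMAT, sector, BPB_START, *bpb_values)
    sector[509] = byte_509
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

HARD_DISK_BPB = (512, 4, 1, 2, 512, 41735, 0xF8, 41, 17, 4, 17)  # constructed
FLOPPY_BPB = (512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0)          # constructed

if __name__ == "__main__":
    ref = build_sample(HARD_DISK_BPB)
    sus = build_sample(FLOPPY_BPB, byte_509=0x80)
    print("signature ok:", has_boot_signature(sus))
    for off, a, b in diff_outside_bpb(ref, sus):
        print(f"offset 0x{off:03X}: reference {a:02X}, suspect {b:02X}")
```

Any offset this reports is a byte that differs from the known-good record for a reason other than disk geometry, which is the short list worth inspecting by hand.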