Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: re: MusicBug (PC)
Message-ID: <0010.9012061357.AA16381@ubu.cert.sei.cmu.edu>
Date: 5 Dec 90 15:12:51 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 7
Approved: krvw@sei.cmu.edu

Looks to me like the MusicBug is finding sufficient unused clusters in
the FAT to hold its non-boot-sector code, marking them as used (with
FF's, rather than as "bad" with F7's), and writing itself there.
Depending on what the FAT looks like at the time of the infection, the
position of the clusters used will differ.  This also means that
CHKDSK will show lost clusters on an infected disk.  (I haven't tested
this on hard disks yet, only diskettes.)  DC