Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!samsung!sdd.hp.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw From: C09615SJ@WUVMD.BITNET Newsgroups: comp.virus Subject: Re: Stonned reoccurence of reformatted hard drive (PC) Message-ID: <0012.9101181512.AA09075@ubu.cert.sei.cmu.edu> Date: 17 Jan 91 23:55:42 GMT Sender: Virus Discussion List Lines: 37 Approved: krvw@sei.cmu.edu >From: "David.M.Chess" >Hm, interesting. The Stoned infects the master boot record >(synonymous with "partition table") on the first physical hard drive >(BIOS drive id "80" hex). In your case, that's the master boot record >on the 80Mb hard disk. The master boot record (and therefore the >partition table) are stored at the very bottom of the disk, lower than >any of the partitions (E F G and H). Ooops. Yes I found all this out after I sent the message. I am, unfortunately, BIOS illiterate. But the poliferation of viruses here at Washington University in St. Louis is forcing me to learn more every day. It was a "shoot from the hip" answer to very real effect which I outlined. >Did you test whether or not, after booting from a clean floppy and >then switching to E: and back to A:, the virus was actually *active* >(infecting new diskettes), as well as being in memory? My guess would No we did not. Oops again. [stuff deleted] >active virus from a "ghost" of the virus that just happens to be >sitting in a buffer somewhere, never running). The only way the usual >Stoned virus can get control is if it's present on the boot record or >the disk or diskette that the system is booted from. Ummmm... I'm not sure I understand what a "ghost" virus implies, we were never able to actually clean it off so I don't know how it could have become a "ghost". Also there was at least enough of it to set of McAfee's SCAN program. Jon Jon Spinner Washington University C09615SJ@WUVMD