Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!apple!julius.cs.uiuc.edu!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: Re: Boot sector self-check (PC)
Message-ID: <0011.9102081853.AA00397@ubu.cert.sei.cmu.edu>
Date: 6 Feb 91 12:35:57 GMT
Sender: Virus Discussion List
Lines: 18
Approved: krvw@sei.cmu.edu

>From: Steve Albrecht <70033.1271@CompuServe.COM>
>
>While waiting for the same type of self-check in the boot sector, we
>have developed a small program (so far only intended to protect
>ourselves against reinfection by the Stoned virus) which does the
>following: (lengthy description follows)

This method will detect the Stoned; however, "stealth" type viruses
(Brain, Joshi) will return the original boot sector (floppy-Brain) or
partition table (hard disk-Joshi) when an Int 13 request is processed,
since these viruses (as well as others) trap the Int 13 call.

A proven technique is to first perform an Int 12 call (returns # of k
in hex to AX) and check for either 280h (640k) or 200h (512k).
Successful BSI/PTI viruses (Brain, Stoned, Joshi) go resident at the
TOM and change this value to some lower number.

                                        Padgett
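
An added example, not part of the original post: the Int 12 comparison described above, applied to a saved copy of the BIOS Data Area, whose word at 0040:0013 is the value Int 12 returns in AX. The helper name check_tom, the buffer layout and the sample bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Int 12h returns in AX the base-memory word (in KB) that the BIOS keeps
   at 0040:0013, i.e. offset 13h of the BIOS Data Area. */
#define BDA_BASE_MEM_KB 0x13u

enum tom_status { TOM_BAD_INPUT = -1, TOM_OK = 0, TOM_LOWERED = 1 };

/* check_tom is a hypothetical helper. bda is a saved copy of the BIOS Data
   Area; expected_kb is the installed base memory the machine should report
   (280h for 640K, 200h for 512K). A shortfall is a reason to inspect the
   top of memory, not proof: some BIOSes reserve 1K there for an Extended
   BIOS Data Area. */
int check_tom(const uint8_t *bda, size_t len, uint16_t expected_kb,
              uint16_t *reported_kb, uint16_t *missing_kb)
{
    uint16_t kb;

    if (bda == NULL || reported_kb == NULL || missing_kb == NULL)
        return TOM_BAD_INPUT;
    if (len < BDA_BASE_MEM_KB + 2u)
        return TOM_BAD_INPUT;               /* dump too short */
    if (expected_kb != 0x280 && expected_kb != 0x200)
        return TOM_BAD_INPUT;               /* only the two sizes in the post */

    /* The word is stored little-endian. */
    kb = (uint16_t)(bda[BDA_BASE_MEM_KB] | (bda[BDA_BASE_MEM_KB + 1u] << 8));
    *reported_kb = kb;
    if (kb > expected_kb)
        return TOM_BAD_INPUT;               /* wrong expectation for this box */
    *missing_kb = (uint16_t)(expected_kb - kb);
    return kb == expected_kb ? TOM_OK : TOM_LOWERED;
}

int main(void)
{
    /* Constructed sample: a 640K machine whose BIOS word reads 27Eh (638K). */
    uint8_t bda[256] = {0};
    uint16_t kb = 0, missing = 0;
    int st;

    bda[0x13] = 0x7E;
    bda[0x14] = 0x02;
    st = check_tom(bda, sizeof bda, 0x280, &kb, &missing);
    printf("status=%d reported=%uK missing=%uK\n", st, (unsigned)kb, (unsigned)missing);
    return 0;
}
```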