Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!cs.utexas.edu!asuvax!ukma!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: con_jdc@selway.umt.edu (John-David Childs)
Newsgroups: comp.virus
Subject: FDISK; partitions starting at 0,0,2; Stoned virus; (PC)
Message-ID: <0006.9104031509.AA05149@ubu.cert.sei.cmu.edu>
Date: 2 Apr 91 15:39:12 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 29
Approved: krvw@sei.cmu.edu

>> Nick Fitzgerald <CCTR132@canterbury.ac.nz> wrote
>> Some OEM versions of DOS (some of them still
>> labelled MS DOS) with version numbers 3.0 and above have versions of
>> FDISK that still begin the first partition at 0,0,2 - from memory, I
>> think Falcon DOS 3.1 is one such.  This may give a tiny bit more
>> usable disk space, but causes grief after a Stoned strike.

>Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com> replied:
>[stuff deleted] One point though: A disk could be partitioned with FDISK 1.00
>even though a later version of DOS is loaded. I would like to hear from the
>readers if they have come across any later partitioning software that does
>not use "hidden sectors" as described.

	One of our computer labs on campus uses Computerland DOS 3.1
(the FDISK version number is listed as "BC88/BC286 FDISK ver 3.0")
which begins the first partition at 0,0,2. A few months back, the lab
got hit with the Stoned virus and we discovered that F-PROT 1.13 would
not disinfect the stoned virus properly so we ended up having to
reinstall the machines from scratch every time the PC's got infected
(until I wrote a small C program to get rid of it...thanks to the
VIRUS-L readers).  F-PROT 1.14 DOES properly disinfect the Stoned
virus from machines whose partitions begin at 0,0,2.  When used in
conjunction with F-DRIVER.SYS at startup, I've had no trouble with
removing the virus.  If F-DRIVER.SYS or some other detection utility
was not loaded at startup (F-DRIVER.SYS halts the PC if a virus is
detected), then Nick's and Padgett's comments about corrupted FAT's
etc. would be apropos.
				John-David Childs
				Consultant, University of Montana CIS