Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!crdgw1!uakari.primate.wisc.edu!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: Joshi Virus in part. table (PC)
Message-ID: <0008.9104081309.AA03138@ubu.cert.sei.cmu.edu>
Date: 5 Apr 91 16:42:14 GMT
Sender: Virus Discussion List
Lines: 14
Approved: krvw@sei.cmu.edu

>From: awl@extro.ucc.su.oz.au (Tony Locke)

>We have a machine with Joshi on it and can't find something to kill
>it. Anyone have any ideas (have tried SCAN 74B)

As I recall, the Joshi stores the real MBR (partition table) code in
cyl 0 head 0 sector 9 (should be able to tell by looking). To recover,
just cold boot from a known clean write-protected floppy and use DEBUG
to copy the real MBR back to sector 1. The rest of the virus code will
still be on (hopefully) unused sectors on cyl 0 but will be cut off
from execution & harmless.

Warmly,
Padgett
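
The "tell by looking" check and the copy back to sector 1, as an added example that is not part of the original post: it works on a raw image of track 0 rather than a live disk, and tests whether the sector at cyl 0 head 0 sector 9 has the structure of an MBR before copying it. It assumes 512-byte sectors; the function names and the sample track are constructed for illustration.

```python
import struct

SECTOR = 512
SAVED_MBR_LBA = 8  # cyl 0, head 0, sector 9: CHS sectors count from 1, so offset 8


def looks_like_mbr(sector: bytes) -> bool:
    """Structural check: 55 AA signature plus a sane four-entry partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    used = active = 0
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        boot_flag, ptype = entry[0], entry[4]
        _start_lba, count = struct.unpack_from("<II", entry, 8)
        if boot_flag not in (0x00, 0x80):
            return False          # only "inactive" and "active" are valid flags
        if ptype == 0:
            continue              # unused slot
        if count == 0:
            return False          # a used slot must cover at least one sector
        used += 1
        if boot_flag == 0x80:
            active += 1
    return used >= 1 and active <= 1


def restore_mbr(image: bytes) -> bytes:
    """Return a copy of the image with sector 9's contents written over sector 1."""
    saved = image[SAVED_MBR_LBA * SECTOR:(SAVED_MBR_LBA + 1) * SECTOR]
    if not looks_like_mbr(saved):
        raise ValueError("sector 9 does not look like an MBR; nothing copied")
    return saved + image[SECTOR:]


def constructed_track() -> bytes:
    """Constructed sample: a 17-sector track 0, not data from a real disk."""
    mbr = bytearray(SECTOR)
    # One active DOS partition entry: flag, CHS start, type, CHS end, LBA start, count
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x04,
                               b"\x03\x51\x98", 17, 20383)
    mbr[510:512] = b"\x55\xaa"
    track = bytearray(17 * SECTOR)
    track[0:SECTOR] = b"\xcc" * SECTOR  # stand-in for the replaced sector 1
    track[SAVED_MBR_LBA * SECTOR:(SAVED_MBR_LBA + 1) * SECTOR] = mbr
    return bytes(track)


if __name__ == "__main__":
    img = constructed_track()
    print("sector 9 looks like an MBR:", looks_like_mbr(img[8 * SECTOR:9 * SECTOR]))
    print("sector 1 restored:", looks_like_mbr(restore_mbr(img)[:SECTOR]))
```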