Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!mips!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: Need help with Beijing Virus (PC)
Message-ID: <0012.9104101503.AA06496@ubu.cert.sei.cmu.edu>
Date: 10 Apr 91 15:45:36 GMT
Sender: Virus Discussion List
Lines: 25
Approved: krvw@sei.cmu.edu

>From: EMERSON@TURING.SDC.TASC.COM

>...and is infecting any diskette I happen to boot with...

The "Bloody" (apologies to UK readers) virus cannot remain resident through a cold (power off) boot from an uninfected floppy in a normal PC. period. If it is, then something strange is going on (like a BIOS that forces boots from C & I hope the readers understand the implications of this in view of some earlier discussions).

This virus is similar to the STONED and functions in much the same way. The original partition table/code (MBR) is stored at cyl 0 head 0 sector 6 and a good technician or the current version of McAfee's SCAN/CLEAN will take care of the problem.

When resident, it can be detected by the si...(oops, promised no more mention of my "primitive" technique) by CHKDSK which will report a loss of 2k from the TOM (640k machine will report 653312 "total bytes memory" instead of 655360). If in memory, it must be removed (through clean reboot) for any disinfection to be effective.

Note: as in any infection of this type, it is essential that all infected diskettes (and there must be at least ONE or there is a bigger problem) be found and disinfected else you will get a lot of practise in removal.

Warmly,
Padgett
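Added example, not part of the original post and not code from its author or from SCAN/CLEAN: a small triage script for the two indicators the post names, an MBR-shaped sector at cyl 0 head 0 sector 6 and a 2k shortfall in CHKDSK's "total bytes memory" figure. The function names, the 512-byte sector size, the 17-sector sample track and the sample data are assumptions made for illustration; a hit is a hint for follow-up, since other software may also keep an MBR copy or lower the top of memory.

```python
import re

SECTOR = 512
EXPECTED_TOM = 640 * 1024   # 655360 bytes on a 640k machine
RESIDENT_LOSS = 2 * 1024    # the 2k loss the post describes

def sector(track0, number):
    """Return 1-based sector `number` of cylinder 0, head 0."""
    return track0[(number - 1) * SECTOR:number * SECTOR]

def looks_like_mbr(sec):
    """55 AA signature plus a sane partition table (4 x 16 bytes at 0x1BE)."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    entries = [sec[0x1BE + 16 * i:0x1BE + 16 * (i + 1)] for i in range(4)]
    # Byte 0 is the boot flag (00 or 80), byte 4 the partition type (0 = unused).
    return all(e[0] in (0x00, 0x80) for e in entries) and any(e[4] for e in entries)

def relocated_mbr(track0):
    """True when CHS 0/0/6 holds an MBR-shaped sector that differs from sector 1."""
    saved = sector(track0, 6)
    return looks_like_mbr(saved) and saved != sector(track0, 1)

def memory_shortfall(chkdsk_output):
    """Bytes missing from 640k per CHKDSK's 'total bytes memory' line, or None."""
    m = re.search(r"(\d+)\s+total bytes memory", chkdsk_output)
    return EXPECTED_TOM - int(m.group(1)) if m else None

def triage(track0, chkdsk_output):
    findings = []
    if relocated_mbr(track0):
        findings.append("MBR-shaped copy at CHS 0/0/6 differs from sector 1")
    if memory_shortfall(chkdsk_output) == RESIDENT_LOSS:
        findings.append("top of memory lowered by 2k")
    return findings

# Constructed sample data, not taken from a real disk: a 17-sector track with
# one fake partition entry (active, type 0x04) and filler bytes as boot code.
def _sample_mbr(filler):
    entry = bytes([0x80, 1, 1, 0, 0x04, 5, 17, 100]) + bytes(8)
    return bytes([filler]) * 0x1BE + entry + bytes(48) + b"\x55\xaa"

CLEAN = _sample_mbr(0x90) + bytes(16 * SECTOR)
SUSPECT = (_sample_mbr(0xEB) + bytes(4 * SECTOR)
           + _sample_mbr(0x90) + bytes(11 * SECTOR))

if __name__ == "__main__":
    print(triage(CLEAN, "    655360 total bytes memory"))
    print(triage(SUSPECT, "    653312 total bytes memory"))
```

Feed `triage` the first track read from a disk image taken after a clean boot, together with the CHKDSK text captured on the suspect machine before that reboot.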