Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!rex!ukma!widener!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: paul@parsifal.econ.yale.edu (Paul McGuire)
Newsgroups: comp.virus
Subject: Re: Joshi Virus in part. table (PC)
Message-ID: <0006.9104162011.AA07133@ubu.cert.sei.cmu.edu>
Date: 13 Apr 91 02:25:56 GMT
Sender: Virus Discussion List
Lines: 28
Approved: krvw@sei.cmu.edu

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:
>>From: awl@extro.ucc.su.oz.au (Tony Locke)
>
>>We have a machine with Joshi on it and can't find something to kill
>>it. Anyone have any ideas (have tried SCAN 74B)
>
>As I recall, the Joshi stores the real MBR (partition table) code in
>cyl 0 head 0 sector 9 (should be able to tell by looking).
>To recover, just cold boot from a known clean write-protected floppy and
>use DEBUG to copy the real MBR back to sector 1. The rest of the virus code
>will still be on (hopefully) unused sectors on cyl 0 but will be cut off from
>execution & harmless.

I have an IBM-AT that won't boot from drive c:, but comes up fine from a
floppy, at which point the c: drive seems to be okay. FPROT114 f-fchk tells
me my files are fine, f-syschk tells me my memory is fine, however f-disinf
tells me I have Joshi but fails to cure it. I tell f-disinf to cure it, it
says I'm cured, but if I run it again it again tells me I'm infected and the
computer still won't boot from the hard disk.

Is this an FPROT bug? Am I perhaps multiply infected? Can I trust the
identification of Joshi and perform the above sector 9 to sector 1 copy, or
does FPROT's failure indicate more serious problems that the copying won't
fix or will make worse?

Thanks for any help,

Paul McGuire
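The recovery Padgett describes, copying the saved MBR from cyl 0 head 0 sector 9 back over sector 1, is worth sanity-checking before the copy, which is the "should be able to tell by looking" step and also the worry Paul raises about making things worse. The following is an added example, not code from either poster: it works on a raw disk image rather than through DEBUG on a live drive, checks that the candidate sector carries the 0x55AA boot signature and a plausible partition table before writing it over sector 1, and demonstrates the whole thing on a constructed image. The partition entry values and the 0xCC filler standing in for the relocated boot sector are constructed for the demonstration and are not data from the post.

```python
"""Check and restore a relocated MBR from a raw disk image (added example).

CHS (cyl 0, head 0, sector 9) is the ninth 512-byte sector on track 0, which
is zero-based sector index 8 in a raw image; sector 1 is index 0.
"""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
PART_TABLE_OFFSET = 0x1BE          # four 16-byte partition entries start here
SAVED_MBR_INDEX = 8                # CHS sector 9 -> zero-based index 8


def looks_like_mbr(sector: bytes) -> bool:
    """Sanity checks a sector must pass before we trust it as the real MBR:
    correct length, 0x55AA signature, boot flags only 0x00/0x80, at most one
    active partition."""
    if len(sector) != SECTOR or sector[510:512] != MBR_SIGNATURE:
        return False
    active = 0
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        boot_flag = sector[start]
        if boot_flag not in (0x00, 0x80):
            return False
        if boot_flag == 0x80:
            active += 1
    return active <= 1


def restore_mbr(image: bytearray, saved_index: int = SAVED_MBR_INDEX) -> bool:
    """Copy the saved MBR back over sector 1 (index 0), but only if the saved
    sector passes looks_like_mbr(); returns whether the copy was made."""
    saved = bytes(image[saved_index * SECTOR:(saved_index + 1) * SECTOR])
    if not looks_like_mbr(saved):
        return False
    image[0:SECTOR] = saved
    return True


def build_clean_mbr() -> bytes:
    """Constructed clean MBR: a two-byte 'jmp $' stub padded with zeros, one
    active partition entry with made-up CHS/LBA values, and the signature."""
    code = b"\xEB\xFE".ljust(PART_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII",
                        0x80, b"\x01\x01\x00",   # active, CHS start (constructed)
                        0x06, b"\xFE\x3F\x1F",   # type 0x06, CHS end (constructed)
                        63, 65000)               # LBA start, sector count (constructed)
    table = entry + b"\x00" * 48                 # three empty entries
    return code + table + MBR_SIGNATURE


def build_infected_image(total_sectors: int = 63) -> bytearray:
    """Constructed image of track 0 in the state the post describes: sector 1
    overwritten (0xCC filler stands in for it; this is not virus code) and the
    real MBR parked at CHS sector 9."""
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = b"\xCC" * SECTOR
    image[SAVED_MBR_INDEX * SECTOR:(SAVED_MBR_INDEX + 1) * SECTOR] = build_clean_mbr()
    return image


if __name__ == "__main__":
    img = build_infected_image()
    print("sector 1 passes MBR checks before repair:", looks_like_mbr(bytes(img[:SECTOR])))
    print("saved sector 9 accepted and copied back:", restore_mbr(img))
    print("sector 1 passes MBR checks after repair:", looks_like_mbr(bytes(img[:SECTOR])))
```

On a real machine the same check is what "looking" with DEBUG amounts to: confirm the sector ends in 55 AA and that offset 1BE holds a partition table that matches the drive before copying anything, and keep the original sector 1 dumped to a file so the copy can be undone. The rest of track 0 is left alone, as the post says; only sector 1 is written.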