Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: New Viruses ? (PC)
Message-ID: <0004.9105021354.AA27981@ubu.cert.sei.cmu.edu>
Date: 1 May 91 14:34:48 GMT
Sender: Virus Discussion List
Lines: 34
Approved: krvw@sei.cmu.edu

Recently, I have received questions from two different people concerning
activities that sound suspicious yet do not match any of the
characteristics that I am aware of. If anyone has further information,
elucidation would be appreciated.

Oddity #1: Several XT class machines exhibit the following: all Master
Boot Records (partition table) have 17 bytes written into offset ACh-BDh
(immediately before P-table). These bytes are an executable fragment
containing the following assembly code:

    1E        PUSH DS
    07        POP ES
    BB007C    MOV BX,7C00
    B90100    MOV CX,0001
    BA8000    MOV DX,0080
    000000

I am told that any attempt to replace the MBR results in an unbootable
machine and if the locations are zero'd using Norton, the code
immediately reappears.

Oddity #2: A single 386/SX20 was found with an unusual MBR which appears
to be the second half of "something". The MBR will operate normally if
called with DX=0. If called with a non-zero DX and if a data area from
offset 03-15 is filled, among other activities, an interrupt between 42h
and 59h will be trapped (which one is found in the data region, unfilled
in the fragment I received). The code has all of the normal error
messages and appears otherwise normal, e.g. no attempt to modify 413 is
made.

If any reader has seen anything like this, a reply would be appreciated.

Warmly (only 93 yesterday)

Padgett
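As an added example (not part of the original post or any reply), a Python check that locates the quoted byte sequence in a raw 512-byte MBR image, decodes only the opcodes that sequence contains, and lists the partition table so a suspect sector can be compared against a known-good one. The fragment bytes and the ACh offset come from the post; the sample sector and its partition entry are constructed here, and the reading of the fragment as the register setup for an INT 13h sector read (buffer 7C00h, cylinder 0 sector 1, head 0 on drive 80h) is my own interpretation, not the post's.

```python
import struct

# Bytes quoted in the post, in order (assumption: "000000" is three literal zero bytes).
FRAGMENT = bytes.fromhex("1E07BB007CB90100BA8000000000")
FRAGMENT_OFFSET = 0xAC      # offset reported in the post
PTABLE_OFFSET = 0x1BE       # standard MBR partition-table offset (4 x 16-byte entries)
BOOT_SIG = b"\x55\xaa"

# Minimal decoder covering only what the fragment uses: two one-byte ops and
# "MOV r16, imm16" (opcodes B8h-BFh). Anything else is emitted as a DB byte.
ONE_BYTE = {0x1E: "PUSH DS", 0x07: "POP ES"}
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]

def decode_fragment(code: bytes) -> list:
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op in ONE_BYTE:
            out.append(ONE_BYTE[op]); i += 1
        elif 0xB8 <= op <= 0xBF and i + 2 < len(code):
            imm = struct.unpack_from("<H", code, i + 1)[0]   # little-endian imm16
            out.append(f"MOV {REG16[op - 0xB8]},{imm:04X}"); i += 3
        else:
            out.append(f"DB {op:02X}"); i += 1
    return out

def build_sample_mbr(infected: bool) -> bytes:
    """Constructed 512-byte sector: zeroed boot code, one partition entry, 55AA."""
    sector = bytearray(512)
    if infected:
        sector[FRAGMENT_OFFSET:FRAGMENT_OFFSET + len(FRAGMENT)] = FRAGMENT
    # entry 0: bootable flag 80h, CHS start, type 06h (FAT16), CHS end, LBA 63, 65536 sectors
    struct.pack_into("<B3sB3sII", sector, PTABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 65536)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

def check_mbr(sector: bytes) -> dict:
    """Report where (if anywhere) the fragment sits, plus basic MBR sanity."""
    if len(sector) != 512:
        raise ValueError("MBR sector must be exactly 512 bytes")
    pos = sector.find(FRAGMENT)
    parts = []
    for n in range(4):   # skip CHS fields (3x); keep flag, type, LBA start, sector count
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PTABLE_OFFSET + 16 * n)
        if ptype:
            parts.append({"bootable": boot == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"fragment_offset": pos if pos >= 0 else None,
            "at_reported_offset": pos == FRAGMENT_OFFSET,
            "valid_signature": sector[510:] == BOOT_SIG,
            "partitions": parts}
```

To check a real disk, read sector 0 with `dd` (or a forensic imager) and pass the 512 bytes to `check_mbr`; a match anywhere other than the reported offset is still worth a look.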