Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: Master Boot Record (PC)
Message-ID: <0004.9106181359.AA17901@ubu.cert.sei.cmu.edu>
Date: 17 Jun 91 15:52:37 GMT
Sender: Virus Discussion List
Lines: 42
Approved: krvw@sei.cmu.edu

>From: frisk@rhi.hi.is (Fridrik Skulason)
>padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:
>>From: dwe29248@uxa.cso.uiuc.edu (Derek William Ebdon)

>>One thing that Mr. Doss forgot to mention is that although Central
>>Point Anti-Virus v1.0 can easily remove the Azusa virus from a floppy,
>>it cannot remove the virus from a hard drive. The only way to
>>disinfect a hard drive is to redo the low level format because the
>>virus infects the boot sector and the dos partition. A high level
>>format will not remove the virus, nor will simply removing the dos
>>partition with the fdisk program.

Aw come on fella, give a fella a break: I didn't say that, Mr. Ebdon
did.

The Master Boot Record, aka the Partition Table Record, aka physical
sector one on the hard disk contains two distinct elements:

1) The partition table located at offset 1BEh-1FCh (what is read by NU
   in partition table format).
2) The executable code beginning at offset 0 that uses the table to
   find the O/S boot record (also contains ASCII error messages).

Since the AZUSA replaces part 2 with its own code, all that is
necessary for recovery is to mate a good part 2 with the existing part
1 (not really difficult but more complicated than just copying a
sector) and replace the infected sector. Things get a bit more
complicated if special code is in use, e.g. the selection code used
with COHERENT or other MBR replacement code (DISKSECURE does this,
which is why the original MBR is backed up three times during the
installation process, including once on floppy).

However, I have NEVER had to do a low-level format on a disk because
of a virus, & have been able to restore infections from both AZUSA and
MUSICBUG without any great difficulty, it is just a matter of
following the correct procedure, nor have I ever advised anyone to do
so.

Hotly (having rolling blackouts of my a/c),
Padgett
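
The recovery described in the post above, mating known-good boot code with the partition table already on the disk, shown as an added example that is not part of the original post or of any tool it names. It assumes the standard layout of four 16-byte entries at 1BEh-1FDh followed by the 55AAh signature; the function names and both sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512
TABLE = 0x1BE        # first of four 16-byte partition entries
SIG_AT = 0x1FE       # two-byte boot signature 55h AAh
SIG = b"\x55\xaa"

def parse_table(sector):
    """Validate the partition table; return its non-empty entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[TABLE + 16 * i: TABLE + 16 * (i + 1)]
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, count
        flag, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if flag not in (0x00, 0x80):
            raise ValueError(f"entry {i}: bad boot flag {flag:#04x}")
        if ptype:
            entries.append({"index": i, "active": flag == 0x80,
                            "type": ptype, "start": start, "sectors": count})
    if sum(e["active"] for e in entries) > 1:
        raise ValueError("more than one active partition")
    return entries

def rebuild_mbr(infected, clean):
    """Known-good boot code (part 2) + table from the infected sector (part 1)."""
    if not parse_table(infected):          # refuse to carry over an empty table
        raise ValueError("infected sector has no partition entries to preserve")
    if len(clean) != SECTOR or clean[SIG_AT:] != SIG:
        raise ValueError("clean sector is not a valid MBR")
    return clean[:TABLE] + infected[TABLE:SIG_AT] + SIG

def make_sector(code, entry=b""):
    """Constructed test data: code padded to the table offset, one optional entry."""
    return code.ljust(TABLE, b"\x00") + entry.ljust(64, b"\x00") + SIG

# Constructed samples, not real virus or vendor boot code.
ENTRY = struct.pack("<B3xB3xII", 0x80, 0x04, 17, 41599)
INFECTED = make_sector(b"\xeb\xfe" * 8, ENTRY)   # placeholder for replaced code
CLEAN = make_sector(b"\xfa\x33\xc0\x8e\xd0")     # placeholder for good code

if __name__ == "__main__":
    fixed = rebuild_mbr(INFECTED, CLEAN)
    print(parse_table(fixed))
```

The table is validated before it is carried over, so a sector whose partition entries were also damaged raises an error instead of being written back.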