Path: utzoo!mnetor!uunet!mcvax!ukc!its63b!hwcs!neil
From: neil@cs.hw.ac.uk (Neil Forsyth)
Newsgroups: comp.sys.atari.st
Subject: Re: Possible Virus! (Boot Sector)
Message-ID: <1771@brahma.cs.hw.ac.uk>
Date: 12 Apr 88 08:09:44 GMT
References: <8804010103.AA17773@ucbvax.Berkeley.EDU>
Reply-To: neil@cs.hw.ac.uk (Neil Forsyth)
Organization: Computer Science, Heriot-Watt U., Scotland
Lines: 31

In article <8804010103.AA17773@ucbvax.Berkeley.EDU> BHOLMES@WAYNEST1.BITNET (Brian Holmes) writes:
>
>
>I recently posted about a disk crash problem I was having.
>This disk just crashed on me and here is a dump of the boot sector.
>
>   0 1 2 3 4 5 6 7 8 9 A B C D E F
>00 603800004E4E4E4E6145D60002020100

(rest of article deleted)

There is a branch instruction ($6038) at the start of the boot sector which
branches to what looks like a load of nonsense. My first impression is that
the disk has an executable checksum. The checksum is the sum of all 256 words
(Motorola style) in the boot sector. If the total is $1234 then the OS will try
to execute the code in the boot sector. I have not calculated the checksum.
If this is the case then the nonsense code crashes the system when booted.
You can get and change the checksum using my Disk Toolbox posted recently.

-------------------------------------------------------------------------------
"I think all right thinking people in this country are sick and tired of being
told that ordinary decent people are fed up in this country with being sick and
tired. I'm certainly not and I'm sick and tired of being told that I am!"
- Monty Python

 Neil Forsyth                           JANET:  neil@uk.ac.hw.cs
 Dept. of Computer Science              ARPA:   neil@cs.hw.ac.uk
 Heriot-Watt University                 UUCP:   ..!ukc!cs.hw.ac.uk!neil
 Edinburgh
 Scotland
-------------------------------------------------------------------------------