Sam Trenholme's webpage
This article was posted to the Usenet group alt.hackers in 1995; any technical information is probably outdated.

DOS FDISK and its hoops.


Article: 7850 of alt.hackers
From: cantrick@rintintin.Colorado.EDU (Ben Cantrick (alias Macky Stingray))
Newsgroups: alt.hackers,alt.2600
Subject: DOS FDISK and its hoops.
Followup-To: alt.2600
Date: 21 May 1995 03:28:00 GMT
Organization: Silky Doll Women's Lingerie, MegaTokyo, JP
Lines: 88
Approved: presi-cat@whitehouse.gov (Socks Clinton)
Message-ID: 3pmc00$6sj@CUBoulder.Colorado.EDU
NNTP-Posting-Host: rintintin.colorado.edu
Status: RO


  Well, I felt ambitious this morning, so I thought a little about the virus
that has a lot of machines in the lab flashing red and yellow VIRUS!!
warnings...

  It was known to survive a reformat, so I figured it must be a master boot
record virus. FDISK /MBR would probably kill it, but I wasn't satisfied with
jumping through FDISK's hoops every time I wanted to delete the partition
table. Not to mention the network prep routines to bring the machine up
to speed put an un-typeable label on the first DOS partition, making it
tough to type in the label and have FDISK delete it. This brings us to
today's ObHack, wipeboot.asm:

ObHack:

-----railgun spike here-----

a 100
mov ah,9        ; Function 9: write string pointed to by DS:DX
push cs         ; The string is in CS, so make CS = DS.
pop ds
mov dx,12B      ; Set DX to point to the right string.
int 21          ; Print out message: what we're doing.
mov ah,8        ; Function 8: wait for a key press (no echo). Unlike BIOS
int 21          ;  int 16, a DOS read honors CTRL-BRK before the wipe.
mov ah,03       ; Function 3 -> Write absolute sector.
mov al,0A       ; Write 10 sectors (0A hex).
mov ch,0        ; Write at track 0.
mov cl,1        ; Write at sector 1.
mov dh,0        ; Write at head 0.
mov dl,80       ; On the first hard disk. (first floppy = 0)
push cs         ; Write data from ES:BX, aka CS:BX, aka from a
pop es          ;  big buffer o' zeros.
mov bx,1A6      ; Code and strings end (and the buffer begins) at 1A6 hex.
int 13          ; Rock 'n Roll... MBR is now wiped clean.
mov ah,9        ; Same song, second verse.
mov dx,197      ; Set DX to point to the other string.
int 21          ; Print out message: Success.
mov ah,4C       ; And exit the program.
int 21
db "WARNING:",07,07,07," Wiping first 10 sectors of the hard disk!!",0D,0A
db "Press any key to continue, or CTRL-BRK to stop.",0D,0A,0D,0A,"$"
db "Done wiping.",0D,0A,"$"

f cs:1A6 15A6 00
n killhd.com
rcx
14A6
w
q

-----railgun spike here-----

 You can make a .COM file called 'killhd' with this. Type:

  debug < wipeboot.asm

  When run, 'killhd' scribbles '0' over the first 10 sectors of the hard
disk, killing everything (including DOS or other necessary stuff) that
might be in the Master Boot Record or (possibly in the) DOS boot records.
I would not recommend running it on your computer at home...


  Imagine my surprise, then, after hacking a hard disk wiping program all
morning, when it didn't work at all. Or rather, when it worked, and didn't
help any. Even after I completely wipe a computer's MBR and DOS Boot sectors
then netprep it (bafdisk and all...) some of them still come up with virus
warnings within the next couple of boots.

  So I'm thinking 3 things...

  1) The virus is a never before seen file-infector and has worked its way
onto our netprep disks.

  2) The scanning software is seeing a virus where there isn't one, and
giving us a false positive.

  3) The machines somehow "know" that people are running MSWindbloze on them
and are correctly telling us we have the biggest virus ever known on our
systems. ;]

          -Ben
--
     "BGC: Because some of us believe women over 14 are still sexy."
=----------------------------------------------------------------------------=
*Ben Cantrick, diehard BGC otaku and Priss fan.  ---> THE BGC DUBS SUCK! <---*
*Why Mac? "When I want to spend 50% of my time fighting an OS, I'll use VMS."*
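An added example, not part of Ben's post: a Python parser for the 512-byte Master Boot Record sector that killhd overwrites (and FDISK /MBR rewrites), run over a constructed sample sector and over the all-zero sector a wipe leaves behind, so you can check what actually ended up in sector 1 instead of guessing. The offsets (boot code 0-445, four 16-byte partition entries at 446, 0x55AA signature at 510) are the standard MBR layout; the sample partition values are made up.

```python
# Added example: inspect an MBR sector rather than trusting the scanner.
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446
SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Return the partition table and sanity flags for one 512-byte MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,      # 0x55AA present?
        "boot_code_zeroed": not any(sector[:TABLE_OFFSET]),  # code area wiped?
        "all_zero": not any(sector),                       # whole sector wiped?
        "partitions": entries,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: dummy boot code plus one bootable FAT16 (type 06) partition."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (TABLE_OFFSET - 3)  # cli; xor ax,ax; nops
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\xbf\x0c", 63, 204737)
    return boot_code + entry + b"\x00" * 48 + SIGNATURE


if __name__ == "__main__":
    print("live  :", parse_mbr(build_sample_mbr()))
    print("wiped :", parse_mbr(b"\x00" * MBR_SIZE))  # what killhd leaves in sector 1
```

A sector that reports signature_ok with a nonzero boot code area after you thought you wiped it means the wipe never reached the disk; an all-zero sector with the scanner still complaining points at the other two of Ben's three theories.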


