DOS FDISK and its hoops.
Article: 7850 of alt.hackers
From: cantrick@rintintin.Colorado.EDU (Ben Cantrick (alias Macky Stingray))
Newsgroups: alt.hackers,alt.2600
Subject: DOS FDISK and its hoops.
Followup-To: alt.2600
Date: 21 May 1995 03:28:00 GMT
Organization: Silky Doll Women's Lingerie, MegaTokyo, JP
Lines: 88
Approved: firstname.lastname@example.org (Socks Clinton)
Message-ID: 3pmc00$6sj@CUBoulder.Colorado.EDU
NNTP-Posting-Host: rintintin.colorado.edu
Status: RO
Well, I felt ambitious this morning, so I thought a little about the virus that has a lot of machines in the lab flashing red and yellow VIRUS!! warnings... It was known to survive a reformat, so I figured it must be a master boot record virus. FDISK /MBR would probably kill it, but I wasn't satisfied with jumping through FDISK's hoops every time I wanted to delete the partition table. Not to mention the network prep routines to bring the machine up to speed put an un-typeable label on the first DOS partition, making it tough to type in the label and have FDISK delete it.

This brings us to today's ObHack, wipeboot.asm:

ObHack:

-----railgun spike here-----
a 100
mov ah,9        ; Function 9: write string pointed to by DS:DX
push cs         ; The string is in CS, so make CS = DS.
pop ds
mov dx,12B      ; Set DX to point to the right string.
int 21          ; Print out message: what we're doing.
xor ax,ax       ; Wait for a key press.
int 16
mov ah,03       ; Function 3 -> Write absolute sector.
mov al,0A       ; Write 10 sectors (DEBUG takes hex, so 0A = 10).
mov ch,0        ; Write at track 0.
mov cl,1        ; Write at sector 1.
mov dh,0        ; Write at head 0.
mov dl,80       ; On the first hard disk. (first floppy = 0)
push cs         ; Write data from ES:BX, aka CS:BX, aka from a
pop es          ; big buffer o' zeros.
mov bx,1A4      ; Our code and strings end (and the buffer begins) at 1A4 hex.
int 13          ; Rock 'n Roll... MBR is now wiped clean.
mov ah,9        ; Same song, second verse.
mov dx,195      ; Set DX to point to the other string.
int 21          ; Print out message: Success.
mov ah,4C       ; And exit the program.
int 21
db "WARNING:",07,07,07," Wiping first 10 sectors of the hard disk!!",0D,0A
db "Press any key to continue, or CTRL-BRK to stop.",0D,0A,"$"
db "Done wiping.",0D,0A,"$"

f cs:1A4 15A4 00
n killhd.com
rcx 14A4
w
q
-----railgun spike here-----

You can make a .COM file called 'killhd' with this.
Type: debug < wipeboot.asm

When run, 'killhd' scribbles '0' over the first 10 sectors of the hard disk, killing everything (including DOS or other necessary stuff) that might be in the Master Boot Record or (possibly in the) DOS boot records. I would not recommend running it on your computer at home...

Imagine my surprise, then, after hacking a hard disk wiping program all morning, when it didn't work at all. Or rather, when it worked, and didn't help any. Even after I completely wipe a computer's MBR and DOS boot sectors, then netprep it (bafdisk and all...), some of them still come up with virus warnings within the next couple of boots.

So I'm thinking 3 things...

1) The virus is a never-before-seen file-infector and has worked its way onto our netprep disks.
2) The scanning software is seeing a virus where there isn't one, and giving us a false positive.
3) The machines somehow "know" that people are running MSWindbloze on them and are correctly telling us we have the biggest virus ever known on our systems. ;]

-Ben

-- 
"BGC: Because some of us believe women over 14 are still sexy."
=----------------------------------------------------------------------------=
*Ben Cantrick, diehard BGC otaku and Priss fan. ---> THE BGC DUBS SUCK! <---*
*Why Mac? "When I want to spend 50% of my time fighting an OS, I'll use VMS."*
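Editor's added example (Python, not from Ben's post): the .COM above is nothing but hand-computed offsets, so the script below re-assembles it byte for byte and checks that the two strings land at 12Bh and 195h, the zero buffer at 1A4h (where the `f` command starts filling), and the file at 14A4h bytes (the `rcx` value). It then simulates the INT 13h AH=03h write against a constructed disk image carrying a fake MBR (one active FAT16 entry and a 55 AA signature) and shows the difference between BX pointing at the zero buffer and BX pointing into the program's own code (for instance 117h): the partition table and signature are gone either way, but only the former leaves an all-zero sector. The 16-head, 63-sector geometry and the MBR contents are assumptions made for the simulation only; nothing here touches a real disk.

```python
"""Rebuild killhd.com from the DEBUG listing and simulate its INT 13h write.

Constructed example, not part of the original post.  The disk geometry
(16 heads, 63 sectors/track) and the MBR contents are assumptions chosen
for the simulation, not anything from the lab machines in the post.
"""
import struct

ORG = 0x100      # .COM programs load at CS:0100h, where DEBUG's "a 100" starts
SECTOR = 512

# The two "$"-terminated INT 21h/AH=09h strings exactly as in the listing.
MSG1 = (b"WARNING:\x07\x07\x07 Wiping first 10 sectors of the hard disk!!\r\n"
        b"Press any key to continue, or CTRL-BRK to stop.\r\n$")
MSG2 = b"Done wiping.\r\n$"


def le16(v):
    return struct.pack("<H", v)


def _text(msg1_off, msg2_off, buf_off, sectors, drive):
    """Machine code for the listing, same instruction order, 8086 encodings."""
    return b"".join([
        b"\xB4\x09",                  # mov ah,9
        b"\x0E\x1F",                  # push cs / pop ds
        b"\xBA" + le16(msg1_off),     # mov dx,<msg1>
        b"\xCD\x21",                  # int 21
        b"\x33\xC0\xCD\x16",          # xor ax,ax / int 16  (wait for a key)
        b"\xB4\x03",                  # mov ah,3   (write absolute sectors)
        b"\xB0" + bytes([sectors]),   # mov al,<count>
        b"\xB5\x00\xB1\x01\xB6\x00",  # mov ch,0 / mov cl,1 / mov dh,0
        b"\xB2" + bytes([drive]),     # mov dl,<drive>  (80h = first hard disk)
        b"\x0E\x07",                  # push cs / pop es
        b"\xBB" + le16(buf_off),      # mov bx,<buffer>
        b"\xCD\x13",                  # int 13
        b"\xB4\x09",                  # mov ah,9
        b"\xBA" + le16(msg2_off),     # mov dx,<msg2>
        b"\xCD\x21",                  # int 21
        b"\xB4\x4C\xCD\x21",          # mov ah,4C / int 21  (exit)
    ])


def build_killhd(sectors=10, drive=0x80):
    """Return (image, layout): the .COM bytes and the CS-relative offsets
    DEBUG assigns to the strings and the zero buffer.  No instruction size
    depends on the offsets, so one dry run gives the text length."""
    text_len = len(_text(0, 0, 0, sectors, drive))
    msg1_off = ORG + text_len
    msg2_off = msg1_off + len(MSG1)
    buf_off = msg2_off + len(MSG2)
    image = (_text(msg1_off, msg2_off, buf_off, sectors, drive)
             + MSG1 + MSG2 + bytes(sectors * SECTOR))   # the "f ... 00" buffer
    layout = {"msg1": msg1_off, "msg2": msg2_off, "buf": buf_off,
              "rcx": len(image)}                          # bytes written by "w"
    return image, layout


def chs_to_lba(cyl, head, sector, heads=16, spt=63):
    """INT 13h addresses sectors as C/H/S with S 1-based: (0,0,1) is LBA 0."""
    return (cyl * heads + head) * spt + (sector - 1)


def make_test_disk(sectors=2048):
    """Constructed disk image: placeholder boot code, one active FAT16
    partition starting at LBA 63, and the 55 AA boot signature."""
    disk = bytearray(sectors * SECTOR)
    disk[0:2] = b"\xEB\xFE"                      # jmp $ stands in for boot code
    disk[0x1BE:0x1CE] = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x06,
                                    0xFE, 0xFF, 0xFF, 63, sectors - 63)
    disk[0x1FE:0x200] = b"\x55\xAA"
    return disk


def parse_mbr(sector):
    """What FDISK would see in sector 0: boot signature and non-empty entries."""
    parts = []
    for i in range(4):
        e = sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        if any(e):
            lba, count = struct.unpack_from("<II", e, 8)
            parts.append({"active": e[0] == 0x80, "type": e[4],
                          "lba": lba, "sectors": count})
    return {"signature": bytes(sector[0x1FE:0x200]) == b"\x55\xAA",
            "partitions": parts, "all_zero": not any(sector)}


def run_killhd(disk, image, layout, bx=None, sectors=10):
    """Simulate the INT 13h/AH=03h call: <sectors> sectors from CS:BX written
    at cylinder 0, head 0, sector 1.  BX defaults to the zero buffer; pass an
    offset inside the code (e.g. 0x117) to see the program's own bytes land
    in the MBR instead of zeros."""
    bx = layout["buf"] if bx is None else bx
    src = image[bx - ORG:bx - ORG + sectors * SECTOR]
    start = chs_to_lba(0, 0, 1) * SECTOR
    disk[start:start + len(src)] = src
    return disk
```

`open("killhd.com", "wb").write(build_killhd()[0])` writes the same 14A4h bytes DEBUG's `w` command does; the simulated disk is the only thing this script ever writes to, and `parse_mbr(disk[:512])` before and after `run_killhd` is the check a practitioner would want before trusting a sector-wiping tool near a real drive.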