From CUNYVM.CUNY.EDU!lehigh.edu!virus-l Fri Feb 19 22:53:54 1993 Date: Fri, 19 Feb 1993 14:16:05 -0500 Message-Id: <9302191618.AA01441@first.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@first.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V6 #30 Status: R VIRUS-L Digest Friday, 19 Feb 1993 Volume 6 : Issue 30 Today's Topics: Re: What is a virus ? What kind of people make viruses? Virus detection by code inspection Re: Virus education YOUR opinions on virus legality needed! Re: TIME Magazine on "Cyperpunk": How Not to Define a "Worm" Uruguay on PS/2 Ref disk (PC) 1757 virus (PC) Re: Scanning memory (PC) Michelangelo or STONED? (PC) Possible new Virus found. HELP! (PC) Re: New way of opening files??? (PC) Minimal virus scan? (PC) Re: windows virus (PC) - is WALDO one? Re: New Virus (PC) Re: Suggestion to the developers of resident scanners (PC) Re: MtE Infected... (PC) CLU-011.ZIP (PC) SCAN 101 (PC) FDISK buggy? (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk, krvw@first.org ---------------------------------------------------------------------- Date: 11 Feb 93 19:59:10 +0000 From: ulogic!hartman (Richard M. Hartman) Subject: Re: What is a virus ? bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >So, let's try again: > >"A computer virus is a sequence of symbols which, when interpreted >under certain conditions in certain environments, will make a possibly >evolved copy of itself. This is called `replication' and the copy >retains at least the capability to recursively replicate further." This still does not include the charactistic that is, to me, the distinguishing characteristic between virii and worms. That is that virii host themselves within other programs (a hard disk boot sector program IS a program, even though it is not a "program file"), altering their behavior, while worms merely propogate themselves from system to system taking advantage of whatever mechanism the system provides. By "merely propogate themselves" I am ignoring any potential side effects of the worm or virus, ranging from vandalism (trashing files and hard disk sector indexes) to "useful worms" such as a (hypothetical) network file or e-mail address finder... The "intelligent assistant" that (Apple? Microsoft?) proposed a while ago... -Richard Hartman hartman@ulogic.COM =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= "Nobody has ever had a sexual fantasy about being tied to a bed and ravished by somebody dressed as a liberal." -P.J. O'Rourke ------------------------------ Date: Wed, 17 Feb 93 14:39:12 -0500 From: (Cameron D. Bunch) Subject: What kind of people make viruses? I am trying to find information on whatever might be known about the personality profile of the 'typical' virus author. Although there may not be much available in this area I would appreciate any references to either studies (if such exist) or case histories which would shed some light on what kind of person creates and releases viruses, what kinds of motivations are involved. Cases known to readers of this list but not necessarily recorded else where would be of interest also. Material available via ftp would be of greatest interest as I do not have access to a university library. Direct e-mail responses would probably be most appropriate. I would be glad to summarize if there is interest. - ---------------------------------------------------------------------- Cameron D. Bunch Head, Management Information Systems Dept. U.S. Naval Hospital, Rota Spain Internet: rth1cdb@rota-bumed.navy.mil cbunch@rota-measure.navy.mil DSN: 727-3672 COMM: +34-56-823672 ------------------------------ Date: Wed, 17 Feb 93 14:39:41 -0500 From: Jim O'Shea Subject: Virus detection by code inspection A question for the virus experts. Could you recognise that a file had been infected by a virus purely by inspecting a disassembled listing? I do mean any virus, including one you might not have met before. I accept it might not be possible to be specific but answers like "Yes, given unlimited time." or " Seventy percent probability of a correct answer after spending 6 hours on inspection" will be useful. I am interested in applying AI to virus detection and I would like to know how effective "Natural" intelligence is first. Jim O'Shea ( the Manchester Metropolitan University) ------------------------------ Date: 18 Feb 93 09:53:24 +0000 From: phys169@csc.canterbury.ac.nz Subject: Re: Virus education CHIP@BDSO.Prime.COM (Chip Seymour) writes: > I couldn't agree with Mr. Peters more, but I find that I am the one in > need of the education. For PC's, the basic information you need is contained in Ralf Brown's interrupt list (plus various other lists of "inside" DOS information, like memory maps and BIOS listings). The most I can say, without giving ideas to virus writers, would be... (1) viruses have to modify something that may eventually be executed on another computer, such as a diskette's boot sector, a program's code, a program "fork" or whatever. You can detect a virus when it does this, via hardware or software (hardware is best), but they are sometimes changed for valid reasons, and false-alarms become annoying. (2) viruses like to (but don't really need to) intercept the system's code once they are running so they can change programs or boot sectors or whatever that they come in contact with. If they don't do that, they'd just modify the disks or files they see when they start up - usually making them more obvious to spot (by the longer time the computer takes then) and spread slower. Virus detectors can look for viruses staying in memory, because available memory is reduced, interrupts are changed, or important bytes in system code get changed that should never be modified. (3) Viruses also like to stay in memory to modify the way the system reports things that might give a clue to its presence, e.g. intercepting PC interrupt 13h to read the boot sector, and returning the original sector instead of the infected one. On the face of it, this seems to make viruses harder to detect, but a good virus detector can notice it is happening and by-pass it to see the real infection, or simply report software is doing something that only viruses tend to do. Personally, I like viruses doing this, since many "good guy" programs do things similar to (2) - the more unlike disk caches, etc a virus acts the better for detection in the long run. (4) There is basically a race between viruses and anti-virus software; whoever gets control of the system first has enormous power over stopping what comes after it - although it could waste a lot of computer power doing so. Viruses have the disadvantage that changes can be detected if you *know* what the various vectors & system routines should look like, either by running on a clean system and thereafter looking for differences, or by knowing where standard BIOSes (or whatever for non-PC's) store their important routines. The latter is becoming less relevant, with strange disk controllers and the ability of 386's to put RAM anywhere and make it look like ROM. But then it is very difficult for viruses to use the 386 to do this as it will probably conflict with the EMM386 running, and make the virus very obvious too early. But you don't need to know a lot about how the various viruses work - the best system of all is hardware that rings alarm bells when something out of the ordinary happens - writing to an area that should be sacra sant, or a boot sector containing suspicious code. If you know how your system normally behaves, and spot differences, you can detect new viruses, and be able to trace whatever disk or program caused the alarm to its source immediately, rather than a week later when a scan of the disk is made and the source long forgotten. Hope this helps, Mark Aitchison, University of Canterbury, New Zealand. ------------------------------ Date: Thu, 18 Feb 93 13:56:08 -0500 From: Doug Subject: YOUR opinions on virus legality needed! Greetings.... Some of you may read the infamous 40-Hex Virus magazine, published by us. If so, we'd like your opinions for a survery we're doing. The results of this survey will be published in 40-hex #10. Here are the survey questions. Please answer them, and respond via email to me. You may respond with simple Yes or No answers, or you may be as wordy as you want. Please note - ANY response given might be published in 40-hex magazine. Now, the questions: 1) Should it be Federally illegal to write a computer virus? 2) Should it be Federally illegal to distribute computer viruses, to KNOWING individuals (ie on "virus" boards)? (This does NOT mean infecting another person with a virus - it means giving them a copy of a virus, and making sure they KNOW it is a virus) 3) If executable virus code is illegal, then should the SOURCE code to the viruses be illegal to copy, sell, or other wise distribute? Please mail me with YOUR opinions to the above, and feel free to explain your views, or present other opinions you may have. We are attempting to get a general idea as to the thoughts of people, therefore we are posting this to COMP.VIRUS, and ALT.SECURITY, and any other appropriate newsgroups. Please note - we are NOT interested in the legallity of SPREADING virus code by infection - that IS already illegal. We are also not interested in the ethic issues of viruses. We want your opinions as to what should be OUTLAWED, and what should be LEGAL. Of course, any other opinions you may wish to add are welcome. Thanks for your time and consideration.. --JDG111@PSUVM.PSU.EDU ------------------------------ Date: Thu, 18 Feb 93 22:41:46 +0000 From: ped@well.sf.ca.us (Philip Elmer-DeWitt) Subject: Re: TIME Magazine on "Cyperpunk": How Not to Define a "Worm" cmcurtin@bluemoon.use.com (Matthew Curtin) writes: >xrjdm@calvin.gsfc.nasa.gov (Joseph D. McMahon) writes: >> In last week's TIME magazine (with the "Cyberpunk" lead article), RTM's >> worm is is described as "not a virus, but a worm, since the damage was >> unintentional". >> >> This is the most singular lack of grasp of the subject I have seen in >> a long time. >There were quite a few people posting on alt.folklore.computers about how >many silly errors like that there were. I'd be interested in seeing people >post their gripes about the article, so that I coulds summarize everything >and write a letter to TIME's editor... Not to defend the bogus worm definition, but it was taken straight from Ed Krol's "Whole Internet Catalog." Please do write your letter to the editor. The mail on this story was pitiful. ------------------------------ Date: Wed, 17 Feb 93 18:36:42 +0000 From: pinman@magnus.acs.ohio-state.edu (Patricia C Inman) Subject: Uruguay on PS/2 Ref disk (PC) Fprot 2.06 reports: command.com "Infection: Uruguay" on all PS/2 Model 70/80 Reference Disks Version 1.06. Version 1.03 of the Ref Disk reports clean. CPAV is current and reports nothing. I recently went through a scare and collected all disks in the facility. This is all I have left to cleanup. Is this "normal"? Thanks, - -Patty Inman pinman+@osu.edu MUCIA 614/291-9646 ------------------------------ Date: 17 Feb 93 17:21:11 -0600 From: acrosby@uafhp.uark.edu (Albert Crosby) Subject: 1757 virus (PC) Today I found a variant of the 1575 'Green Caterpillar Virus' that was not detected by Scan v100. It was detected by VIRX 2.6, and detected/removed by F-PROT, fortunately. This variant never displayed the 'Green Caterpillar' described in F-PROT, but did take up _all_ of the UMB memory on some of the infected computers. Just another point in favor of keeping several scanning tools available... Albert - -- Albert Crosby | There are actually THREE things certain in this life: acrosby@uafhp.uark.edu | or AL.CROSBY on GENIE | Death, Taxes, and Parking Tickets. 1 501 575 4452 | Microcomputer and Network Support-UA College of Agriculture and Home Economics ------------------------------ Date: Wed, 17 Feb 93 18:41:24 -0500 From: peprbv@cfa0.harvard.edu (Bob Babcock) Subject: Re: Scanning memory (PC) >Yup. This is called ghost positive. It can be easily avoided by the >producer of the scanner with a little bit of intelligent programming. >I suggest that people REFUSE to use anti-virus software that is so >stupid. Isn't it better to be conservative and look everywhere in memory for active viruses? I'd much rather see a false alarm than have something be missed because a scanner was wrong about where viruses could lurk. Also, this sort of false alarm can only arise if you have scanned an infected floppy. If a user has an infected floppy, and doesn't know enough about viruses to understand the ghosting problem, they should consider getting expert help. ------------------------------ Date: Thu, 18 Feb 93 00:01:41 +0000 From: imeslsl@trex.oscs.montana.edu (LEPRICAN~~~) Subject: Michelangelo or STONED? (PC) The AUTOCAD lab at Montana State University has recently contracted a nasty virus, which we can't exactly identify. The older anti-virus programs we had would only see it some of the time. We tried McAfee v100, which would recognise the virus, but would not remove it from hard drives. It appears to be [Mich] when it is on a drive, but when it loads itself into memory, McAfee says it's [STONED]. It seems to be easily removed from floppies, but the virus infects the partition table of hard drives, where McAfee cannot remove it. Reformatting it from a write-protected floppy didn't remove it, either. Does anyone have any suggestions on how to combat this virus? thanks, Leprican~~~ ------------------------------ Date: 18 Feb 93 00:19:39 +0000 From: heathh@cco.caltech.edu (Heath Ian Hunnicutt) Subject: Possible new Virus found. HELP! (PC) Hello, I've recently had the misfortune of experiencing what I believe was a virus infection. Unfortunately, ver100 of McAfee's SCAN cannot identify the virus involved. I have also tried older versions of Norton and Central Point Anti-Virus, to no avail. Here's what happenned: At about 1am on the 15th, Windows crashed with a Severe Disk Error screen. I rebooted into DOS, and found that I would get many, many "Sector not Found" errors when I would try to access anything on my C: drive. (I also have a D: drive.) I tried to run Norton Disk Doctor, but it crashed. Thinking that my FAT was messed up on the C: drive, I tried to switch to the D: drive, where I at least had some minimal disk-doctor type software, along with the unformat command. (I was think of using unformat to restore my old FATs, and just taking a loss on work done that day...) Here comes the virus part: C:\DOS>D: (I typed this) Try that again and you'll die. (Was the response, as near as I can recall.) C:\DOS>DIR D: Try that again and you'll die. I powered off the machine. At this point, my partition table and boot records had been screwed up. I managed to fix the drive's woes using unformat, and my file system is now Ok. However, SCAN cannot find a virus at all on my drive C:. (I have removed drive D:, since it is very important to me, and I want to have this problem understood before I access that drive again.) I have even scanned every file that was installed in the last month or so for the word "die". No joy -- I assume it must be encrypted. The message was along the lines of the one given above. The only words that I am sure appear in it are: "[Tt]ry that again and you* die" There may have been a period after the "die" So, has anybody heard of a virus that does anything like this? I cannot believe that this is anything but an infection, since the "error message" seems so much like what a virus-writer would do. Thanks for any help. Heath - -- - -- >From the Home for Amnesiac Computer Scientists.... heathh@cco.caltech.edu ------------------------------ Date: 18 Feb 93 11:24:18 +0000 From: phys169@csc.canterbury.ac.nz Subject: Re: New way of opening files??? (PC) Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes: > >> More then that: A product like the one you described will only work on 38 6, > >> or higher, in protected mode.... >> > Well, there are several ways to spot writing to the disk port directly. > > Obviously, software-only methods would be limited in speed... > Isn't that what I said?... Well, you don't need a 386 with protected mode, but it is nice of course. You can emulate or trace instructions, plus a few other sneaky hardware-dependent methods which I probably shouldn't mention. > What you suggest is a bit too expensive for a user to get... That's true. I'm an advocate of relatively simple, cheap methods being used by virtually all computer users (I talked a lot last year about what could be built into DOS and BIOS, for example). But I have to acknowledge that the level of protection you need to make a standard Mac or PC safe against the kinds of viruses that *could* be made is well beyond what average users can stand. Not just cost, but inconvenience in responses needed from users, time taken to scan, and the need for serious, consistent security considerations. The whole beauty of the "openness" of the PC to getting at the works is also its greatest weakness. Although a lot can be done to tighten up the system (there are really stupid loopholes at the moment that could be fixed without bumping up the cost more than a few dollars), the whole popularity and philosophy of the PC (and Mac) makes them prone to virus writers. I really don't think water-tight security is what average users should be heading for (organisations, yes!), rather it is important to discourage virus writers. > > The big problem with viruses on PC's, at least, at the > > moment is that there is > > a large fuzzy area filled with programs (like Norton's > > DS and sel... > I wish it were the only problem. I think everybody realises the problems in relying on old fashioned fixed string scanners. But going on from there is difficult. Heuristics for boot sector viruses are reasonably good (I could talk at length about this - email me if you want to chat about it), but file infectors are a nuisance. If I said that using the "call next instruction" sequence was a pretty good detector of suspicious programs, all the virus writers would go out and change their code to "call next-plus-one instruction". Similarly, anything that can be disassembled from present heuristic detectors can be used to the benefit of virus writers. You could say that the fact that there are any viruses at all is the problem, but to really analyse what is stopping a truely good virus detector (not just 2nd generation/heuristics but 3rd generation), I think it would be the fact that so many "naughty" things that *should* identify viral activity have already been done in commercial software! > Personally I prefer that they will just stop writing viruses, or better yet > write usual ones that are easy to solve with generic methods like FDISK /MBR > or SYS or... > and let the PC users work without fear. Are you among those that will > sacrifice the user's benefit for an academic interest? No, I wish they'd stop too, but that won't happen without effort - like making it so common to spot a new virus as soon as it gets on your system that the *source* of viruses can be tracked while the scent is warm. And stop giving them the glory of new virus names. Even before mutation engines, the rate of "new" viruses was alarming. The popularity of virus writing D-I-Y kits is a great nuisance, but at least it has delayed the next stage of virus developments. I believe there are several more generations of virus detector left in the evolution process even for traditional "Personal" (insecure) computers. They would have to abandon looking for known viruses, unless you are interested in understanding what is there (which I, at least, am). To do better they have to distinguish between what is viral activity and what a common PC program might do. If it is hard enough at the moment for a human to do that, think how hard it is for AI software. I personally think there is reason to hope boot sector viruses can be eradicated - it is so obvious what you are supposed to have in a boot sector, and there's only 512 bytes to play with. But infected executables are difficult to tackle. I know of some "tricks" viruses tend to do, which makes the present generation of heuristics tick quite nicely. But that won't last. As virus writers and virus detectors play a game of cat and mouse, e.g. going to greater lengths to bypass DOS to open files to either infect, or to tell if they are infected, the code gets larger and less like conventional programs. That helps the average user - an infected file will grab a lot of extra disk space, and go slow, and it helps the 3rd generation of virus detector, simply because some virus writer who thinks he's clever is trying to bypass the 2nd generation of detector. Those that get around the 1st generation of detector (string scanners) are difficult for humans to detect as well. That's why I take the radical stand of hoping virus writers will move onto the next generation (provided anti-virus writers are ready for them). Mark Aitchison, Department of Physics & Astronomy, University of Canterbury, NZ ------------------------------ Date: Thu, 18 Feb 93 12:04:43 +0000 From: swesterback@tne01.tele.nokia.fi Subject: Minimal virus scan? (PC) We have an automatic virus-scan (in autoexec.bat) on all computers here at work. As it slows down the boot process to much on some computers i am planning to scan only parts of the files instead of the whole disk. My question now is if these assumptions are correct: - - viruses only infects: *.EXE and *.COM -files that has been used when a virus is in memory the boot sector command.com - - it is enough to scan only memory, the boot sector and for example the following files: command.com smartdrv.exe emm386.exe keyb.com win.com win386.exe lat.exe redir.exe Is that correct? If not please tell me why not! I can also think about varying the scanned directories from day to day. Also is there really any need to scan DLL, DRV, OVL and SYS-files? Sten ============================================================================ Sten Westerback (BSc. electronics) Telephone: +358+0 +5115891(work) X400 : c=fi, a=Elisa, p=Nokia Telecom, S=Westerback, G=Sten, (u=SWS) Internet : Sten.Westerback@ntc.nokia.com Time zone: EET (=GMT+3) Test the utility at WSMR-SIMTEL20.Army.mil::pd1:swxd303d.zip ============================================================================ ------------------------------ Date: Thu, 18 Feb 93 18:13:57 +0000 From: treeves@magnus.acs.ohio-state.edu (Terry) Subject: Re: windows virus (PC) - is WALDO one? andywang@crown.berkeley.edu (Andrew Wang) writes: >chess@watson.ibm.com (David M. Chess) writes: > >We have been experiencing a problem with Windows that also may >be connected with a virus. Recently a couple machines have been >producing a "WALDO has caused a General Protection Fault" error, >and then crashing hard. .. >seriously. Here's some info: We run Word for Windows, Corel Draw, and Excel I've seen his. Corel draw is sending the message. It's not a virus. I think you need to update corel to make this go away. Call them and ask - also tell them cute messages should be stoped or have an explanation attached! ------------------------------ Date: 18 Feb 93 18:39:56 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: New Virus (PC) ilfc826@vax2.concordia.ca (Tan Bui) writes: >Well, from my point of view, the Whale virus is one of the better viruses >written by the virus authors. Well, "better" only in the sense "more heavily armored" than other viruses. It has one flaw, however. It doesn't work (well, most of the time, that is). - -frisk - -- Fridrik Skulason Frisk Software International phone: +354-1-694749 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-28801 ------------------------------ Date: 18 Feb 93 19:23:23 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Suggestion to the developers of resident scanners (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >Ah, yes, I forgot about that. Yes, the file should be scanned when >executed from a network drive too. BTW, one thing that Frisk really >*MUST* implement soon is an option to re-activate VirStop after the >network shell has been loaded... Will be done in 2.08, or possibly earlier. - -frisk - -- Fridrik Skulason Frisk Software International phone: +354-1-694749 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-28801 ------------------------------ Date: Fri, 19 Feb 93 01:23:08 +0000 From: mdewaele@TrentU.CA (martin dewaele) Subject: Re: MtE Infected... (PC) >However, what bothers me is that you are talking about a single file >(if I've understood you correctly). In this case, it is likely to be a >false positive alarm (for more information about that, please read the >FAQ). Thus, you are advised to try a couple of other scanners that are >able to detect MtE-based viruses reliably. Two general-purpose >scanners (shareware) that can do that are SCAN 100 and F-Prot 2.07. An >MtE-only detector, called CatchMtE is freeware and is available from >most anti-virus sites, including ours. If no other scanners reports >the file as infected, it is almost certainly a false positive. In this >case you are advised to contact your local Symantec tech support. Yes you are correct, there are only three files on my system which NAV states are infected. In the last week I have tried other virus scanners, such as SCAN99. The result was that the system did not contain the virus, so I am content that it is just a false positive. Martin ------------------------------ Date: Thu, 18 Feb 93 21:35:11 -0500 From: HAYES@urvax.urich.edu Subject: CLU-011.ZIP (PC) Hi fellows. just received and made available for FTP processing CLU-011.ZIP. This file contains a collection of utilities created by Andy Balog for use on his site. Following is a short description written by Andy: These programs were written especially for use in batch files and for use in campus computer labs; I think they can be a useful addition to other software tools. These programs are copyrighted freeware. Please address questions and/or comments directly to Andy at one of the following addresses: Internet: | U.S. Mail: abalog@babbage.ecs.csus.edu | Andy Balog | P.O. Box 277341 | Sacrament, CA 95827-7341 Thanks for the programs, Andy! - ---------- Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet) Directory: [anonymous.msdos.antivirus] FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files. - ---------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Thu, 18 Feb 93 20:30:43 -0600 From: ST29701@vm.cc.latech.edu Subject: SCAN 101 (PC) Anyone notice how slow SCAN 101 has become?? I like and use Scan but it has become extreamly slow. I know people that at onetime put it in their AUTOEXEC.BAT file with /FAST /CF /CERTIFY parrameters. Now SCAN is so slow they have to break out unless they turn on the computer and go out for coffee. This is under the fast mode. Remember SCAN without /FAST is more reliable and /A is evem more reliable (/A looks at all files and more of the EXE and COM file's). Thes parrameters make SCAN even SLOWER Alan ------------------------------ Date: Fri, 19 Feb 93 10:45:13 +0000 From: chowes@sfu.ca (Charles Howes) Subject: FDISK buggy? (PC) Hi. I recently had a hard disk failure. A single 135Meg partition. (I'd really like to find a program that would tell me what was corrupted.. NDD wouldn't read it, nor NU, FORMAT, SYS, etc. But I digress.) So, after recovering the data, I used fdisk to try to create several smaller partitions. Problem was, the #@#$ program refused to let me create a second partition! I either had to create a 135 meg partition, or leave part of my disk unused! Is this a bug in fdisk, or what? (Hardware notes: 135meg IDE drive, 80286 machine, no viruses, DOS 5.0) (Actually, scan99 refused to admit the existence of the drive, so that was kinda moot.) - -------ON ANOTHER TANGENT------ Has anyone written a program that will allow you to create a new partition table sector from scratch, and if the numbers you give correspond to the previous partition table's numbers, *poof*, you have a working hard disk again? (Fdisk /mbr didn't work in this case.) And then do the same thing for the boot sector if called for? I actually found NDD 6.0 to be impotent with regards to this. NDD 4.5, too. NDD detects a problem, asks if you want it fixed, then fails to fix it. ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 30] *****************************************