
PSA: Floppies showing corruption when mounted in Linux = possibly Bootsector virus

mikerofone

Hi all,

some things happened so long ago that best practices have fallen out of my memory.

TL;DR: Do not use write-enabled floppies on unknown / newly acquired systems before doing a full virus scan.

I was surprised to find that I was no longer able to mount some floppies on my Linux Mint machine. Upon insertion into my USB floppy drive, dmesg showed error messages like `partition table partially beyond EOD, truncated` and the floppy was reported to have partitions. Mounting the floppy resulted in garbled directories, i.e. filenames with all sorts of weird characters, 2GB file size etc.

Turns out, a machine I recently got had the AntiExe bootsector virus, and was spreading it onto my disks. Linux interprets the virus code as partition information (?) and gets confused. I actually had this happen before, where I spread Parity Boot across a bunch of disks by using them in an infected laptop I had gotten.

So, in the future, I hope I'll remember to:

1) Write-protect all my boot and utility disks.
2) Run f-prot antivirus first thing on any system / disk I add to my collection.
3) Format disks / hard drives using a bootdisk, not via the system that is installed.

Posting this here since my googling for the dmesg errors or failing floppy mounts in Linux didn't yield any results. Maybe this will save someone else similar headaches.

Now, don't mind me while I go scanning some floppy disks... *grumble*

Cheers
mikerofone
 
Long ago, I was doing some work for some folks. It was some C coding for Windows.

I got some specs or something from a friend on a floppy.

Now, since 95% of the work was "just C", I was doing the work on my NeXTStation and my Mac (I didn't actually own a PC). I just moved the data back and forth from my machines and used this original floppy as the sneakernet mule.

When I went in to the office to do the final work, I found out that, indeed, the floppy had a bootsector virus that I was completely unaware of. I think I managed to infect 2 or 3 machines before I figured it all out.

I guess yours is large enough that they corrupt not just the bootsector, but other important sectors on the floppy. My Mac and NeXT had no issue mounting and using this one.
 
To be clear, may we assume that the boot sector virus was obtained by running the floppies on the Windows/DOS system? We should all be well-acquainted with Win95/98's volume-tracking code that rewrites boot sectors if write enabled.
 
I haven't tried the floppies on other systems, just one DOS 6.22 machine (the virus host) and my linux box. I've disinfected the disks on a Win95C machine that had F-Prot installed. As far as I can tell, reading and modifying a floppy on that Win95C didn't give the Linux box any trouble afterwards. So whatever fudgery Windows applies to floppies upon insertion doesn't faze my linux box. I wasn't aware Win9x writes to floppies when only reading, but now vaguely remember hearing this mentioned in the past when inserting non-PC floppies... Another good reason for using write-protected as the new default for my floppies. ;)

I've since created a set of F-Prot emergency boot disks (2x 3.5 or 5.25 inch disks), which was a bit of a challenge, as the virus definition files are a couple MB in size. I found an older version (3.12 from ~2002) which I was able to split, and using the `/loaddef` flag, F-Prot will load everything into memory on start, prompting for disk changes. So whatever system I'll be using next, I'll boot these first and do a full scan.

As for the originally infected system, F-Prot was unable to remove the MBR virus. I don't know why, maybe because the drive used DriveSpace compression. Removing everything in FDISK didn't help; only `fdisk /mbr` managed to get rid of it, but I only remembered that after everything else had failed. Luckily, the drive had nothing interesting on it in the first place. ;)

Cheers
mikerofone
 
greetings!

If you suspect you have a virus, you can try my antivirus called VCHECK, which I wrote years ago; it would run on 286+ machines.


thanks
 
Hey, thanks for the pointer! What viruses can it detect, does it mainly check for modified boot sectors or also do full file scans? Did you maintain your own virus database? Sounds like a lot of work, very cool. :)

I haven't tried f-prot on a 286 yet, would be interesting to know whether it worked. It does load about 2MB worth of files into memory, so I doubt it would run on a 640k machine. If yours is compatible with these lower specs, that'd certainly be useful.

Cheers
mikerofone
 
About 200+ of the most known and common DOS viruses. It can detect almost 90% of the most common boot sector viruses of that period, like Stoned, NYB, Anti-EXE and their variants, and it can disable the virus in memory, so there is no need to boot from a clean boot disk. It does full or selective scans. Please give it a go, mate, and thanks in advance; I appreciate it.
 
TL;DR: Do not use write-enabled floppies on unknown / newly acquired systems before doing a full virus scan.
@mikerofone , do you still have any of these infected floppies?

One thing I've been doing on my Linux machine is running clamav/clamscan on disk images before using the images with my computer. I've seen it catch infected files before, but I haven't seen it spot a boot sector virus, and I'm curious to know if it can do that. It would be nice if it did --- clamav is easy to apt install.

I'm pretty sure I'm not the only one to do this kind of thing... I once uploaded a hard drive image to Google Drive with an infected .com file, and Google locked it down with a scary warning! I would not have expected them to be on the lookout for 35-year-old DOS viruses, but I guess it saved me some trouble.
 
Hi stepleton,

I remember clamav finding DOS viruses in files in disk images, but I do not remember anything about boot sector viruses. But yes, I was surprised to find some alerts on images I made myself. ;)

If I find a disk with a boot sector virus, I'll try to image it and see what happens. I nowadays upload any retro stuff to VirusTotal.com first, if I get it from the net.

Cheers
mikerofone
 
As far as I remember, clamav doesn't disinfect infected files, let alone disinfect infected sectors, as it doesn't scan them as well.
 
Correct, clamav only reports. My hi-tech way of fixing certainly does NOT involve writing the image to a floppy, fixing it in f-prot on a real machine, and then reimaging it.

...sounds like something I should just set up a dosbox script for, maybe.
 
As far as I remember, clamav doesn't disinfect infected files, let alone disinfect infected sectors, as it doesn't scan them as well.

That's correct about disinfection, but the "doesn't scan them as well" part is what I want to verify. If you have a disk image and you scan the entire image, will clamav find the signature of the virus in the image's boot sector?

To me the answer that seems more likely is "yes". If clamav is looking for a characteristic string that marks the presence of a virus, it seems easier for it to scan every byte of the disk image for that signature than for it to isolate individual files in the disk image and scan those one-by-one. (For the latter strategy to be useful, clamav would have to be aware of multiple disk image formats, and it would have to know how to interpret multiple different filesytems: all the FATs, NTFS, the CD-ROM filesystems, probably Linux and MacOS filesystems too, the works. Seems complicated!)

But I don't know what really happens. Scanning a real infected disk image is an experiment that puts my "yes" theory to the test.

I tried to find a disk image infected with a boot sector virus to scan with clamav, but I didn't try too hard --- anyway, I was only able to find archives of modern malware or of what looks like older, defanged DOS executable file viruses. Is there a chance that you have a disk image infected with a boot sector virus?
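An added example (not code from this thread, from F-Prot, VCHECK or clamav) that ties together two points raised above: the first post's observation that Linux reports partitions and garbled directories on a floppy whose boot sector a virus has overwritten, and the question in this post of whether a raw scan over a whole disk image can find a boot-sector signature without understanding the filesystem. The 1.44 MB image and the "virus" sector are constructed here; the marker string stands in for a real signature and no real virus code is used. The FAT heuristic is a simplified re-implementation of the idea behind the kernel's msdos partition parser (do not treat 0x1BE as a partition table when sector 0 looks like a FAT boot sector), not the kernel code itself; which offsets the kernel checks exactly is an assumption of this example.

```python
"""Constructed floppy image: clean FAT12 boot sector vs. an overwritten one.
Shows (a) why a clobbered sector 0 that still ends in 0x55AA is read as an MBR
whose entries lie beyond the 2880-sector disk, and (b) that a whole-image byte
scan finds a marker in sector 0 with no filesystem parsing at all."""
import struct

SECTOR = 512
FLOPPY_SECTORS = 2880                   # 1.44 MB 3.5" floppy
PT_OFFSET = 0x1BE                       # MBR partition-table offset
MARKER = b"EXAMPLE-BOOTVIRUS-MARKER"    # constructed stand-in for a signature


def clean_fat12_boot_sector() -> bytes:
    """A plausible FAT12 boot sector for a 1.44 MB floppy (constructed)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"           # JMP SHORT over the BPB + NOP
    bs[3:11] = b"MSDOS5.0"              # OEM name
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors (the boot sector itself)
                     2,      # number of FATs
                     224,    # root directory entries
                     2880,   # total sectors (16-bit field)
                     0xF0,   # media descriptor for a 3.5" HD floppy
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2,      # heads
                     0,      # hidden sectors
                     0)      # total sectors (32-bit field), unused here
    bs[510:512] = b"\x55\xAA"           # boot signature
    return bytes(bs)


def infected_boot_sector() -> bytes:
    """Stand-in for what a boot-sector virus leaves in sector 0: the BPB and
    boot code replaced by 'code' bytes, the 0x55AA signature kept so the
    sector still boots, and the marker string sitting in the middle of it."""
    bs = bytearray((37 * i + 11) & 0xFF for i in range(SECTOR))   # filler
    bs[3:3 + len(MARKER)] = MARKER
    # Linux only accepts 0x1BE as a partition table if each entry's
    # boot-indicator byte is 0x00 or 0x80. Here the 'code' happens to have
    # 0x00 there, which is the case that produces the dmesg noise; other
    # infected sectors simply show no partitions.
    for slot in range(4):
        bs[PT_OFFSET + 16 * slot] = 0x00
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def make_image(boot_sector: bytes) -> bytes:
    """A 1.44 MB image: the given sector 0 followed by empty sectors."""
    return boot_sector + bytes(SECTOR * (FLOPPY_SECTORS - 1))


def looks_like_fat(bs: bytes) -> bool:
    """Simplified heuristic: nonzero reserved-sector and FAT counts and a
    valid media byte (0xF0 or 0xF8..0xFF). A clobbered BPB fails this."""
    reserved, fats = struct.unpack_from("<HB", bs, 14)
    media = bs[21]
    return reserved != 0 and fats != 0 and (media == 0xF0 or media >= 0xF8)


def partition_entries(bs: bytes, disk_sectors: int) -> list:
    """Parse the four MBR entries at 0x1BE; flag any that extend past the
    end of the device (the condition behind 'partially beyond EOD')."""
    entries = []
    for slot in range(4):
        off = PT_OFFSET + 16 * slot
        boot_ind, ptype = bs[off], bs[off + 4]
        start, size = struct.unpack_from("<II", bs, off + 8)
        if size == 0:
            continue                    # empty slot
        entries.append({"slot": slot + 1, "bootable": boot_ind == 0x80,
                        "type": ptype, "start": start, "size": size,
                        "beyond_eod": start + size > disk_sectors})
    return entries


def diagnose(image: bytes) -> dict:
    """What a Linux host sees on insertion, reduced to the checks above."""
    bs = image[:SECTOR]
    has_sig = bs[510:512] == b"\x55\xAA"
    fat = looks_like_fat(bs)
    boot_inds_ok = all(bs[PT_OFFSET + 16 * s] in (0x00, 0x80) for s in range(4))
    parts = partition_entries(bs, len(image) // SECTOR) if has_sig and not fat and boot_inds_ok else []
    return {"boot_signature": has_sig, "looks_like_fat": fat, "partitions": parts,
            "suspicious": has_sig and not fat and any(p["beyond_eod"] for p in parts)}


def scan_image(image: bytes, signatures: dict) -> list:
    """Whole-image byte-string scan: no partition or filesystem parsing, so a
    pattern in sector 0 is found exactly like one inside a file."""
    hits = []
    for name, pattern in signatures.items():
        pos = image.find(pattern)
        while pos != -1:
            hits.append((name, pos))
            pos = image.find(pattern, pos + 1)
    return hits


if __name__ == "__main__":
    for label, img in (("clean", make_image(clean_fat12_boot_sector())),
                       ("infected", make_image(infected_boot_sector()))):
        print(label, diagnose(img), scan_image(img, {"marker": MARKER}))
```

The clean image passes the FAT check, so its (all-zero) 0x1BE region is never read as a partition table and no marker is found; the overwritten sector fails the FAT check, all four slots parse as partitions that run far beyond 2880 sectors, and the marker is reported at offset 3, which is the same answer a signature scanner would give for a pattern inside an ordinary file in the image. Replace `make_image(...)` with the bytes of a real `.img` to run the same checks on a dumped floppy.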
 
Yes, clamav will scan disk images (.img) and will probably find the virus using the signature if it's known to it. Mine, on the other hand, will detect the boot sector virus in the image (.img) if it's not compressed, but needs the image to be mounted, perhaps in a VM, to be able to remove the virus and restore the original sectors (MBR or boot sector). I have disk images (floppy and hard disk) infected with a boot sector virus. I can pass you one.
 
Thanks for sharing those disk images with me! clamscan found all the viruses. It's nice to know that a tool like yours can deal with them.
 