12 Dec
2012
12 Dec
'12
3:26 p.m.
>> I also had an antivirus complaint with one of
the files with DOS/Stoned or
>> something similar, I just remember it was "Stoned". I wasn't too
worried
>> about it as 16-bit DOS virus on 64-bit Windows can't do anything.
> has a copy of windows 95 on floppy thats infected hehehe
On Wed, 12 Dec 2012, jim s wrote:
The win 95 makes more sense because the sequences that
AV scanners look
for besides a huge list of signatures are system calls and operations
between them that may enter known buggy areas of the Windows kernel in
odd ways. Win95 is the first version of Windows which was protected on
"top" and 'real mode bottom', in that the system went protected much
earlier than before.
"Stoned" is a boot sector virus. If a Windoze95 machine gets booted from
a DOS OR WINDOZE95 floppy that is infected, then it will infect the boot
sector of Windoze95.
HOWEVER, A "floppy boot" of Windoze95, after seeing the floppy (and maybe
being infected by it), will then ALSO use the hard disk boot sector,
thereby making it DIFFICULT to do a "clean floppy boot" from a known
NOT-infected disk. The solution was to set the CMOS to boot from the hard
disk, even when there is a floppy in the drive. THAT was not available on
all machines.
with sequences which look suspicious to virus
scanners
. . .
the hits on the maslin archive should not contain any x86 code unless it
is for something like an Atrona which has dual boards. And in that case
There are plenty of MS-DOS disk images in Don's collection (where else
would you go to get an image of an 8" MS-DOS?). It is likely that they
are NOT all false-positives.
So, check the boot sectors of any MS-DOS disks that you make from images.
AND, scan all executables for malware that was NOT boot-sector.
--
Grumpy Ol' Fred cisin at xenosoft.com