Armed with F-PROT 2.24 on a write-protected 3.5" floppy disk I tackled the infected machine.
First of all I wanted to be sure that the computer was infected. So I let it
boot normally, then ran F-PROT from the floppy, which halted during RAM
test with this warning:
![A very visible message is printed on a computer screen informing the user that the machine RAM memory is infected.](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibYdnAXvcPzQ8JcfbGnl5g0fXopfhJPNgJCS2id_gzdfh0Ss2Ps1fN0DNtlqaGMwqsjf1Y05Eig1-Bs0OZ0mjRHjEYgcN_Ds-_P4xISuKjVBZBWGjTnwPDypRiMhTSe8XwxGVGRCb9ON7iUtbaIJV2y9wo75qBAnotrsOZ9Txntx0s_2MP-F4jWfxnukw5/w400-h300/photo1716327021.jpg)
It's a pretty alarming message.
So I booted it off a DOS 3.2 on a floppy disk (write protected) and ran a
second scan. This time the memory was clean but it obviously detected
Junkie in the hard-disk MBR, which could not be cleaned. That was
expected. Unfortunately DOS on that floppy would not recognise the
hard-disk so I could not issue the [FDISK /MBR] command.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw0LYm5YHhHeGSFi8prVo2zgZsp9fdXq6QhgydFTdTdCLS8z4L2YjV-cUxOuiOdV9cR_rB5Lv9fQk42Xxspj_ZM_sVyVGpJ3NoRCzIO5_ZZoCnQd-SgkbbxB4SAf-Jy7PnFFVLz8QMtb1E8uFrCfx8WsZgqmIj__vJSrZp3UJtAhADm4BfRLooe_GGS8r_/w150-h200/photo1716327021_2.jpg)
What's the infected program?
Time for a... reinstall! This time I used the three 3.5" floppies with
MS-DOS 5.0, booted off the first one and followed the guided procedure.
We should note that since it detected a formatted HDD, there was no need
to format the disk and wipe the content: it simply copied itself over
C:\DOS. Unfortunately this probably left me with an infected MBR and at
the end of the install process it wanted to reboot. Hitting F-keys I
managed to get a DOS prompt where I could run FDISK /MBR (maybe the
setup wizard had already done that, but I preferred to avoid a second
reinstall).
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Q0DfFmDmp41zd7FHLELMDDZavl7hDmDY9-W1_WbhlXwe6qy8KsKRvfzASB_M4xXNp2rSvvHaWjgnkcgcoLGL3tSvhKV3lj-yls6xxxtx1nU8FdSjDnLgu8WCit0-RHYyUDZIgkLIkiZ-3oYPQeMdhCWSAmPl_6-6e3jmFgosuTHr3NszpP34KXtFFaaH/w150-h200/photo1716327021_1.jpg)
1996 F-PROT in 2024 action!
Rebooted from HDD. Loaded
F-PROT from the floppy and let it scan the disk. It located two infected
.COM files I remember I had executed, which were cleaned. Now we're
ready to go. No, there's the pile of 5.25" floppies I DIR'ed to check!
So I spent more than a few minutes scanning all 5.25" disks that were at
hand's reach and found nothing. In order to prevent similar mistakes I
have now write-protected these apparently clean disks.
Side note on F-PROT. The executable can be run with /OLD option to bypass
the "signatures expired" block. Apparently /OLD on 2.24 does not work so
I simply set the system date a month later than the signature timestamp.