home *** CD-ROM | disk | FTP | other *** search
- Path: sparky!uunet!spool.mu.edu!yale.edu!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
- Newsgroups: comp.virus
- Subject: MS-DOS CHKDSK & why VER /R may not work (& something that might) (PC)
- Message-ID: <0013.9212161818.AA12845@barnabas.cert.org>
- Date: 14 Dec 92 20:05:17 GMT
- Sender: virus-l@lehigh.edu
- Lines: 38
- Approved: news@netnews.cc.lehigh.edu
-
- >From: Mike Ramey <mramey@u.washington.edu>
- >Subject: RE: Dangerous bug in CHKDSK that comes with MS-DOS 5.0 (PC) (fwd)
-
- >I called Microsoft and requested the updated version for my computer
- >labs, even tho' we have not encountered the failure conditions yet. I
- >was told that in MS-DOS version 5.0a, the date on COMMAND.COM is
- >11-11-91.
-
- Just tried the VER /R trick after booting from a (relatively) old floppy
- with IO.SYS, MS-DOS.SYS, and COMMAND.COM all dated 03-22-91 5:10a. Guess
- what the report was:
-
- MS-DOS Version 5.00
- Revision A
- DOS is in low memory
-
- Further, COMP finds no difference between this COMMAND.COM and the one I
- just expanded from a new set of distribution disks that is dated 11-11-91.
-
- However, COMP *does* find a difference between the earlier CHKDSK.EXE and
- the one dated 11-11-91, which has a three byte change (to make sure that
- the CH value is cleared ?)
-
- Assuming that this is causing the problem, DEBUG will find the string:
-
- 8b 4f 0f 8b f9 (MOV CX,[BX+0F] MOV DI,CX) at offset ds:263e in the "old" and
- 8b 7f 0f 32 ed (MOV DI,[BX+0F] XOR CH,CH) is at the same offset in the "new"
-
- CHKDSK.EXE. Both are 16,200 bytes long.
-
- Sounds like there may be more than one revision A (or why ver /r is
- undocumented).
-
- Warmly,
- Padgett
-
- Note: this was done without any advice/observations from Mircrosoft &
- only represents what I found in minimal testing. Caveat y'all.
-
