Hi BA,
I just downloaded IBM PC-DOS Guinan beta rev.3.
The files are infected by a virus: DOS/Junkie.1027!

If i am double-posting, sorry for that.

Just curious, where did you download this from? I don't see a PC-DOS 3 Beta on the FTP for English or international.

It is version 7.0, from BA FTP

Yip Downloaded it to check and got a similar warning

Compgeke: /(Beta) Operating Systems/PC/IBM PC-DOS 7.0 (''Guinan'') (1994-10-13) (beta rev3).rar

MSE reports here as well.

But could it be better if we submit this sample to Microsoft?

This probably was dumped from an infected PC.

I've got same virus alert on my McAfee


EDIT: I used Virus Total too; Detection ratio: 30 / 42

Both SETUP.COM and COMMAND.COM on Disk1 are infected, I've disinfected them and put them back onto the floppy and uploaded the archive again. Please test it out and report back.

I'm afraid the IMG file is still being reported as Virus:DOS/Junkie.1027, files extracted from the image aren't detected as virus, though.

Hmm, the img file wasn't detected by my software, only the contents. Is it on just the first floppy or all of them?

Only the first image itself is reported; image 2 to 5 are not reported as malware here.

Well I am guessing it's in the bootsector then. I could move the files to a clean floppy image but then we'll lose the bootsector and then it can't be booted.

Actually that virus seems to also infect the MBR.

Found this for ya: http://www.securelist.com/en/descriptions/old18778
Pwned was right, virus does infect MBR.

Rather pointless to say, but MBR = Master Boot Record, i.e bootsector... i.e exactly what I said . Any ideas on how to clean it out and keep a working boot record?

I think you gotta run an AV scanner somehow. I'm not sure: http://www.virusbtn.com/support/tutorials/boot.xml

If it's only the MBR, would the virus infect a newly created MBR? If not (and this has sys.com), adding a 2nd virtual floppy to a VM and then running sys B: should create a clean boot record, correct? After that then just copying the contents of original infected image to the newly created image should create a almost 1:1 copy of the image, only minus the virus..

Edit: Seems the disk isn't even bootable...meh.

Edit 2:
Here's a fixed version. It does have the PC-DOS 7 RTM MBR, however all the files are from the PC-DOS 7.0 Guinan v3 disk 1.

The way I fixed it was using the disk 1 files by extracting them then creating a new disk using WinImage with those files (and no boot record). Then I installed PC-DOs 7 RTM into a VM. From there I loaded the disk image containing only the files and copied them to a directory on the VM's C: drive. Then format A: /q. After that copy C:\PCDOS7BETA\*.* A:\*.*. Created a bootable PC-DOS 7 Beta v3 install disk that actually works, and is virus free.

Or is the header of the file infected?

Right now I'm working at getting a disk done in the original 1.8 MB format, requires a special formatting tool but shouldn't be too hard to do.

Virus infects .COM files and bootsector.

Nice find!
Do we know that old virii don't have damaged executable files inside the images on FTP like deleting a few functions for own code purposes?
I assume NEXTSTEP and Solaris and the like are clean.

The DOS virus won't effect anything if it's on a 64-bit host typically as 64-bit OS won't run 16-bit programs, even more so if it's Windows NT instead of DOS-based system as NT is completely different.

A virus has to be run before it can do any damage to files. Even if it were run on the FTP Server, I highly doubt it would be able to infect .rar archives.

As every description says, it's a DOS virus, which means it only affects DOS environments. That most likely includes Win9x as well but it depends on how the virus works. It won't affect NT environments since the bootsector is different and its boot routine differs as well. A virus can't just attach itself to whatever com-file and expect it to be run if the OS running is completely different. And no, it does not infect rar-files since it only attaches itself to com-files and bootsector, not rar-files. Even if it were to attach to a rar-file it would never run, and the rar-file would indicate damage when unpacked or tested.