FECO 3000 # 42
Modification No: N/A
Product: ALL NCR/AT+T 3000 SYSTEMS
Sub-Assembly: N/A
Estimated Man Hours: N/A
Class Of Change: MANDATORY
Reason For Change: DEFENCE AGAINST BOOT SECTOR VIRUS
1. The purpose of this bulletin is to alert the field to the spread of boot sector viruses. Boot sector viruses are transmitted on bootable DOS flex diskettes such as a Micro Channel reference disk, EISA configuration utility (ECU) or flash diskette. When booting from the infected diskette, the virus uses BIOS to locate and corrupt the boot sector (sector zero) on the system boot disk. Subsequent boots from the system disk will fail in a variety of ways dependent on the type of virus and the hardware platform.
2. For multi-processor systems (34xx, 35xx) the symptom could be a Cougar NMI (non-maskable interrupt), system hang, or a reboot following the message "booting with cache on". For uni-processor systems one symptom is continuous POST testing restarting after the message "booting...". To verify if the problem is a boot sector virus, scan all DOS bootable diskettes for boot sector viruses. If you use a laptop or workstation for downloading reference diskettes from a BBS, scan your workstation after every download and before creating the diskette. Do not create copies of the reference and flash diskette without first scanning the workstation creating the copy.
(tech serv ref: cssb95-0072a)
3. Procedures for implementing anti-virus safeguards
3.1. McAfee anti-virus software
McAfee anti-virus software is the current recommendation of AT+T GIS WWIS (World Wide Information Systems). The latest copy of McAfee software can be obtained from your local WWIS representative or via anonymous FTP:
ftp.attgis.com (192.127.82.244), /pub/wwis_softmgmt/vshield
3.2. Maintaining the integrity of EDP equipment
To ensure that EDP is not the breeding ground for viruses, all DOS based workstations should have McAfee anti-virus software installed.
3.3. Diagnostics and software used by EDP
All installation, maintenance and diagnostic software (including reference/ECU and flash diskettes) must be scanned for viruses immediately. Once it is determined that all software is virus free, the disks should be write protected to prevent the disk from possible virus infection from other systems. Prior to booting a customer system with personal copies of reference/ECU or flash disks, the diskettes must be virus scanned.
3.4. Downloading from external sources
Downloading software from bulletin board services, copying software from foreign systems and using shareware can be a significant source of new viruses. Before using software from any of these sources, scan it for any viruses and then write protect the diskette. Write protected diskettes cannot be infected.
3.5. Report all incidents of viruses
Report all viruses to technical services.
3.6. Customer provided software
There are occasions when software, shipped new from the manufacturer, can be infected with a virus. All DOS based software provided to EDP by customers for installation and client administration should be scanned for viruses.
3.7. Sharing software
Do not lend your software (diagnostic, client admin., reference disks) to anyone. If you must provide software to another user and it is not a violation of copyright laws, provide them with a copy. If making copies is not feasible, be sure to scan for viruses when the disks are returned.
3.8. Testing customer equipment
To ensure that customer owned equipment is virus free, run McAfee anti-virus on the equipment prior to performing any repairs, installations or client administration.
Change
4. How to recover from a boot sector virus - UNIX MP-RAS
4.1. Do not perform this section unless you have verified a virus has infected the system.
The following procedure requires some UNIX knowledge and experience. Do not perform any command unless you completely understand the procedure! Call the O/S support center if you have any questions.
4.2. Boot sector viruses corrupt the bootstrap program in sector zero. This program is written to the disk by the fdisk utility when the disk is partitioned. A new version of fdisk is available. This new fdisk now validates the boot code in sector zero; if the code is different from that which fdisk wrote initially, the sector is re-written, maintaining the existing partition information. The early version of fdisk will not detect that the bootstrap is corrupted and rewrite it.
4.3. If the version of fdisk (pbaseg203) on the system is dated 5/18/95 or later you may not need to perform the following procedure. Simply mount the root disk and run fdisk to rewrite the bootstrap code in sector zero.
4.4. If the version of fdisk is dated before 5/18/95 then we will need to zero out sector zero before running fdisk.
4.5. Boot the maintenance file system and mount the maintenance diskette.
# prtvtoc -f root.vtoc /dev/rdsk/cxtxdxs0   <-- cxtxdxs0 = "root/boot" disk
# vi root.vtoc   <-- change the starting sector for slice 0 from 1 to 0.
                     Do not change the size of slice zero.
# edvtoc -f root.vtoc /dev/rdsk/cxtxdxs0
**NOTE** Verify there are no mounted file systems on the root disk; unmount if necessary.
# dd if=/dev/zero of=/dev/rdsk/cxtxdxs0 count=1   <-- this will zero out sector 0
                                     !!!^^^^^^^!!!
                                     !!! VERY IMPORTANT (count=1) !!!
1+0 records in
1+0 records out
# fdisk /dev/rdsk/cxtxdxs0
4.6. The recommended default partitioning for your disk is:
A 100% "unix systems" partition
To select this, please type "y".
To partition your hard disk differently, type "n" and the "fdisk" program will let you select other partitions. (Answer y.)
# vi root.vtoc   <-- change the starting sector back to original value (1)
# edvtoc -f root.vtoc /dev/rdsk/cxtxdxs0
# exit
4.7. Reboot the system from hard disk.
4.8. If the system still fails to boot, additional analysis will be needed to determine the problem. Call the service centre for assistance.
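The check described in 4.2 (validate the boot code in sector zero, rewrite it if it differs, keep the partition information) can be illustrated on a saved copy of sector zero. The following is an added example, not code from this bulletin or from fdisk; it assumes the PC-style sector layout (446 bytes of bootstrap code, a 64-byte partition table, a 55 AA signature), and all function names and sample bytes are constructed for illustration.

```python
import hashlib

SECTOR_SIZE = 512
CODE_END = 446            # assumed layout: bytes 0-445 hold the bootstrap code
TABLE_END = 510           # bytes 446-509 hold the partition table (4 x 16 bytes)
SIGNATURE = b"\x55\xaa"   # bytes 510-511

def split_sector0(sector: bytes):
    """Return (bootstrap, partition_table, signature) from a 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector zero must be exactly 512 bytes")
    return sector[:CODE_END], sector[CODE_END:TABLE_END], sector[TABLE_END:]

def check_sector0(sector: bytes, good_code_sha256: str) -> str:
    """Classify sector zero against the digest of the known-good bootstrap."""
    code, _table, sig = split_sector0(sector)
    if sig != SIGNATURE:
        return "bad-signature"
    if hashlib.sha256(code).hexdigest() != good_code_sha256:
        return "bootstrap-modified"
    return "ok"

def rebuild_sector0(sector: bytes, good_code: bytes) -> bytes:
    """Return known-good bootstrap plus the partition table already on disk."""
    if len(good_code) != CODE_END:
        raise ValueError("reference bootstrap must be 446 bytes")
    _code, table, _sig = split_sector0(sector)
    return good_code + table + SIGNATURE

# Constructed sample data (not taken from a real disk).
GOOD_CODE = b"\xfa\x33\xc0" + b"\x90" * 443      # stand-in for the bootstrap
ENTRY = (bytes([0x80, 0, 1, 0, 0x63, 0xFE, 0x3F, 0x0F])
         + (63).to_bytes(4, "little") + (4000).to_bytes(4, "little"))
TABLE = ENTRY + bytes(48)                         # one used entry, three empty
CLEAN = GOOD_CODE + TABLE + SIGNATURE
TAMPERED = b"\xeb\x3c\x90" + bytes(443) + TABLE + SIGNATURE  # code overwritten
GOOD_DIGEST = hashlib.sha256(GOOD_CODE).hexdigest()

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, check_sector0(sec, GOOD_DIGEST))
    fixed = rebuild_sector0(TAMPERED, GOOD_CODE)
    print("rebuilt", check_sector0(fixed, GOOD_DIGEST), fixed == CLEAN)
```

The example works only on byte strings in memory; it never opens or writes a disk device.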
Testing
5. Test for normal function.
Recording action
6. Report virus details to technical services. Note details in site log book.