Just sketching an idea, not tested. Requires OS to load first, but still - might be useful.
Does not prevent infection, but lets you know on next reboot if something is changed
(if you don't reboot often you could schedule this test to be run at certain intervals...)

Have a look at "MBRWORK" <http://www.terabyteunlimited.com/downloads/MBRWORK.ZIP>
at <http://www.terabyteunlimited.com/utilities.html>.
Page/readme does not say anything about FAT16 or 32...but it seems recently updated
(July 2001)...(?)

Use this (or similar software) to make a backup copy of the MBR, hide the file as txt or
whatever. Then, upon every boot, run MBRWORK to create a temp file of the current MBR.
Then use a file compare utility, comparing the temp file (current MBR) with the backup
(last known good MBR). Figure out exit codes and routine to use if mismatch (e.g. if
mismatch - replace current MBR with backup, then reboot, or - sound alarm - or - whatever)

But of course, by the time you compare and replace the current MBR with the backup, a
virus might already be loaded in memory, infecting the new MBR instantly... It might
still be useful though, since if the new MBR is instantly infected again by the active
virus, you will get another mismatch on the next boot (or next time you run the test)..
So at least you know something is wrong, and can then use various scanners to try to
id/remove the virus....

If you try this approach, let us know...:)

All the best,
Bjorn
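
A sketch of the compare step described in the message above, added as an example and not part of the original post or of MBRWORK. It assumes the backup and the current MBR have already been dumped to two 512-byte files by MBRWORK or a similar tool; the function names and exit-code convention are this example's own, and it goes one step beyond a plain file compare by reporting which region of the sector changed.

```python
import sys

SECTOR_SIZE = 512
# Classic PC MBR layout: (region name, start offset, end offset exclusive)
REGIONS = [
    ("boot code", 0, 446),
    ("partition table", 446, 510),
    ("boot signature", 510, 512),
]
# Exit codes for a calling boot script (a convention assumed by this example)
EXIT_MATCH, EXIT_MISMATCH, EXIT_BAD_INPUT = 0, 1, 2


def changed_regions(good, current):
    """Return the names of the MBR regions that differ between two dumps."""
    if len(good) != SECTOR_SIZE or len(current) != SECTOR_SIZE:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    return [name for name, lo, hi in REGIONS if good[lo:hi] != current[lo:hi]]


def check(good, current):
    """Compare the dumps, print a report, and return an exit code."""
    try:
        diffs = changed_regions(good, current)
    except ValueError as exc:
        print("ERROR:", exc)
        return EXIT_BAD_INPUT
    if not diffs:
        print("MBR matches the last known good copy")
        return EXIT_MATCH
    print("MBR CHANGED in:", ", ".join(diffs))
    return EXIT_MISMATCH


def constructed_mbr(fill=0x90):
    """Constructed sample sector, not a real MBR: filler code, empty table."""
    return bytes([fill]) * 446 + bytes(64) + b"\x55\xaa"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: mbrcheck.py GOOD_DUMP CURRENT_DUMP")
        sys.exit(EXIT_BAD_INPUT)
    with open(sys.argv[1], "rb") as f_good, open(sys.argv[2], "rb") as f_cur:
        sys.exit(check(f_good.read(), f_cur.read()))
```

A change confined to the partition table can follow a legitimate repartition, while a change in the boot code with no such cause is the case the message is concerned with.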

To unsubscribe from SURVPC send a message to [EMAIL PROTECTED] with 
unsubscribe SURVPC in the body of the message.
Also, trim this footer from any quoted replies.
More info can be found at;
http://www.softcon.com/archives/SURVPC.html
