-=> Quoting The Visionary to Rick Collins <=-
-=> FidoMail to 1:163/215, please.-=<
rc> And how, pray tell, does that stuff loaded in the "read" buffer
rc> get executed to "infect from?"
TV> Why is it that I can take a completely clean hard drive and
TV> system, boot it up to the hard drive (after cleaning it with
TV> scanner on a "clean" floppy), then insert a disk with NYB on it,
TV> read some data from it, copy some data to it, and then boot back
TV> to that clean floppy and scan again, and it will detect NYB on
TV> the MBR? If you want, I
Remember, you said the system could be infected by no more than doing
a "DIR" on an infected floppy. You have now changed the story. To
answer your question, one of your suppositions (clean system and
clean floppy) is wrong.
Meanwhile, you didn't answer my question.
tv> send you the floppy this happens with. It's 1,000,000%
tv> consistent. FP225 can't see it unless you boot to floppy and
tv> scan that way. We have
That suggests the virus is memory-resident and stealthed. BTW,
popular terminology has one booting _from_, not _to_ a floppy. You
boot the system, not the disk.
tv> One machine was cleaned the night before, and the user came in
tv> the next morning, and installed some software onto the hard
tv> drive (AutoSketch) and infected his system again with NYB (it
tv> was put on the floppies when his machine was infected and he
tv> copied some drawings to it).
I'd say it was infected by one of the floppies he used for the
installation. NYB is like that: it will infect nearly every non
write-protected floppy that is put in the drive.
Your AV strategy needs some work. Start by scanning, on a known
clean system, _every_ floppy that could conceivably be put in a
machine. You'll doubtless find that many of them are infected.
TTFN. Rick.
Ottawa, ON 26 Dec 17:23
--- Blue Wave/DOS v2.20
---------------
* Origin: BitByters BBS, Rockland ON, Can. (613)446-7773 v34, (1:163/215)