What did Microsoft customize on Windows 95 installation floppy disks?
I have a Windows 95 Upgrade 3.5" DMF installation disk set where several disks were infected by the boot sector virus known as "Chance.A". I'm interested in restoring these to their original contents.
Before rewriting the disks using disk images from another source, I imaged the contents, and started to compare those images with the other set. The affected Disk 1 has
- an altered region at the beginning of the disk including the boot sector,
- a partial backup of the original boot sector code in the normally-zeroed area at relative offset 0x3e00,
- a different last 9 digits of the string "/U:xxxxx-xxx-xxxxxxx" (where "x" is a decimal digit) at offset 0x131376, which looks suspiciously like a Product ID although I cannot confirm this, and
- a binary difference around offset 0x15d960.
The first two of these are both things that I would expect to result from the modifications by "Chance.A", but the string difference especially makes me suspect that the disks' contents were different even without the involvement of "Chance.A".
What did Microsoft customize, if anything, on different installation disk sets, either at time of manufacture individually or across different batches / production runs, or through having the installer itself modify the disk contents?
Note: In Microsoft's terminology, a product ID is a sort of serial number that should not be confused with the product key a.k.a. CD-key that must be entered at install time, although for CD-based products the product ID is usually determined by the product key.
floppy-disk windows-95
1
BTW, serious about the virus name? I don't know any boot-virus named chance - there seems to be a file-virus with that name. microsoft.com/en-us/wdsi/threats/…
– Raffzahn
Nov 13 '18 at 0:04
2
@Raffzahn Microsoft's virus database only has very generic entries with no information; for instance here's the entry for Michelangelo, perhaps the most famous boot sector virus, which has the same "this virus spreads by attaching its code to other files" text (something which is definitely incorrect). Here's Symantec's entry for Chance: symantec.com/security-center/writeup/2000-122010-0641-99
– rakslice
Nov 13 '18 at 1:36
1
Forgot the link to the Michelangelo entry there: microsoft.com/en-us/wdsi/threats/… You'll note that the text is exactly the same as the Chance.A entry except for the threat name, suggesting that none of the other information is threat-specific.
– rakslice
Nov 13 '18 at 1:42
Why not apply the new images to the disks, then overwrite the data with the original data you saved?
– Moab
Dec 14 '18 at 23:19
@Moab Assuming that by "overwrite the data" you mean overwrite everything at the file level, the reason I didn't do this is that I can't rule out that there were changes to my disks at the file level -- the reason I'm even asking this question in the first place is to try to figure that out.
– rakslice
Dec 15 '18 at 3:45
edited Nov 13 '18 at 2:11
asked Nov 12 '18 at 22:07
rakslice
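The image comparison the question describes, as an added example (not part of the original post and not the asker's tooling): it diffs a suspect image against a reference, groups differing bytes into ranges, and places each range in the FAT layout read from the reference boot sector, since the suspect's own boot sector is the part that was overwritten. Both small images are constructed for the demonstration; only the 0x3e00 offset and the shape of the "/U:" string echo the question, and all function names are hypothetical.

```python
import struct
from typing import NamedTuple

class Layout(NamedTuple):
    bps: int         # bytes per sector
    fat_start: int   # byte offset of the first FAT
    root_start: int  # byte offset of the root directory
    data_start: int  # byte offset of the first data cluster

class Finding(NamedTuple):
    offset: int
    length: int
    sector: int
    region: str
    ref_blank: bool  # True when the reference holds only zero bytes here

def parse_bpb(boot: bytes) -> Layout:
    """Read the FAT12/16 BIOS Parameter Block from a known-good boot sector."""
    bps, _spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", boot, 0x0B)
    (spf,) = struct.unpack_from("<H", boot, 0x16)
    if bps not in (512, 1024, 2048, 4096) or nfats == 0 or spf == 0:
        raise ValueError("boot sector does not carry a plausible BPB")
    fat_start = reserved * bps
    root_start = fat_start + nfats * spf * bps
    root_bytes = -(-root_entries * 32 // bps) * bps  # round up to whole sectors
    return Layout(bps, fat_start, root_start, root_start + root_bytes)

def diff_ranges(ref: bytes, sus: bytes, gap: int = 16) -> list:
    """Return [start, end) ranges of differing bytes, merging near neighbours."""
    if len(ref) != len(sus):
        raise ValueError("images differ in size; re-image before comparing")
    ranges, start, last = [], None, None
    for i, (x, y) in enumerate(zip(ref, sus)):
        if x == y:
            continue
        if start is None:
            start = i
        elif i - last > gap:
            ranges.append((start, last + 1))
            start = i
        last = i
    if start is not None:
        ranges.append((start, last + 1))
    return ranges

def region_of(offset: int, lay: Layout) -> str:
    if offset < lay.fat_start:
        return "boot/reserved"
    if offset < lay.root_start:
        return "FAT"
    if offset < lay.data_start:
        return "root directory"
    return "data"

def triage(ref: bytes, sus: bytes, gap: int = 16) -> list:
    lay = parse_bpb(ref)  # layout comes from the reference, never the suspect
    return [Finding(s, e - s, s // lay.bps, region_of(s, lay), not any(ref[s:e]))
            for s, e in diff_ranges(ref, sus, gap)]

def make_reference() -> bytes:
    """Constructed 64-sector FAT12 image: 1 reserved, 2 FATs, 16 root entries."""
    img = bytearray(64 * 512)
    struct.pack_into("<HBHBH", img, 0x0B, 512, 1, 1, 2, 16)
    struct.pack_into("<HBH", img, 0x13, 64, 0xF0, 1)
    img[0x3E:0x60] = b"\xFA" * 0x22            # stand-in for boot code
    img[0x1FE:0x200] = b"\x55\xAA"
    img[0x5000:0x5014] = b"/U:00000-000-1111111"  # constructed ID string
    return bytes(img)

def make_suspect(ref: bytes) -> bytes:
    """Constructed changes of the three kinds listed in the question."""
    img = bytearray(ref)
    img[0x3E:0x60] = b"\xCC" * 0x22            # altered boot code
    img[0x3E00:0x3E20] = b"\x90" * 0x20        # data in a normally-zeroed area
    img[0x5000:0x5014] = b"/U:00000-099-2222222"  # different trailing digits
    return bytes(img)

if __name__ == "__main__":
    ref = make_reference()
    for f in triage(ref, make_suspect(ref)):
        print(f"0x{f.offset:06x} len={f.length:4d} sector={f.sector:3d} "
              f"{f.region:14s} reference_blank={f.ref_blank}")
```

A range that is non-blank on the suspect side but blank in the reference is the pattern the question attributes to the virus's boot sector backup; a data-area range where both sides hold text is the pattern that suggests the disks differed from the start.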
1 Answer
Neat question ... and I may have found only a partial answer when looking through my notes. I did find some information about Win95 product/activation keys to be entered when installing from CD. Basically 3 formats.
10 Digit Key
For one there is the basic 10 digit number in 3-7 format, where the first group (3) are not checked, while the second (7) has to have a digit sum modulo 7 (*1)
20 Digit Key
OEM versions (starting with 95B) had a 5-3-7-5 format with
- 5 digits as dddyy marking the day and year the version got produced
- 3 characters, always OEM
- 7 digits again checked as digit sum modulo 7, but the first two now must be zero
- 5 digits as kind of serial number, this time the first may not be zero
11 Digit Key
There seems also to be another 11 digit key, coded as 4-7, much like the first, but now the first group defines if it's meant as a full install (0401) or an update (0402)
What Version will be Checked
A further step would be to look up SETUPPP.inf, which should have an entry ProductType=n. Its value defined the ID to be checked. Here 1 notes a volume install media (no install key to be entered), 2 (*2), 5 and 6 make install ask for a 10 digit number, while 9 marks an OEM version using a 20 digit key. Everything else is invalid.
Considering the above information, is it possible that your data starts with something like 12095 or 15096? (Both numbers I had noted, but there may be others.)
*1 - That is adding up all seven digits and dividing them by 7 must result in Zero.
*2 - I have 'update' scribbled across the 2, so 2 may be marking disks reserved for update installation, where a previous Windows is checked.
edited Nov 13 '18 at 17:26
answered Nov 12 '18 at 23:00
Raffzahn