frisk@rhi.hi.is (Fridrik Skulason) (04/12/91)
Mark Aitchison, U of Canty; Physics) writes:

>(2) The mention of direct calls to BIOS by viruses... A friend of mine
>has a method (well, two really, one for diskettes and one for hard
>disks) that should prevent this, but we can't test it with many real
>viruses- any volunteers?

I had a method which used to work pretty well - it even stopped the 'TRYOUT'
program in Dr. Solomon's package, which made a direct JMP to F000:xxxx, but
some of the most recent viruses are able to bypass it. I guess they would be
able to defeat your friend's method as well...but it would not hurt to try.

>(3) Does any virus take interrupts by not changing the vector but by
>changing the first few bytes of the present routine to be a far jump
>to the virus? If so, my comments in (1) need the addition of checking
>the first few bytes.

A few viruses do - very few, but they exist - yes.

>(5) I had hoped that the checksum in the header of .EXE files would
>help spot viruses, but few programs have a valid checksum. Can anyone
>tell me whether, if I go to the effort of correcting the checksum in
>all my programs, will any virus be smart enough to rewrite a corrected
>checksum?

I know of no virus which bothers with the checksum - but I would rather
suggest you put an invalid checksum there - perhaps compute the "correct"
checksum and XOR it with your initials (or something) - even if the virus
computes a new checksum, it will be incorrect. If the virus ignores the
checksum it will also be incorrect. However - this will not be of any use
against "stealth" viruses.

>The answer is going to have to mean radical changes to BIOS, DOS and
>MSWINDOWS (which, for a new product, makes a lot of stupid mistakes,
>it seems). In the short term, a slight change to BIOS, and a not much
>more than DRDOS's password protection system, should suffice.

Try telling that to Microsoft. (sigh)

- -frisk
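The .EXE header checksum and frisk's "XOR it with your initials" trick, worked through in Python as an added example; this is not code from the post or from any of the packages it mentions. It assumes the usual MZ semantics: e_csum lives at offset 0x12, the load image is the length declared by e_cblp/e_cp, and the field holds the one's complement of the modular 16-bit sum of every other word, so that all words of the image sum to 0xFFFF. The 37-byte sample executable is constructed inline and is not a real program; the initials "FS" are only an illustrative tag.

```python
import struct

MZ_CSUM_OFFSET = 0x12  # e_csum: the 16-bit checksum word in the MZ header


def _check_magic(data: bytes) -> None:
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")


def mz_image_size(data: bytes) -> int:
    """Length of the load image as declared by e_cblp (bytes used in the last
    512-byte page) and e_cp (page count), clamped to the actual file length."""
    _check_magic(data)
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    size = e_cp * 512
    if e_cblp:
        size -= 512 - e_cblp
    return min(size, len(data))


def _word_sum(image: bytes, skip: int) -> int:
    """Modular 16-bit sum of every little-endian word in `image`, ignoring the
    word at offset `skip`.  A trailing odd byte is padded with zero."""
    if len(image) % 2:
        image += b"\x00"
    total = 0
    for off in range(0, len(image), 2):
        if off != skip:
            total = (total + struct.unpack_from("<H", image, off)[0]) & 0xFFFF
    return total


def expected_checksum(data: bytes) -> int:
    """Value e_csum must hold so that all words of the image sum to 0xFFFF
    (assumed semantics: one's complement of the sum of the other words)."""
    image = data[:mz_image_size(data)]
    return (~_word_sum(image, MZ_CSUM_OFFSET)) & 0xFFFF


def stored_checksum(data: bytes) -> int:
    _check_magic(data)
    return struct.unpack_from("<H", data, MZ_CSUM_OFFSET)[0]


def set_checksum(data: bytes, value: int) -> bytes:
    _check_magic(data)
    return data[:MZ_CSUM_OFFSET] + struct.pack("<H", value & 0xFFFF) + data[MZ_CSUM_OFFSET + 2:]


def checksum_valid(data: bytes) -> bool:
    """The plain header check: does the stored word make the image sum to 0xFFFF?"""
    return stored_checksum(data) == expected_checksum(data)


def initials_tag(initials: str) -> int:
    """Two ASCII initials packed into one word: the XOR mask frisk suggests."""
    raw = initials.encode("ascii")[:2].ljust(2, b"\x00")
    return struct.unpack("<H", raw)[0]


def stamp_with_initials(data: bytes, initials: str) -> bytes:
    """Store (correct checksum XOR initials) instead of the correct checksum."""
    return set_checksum(data, expected_checksum(data) ^ initials_tag(initials))


def stamped_intact(data: bytes, initials: str) -> bool:
    """Owner's integrity check.  Fails if the image words changed, and also if
    something rewrote e_csum to the 'correct' value (the tag is then missing)."""
    return (stored_checksum(data) ^ initials_tag(initials)) == expected_checksum(data)


def build_sample_exe() -> bytes:
    """Constructed 37-byte MZ image (not a real program): a 32-byte header
    followed by 'mov ax,4C00h / int 21h', i.e. an immediate DOS exit."""
    code = b"\xb8\x00\x4c\xcd\x21"
    total = 32 + len(code)
    e_cp = (total + 511) // 512
    e_cblp = total % 512
    # e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp,
    # e_csum (0 for now), e_ip, e_cs, e_lfarlc, e_ovno; padded to 32 bytes
    header = struct.pack("<2s13H", b"MZ", e_cblp, e_cp, 0, 2, 0, 0xFFFF,
                         0, 0x100, 0, 0, 0, 0x1C, 0) + b"\x00" * 4
    return header + code


if __name__ == "__main__":
    sample = build_sample_exe()
    exe = set_checksum(sample, expected_checksum(sample))
    print("plain checksum valid:", checksum_valid(exe))
    tagged = stamp_with_initials(exe, "FS")
    print("tagged file passes the plain check:", checksum_valid(tagged))
    print("tagged file passes the owner's check:", stamped_intact(tagged, "FS"))
    repaired = set_checksum(tagged, expected_checksum(tagged))
    print("after e_csum is 'corrected', owner's check:", stamped_intact(repaired, "FS"))
```

Run it as a script, or import it and call `stamp_with_initials` over a directory of clean .EXE files, then `stamped_intact` later from a clean boot. Two limits are worth keeping in mind: the header sum is only a modular word sum, so any change whose added or altered words happen to sum to zero mod 65536 passes unnoticed, and, as frisk says, a stealth virus that intercepts file reads hands the checker the original bytes, so the check only means something when the system was booted from known-clean media.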