[comp.virus] Detection of viruses

padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/11/91)

>From: "Mark Aitchison, U of Canty; Physics" <PHYS169@csc.canterbury.ac.nz>

>(1) It would be best to check a few key interrupt vectors (via their
>low memory locations, not via DOS), as well as the memory size...

Agree & should do this before DOS loads while interrupt vectors are still
predictable.

>(3) Does any virus take interrupts by not changing the vector but by
>changing the first few bytes of the present routine to be a far jump
>to the virus?

Boot sector infectors that grab Int 13 do this backwards: The virus takes
13 from the BIOS but when DOS loads, the vector is repointed to DOS and
after its check, a far call is made to the previous vector (virus).
Joshi & Stoned look like this after DOS loads.

>However, IMHO, non-boot sector viruses will probably
>eventually win over the best efforts of anti-virus software...

I am not sure about this. A good integrity management system will be able to
block anything that tries to take power after DOS but a BSI has the
opportunity to go resident on any accidental boot. Unless a BIOS level checker
is in place (like my experiment), this can be very difficult to detect given
some techniques we (thankfully) have not seen, yet.
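A defender-side check of the kind the thread describes, as an added example in C that is not from the post or its author: it compares a captured interrupt vector table image and the BIOS memory-size word against a pre-DOS baseline and also flags a far jump patched over a handler's first bytes. All segment:offset values and handler bytes are constructed sample data.

```c
/* Added example, not from the post: compare a captured real-mode interrupt
 * vector table (IVT) image with a baseline taken before DOS loads. All
 * addresses, memory-size words and handler bytes are constructed samples. */
#include <stdint.h>
#include <string.h>
typedef struct { uint16_t off, seg; } FarPtr;   /* one IVT entry */
/* Vector n of a raw 1024-byte IVT image: offset word, then segment word. */
static FarPtr ivt_vector(const uint8_t *ivt, int n) {
    FarPtr p;
    p.off = (uint16_t)(ivt[n * 4] | ivt[n * 4 + 1] << 8);
    p.seg = (uint16_t)(ivt[n * 4 + 2] | ivt[n * 4 + 3] << 8);
    return p;
}

static void set_vector(uint8_t *ivt, int n, uint16_t seg, uint16_t off) {
    ivt[n * 4] = (uint8_t)off;     ivt[n * 4 + 1] = (uint8_t)(off >> 8);
    ivt[n * 4 + 2] = (uint8_t)seg; ivt[n * 4 + 3] = (uint8_t)(seg >> 8);
}

enum { VEC_CHANGED = 1, MEM_SHRUNK = 2, FAR_JMP_PATCH = 4 };

/* Flags: a watched vector (Int 13h disk, Int 21h DOS) differs from the
 * baseline; the BIOS data area memory-size word (0040:0013) went down;
 * the handler's first byte is EA (JMP FAR), i.e. the routine was patched. */
static int check_vectors(const uint8_t *base, const uint8_t *cur,
                         uint16_t base_kb, uint16_t cur_kb,
                         const uint8_t *handler_bytes) {
    static const int watched[] = { 0x13, 0x21 };
    int flags = 0;
    for (size_t i = 0; i < sizeof watched / sizeof watched[0]; i++) {
        FarPtr a = ivt_vector(base, watched[i]), b = ivt_vector(cur, watched[i]);
        if (a.off != b.off || a.seg != b.seg) flags |= VEC_CHANGED;
    }
    if (cur_kb < base_kb) flags |= MEM_SHRUNK;
    if (handler_bytes[0] == 0xEA) flags |= FAR_JMP_PATCH;
    return flags;
}

/* Constructed scenario: Int 13h repointed to a high segment and 2 KB of
 * conventional memory gone; the handler prologue (55 = PUSH BP) is intact. */
int demo_hooked(void) {
    uint8_t base[1024] = { 0 }, cur[1024];
    const uint8_t prologue[] = { 0x55, 0x8B, 0xEC };
    set_vector(base, 0x13, 0xF000, 0xEC59);
    set_vector(base, 0x21, 0x0116, 0x109E);
    memcpy(cur, base, sizeof base);
    set_vector(cur, 0x13, 0x9F80, 0x0010);
    return check_vectors(base, cur, 640, 638, prologue);
}
```

On a real machine the two images would be read from 0000:0000 and the word from 0040:0013 (once before DOS loads, once after) instead of being constructed.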