rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) (03/12/91)
In one of our public labs, we have a Zenith 159 with hard disk attached to a laser printer. We have SOPHCO's PROTEC system installed on said Zenith and we offer 3 flavors of Word Perfect (and charge a quarter per page for printing).

We had been experiencing problems accessing files and printing (users have their documents on their floppy; we don't want them playing too much with the hard disk, hence the PROTEC system). Upon examination we found the Stoned virus on the hard disk. I didn't do the scanning, but the person who did said Stoned didn't show up in memory (the scan was done by exiting out of PROTEC by using the supervisor's password). Said person also cleaned things up. (The virus got on the machine by some student trying to break into the machine by booting off a floppy that happened to be infected.)

I find this interesting. Short of re-infecting the machine to investigate further, I'm curious as to why Stoned didn't show in memory when a boot from floppy hadn't been done. I'm also curious about the mechanism of transferral under PROTEC. Does anyone have any insight to offer?

Thanks.

Richard Travsky                              Bitnet:   RTRAVSKY @ UWYO
Division of Information Technology           Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                        (307) 766 - 3663 / 3668
bdh@uchicago.UCAR.EDU (Brian D. Howard) (03/19/91)
rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) writes:
>I find this interesting. Short of re-infecting the machine to
>investigate further, I'm curious as to why Stoned didn't show in
>memory when a boot from floppy hadn't been done.

Probably because Stoned steals 2K for itself (why 2K I dunno; I think he only needs to dec AL once? Figured it's a bug). It then updates the BIOS data segment (413h) to indicate that the tip-top of memory is right below it. Scan utilities that rely on that table being accurate might not bother to check any higher.

(An aside note: the 'Stoned' program compares the jump at its first location with that of the boot sector on the potential target in order to decide if it's already 'infected' said target. If you haven't already, you might disassemble and modify your boot sector code to reflect the identical jump so that it looks like it's already infected...)

--
"Hire the young while they still know everything."
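The mechanism described in the reply above (a resident boot-sector virus lowering the BIOS memory-size word at 0040:0013, so that a scanner which trusts that word stops short of the block reserved at the top of conventional memory) can be checked for directly. What follows is an added example, not code from either post: it reads that word from a constructed BIOS data area snapshot, compares it with the 640 KB a fully populated PC-class machine is expected to report, and works out the real-mode segment range a scan that trusts the BIOS figure would never look at. The 640 KB expectation, the constructed snapshots and the function names are assumptions made for this example.

```python
import struct

# Assumed for this example: base memory a fully populated PC/XT-class machine reports, in KB.
EXPECTED_BASE_KB = 640

# Offset of the "memory size in KB" word within the BIOS data area (linear 0x413 = 0040:0013).
MEMSIZE_OFFSET = 0x13


def read_memsize_kb(bda: bytes) -> int:
    """Return the 16-bit little-endian memory-size word at BDA offset 0x13."""
    return struct.unpack_from("<H", bda, MEMSIZE_OFFSET)[0]


def hidden_region(bda: bytes, expected_kb: int = EXPECTED_BASE_KB):
    """Compare the BIOS figure against what is physically installed.

    Returns None when the BIOS agrees with the expected size, otherwise a tuple
    (missing_kb, start_segment, end_segment): the KB the BIOS no longer admits to,
    and the real-mode segment range a scanner that stops at the BIOS figure skips.
    """
    reported = read_memsize_kb(bda)
    if reported >= expected_kb:
        return None
    missing = expected_kb - reported
    # One real-mode segment covers 16 bytes, so a KB boundary sits at segment KB * 64.
    start_seg = reported * 64
    end_seg = expected_kb * 64
    return missing, start_seg, end_seg


def bytes_reported(bda: bytes) -> int:
    """Total conventional memory in bytes as a DOS memory report would show it."""
    return read_memsize_kb(bda) * 1024


def describe(bda: bytes, expected_kb: int = EXPECTED_BASE_KB) -> str:
    """Human-readable verdict for an operator checking a lab machine."""
    region = hidden_region(bda, expected_kb)
    if region is None:
        return f"BIOS reports {read_memsize_kb(bda)} KB: nothing unaccounted for."
    missing, start_seg, end_seg = region
    return (f"BIOS reports {read_memsize_kb(bda)} KB, expected {expected_kb} KB: "
            f"{missing} KB unaccounted for at segments {start_seg:04X}h-{end_seg:04X}h; "
            f"a scan that stops at the BIOS figure never inspects that block.")


def make_bda(memsize_kb: int) -> bytes:
    """Constructed sample: a 256-byte BIOS data area with only the memory-size word set."""
    bda = bytearray(256)
    struct.pack_into("<H", bda, MEMSIZE_OFFSET, memsize_kb)
    return bytes(bda)


# Constructed snapshots: a clean machine, and one with 2 KB shaved off as the post describes.
CLEAN_BDA = make_bda(640)
SUSPECT_BDA = make_bda(638)

if __name__ == "__main__":
    for label, snapshot in (("clean", CLEAN_BDA), ("suspect", SUSPECT_BDA)):
        print(f"{label}: {bytes_reported(snapshot)} bytes; {describe(snapshot)}")
```

The useful part for a lab operator is the segment arithmetic: with 2 KB removed from a 640 KB machine the BIOS word reads 638, so the unaccounted-for block starts at segment 9F80h and runs to A000h, exactly the stretch a memory scan that honours the BIOS figure leaves unread. Comparing the byte count against what the machine reported on a known-clean day is a cheap check that does not depend on any scanner signature.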