8326442@AWIWUW11.BITNET (Martin Zejma) (01/10/91)
hello virus-proofed community |

Last week I found the (or a) oh-so-old-but-never-found Yankee Doodle Virus at a friend's, safely jailed on a floppy disk. I worked through the code quite heavily, found nothing unbelievably clever but: after copying the virus code to the top of memory (I worked hard to figure out the meaning of TOM in recent issues), it gets the size of the absolute system memory for DOS from a word in the BIOS segment (280h), multiplies this by various things to get the end of memory (A000:0000) AND THEN ::: checksums 61 words starting from A000:014E (or 012E, I'm not sure without the source next to me), simply adding all these 61 words together, and if the result is something like 0b52, it writes a jump instruction into high memory, pointing to a small procedure which changes Int 13h (disk interrupt).

On my system (a 286 Neat with 2 MB RAM running at 20 MHz 1 WS) there is nothing accessible after A000:0000, everything just HIGH-VALUE (FFh), not possible to change a byte. I tried using Shadow RAM enabled at A000, but that also failed.

SO THE ONE AND ONLY QUESTION:
Are there systems where this part of memory is accessible, or would the virus just overwrite another resident virus when the value in the BIOS segment is below 280h due to a previous (already running) infection?

Please many answers and soon, I'm puzzled.

Sincerely yours,
Martin

+-----------------------------------------------------------------------+
| Martin Zejma 8326442 @ AWIWUW11.BITNET                                |
|                                                                       |
| Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria    |
+-----------------------------------------------------------------------+
cjimenez@anyware.es (Carlos Jimenez) (01/10/91)
>Send by Martin Zejma <8326442@AWIWUW11.BITNET>:
>
>hello virus-proofed community |
>Last week I found the (or a) oh-so-old-but-never-found Yankee ...
>...
>SO THE ONE AND ONLY QUESTION:
>Are there systems where this part of memory is accessible or would the
>virus just overwrite another resident virus when the value in the
>BIOS segment is below 280h due to a previous (already running)
>infection?

The segment A000h of the computer is used by graphics cards like EGA, MCGA & VGA to implement graphics modes 0Dh to 13h and new modes of higher resolution. This segment of memory isn't used in text modes. Thus, when you use text modes (the normal situation if you don't work in Windows) the virus can use the segment A000h.

Probably you have a CGA or Hercules Graphics Card and then you can't use this segment (there isn't RAM for the virus in this segment).

I hope this comment can help you.

Carlos Jimenez
R+D Manager                        Phone: +34 1 556 92 15
ANYWARE Information Security              +34 1 556 92 16
General Peron, 32                  Fax:   +34 1 556 91 58
28020 Madrid (SPAIN)               EUnet: cjimenez@anyware.es
CHESS@YKTVMV.BITNET (David.M.Chess) (01/11/91)
Martin Zejma <8326442@AWIWUW11.BITNET>:
> Are there systems where this part of memory is accessible or would the
> virus just overwrite another resident virus when the value in the
> BIOS segment is below 280h due to a previous (already running)
> infection?

I haven't verified it myself, but a reasonably authoritative rumor says that the checksum the virus does will detect a Bouncing Ball (a.k.a. "Ping Pong") infection active in memory, and patch it so that it (eventually?) stops infecting. There are a few other cases of viruses that look for other viruses; the Den Zuk / Ohio family look for and remove the Brain (before installing themselves), the TPxxVIR look for and remove earlier members of the family, and so on.

DC
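The arithmetic behind Martin's question and David's answer, as an added C example that is not code from the thread: the BIOS memory-size word is turned into a top-of-memory segment, and the 61-word sum is taken at offset 014Eh of that segment, so with the count lowered to 638 KB by an earlier resident program the window lands inside that program rather than at A000h, which is how the sum can serve as a fingerprint of Bouncing Ball (a memory scanner could apply the same check to a dump). Assumptions: the memory image, the 2 KB resident stand-in and its word pattern are constructed here; the 014Eh offset and the 0B52h value are quoted from the post, not verified against the virus.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of memory around the 640 KB line: linear 0x9F000..0xA0FFF
   (8 KB, zero-filled). Nothing here is taken from a real machine. */
#define IMG_BASE 0x9F000UL
#define IMG_SIZE 0x2000UL
static uint8_t image[IMG_SIZE];

/* The BIOS data area word at 0040:0013 gives conventional memory in KB; the
   first segment above it is KB * 1024 / 16, so 640 (280h) KB yields A000h. */
uint16_t top_segment(uint16_t memory_kb) { return (uint16_t)(memory_kb * 64u); }

uint32_t linear(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }

/* Sum of nwords little-endian 16-bit words at a linear address, mod 2^16.
   Returns -1 when the range lies outside the modelled image. */
int32_t word_checksum(uint32_t addr, int nwords) {
    if (addr < IMG_BASE || addr + 2u * (uint32_t)nwords > IMG_BASE + IMG_SIZE) return -1;
    uint16_t sum = 0;
    for (int i = 0; i < nwords; i++) {
        const uint8_t *p = image + (addr - IMG_BASE) + 2 * i;
        sum = (uint16_t)(sum + (uint16_t)(p[0] | (p[1] << 8)));
    }
    return sum;
}

/* Constructed stand-in for a 2 KB resident program that lowered the BIOS count
   from 640 to 638 KB: 60 words of 0030h and one of 0012h at offset 014Eh of its
   segment, chosen so that they sum to 0B52h (60 * 48 + 18 = 2898). */
void plant_resident(uint16_t seg) {
    memset(image, 0, sizeof image);
    uint32_t a = linear(seg, 0x014E) - IMG_BASE;
    for (int i = 0; i < 61; i++) {
        uint16_t w = (i < 60) ? 0x0030 : 0x0012;
        image[a + 2 * i] = (uint8_t)(w & 0xFF);
        image[a + 2 * i + 1] = (uint8_t)(w >> 8);
    }
}

/* The check as the post describes it, for a given BIOS memory count in KB. */
int fingerprint_matches(uint16_t memory_kb) {
    return word_checksum(linear(top_segment(memory_kb), 0x014E), 61) == 0x0B52;
}

int main(void) {
    plant_resident(top_segment(638));   /* resident program sits at 9F80:0000 */
    printf("640 KB: %d, 638 KB: %d\n", fingerprint_matches(640), fingerprint_matches(638));
    return 0;
}
```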