cjimenez@anyware.es (Carlos Jimenez) (01/10/91)
>Is there any way to prevent a virus from infecting a hard disk when
>you cold boot with an infected diskette in drive a: ? (I should have
>written "when you unfortunately have left a diskette in drive a:" or
>"when you leave your computer unattended and someone boots from a
>diskette").
>
>Paul M. Monat    Lab Manager                 Phone: 613-564-6895/6500
>                 Faculty of Administration   Fax: 613-564-6518
>                 Canada K1N 6N5              Bitnet: Monat @ Uottawa

When you turn on the computer, the ROM BIOS checks the machine and then
searches for a diskette in drive A:. If it can read a boot sector, it
reads it to 0000:7C00 and runs it. (There are some BIOSes for ATs, '386 &
'486 that permit configuring which drive to start from and store this
information in CMOS memory. I don't know if this is your case.)

When a boot sector virus infects a diskette (with or without operating
system) it can make a boot sector that can infect any hard disk using

- direct access to hard disk port (I don't know any virus that uses this
  method actually),
- BIOS Int 13h Function 03 (Write sector) (like Stoned)
- DOS Int 26h (Write absolute sector) (like Bouncing Ball).

I don't know any solution through software for the first two methods of
infection, but I can suggest that you change the ROM or add some EPROM
that prevents boot from A:.

The third method of infection has a solution using software. If you clear
the partition table of your hard disk, DOS can't recognize the hard disk
(as if it had no low-level format), and Int 26h calls will fail. For a
successful boot from hard disk you must replace the original bootstrap
routine with another that writes the original partition table and then
reads the boot sector of the active partition and executes it. You must
include a program that clears the partition table again (I have a driver
in CONFIG.SYS).

WARNING:

- This method forces two writes in the partition sector (to create and
  erase the partition table) on each warm or cold boot. It can reduce the
  MTBF (Mean Time Between Failures) of this sector, and a write error can
  be dangerous.
- If you don't have DOS in the active partition, the problem is more
  complicated. (I can send you some ideas.)

Carlos Jimenez                  R+D Manager    Phone: +34 1 556 92 15
ANYWARE Information Security                          +34 1 556 92 16
General Peron, 32                              Fax:   +34 1 556 91 58
28020 Madrid (SPAIN)                           EUnet: cjimenez@anyware.es

frisk@rhi.hi.is (Fridrik Skulason) (01/10/91)
MONAT%UOTTAWA@acadvm1.uottawa.ca writes:
>Is there any way to prevent a virus from infecting a hard disk when
>you cold boot with an infected diskette in drive a: ?

Not without additional hardware I'm afraid. Any program run from
AUTOEXEC.BAT or CONFIG.SYS is run after the disk has booted, and
(possibly) infected the hard disk.

You can get software which will detect the infection as soon as it
happens, but to prevent it, you need additional hardware, which will
prevent writes to the hard disk, unless some conditions are met.

--
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |
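
Added example, not part of either post and not any product's code: a check over a saved copy of the hard disk's partition sector that reports a changed boot routine and an emptied partition table, the at-rest state of the table-clearing scheme described in the first reply. It assumes the standard PC layout (boot code in bytes 0-445, four 16-byte entries from offset 0x1BE, 55 AA in the last two bytes); function names and sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE           # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of the sector
ENTRY = "<B3xB3xII"            # status, (CHS start), type, (CHS end), LBA start, count

def parse_partition_table(sector):
    """Return the non-empty partition entries of one 512-byte partition sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        if any(raw):
            status, ptype, lba_start, count = struct.unpack(ENTRY, raw)
            entries.append({"slot": slot, "active": status == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries

def check_sector(sector, baseline_code_hash):
    """List the ways a sector copy differs from the recorded known-good state."""
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 55 AA boot signature")
    if hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest() != baseline_code_hash:
        findings.append("boot code differs from baseline")
    if not parse_partition_table(sector):
        findings.append("partition table is empty")
    return findings

def build_sector(code_fill, entries=()):
    """Constructed sample: filler bytes as boot code plus the given table entries."""
    sector = bytearray([code_fill]) * TABLE_OFFSET + bytearray(64) + BOOT_SIGNATURE
    for slot, fields in enumerate(entries):
        struct.pack_into(ENTRY, sector, TABLE_OFFSET + 16 * slot, *fields)
    return bytes(sector)

# Constructed samples (filler bytes, not real boot code).
DOS_PARTITION = (0x80, 0x04, 17, 41599)        # active, FAT16, made-up geometry
GOOD = build_sector(0x90, [DOS_PARTITION])
CLEARED = build_sector(0x90)                   # table wiped, boot code intact
OVERWRITTEN = build_sector(0xCC, [DOS_PARTITION])
BASELINE = hashlib.sha256(GOOD[:TABLE_OFFSET]).hexdigest()

if __name__ == "__main__":
    for name, sector in (("good", GOOD), ("cleared", CLEARED), ("overwritten", OVERWRITTEN)):
        print(name, check_sector(sector, BASELINE) or "no findings")
```

Under the table-clearing scheme the "partition table is empty" finding is expected whenever DOS is not running; only a boot code mismatch indicates that the sector's boot routine was rewritten.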