LANDEN@HROEUR5.BITNET (11/20/90)
> From: Michael_Kessler.Hum@mailgate.sfsu.edu
>
> 2. To avoid infecting the network should a student use outside
> software on various stations, we recommend that all stations be turned
> off after use so that nothing stays in memory (Jerusalem B survives
> warm reboots).

I have experimented quite a bit with Jerusalem-B but I have never seen it survive a warm boot. Could anyone explain to me how it is possible for any virus to survive a warm boot by any method other than infecting something on the boot disk? In my experience a warm reboot always re-initializes the interrupt vectors, a process that no virus in memory would survive.

The only method I can think of is by intercepting the Ctrl-Alt-Del keystroke and doing a reboot with int 19h; this would be difficult because it would require the virus to store the original interrupt vectors before anyone could alter them and hide in the top of the system memory. The only type of virus that could perform this would probably be a bootsector virus. If a virus used the above method it would probably alarm even a novice user because the system would no longer go through the BIOS startup tests.

Maybe the 386+ processors have capabilities that make other methods possible?

Peter van der Landen
Erasmus University, Rotterdam.
tomah@sssab.se (Tomas Ahl) (11/22/90)
LANDEN@HROEUR5.BITNET writes:
[...]
> I have experimented quite a bit with Jerusalem-B but I have never seen
> it survive a warm boot. Could anyone explain to me how it is possible
> for any virus to survive a warm boot by any method other than
> infecting something on the boot disk. In my experience a warm reboot
> always re-initializes the interrupt vectors, a process that no virus
> in memory would survive.

Take this scenario: The virus traps the hardware keyboard interrupt and sorts out Ctrl-Alt-Del. When it detects C-A-Del it 'simulates' a reboot through stepping the floppy motors, blanking the screen etc. After this the computer seems to restart and voila, the virus can continue its 'work'. Not to mention I have a description of a virus doing exactly this; all other keyboard interrupts are passed on to the regular interrupt handler of course...

> Peter van der Landen
> Erasmus University, Rotterdam.

In my view, the most important thing to remember when discussing viruses is that if BIOS and/or DOS can do it **any program can do it** and thus a virus can too. Of course this is true for any computer/operating system not utilizing hardware to block the normal user out from system areas in the machine, not only DOS systems. DOS systems on the other hand are more vulnerable than they need to be because it is common practice for programs to fiddle around in the system areas to get things done that they need to do!

============================================================================
Tomas Ahl            | phone +46 13 111660
Computer 'n' Ranch   | fax   +46 13 115193
                     | mail  tomah@sssab.se
franks@cicux.neth.hp.com (Frank Slootweg CRC) (11/22/90)
> From: Michael_Kessler.Hum@mailgate.sfsu.edu
>
> 2. To avoid infecting the network should a student use outside
> software on various stations, we recommend that all stations be turned
> off after use so that nothing stays in memory (Jerusalem B survives
> warm reboots).

I think reports of viri which survive warm reboots are caused by misunderstanding the viri and/or the viri scanners. The essential parts in the above text are "stays in memory" (true) and "survives warm boots" (false).

I had Jerusalem B on my PC and when warm booting from a clean floppy and running McAfee's SCAN from that floppy, SCAN indeed says that Jerusalem B is in memory. However, because of the warm boot the virus can not *execute* anymore. Often if you first skip SCAN's scan of memory (i.e. no /M), memory will be "cleared" (i.e. overwritten with SCAN's data space) and a subsequent SCAN /M will not say that Jerusalem B is in memory (because it isn't anymore).

Perhaps virus scanners should include an option or a separate program which can be used to clear all of memory after a virus has been found in memory, so this class of false alarms can be eliminated.

Frank Slootweg, Hewlett-Packard, The Netherlands, (*not* in PC support).
hartnegg@SUN1.RUF.UNI-FREIBURG.DE (Klaus Hartnegg) (12/20/90)
franks@cicux.neth.hp.com (Frank Slootweg CRC) writes:
> I think reports of viri which survive warm reboots are caused by
> misunderstanding the viri and/or the viri scanners.
[...]
> Perhaps virus scanners should include an option or a separate
> program which can be used to clear all of memory after a virus has
> been found in memory, so this class of false alarms can be eliminated.

I am not sure whether these are really false alarms in all cases. Viri CAN survive warm boot because not all vectors are reset in a warm boot! I know for example a CGA emulator for Hercules cards that does survive warm boot. It CAN be done! I do not know, however, whether there are already viri that really do it.

--
---------------------------------------------------------------
Klaus Hartnegg, Kleist-Str. 7, D-7835 Teningen, Tel 07641/48652
BITNET   : HAKL@DFRRUF1
Internet : HAKL@ibm.ruf.uni-freiburg.de
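The two situations argued over above (Frank's: the signature is still in RAM after a warm boot but nothing points at the code any more, so the scanner's "in memory" report is a leftover; Klaus's: a vector the BIOS does not rewrite still points into the resident code, so it is genuinely live) can be told apart by looking at the interrupt vector table rather than at the signature alone. The following is an added example written for this archive, not code from any of the posters, from McAfee, or from any real scanner. It models a real-mode PC in Python: a constructed 1 MiB memory image, the 256-entry IVT at physical address 0 (each entry a 4-byte far pointer, offset word then segment word), a constructed resident program at a constructed segment 9F00h with a made-up signature string, and a warm boot that is simulated as "the BIOS rewrites the listed vectors and leaves RAM contents alone". Which vectors a given BIOS rewrites is taken as a parameter because the thread itself disagrees on that point.

```python
"""Toy model of a memory scan after a warm boot (constructed example).

A signature-only memory scan answers "are the virus's bytes in RAM?".
Whether the resident code can still *run* is a different question:
something has to transfer control to it, and for a DOS-era resident
that means an interrupt vector pointing into its code.  This model
builds both checks and shows how they disagree after a warm boot.
"""
import struct

MEM_SIZE = 1 << 20                        # 1 MiB real-mode address space
SIGNATURE = b"TOY-RESIDENT-SIG"           # constructed; not a real signature
RESIDENT_SEG = 0x9F00                     # constructed: top of conventional RAM
RESIDENT_LEN = 0x1000                     # constructed size of the resident code
BIOS_SEG = 0xF000                         # constructed BIOS handler segment


def far_ptr(seg, off):
    """Physical address of a real-mode segment:offset pair."""
    return (seg << 4) + off


def read_vector(mem, n):
    """IVT entry n -> (segment, offset).  Entries are 4 bytes: offset, segment."""
    off, seg = struct.unpack_from("<HH", mem, n * 4)
    return seg, off


def write_vector(mem, n, seg, off):
    struct.pack_into("<HH", mem, n * 4, off, seg)


def bios_default(n):
    """Constructed address of the BIOS's own handler for interrupt n."""
    return BIOS_SEG, 0x0100 + n * 0x10


def build_image():
    """Memory with a constructed resident program hooking INT 09h and INT 21h."""
    mem = bytearray(MEM_SIZE)
    for n in range(256):
        write_vector(mem, n, *bios_default(n))
    base = far_ptr(RESIDENT_SEG, 0)
    mem[base:base + len(SIGNATURE)] = SIGNATURE
    write_vector(mem, 0x09, RESIDENT_SEG, 0x0040)   # hardware keyboard interrupt
    write_vector(mem, 0x21, RESIDENT_SEG, 0x0080)   # DOS services
    return mem


def warm_boot(mem, reset_vectors):
    """Simulated warm boot: rewrite only the given vectors, leave RAM as is."""
    for n in reset_vectors:
        write_vector(mem, n, *bios_default(n))


def signature_scan(mem):
    """Signature-only memory scan; returns the offset or None."""
    pos = mem.find(SIGNATURE)
    return pos if pos >= 0 else None


def hooked_vectors(mem, lo, hi):
    """Interrupt numbers whose vector points into the physical range [lo, hi)."""
    return [n for n in range(256) if lo <= far_ptr(*read_vector(mem, n)) < hi]


def classify(mem, region_len=RESIDENT_LEN):
    """'clean'   : signature not in RAM
       'residue' : signature present but no vector reaches it (cannot run)
       'active'  : signature present and at least one vector points at it"""
    pos = signature_scan(mem)
    if pos is None:
        return "clean"
    base = pos & ~0xF                          # round down to the paragraph
    return "active" if hooked_vectors(mem, base, base + region_len) else "residue"


def clear_memory(mem, lo, hi):
    """The 'clear all of memory' step suggested in the thread."""
    mem[lo:hi] = bytes(hi - lo)


def demo():
    """Run the three cases discussed in the thread and return their verdicts."""
    results = {}
    mem = build_image()
    results["before_boot"] = classify(mem)                    # active

    warm_boot(mem, range(256))                                # BIOS resets every vector
    results["full_reset"] = classify(mem)                     # residue: bytes, no hook

    mem = build_image()
    warm_boot(mem, set(range(256)) - {0x21})                  # one vector left untouched
    results["partial_reset"] = classify(mem)                  # active: still reachable

    lo = far_ptr(RESIDENT_SEG, 0)
    clear_memory(mem, lo, lo + RESIDENT_LEN)
    results["after_clear"] = classify(mem)                    # clean
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
```

The `full_reset` case is Frank's observation: `signature_scan` still finds the bytes, so a scanner that stops there reports the virus "in memory", while `hooked_vectors` comes back empty and nothing can transfer control to the code. The `partial_reset` case is Klaus's point: if the BIOS leaves even one vector pointing into the resident code, the same bytes are live again after the boot. Clearing the region, as Frank proposes, removes the ambiguity in both cases.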