[comp.virus] Viruses surviving a warm boot

CCTR132@csc.canterbury.ac.nz (Nick FitzGerald) (12/19/90)

In V3 #203 franks@cicux.neth.hp.com (Frank Slootweg CRC) wrote:

>> From:  Michael_Kessler.Hum@mailgate.sfsu.edu
>>
>> 2.  To avoid infecting the network should a student use outside
>> software on various stations, we recommend that all stations be turned
>> off after use so that nothing stays in memory (Jerusalem B survives
>> warm reboots).
>
>  I think reports of viruses which survive warm reboots are caused by
>misunderstanding the viruses and/or the virus scanners.
>
>  The essential parts in the above text are "stays in memory" (true) and
>"survives warm boots" (false).
>
>  I had Jerusalem B on my PC and when warm booting from a clean floppy
>and running McAfee's SCAN from that floppy, SCAN indeed says that
>Jerusalem B is in memory. However, because of the warm boot the virus
>cannot *execute* anymore. Often if you first skip SCAN's scan of
>memory (i.e. no /M), memory will be "cleared" (i.e. overwritten with
>SCAN's data space) and a subsequent SCAN /M will not say that
>Jerusalem B is in memory (because it isn't anymore).

This may be true of the Jerusalem family, but I understand that there
are viruses that (attempt to) intercept Ctrl/Alt/Del so they are not
removed by a "warm boot".  It would be possible to write a crude boot
simulation (which would easily fool most users) but which would leave
the viral code "active".

I would recommend that you turn off then restart a PC left by another
user, or if you have the option press the hardware Reset switch (on HD
machines this has obvious advantages).  (Some students here revel in
writing DOS command line simulator progs that they leave running when
they leave a terminal.  An unsuspecting user comes along, logs in,
enters password, the program writes both to a file, and then when the
new user tries to execute a command the prog will return some
plausible sounding error message suggesting that a re-boot is needed.
The user obliges and the author of the prog has another usercode and
password to add to their list.)

---------------------------------------------------------------------------
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 Internet: n.fitzgerald@csc.canterbury.ac.nz        Phone: (64)(3) 642-337