padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (11/27/90)
a) To those who have sent me E-Mail without reply, there are two
possibilities: 1) my "baroque" (as Ken puts it) server/address lost
the mail (I get about 2/3rds of what is sent), or 2) the same system
could not decode the return address & I could not figure out an
alternative route (not being very experienced in Internet).
In any event I do try to answer all mail received but can make no
guarantees.
b) There seems to be a bit of hysteria building about magical qualities
of viruses. T'aint so! On a PC at least, ALL viruses (and trojans,
worms, etc) must execute to infect a system. Some have rather convoluted
means of doing so but must execute FIRST in order to activate. The
user is part of this process since a PC will not execute anything new
unless told to do so. Incidentally, the MAC is no different, except that
when a floppy is inserted, the O/S immediately looks for a DESKTOP file
on the floppy and executes it.
The CMOS RAM (clock, etc) cannot be executed. PERIOD. It might act as
a storage facility for malicious software that knows where it is, but
code executing from DOS memory addressable by the IP must have stored
such information and is needed to retrieve it. DOS currently won't.
Boot sector infectors (Stoned, Brain, Joshi, etc) are executable code
that is stored in an area executed during the boot process. Without
initiating a boot, you can leave the floppy in the drive forever and
not become infected. COPYing or XCOPYing files from an infected disk
will not infect a machine; however, DISKCOPY can pass the infection to
a new disk. To infect a machine, the infected disk must be in the
drive when a boot (warm or cold) is initiated.
"Stealth" viruses simply trap interrupts (usually 21h) when they go
resident and remove the virus code when an application requests an
infected file so that a validator just "sees" the original file, but
they must be resident in memory to work. Most go after COMMAND.COM
first since the transient portion is usually loaded right after an
upper-memory virus goes resident. Good validation programs will flag
this on the next load, but if the user says to "go ahead anyway", all
bets are off. Every one of these that I have seen is easily detectable
in memory just with what comes with DOS. The WHALE may have 30 different
encryption algorithms, but all take memory from DOS.
One of the biggest myths about nearly every virus is the "survives
warm boots (ctrl-alt-del)". Yes, some do, but the few I am aware of
all become resident in one area at the top of memory, change the
Int 12h return (280h for a 640k machine), and trap the "warm boot"
mechanism. Neither the common varieties of the Jerusalem nor the Stoned
do this; however, to be safe, NOTHING survives a cold boot from a
clean, protected floppy.
Finally, for those just starting with Virus-L, I would suggest the
following reading: Advanced MS-DOS by Ray Duncan, Microsoft Press;
The 8086 Family User's Guide from Intel (later versions are also good);
System BIOS for IBM PC/XT/AT Computers and Compatibles from Phoenix
Technologies Ltd, Addison-Wesley; Assembly Language Programming for the
IBM PC AT, Brady; the Winn Rosch Hardware Bible by Winn Rosch, Brady;
and THEN the Virus Information Summary List by Patricia Hoffman,
available electronically.
As a final exam, write a functional floppy boot record using LODSB,
Int 10h (fn 0Eh), and Int 16h. For extra credit, use Int 12h and XLAT
to report system memory at boot & validate your boot record. HINT: in
the boot record, PUSH CS - POP DS won't work as you expect.
Padgett
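A worked answer to the "final exam" above, added here as an illustration; it is not Padgett's code and does not come from the original post. It is written in NASM syntax and assumes `nasm -f bin boot.asm -o boot.img` and a BIOS that loads the sector at physical address 7C00h. It prints a banner with LODSB and Int 10h fn 0Eh, reports the Int 12h memory size in hex by running each nibble through XLAT, compares it against an assumed 640 KB baseline (`EXPECT_KB`), and waits on Int 16h before handing control back to the BIOS. The hint about PUSH CS / POP DS is handled at the top: a BIOS may enter the boot record at either 0000:7C00 or 07C0:0000, so a DS copied from CS can be 07C0h and every ORG-relative offset would then be off by 7C00h; the far jump normalises CS:IP before DS is set explicitly. One caveat on the memory check: the 640 baseline is an assumption for a plain 640 KB machine, and PCs that reserve an extended BIOS data area legitimately report 639 KB, so in practice compare against a known-good value recorded on the same machine rather than a fixed constant.

```nasm
; Example floppy boot record (added illustration, not from the original post).
; Assemble: nasm -f bin boot.asm -o boot.img ; run in an emulator or write to
; a scratch floppy.  Assumption: the BIOS loads this sector at physical 7C00h.

BITS 16
ORG 0x7C00

EXPECT_KB equ 640          ; assumed baseline for a plain 640 KB machine

start:
    ; The BIOS may enter at 0000:7C00 or 07C0:0000, so PUSH CS / POP DS can
    ; leave DS = 07C0h and make every ORG-relative offset wrong by 7C00h.
    ; Normalise CS:IP with a far jump, then load DS explicitly.
    jmp 0x0000:main
main:
    cli
    xor ax, ax
    mov ds, ax
    mov es, ax
    mov ss, ax
    mov sp, 0x7C00         ; stack grows down from just below the boot record
    sti
    cld                    ; LODSB must increment SI

    mov si, banner
    call puts

    int 0x12               ; AX = conventional memory size in KB
    mov [memkb], ax
    mov si, memmsg
    call puts
    mov ax, [memkb]
    call puthex16          ; e.g. prints 0280 for 640 KB
    mov si, kbmsg
    call puts

    cmp word [memkb], EXPECT_KB
    jae memok
    mov si, lowmsg         ; something has lowered the Int 12h return
    call puts
memok:
    mov si, keymsg
    call puts
    xor ah, ah
    int 0x16               ; Int 16h fn 00h: wait for a key (AL = ASCII, AH = scan)
    int 0x19               ; restart the BIOS bootstrap loader

; puts - print the NUL-terminated string at DS:SI with the BIOS teletype call
puts:
    lodsb                  ; AL = [DS:SI], SI = SI + 1
    test al, al
    jz .done
    mov ah, 0x0E           ; Int 10h fn 0Eh: teletype output of AL
    mov bx, 0x0007         ; page 0, attribute 7
    int 0x10
    jmp puts
.done:
    ret

; puthex16 - print AX as four hex digits, translating each nibble with XLAT
puthex16:
    mov dx, ax
    mov bx, hexdigits      ; XLAT reads AL = [DS:BX + AL]
    mov ch, 4              ; four nibbles, high to low
.next:
    mov cl, 4
    rol dx, cl             ; 8086 shift counts other than 1 must be in CL
    mov al, dl
    and al, 0x0F
    xlat                   ; AL = ASCII digit for this nibble
    mov ah, 0x0E
    push bx
    mov bx, 0x0007
    int 0x10
    pop bx
    dec ch
    jnz .next
    ret

hexdigits db '0123456789ABCDEF'
memkb     dw 0
banner    db 'Boot record OK', 13, 10, 0
memmsg    db 'Int 12h reports ', 0
kbmsg     db 'h KB', 13, 10, 0
lowmsg    db 'WARNING: below expected size, check top of memory', 13, 10, 0
keymsg    db 'Press any key to reboot', 0

times 510 - ($ - $$) db 0  ; pad to 510 bytes
dw 0xAA55                  ; boot signature the BIOS checks before jumping here
```

The check it performs is exactly the one described above for viruses that survive a warm boot: a module that has gone resident at the top of memory and patched the Int 12h return shows up as a reported size below the machine's baseline, before DOS and anything in CONFIG.SYS or AUTOEXEC.BAT has had a chance to load. Because the record only uses BIOS services, it runs identically from a write-protected floppy, which is the cold-boot baseline the post recommends.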