padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (11/27/90)
a) To those who have sent me E-Mail without reply, there are two possibilities: 1) my "baroque" (as Ken puts it) server/address lost the mail (I get about 2/3rds of what is sent); 2) the same system could not decode the return address & I could not figure out an alternative route (not being very experienced in Internet). In any event I do try to answer all mail received but can make no guarantees.

b) There seems to be a bit of hysteria building about magical qualities of viruses. T'aint so! On a PC at least, ALL viruses (and trojans, worms, etc.) must execute to infect a system. Some have rather convoluted means of doing so but must execute FIRST in order to activate. The user is part of this process since a PC will not execute anything new unless told to do so. Incidentally, the MAC is no different, only when a floppy is inserted, the O/S immediately looks for a DESKTOP file on the floppy and executes it.

The CMOS RAM (clock, etc.) cannot be executed. PERIOD. It might act as a storage facility for malicious software that knows where it is, but code executing from DOS memory addressable by the IP must have stored such information and is necessary to retrieve it. DOS currently won't.

Boot sector infectors (Stoned, Brain, Joshi, etc.) are executable code that is stored in an area executed during the boot process. Without initiating a boot, you can leave the floppy in the drive forever and not become infected. COPYing or XCOPYing files from an infected disk will not infect a machine; however, DISKCOPY can pass the infection to a new disk. To infect a machine, the infected disk must be in the drive when a boot (warm or cold) is initiated.

"Stealth" viruses simply trap interrupts (usually 21h) when they go resident and remove the virus code when an application requests an infected file so that a validator just "sees" the original file, but they must be resident in memory to work. Most go after COMMAND.COM first since the transient portion is usually loaded right after an upper memory virus goes resident. Good validation programs will flag this on the next load, but if the user says to "go ahead anyway", all bets are off. Every one of these that I have seen is easily detectable in memory just with what comes with DOS. The WHALE may have 30 different encryption algorithms, but all take memory from DOS.

One of the biggest myths about nearly every virus is the "survives warm boots (ctrl-alt-del)". Yes, some do, but the few I am aware of all become resident in one area at the top of memory, change the Int 12h return (280h for a 640k machine), and trap the "warm boot" mechanism. Neither the common varieties of the Jerusalem nor the Stoned do this; however, to be safe, NOTHING survives a cold boot from a clean, protected floppy.

Finally, for those just starting with Virus-L, I would suggest the following reading: Advanced MS-DOS by Ray Duncan, Microsoft Press; The 8086 Family User's Guide from Intel (later versions are also good); System BIOS for IBM PC/XT/AT Computers and Compatibles from Phoenix Technologies Ltd, Addison-Wesley; Assembly Language Programming for the IBM PC AT, Brady; the Winn Rosch Hardware Bible by Winn Rosch, Brady; and THEN the Virus Information Summary List by Patricia Hoffman, available electronically.

As a final exam, write a functional floppy boot record using LODSB, Int 10h (fn 0Eh), and Int 16h. For extra credit, use Int 12h and XLAT to report system memory at boot & validate your boot record. HINT: in the boot record, PUSH CS - POP DS won't work as you expect.

Padgett
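The post's two detection points, a validator that checks the boot record against a known-good copy and a check of the Int 12h memory figure (280h on a 640K machine), can be illustrated offline. The following is an added example, not code from the post or from any product it mentions; it is written in Python rather than the 8086 assembly the "final exam" asks for, and the 512-byte floppy boot record it parses is a constructed sample with a DOS 3.3-style BIOS Parameter Block, not an image of a real disk. The baseline hash is assumed to have been recorded from a clean cold boot, which is the only state in which the post considers a validator's view trustworthy, since a resident stealth virus can hand back the original contents to anything that asks.

```python
"""Added example (not from the original Virus-L post): a minimal
boot-sector validator of the kind the post alludes to.  It parses the
BIOS Parameter Block of a DOS floppy boot record, checks the 55AAh
signature and basic BPB sanity, and compares a hash of the sector
against a baseline recorded from a known-clean disk.  All sector
contents below are constructed sample data, not a real disk image."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55  # stored little-endian as 55h AAh at offset 510

# BPB layout for a DOS 3.3+ boot record (offsets 0Bh..1Bh), little-endian:
# bytes/sector, sectors/cluster, reserved sectors, FAT count, root entries,
# total sectors, media descriptor, sectors/FAT, sectors/track, heads
BPB_FORMAT = "<HBHBHHBHHH"
BPB_OFFSET = 0x0B
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media",
              "sectors_per_fat", "sectors_per_track", "heads")


def build_sample_boot_sector() -> bytes:
    """Construct a plausible clean 1.44 MB floppy boot record (sample data)."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"            # JMP SHORT +3Ch; NOP
    sec[3:11] = b"SAMPLE  "               # 8-byte OEM name
    sec[BPB_OFFSET:BPB_OFFSET + struct.calcsize(BPB_FORMAT)] = struct.pack(
        BPB_FORMAT, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    # Stand-in for the boot code: a repeating byte pattern in the code area.
    code_start = 0x3E
    for i in range(code_start, 510):
        sec[i] = (i * 7) & 0xFF
    sec[510:512] = struct.pack("<H", BOOT_SIGNATURE)
    return bytes(sec)


def parse_bpb(sector: bytes) -> dict:
    """Return the BPB fields as a dict keyed by BPB_FIELDS."""
    values = struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    return dict(zip(BPB_FIELDS, values))


def check_boot_sector(sector: bytes) -> list:
    """Return a list of problems found; an empty list means the sector looks sane."""
    problems = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    if struct.unpack_from("<H", sector, 510)[0] != BOOT_SIGNATURE:
        problems.append("missing 55AAh boot signature")
    if sector[0] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP (EBh/E9h)")
    bpb = parse_bpb(sector)
    if bpb["bytes_per_sector"] != 512:
        problems.append("bytes/sector is not 512")
    if bpb["fat_count"] not in (1, 2):
        problems.append("implausible FAT count")
    geometry = bpb["sectors_per_track"] * bpb["heads"]
    if geometry == 0 or bpb["total_sectors"] % geometry != 0:
        problems.append("total sectors not a whole number of cylinders")
    return problems


def sector_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; record this from a clean cold boot."""
    return hashlib.sha256(sector).hexdigest()


def validate_against_baseline(sector: bytes, baseline: str) -> bool:
    """True if the sector passes sanity checks and matches the stored hash."""
    return not check_boot_sector(sector) and sector_fingerprint(sector) == baseline


def memory_top_shortfall_kb(reported_kb: int, expected_kb: int = 640) -> int:
    """How many KB below the expected Int 12h value the BIOS reports.
    A non-zero result on a 640K machine means something has claimed
    the top of conventional memory before DOS got it."""
    return max(0, expected_kb - reported_kb)


def tampered_copy(sector: bytes) -> bytes:
    """Constructed test input: the same sector with one code-area byte altered."""
    sec = bytearray(sector)
    sec[0x3E] ^= 0xFF
    return bytes(sec)


if __name__ == "__main__":
    clean = build_sample_boot_sector()
    baseline = sector_fingerprint(clean)
    print("clean sector ok:", validate_against_baseline(clean, baseline))
    print("altered sector ok:", validate_against_baseline(tampered_copy(clean), baseline))
    print("Int 12h shortfall with 27Eh reported:", memory_top_shortfall_kb(0x27E), "KB")
```

The sanity checks catch a record that is structurally wrong; the hash comparison catches one that is structurally fine but not the one recorded, which is the case a boot-sector infector produces. As the post says, the comparison is only meaningful when nothing foreign is resident, so the baseline and the later checks both belong on a clean, write-protected boot floppy.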