padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (07/25/90)
Have been absent for a while as a result of vacation followed by acute bronchitis (still recovering so possibly a bit incoherent - sorry) but do have a few comments to make.

639K: I saw this first in early 1989 on a Compaq 386/20. Turned out that in the "as shipped" condition the manufacturer allocated 1k at TOM to a "mouse buffer" & was essentially null-filled (also changing a jumper on the mother board would restore it to the user). Since then several other uses for that last k of memory have surfaced, few of which are adequately documented. Though of course it is feasible, I have not yet seen a virus that just uses 1k. For example, the BRAIN reduces memory by 7K (a 640k machine drops the TOM from 280h segments to 279h or 633k).

Differences in reporting memory: Essentially there are two ways of reporting memory. The original is to use either Int 12h or locations 0:413h & 414h to report total DOS RAM available in segments (280h for 640k). The other common method is to use Int 21h Fn 48 (Allocate memory) with FFFFh in BX to return available memory. Not all programs properly handle the results, particularly when innovative means of avoiding RAM-CRAM are in use.

4096/Stealth Virus: One of the first things I was taught in doctoral work was to "Review the Literature"; another was to seek multiple citations. While there has been some confusion concerning multiple names for the same virus (e.g. 1813 vs Jerusalem), the essential characteristics are what determine a listing. A description of the 4096 appeared in Patricia Hoffman's VSUM listing in January, 1990. Consequently, any later quibbling concerning discovery would indicate a lack of research. Further, there has been some mindless denigration of some sources. In my opinion, ANY source may provide some insight, if only in how misconceptions propagate. At the same time, it must be recognized that it takes 10-20 hours per week of reading just to stay current in the field.

Virus-L provides a valuable forum for discussion, but I would strongly suggest that participants try to review at least the last six months of discussion before casting stones (but always welcome new ideas). On the authentication vs checksum question, we beat on this fairly heavily a few months ago, but two points still stand out: ultimately viral signature analysis routines are doomed through latency and sheer mass, and simple checksum analysis of existing programs is adequate so long as the algorithm used is unknown. The wide number of anti-virus routines available simply indicates that the "good enough" solution has not yet been found. Personally, I like the approach being used by Enigma-Logic's Virus-Safe that takes a "snapshot" of the system and its files using a machine-unique algorithm to encrypt the signatures. It is the first system I have seen that can be installed & maintained by a non-expert and does not require an administrator.

Padgett Peterson, 10 miles North of DisneyWorld.
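The snapshot-and-keyed-signature idea in the last paragraph, as an added example (not the post's own code and not Enigma-Logic's product): each file gets a tag keyed with a per-machine secret, so someone who knows the algorithm but not the key cannot regenerate a matching table after changing a file. The file paths, contents and keys below are constructed for the demo.

```python
import hmac
import hashlib
import os

# Constructed sample "files" (path -> contents) standing in for the program
# files a snapshot tool would walk; nothing here comes from the post.
SAMPLE_FILES = {
    "C:/DOS/COMMAND.COM": b"MZ\x90\x00constructed-command-image",
    "C:/UTIL/EDIT.EXE": b"MZ\x90\x00constructed-editor-image",
}

def machine_key(seed=None):
    # Hypothetical per-machine secret. A real tool would derive it from
    # something unique to the host and keep it out of the snapshot table.
    return seed if seed is not None else os.urandom(32)

def take_snapshot(files, key):
    # One keyed tag per file. The algorithm (HMAC-SHA256) is public; the key
    # is what a tamperer lacks, which is what "algorithm unknown" really buys.
    return {path: hmac.new(key, data, hashlib.sha256).hexdigest()
            for path, data in files.items()}

def verify_snapshot(files, key, snapshot):
    # Report files whose tag no longer matches, files that vanished, and
    # files that appeared since the snapshot was taken.
    changed = [p for p, d in files.items() if p in snapshot and not
               hmac.compare_digest(snapshot[p],
                                   hmac.new(key, d, hashlib.sha256).hexdigest())]
    missing = [p for p in snapshot if p not in files]
    new = [p for p in files if p not in snapshot]
    return {"changed": sorted(changed), "missing": sorted(missing), "new": sorted(new)}

def demo():
    key = machine_key(b"constructed-fixed-key-for-demo")
    baseline = take_snapshot(SAMPLE_FILES, key)
    # Simulated modification of one program file after the snapshot.
    modified = dict(SAMPLE_FILES)
    modified["C:/UTIL/EDIT.EXE"] += b"\x00" * 16
    # A table rebuilt under a guessed key fails for every file under the
    # machine's real key, so overwriting the table does not hide the change.
    rebuilt = take_snapshot(modified, machine_key(b"constructed-wrong-key"))
    return (verify_snapshot(modified, key, baseline),
            verify_snapshot(modified, key, rebuilt))
```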