Alan_J_Roberts@cup.portal.com (02/28/90)
This is a forward from John McAfee

=================================================================

Nino Margetic raised a good point yesterday that I have not seen discussed yet. His question was - "why would a virus be detected in memory when there is no indication of the virus in any of the system's files?". A very good question.

To begin with, as Nino pointed out, the system was infected and then disinfected. Herein lies the mystery. In the disinfection process files are read in through the DOS internal buffers, disinfected and written back out -- again passing through the DOS internal buffers. DOS has a very peculiar habit of insisting that all file creations occupy a full cluster, whether you need it or not, and rather than zeroing out the remainder of the cluster, DOS further insists on padding the remainder with whatever is currently hanging out unused in the buffer area. Why it does this I do not know -- perhaps a sense of nostalgia for what was once useful code -- who knows, but in any case this is what it does.

When a file is disinfected then, and written back as a clean file, everything beyond the end of file mark is residual from whatever has passed through the DOS buffers. Inevitably, pieces of the original virus will end up in the buffer area, located just at the end of the disinfected program. These virus pieces are then written to the disk as filler for the remainder of the cluster. This process is not unique to disinfecting. Any file creations performed while a system is infected may have this end result.

Now, whenever the file is scanned, DOS reads to the end of the file mark and passes the information to the scan routine. SCAN sees a clean file, as indeed it is. However, in the process of scanning the file, DOS had to read the entire cluster into the internal buffers (God knows why -- perhaps, again, from some sense of nostalgia for lost data) and in the process it may bring pieces of the virus into its buffers.
A memory scan will then detect this. The virus is of course not functional or harmful at this point. It is possible, of course, to design a memory scan that could differentiate between a live and a dead virus. But this would cause weaknesses in the memory scan function due to possible modifications of the virus by unknown hackers that would fool the scan. It's easy to relocate code. Not so easy to re-code the segments that are being scanned for (assuming the hacker does not know the segments being used as the I.D.). In any case, that's neither here nor there. The causes of Nino's observations are hopefully exposed. ....
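The mechanism McAfee describes (a disinfected file whose cluster slack still carries the old virus body, a file scan that stops at the end-of-file mark, and a memory scan that then finds the dead fragment in the DOS buffer) can be modelled in a few dozen lines. The Python below is an added illustration, not code from the original post or from McAfee's SCAN; the cluster size, the file name, the host bytes and the `<<TOY-SIG>>` signature are all constructed placeholders, and the `ToyDos` class is a deliberately minimal stand-in for the DOS buffer and cluster behaviour the post attributes to it.

```python
CLUSTER_SIZE = 64                # hypothetical cluster size; real DOS clusters were 512 bytes and up
SIGNATURE = b"<<TOY-SIG>>"       # constructed placeholder, not a real virus signature
VIRUS_BODY = b"JMP " + SIGNATURE + b" payload"   # constructed "virus" appended to the host


class ToyDos:
    """Minimal model of the DOS file layer with a single internal buffer.

    Files are stored as whole clusters; the logical length (the end-of-file
    mark) is tracked separately. Writes pass through `buffer`, and the unused
    tail of the last cluster is padded with whatever the buffer still holds,
    which is the behaviour the post describes.
    """

    def __init__(self, disk=None):
        self.buffer = bytearray(CLUSTER_SIZE)            # stale contents persist between calls
        self.disk = disk if disk is not None else {}     # name -> (logical_len, cluster bytes)

    def write_file(self, name, data):
        clusters = bytearray()
        for off in range(0, max(len(data), 1), CLUSTER_SIZE):
            chunk = data[off:off + CLUSTER_SIZE]
            self.buffer[:len(chunk)] = chunk        # only the bytes actually written are replaced
            clusters += bytes(self.buffer)          # the whole cluster, stale tail included, hits disk
        self.disk[name] = (len(data), bytes(clusters))

    def read_file(self, name):
        logical_len, clusters = self.disk[name]
        data = bytearray()
        for off in range(0, len(clusters), CLUSTER_SIZE):
            self.buffer[:] = clusters[off:off + CLUSTER_SIZE]   # the whole cluster lands in the buffer
            data += self.buffer
        return bytes(data[:logical_len])            # the caller only ever sees up to EOF


def file_scan(dos, name):
    """Signature scan of the file's logical contents (what a file scanner checks)."""
    return SIGNATURE in dos.read_file(name)


def memory_scan(dos):
    """Signature scan of the internal buffer (what a memory scan checks)."""
    return SIGNATURE in bytes(dos.buffer)


def slack_scan(dos, name):
    """Signature scan of the bytes between EOF and the end of the last cluster."""
    logical_len, clusters = dos.disk[name]
    return SIGNATURE in clusters[logical_len:]


def disinfect(data):
    """Strip the appended toy virus body, returning the clean host program."""
    idx = data.find(VIRUS_BODY)
    return data if idx < 0 else data[:idx]


def run_scenario():
    """Infect, disinfect, reboot, then scan; return what each scan saw."""
    host = b"MZ toy host program body"
    dos = ToyDos()
    dos.write_file("PROG.EXE", host + VIRUS_BODY)                        # file written while infected
    dos.write_file("PROG.EXE", disinfect(dos.read_file("PROG.EXE")))     # disinfection pass

    rebooted = ToyDos(dos.disk)             # same disk, fresh (zeroed) buffer
    mem_before_file_io = memory_scan(rebooted)
    file_clean = not file_scan(rebooted, "PROG.EXE")
    mem_after_file_scan = memory_scan(rebooted)
    return {
        "memory_scan_before_file_io": mem_before_file_io,        # False: nothing loaded yet
        "file_is_clean": file_clean,                             # True: bytes up to EOF are clean
        "fragment_in_slack": slack_scan(rebooted, "PROG.EXE"),   # True: padding carried the virus body
        "memory_scan_after_file_scan": mem_after_file_scan,      # True: dead fragment sits in the buffer
    }


if __name__ == "__main__":
    for check, seen in run_scenario().items():
        print(f"{check}: {seen}")
```

Two practical points fall out of the model. Running the memory scan before any file I/O (immediately after a clean boot, as the `rebooted` instance does) avoids the false alarm entirely, because the buffer has not yet been filled from disk. And a scanner that also inspects the slack region (`slack_scan`) can label such a hit as an inert fragment left behind by a previous infection, which is the triage answer to Nino's question rather than a sign of a live infection.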