Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!aplcen!ginosko!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: damon@umbc2.umbc.edu (Damon Kelley; (RJE))
Newsgroups: comp.virus
Subject: A question on detecting viruses on bootable disks (PC)
Message-ID: <0005.8909151206.AA24769@ge.sei.cmu.edu>
Date: 14 Sep 89 19:10:00 GMT
Sender: Virus Discussion List
Lines: 16
Approved: krvw@sei.cmu.edu

I've recently read George Woodside's file on how viruses work
(obtained from SIMTEL20.ARPA, VIRUS101.001-004). He says that a virus
latches on a read/write interrupt to spread itself. Would the
instructions the interrupt calls be near or located at the first JMP
instruction in the boot sector? From reading a certain reference that
concerns the programming of the IBM PC, I have the impression that
that JMP instruction in the boot sector is quite consistent for the
type of PC a user uses. If that JMP instruction is changed, does that
signal a virus present, or have virus writers skipped around that
limitation and had the virus write over what code is found at that JMP
destination?

jnet%"damon@umbc"
damon@umbc.bitnet
damon@umbc2.umbc.edu
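
An added example, not part of the original post: a baseline check of the kind the question asks about, comparing both the boot sector's leading JMP and the bytes at its destination against a known-good copy. The sample sectors, the function names and the result strings are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIG_OFFSET = 510  # 0x55 0xAA signature occupies the last two bytes

def jmp_target(sector: bytes) -> int:
    """Offset that the boot sector's leading JMP transfers control to."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte boot sector")
    if sector[0] == 0xEB:    # JMP short rel8 (usually followed by NOP)
        target = 2 + struct.unpack_from("<b", sector, 1)[0]
    elif sector[0] == 0xE9:  # JMP near rel16
        target = 3 + struct.unpack_from("<h", sector, 1)[0]
    else:
        raise ValueError("sector does not begin with a JMP opcode")
    if not 3 <= target < BOOT_SIG_OFFSET:
        raise ValueError("JMP target lies outside the sector's code area")
    return target

def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Report which parts of the boot path differ from a known-good copy."""
    findings = []
    start = jmp_target(baseline)
    if current[:3] != baseline[:3]:
        findings.append("jmp_changed")
    # An unchanged JMP does not imply unchanged code: compare the destination too.
    if current[start:BOOT_SIG_OFFSET] != baseline[start:BOOT_SIG_OFFSET]:
        findings.append("destination_code_changed")
    return findings

def build_sample(jmp: bytes, code: bytes) -> bytes:
    """Constructed 512-byte sector: JMP, filler data area, code, signature."""
    start = 2 + jmp[1]  # samples use short jumps only
    body = jmp + b"\x00" * (start - 3) + code
    return body.ljust(BOOT_SIG_OFFSET, b"\x90") + b"\x55\xAA"

# Constructed samples, not taken from any real disk.
BASELINE = build_sample(b"\xEB\x3C\x90", b"\xFA\x33\xC0")
JMP_EDITED = b"\xEB\x50\x90" + BASELINE[3:]
DEST_EDITED = build_sample(b"\xEB\x3C\x90", b"\xCC\xCC\xCC")

if __name__ == "__main__":
    for name, s in [("baseline", BASELINE), ("jmp edited", JMP_EDITED),
                    ("destination edited", DEST_EDITED)]:
        print(name, compare_to_baseline(BASELINE, s))
```

The third sample keeps the original JMP bytes and is still flagged, because the comparison covers the code the JMP lands on and not only the JMP itself.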