Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!iuvax!ux1.cso.uiuc.edu!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET
Newsgroups: comp.virus
Subject: RE: IBM-PC virus scanning program from IBM (PC)
Message-ID: <0003.8910241138.AA15306@ge.sei.cmu.edu>
Date: 23 Oct 89 00:00:00 GMT
Sender: Virus Discussion List
Lines: 24
Approved: krvw@sei.cmu.edu

Thomas Lapp writes:

> Since it reports the number of files searched and number of
> disks checked, I suspect that this program would not be able to find
> those viruses which reside on sectors which are then marked bad.

All the viruses that I've heard of that live even partially in bad
sectors are boot-sector viruses; the "initial hook" of the virus is
written to the boot sector, and that hook then reads the rest of the
virus off of some sector elsewhere on the disk (which was marked bad
in the FAT at initial infection). The IBM virus scanner (and the
McAfee one, and probably others) scans boot records to detect this
type of virus.

In general, a virus has to arrange to get executed; the viruses
we've seen so far do this either by modifying executable files, or by
modifying the boot record of a disk or diskette. So scanners for
known viruses that scan executable files and boot records are looking
in the right places! A "virus" that just marked a sector as bad and
wrote itself there, without altering the boot sector or any other
executable object, would never get executed...

DC
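
Added example, not part of the original post and not code from any scanner it names: a small Python routine that reads the boot record's BIOS Parameter Block from a FAT12 diskette image and lists every cluster the FAT marks bad (entry value 0xFF7), so those sectors can be examined alongside the boot record. The function names and the sample image are constructed for illustration.

```python
import struct

BAD_FAT12 = 0xFF7  # FAT12 entry value that marks a cluster as bad

def parse_bpb(boot):
    """Read the BIOS Parameter Block fields (offset 11) needed to find the FAT."""
    keys = ("bps", "spc", "reserved", "nfats", "root_entries", "total", "media", "spf")
    return dict(zip(keys, struct.unpack_from("<HBHBHHBH", boot, 11)))

def fat12_entry(fat, n):
    """Unpack the 12-bit entry for cluster n (two entries share three bytes)."""
    off = n + n // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0x0FFF

def bad_clusters(image):
    """Return (cluster, first_sector) for every cluster the FAT marks bad."""
    b = parse_bpb(image)
    if b["bps"] == 0 or b["spc"] == 0:
        raise ValueError("no usable BPB in boot sector")
    root_sectors = (b["root_entries"] * 32 + b["bps"] - 1) // b["bps"]
    data_start = b["reserved"] + b["nfats"] * b["spf"] + root_sectors
    n_clusters = (b["total"] - data_start) // b["spc"]
    if not 0 < n_clusters < 4085:
        raise ValueError("not a FAT12 volume")
    fat_off = b["reserved"] * b["bps"]
    fat = image[fat_off:fat_off + b["spf"] * b["bps"]]
    return [(c, data_start + (c - 2) * b["spc"])
            for c in range(2, n_clusters + 2)
            if fat12_entry(fat, c) == BAD_FAT12]

def build_sample_image():
    """Constructed 360K diskette image: clusters 100 and 101 marked bad."""
    img = bytearray(720 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    img[510:512] = b"\x55\xaa"                   # boot record signature
    img[512:515] = b"\xfd\xff\xff"               # reserved FAT entries 0 and 1
    img[512 + 150:512 + 153] = b"\xf7\x7f\xff"   # entries 100 and 101 = 0xFF7
    return bytes(img)

if __name__ == "__main__":
    for cluster, sector in bad_clusters(build_sample_image()):
        print(f"cluster {cluster} marked bad, starts at sector {sector}")
```
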