Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!ucsd!nosc!crash!pnet01!jca
From: jca@pnet01.cts.com (John C. Archambeau)
Newsgroups: comp.sys.ibm.pc
Subject: Re: Write protect for hard drive
Message-ID: <2978@crash.cts.com>
Date: 3 Jun 90 01:36:01 GMT
Sender: root@crash.cts.com
Organization: People-Net [pnet01], El Cajon CA
Lines: 39

frisk@rhi.hi.is (Fridrik Skulason) writes:
>They don't work, even if they intercept interrupts. Many "write-protecting"
>programs only intercept INT 13, but it is easy to write to the
>hard disk without using INT 13, so monitoring it won't help. As a matter of
>fact, there are two or three Bulgarian viruses able to do it already.

I stand corrected. After the explanation of how a trojan/virus bypasses the
interrupt, I can easily see how it would work. The only connection that I
couldn't quite make (which was explained to me in e-mail) is how the virus
gets the address for the far write call.

That's the problem with not using DOS or only using it under DOSWindows or
VP/ix. You forget so easily that you can get around an interrupt vector.

To your knowledge, will any of these trojan/viruses function as the author
intended under Unix applications such as DOSMerge or VP/ix? My instinct about
it is no since they're applications under a protected mode OS, but I would
like to hear from somebody with experience in this matter.

And what about situations such as the user who uses Concurrent DOS or PC-MOS?
Are those of us who run DOS sessions that run in virtual 8086 mode safe from
these MS-DOS viruses or are these trojan/virus writers starting to venture
into that area? My initial answer, personally, is inclined to be no since the
virus has to bypass the protection that the 80386[DS]X gives you. It is
probably possible to get around the protection if you know the OS well enough,
but from what I've read on the 386 thus far, it would not be easy.
// JCA
/*
 **--------------------------------------------------------------------------*
 ** Flames  : /dev/null                       | Small memory model only for
 ** ARPANET : crash!pnet01!jca@nosc.mil       | Unix? Get the (*bleep*) out
 ** INTERNET: jca@pnet01.cts.com              | of here!
 ** UUCP    : {nosc ucsd hplabs!hd-sdd}!crash!pnet01!jca
 **--------------------------------------------------------------------------*
 */