Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!usc!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: 4096 (PC)
Message-ID: <0002.9008081811.AA05229@ubu.cert.sei.cmu.edu>
Date: 3 Aug 90 04:00:00 GMT
Sender: Virus Discussion List
Lines: 18
Approved: krvw@sei.cmu.edu

I have been surprised at the excitement caused by this virus. Admittedly, it uses some "stealth" techniques to hide itself, but the "stealth" itself should be detectable in memory. Certainly a thorough virus checking routine will not rely on DOS to provide accurate information.

Next, despite rumors of CMOS and Modem viruses, to be able to become resident in an XT class machine, some memory MUST be used somewhere and this is detectable. Thus there are (at the moment) three checkpoints: either available memory has been reduced, interrupts are being vectored into never-never land (virus hiding in unassigned memory - note: this may not be obvious from the interrupt table), or crashes will occur often as the virus is overwritten.

While I have not yet seen the 4096 (a copy is coming but not yet arrived), I feel certain that it is detectable reasonably easily in memory - if not directly then by its process of hiding. As soon as I determine an easy way to detect it, the answer will be posted. In the meantime, booting from a write-protected floppy and running a clean SCAN of version 53 or later is known to be effective.
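The first two checkpoints in the post above (reported base memory shrunk, and interrupt vectors pointing into the region DOS no longer sees) as an added, offline example that is not part of the original post. It assumes a raw dump of low memory covering the interrupt vector table at 0000:0000 and the BIOS Data Area word at 0040:0013 (linear 0x413, base memory size in KB); the 640 KB baseline, the F000:0100 ROM vector and the sample dump are constructed for the demonstration.

```python
import struct

IVT_ENTRIES = 256
BDA_MEMSIZE = 0x413      # BIOS Data Area: base memory size in KB (linear address)
VIDEO_START = 0xA0000    # end of the 640 KB conventional region
EXPECTED_KB = 640        # what a healthy machine is assumed to report


def linear(seg, off):
    """Real-mode segment:offset to a 20-bit linear address."""
    return (seg << 4) + off


def parse_ivt(dump):
    """Return the 256 (segment, offset) pairs of the interrupt vector table."""
    vectors = []
    for n in range(IVT_ENTRIES):
        off, seg = struct.unpack_from("<HH", dump, n * 4)   # stored offset first
        vectors.append((seg, off))
    return vectors


def check(dump, expected_kb=EXPECTED_KB):
    """Apply the two memory checkpoints; return a list of findings (empty = clean)."""
    mem_kb = struct.unpack_from("<H", dump, BDA_MEMSIZE)[0]
    top = mem_kb * 1024                       # first byte DOS believes is not RAM
    findings = []
    if mem_kb < expected_kb:
        findings.append(("memory_reduced_kb", expected_kb - mem_kb))
    for n, (seg, off) in enumerate(parse_ivt(dump)):
        addr = linear(seg, off)
        # A vector above the reported top but below video RAM points into
        # memory the system claims does not exist: "never-never land".
        if top <= addr < VIDEO_START:
            findings.append(("vector_in_hidden_region", n, addr))
    return findings


def build_sample(mem_kb, hidden_vectors=()):
    """Constructed dump: 1 KB IVT plus BDA through 0x415, vectors in ROM BIOS."""
    dump = bytearray(0x416)
    for n in range(IVT_ENTRIES):
        struct.pack_into("<HH", dump, n * 4, 0x0100, 0xF000)   # F000:0100 (constructed)
    for n in hidden_vectors:                  # hook selected vectors just above the top
        struct.pack_into("<HH", dump, n * 4, 0x0000, (mem_kb * 1024) >> 4)
    struct.pack_into("<H", dump, BDA_MEMSIZE, mem_kb)
    return bytes(dump)
```

A clean dump (`build_sample(640)`) yields no findings; one whose memory word was lowered by a few KB with INT 13h and INT 21h redirected above it reports both the shortfall and each hooked vector.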