Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!iuvax!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Newsgroups: comp.virus
Subject: Re: Stealth viruses (PC)
Message-ID: <0006.9008171919.AA16211@ubu.cert.sei.cmu.edu>
Date: 17 Aug 90 00:15:12 GMT
Sender: Virus Discussion List
Lines: 29
Approved: krvw@sei.cmu.edu

mweiner@bene.at (Michael Weiner) writes:

> frisk wrote:
>
> INT 40h should definitely be included, it might also become necessary
> to check INT 0Dh and INT 0Eh at some point in the future.

One should not forget RAM shadowing of the BIOS. It is a simple matter to determine whether this is in effect: attempt to alter a byte in the BIOS area, and see if it took. If so, then overlay one of the known entry points (most BIOSes attempt to be IBM compatible, right down to the entry points in the ROM), and patch part of the BIOS. Now you are below DOS, below the BIOS interface, below the IRQs, etc.

> Something else: Does anyone know of a virus scanner that examines high
> memory (as used by 386max and similar utilities) for "stealth-type"
> viruses ?

Good point. This is a fertile breeding ground. Imagine a large virus that stuffs itself up there, and then pages back and forth by changing the LIM memory driver, so that interrupts to it pass control to the virus. Since LIM drivers are easy to access and live in RAM, it would be no big deal to patch the actual code, and not touch the interrupt vectors.

The same goes double for device drivers. Suppose a device driver that does some nice thing, like fix the @#$%@$#% daily rollover bug in DOS. The driver perhaps unpacks a bit of nasty that goes to work at midnight...

Cheers
Woody
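The post's point for a scanner author is that a resident component can be patched in place without any interrupt vector changing, so a scanner that only watches the vector table sees nothing. The defensive counterpart is to baseline the content of the regions themselves (BIOS window, vector table, resident driver code) and report which one drifted. The following is an added example, not code from the post or from any scanner it mentions; the region names and byte contents are constructed stand-ins, and `patch_bytes` is a hypothetical helper that simulates an in-place code change so the check has something to catch.

```python
import hashlib
from typing import Dict, List

# Constructed sample regions: small byte strings standing in for the BIOS
# window, the interrupt vector table (IVT) and a resident driver's code.
# A real tool would read these from physical memory; these values are made up.
BASELINE_REGIONS: Dict[str, bytes] = {
    "bios_f000": bytes(range(256)) * 4,
    "ivt_0000": bytes([0x00, 0x10, 0x00, 0xF0] * 64),
    "driver_resident": b"\x55\x8b\xec" + b"\x90" * 29,  # fake prologue + padding
}


def snapshot(regions: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every region so the baseline can be kept out of band (e.g. on a clean floppy)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in regions.items()}


def changed_regions(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Return the names of regions whose content no longer matches the baseline hash."""
    now = snapshot(current)
    return sorted(name for name in baseline if now.get(name) != baseline[name])


def patch_bytes(data: bytes, offset: int, patch: bytes) -> bytes:
    """Hypothetical helper: overwrite bytes at offset to simulate an in-place code patch."""
    return data[:offset] + patch + data[offset + len(patch):]


def demo() -> List[str]:
    """Baseline, then simulate code patched in place while the IVT stays untouched."""
    base = snapshot(BASELINE_REGIONS)
    later = dict(BASELINE_REGIONS)
    later["driver_resident"] = patch_bytes(later["driver_resident"], 3, b"\xe9\x00\x00")
    return changed_regions(base, later)


if __name__ == "__main__":
    print(demo())  # ['driver_resident']
```

The vector table hashes identically before and after, which is exactly why vector-only checks miss this case; only the content hash of the driver region flags the change. In practice the baseline must be stored somewhere the resident code cannot reach, otherwise it can be rewritten along with the region.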