Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!wuarchive!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: mweiner@bene.at (Michael Weiner)
Newsgroups: comp.virus
Subject: Stealth viruses (PC)
Message-ID: <0007.9008221137.AA19228@ubu.cert.sei.cmu.edu>
Date: 18 Aug 90 07:40:02 GMT
Sender: Virus Discussion List
Lines: 34
Approved: krvw@sei.cmu.edu

woody@chinacat.Unicom.COM (Woody Baker) wrote:

> MW> Something else: Does anyone know of a virus scanner that examines high
> MW> memory (as used by 386max and similar utilities) for "stealth-type"
> MW> viruses ?
>
> Good point. This is a fertile breeding ground. Imagine a large
> virus that stuffs itself up there, and then pages back and forth by
> changing the LIM memory driver, so that interrupts to it pass
> control to the virus. Since LIM drivers are easy to access and live in
> RAM, it would be no big deal to patch the actual code, and not touch the
> interrupt vectors. The same goes double for device drivers.
> Suppose a device driver that does some nice thing, like fix the @#$%@$#%
> daily rollover bug in DOS. The driver perhaps unpacks a bit of nasty
> that goes to work at midnight...

There is an additional problem: many of these 386/486 memory managers allow
you to define "high DOS memory" over the 640k barrier. 386max, for example,
allows you to load device drivers and TSRs into this memory region (in my
case, it is 96kB at C800 - E000). If a file infected with a "stealthy" virus
is loaded into this memory region, I doubt many scanners will detect it when
they look for virus signatures in memory. To my knowledge, most only scan the
"low" 640k.

A friend told me that this has already occurred in a number of cases he
knows about.
cheers, mike

+----------------------+-----------------------+
I Michael Weiner       I uucp: mweiner@bene.at I
I Ghelengasse 4        +-----------------------+
I A-1130 Wien Austria  I tel: ++43 1 8232400   I
+----------------------+-----------------------+