Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: mweiner@bene.at (Michael Weiner)
Newsgroups: comp.virus
Subject: Stealth viruses (PC)
Message-ID: <0014.9008221137.AA19228@ubu.cert.sei.cmu.edu>
Date: 20 Aug 90 16:45:35 GMT
Sender: Virus Discussion List
Lines: 28
Approved: krvw@sei.cmu.edu

woody@chinacat.Unicom.COM (Woody Baker) wrote:
[on the possibility for viruses to alter ROM BIOS code shadowed into
RAM on 386 machines]

> One should not forget ram shadowing of the bios. It is a simple
> matter to determine whether this is in effect attempt to alter a
> byte in the bios area, and see if it took.

In many cases ROM shadow is write protected (on my machine for
example) and on the machines of all people I asked. The only way to
check whether it is shadowed or not is timing ROM access and
comparing the timing to RAM timing.

Still, this write protection is software-based only. As I understand
it, these memory managers work by placing the machine in protected
mode and running the PC in Virtual-86 mode. If a virus was able to
switch into protected mode using some backdoor, it becomes feasible
to alter shadowed ROM which would be truly frightening.

Let's hope it won't happen because we'll have a hard time protecting
ourselves against this type of attack.

+----------------------+-----------------------+
I Michael Weiner       I uucp: mweiner@bene.at I
I Ghelengasse 4        +-----------------------+
I A-1130 Wien Austria  I tel: ++43 1 8232400   I
+----------------------+-----------------------+