Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: Stealth viruses (PC)
Message-ID: <0001.9008301334.AA25774@ubu.cert.sei.cmu.edu>
Date: 25 Aug 90 12:27:44 GMT
Sender: Virus Discussion List
Lines: 23
Approved: krvw@sei.cmu.edu

mweiner@bene.at (Michael Weiner) writes:

>There is an additional problem: Many of these 386/486 memory managers
>allow you to define "high DOS memory" over the 640k barrier. 386max
>for example allows you to load device drivers and TSRs into this
>memory region (In my case, it is 96kB at C800 - E000).

I just wanted to mention that we already have one virus which is able to load itself above the 640K barrier. The E.D.V. boot sector virus starts to look for free RAM at E800:0000 and moves downward in 64K jumps, skipping the area 9800-B000.

As an extra twist, the virus will attempt to crash any program scanning high memory: it intercepts the "timer-tick" interrupt, and if it finds that ES or DS point to the region where it is hiding, it will halt the computer. This of course makes scanning for this virus a bit complicated.

-frisk

--
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |