Path: utzoo!attcan!uunet!know!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: re: Detecting Stealth Virus (PC)
Message-ID: <0010.9010111649.AA06500@ubu.cert.sei.cmu.edu>
Date: 10 Oct 90 21:03:26 GMT
Sender: Virus Discussion List
Lines: 12
Approved: krvw@sei.cmu.edu

Um, how thoroughly have you tested that? From looking at the code, it
appears that it will only work if the current INT21 vector points at
the virus's far-JMP. That won't be true, I don't think, if any
INT21-hooking programs have been run since the virus installed itself
(or, for viruses like the 4096 that find the "real" DOS entry point in
various ways, if any INT21-hooking programs have been installed at
all). INT21-hooking programs are very common (NDOSEDIT and so on); if
they stop your detector from working, you might want to include that
as a caveat when distributing it...

DC
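The caveat above, as an added illustration that is not part of the original post or of the detector it discusses: a simplified C model of a detector that inspects only the handler the INT 21h vector currently points at. The memory layout, addresses and function names are constructed for the example, and the detector logic is an assumption based on the post's description.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of real-mode memory: 1 MiB, interrupt vector table at linear 0. */
static uint8_t mem[1 << 20];

static uint32_t linear(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }

/* Each IVT slot is a far pointer: 16-bit offset first, then 16-bit segment. */
static void set_vector(uint8_t n, uint16_t seg, uint16_t off) {
    mem[n * 4 + 0] = off & 0xFF; mem[n * 4 + 1] = off >> 8;
    mem[n * 4 + 2] = seg & 0xFF; mem[n * 4 + 3] = seg >> 8;
}
static uint32_t vector_target(uint8_t n) {
    uint16_t off = (uint16_t)(mem[n * 4 + 0] | (mem[n * 4 + 1] << 8));
    uint16_t seg = (uint16_t)(mem[n * 4 + 2] | (mem[n * 4 + 3] << 8));
    return linear(seg, off);
}

/* Assumed detector: reports a hit only when the handler the vector points at
   *right now* begins with a far JMP (opcode 0xEA). */
static int detector_flags_far_jmp(void) { return mem[vector_target(0x21)] == 0xEA; }

/* The far-JMP stub itself, at its constructed address 9000:0000. */
static int stub_still_resident(void) { return mem[linear(0x9000, 0x0000)] == 0xEA; }

/* Build one scenario and return the detector's verdict. */
static int run_scenario(int benign_hook_loaded_after) {
    memset(mem, 0, sizeof mem);
    mem[linear(0x9000, 0x0000)] = 0xEA;           /* far-JMP stub in memory */
    set_vector(0x21, 0x9000, 0x0000);             /* vector points straight at it */
    if (benign_hook_loaded_after) {
        /* A later, legitimate INT 21h hooker (constructed at 8000:0100) that
           starts with CMP AH,imm8 (80 FC ..) and chains to the old vector. */
        mem[linear(0x8000, 0x0100)] = 0x80;
        mem[linear(0x8000, 0x0101)] = 0xFC;
        set_vector(0x21, 0x8000, 0x0100);         /* vector now points at the hooker */
    }
    return detector_flags_far_jmp();
}

int main(void) {
    int direct = run_scenario(0);                 /* 1: vector points at the stub */
    int hooked = run_scenario(1);                 /* 0: stub resident, but missed */
    return !(direct == 1 && hooked == 0 && stub_still_resident());
}
```

In the second scenario the stub is still in memory, but the detector reports nothing because it never looks past the first handler in the chain.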