Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!usc!wuarchive!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: LANDEN@HROEUR5.BITNET
Newsgroups: comp.virus
Subject: Viruses surviving warm boots. (PC)
Message-ID: <0013.9011201348.AA00696@ubu.cert.sei.cmu.edu>
Date: 20 Nov 90 13:11:00 GMT
Sender: Virus Discussion List
Lines: 30
Approved: krvw@sei.cmu.edu

> From: Michael_Kessler.Hum@mailgate.sfsu.edu
>
> 2. To avoid infecting the network should a student use outside
> software on various stations, we recommend that all stations be turned
> off after use so that nothing stays in memory (Jerusalem B survives
> warm reboots).

I have experimented quite a bit with Jerusalem-B but I have never seen
it survive a warm boot. Could anyone explain to me how it is possible
for any virus to survive a warm boot by any method other than infecting
something on the boot disk? In my experience a warm reboot always
re-initializes the interrupt vectors, a process that no virus in memory
would survive.

The only method I can think of is by intercepting the Ctrl-Alt-Del
keystroke and doing a reboot with int 19h. This would be difficult
because it would require the virus to store the original interrupt
vectors before anyone could alter them and hide in the top of the
system memory. The only type of virus that could perform this would
probably be a boot sector virus. If a virus would use the above method
it would probably alarm even a novice user because the system would no
longer go through the BIOS startup tests.

Maybe the 386+ processors have capabilities that make other methods
possible?

Peter van der Landen
Erasmus University, Rotterdam.