Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: tomah@sssab.se (Tomas Ahl)
Newsgroups: comp.virus
Subject: Re: Viruses surviving warm boots. (PC)
Message-ID: <0012.9011261543.AA06200@ubu.cert.sei.cmu.edu>
Date: 22 Nov 90 09:46:34 GMT
Sender: Virus Discussion List
Lines: 38
Approved: krvw@sei.cmu.edu

LANDEN@HROEUR5.BITNET writes:
[...]
>I have experimented quite a bit with Jerusalem-B but I have never seen
>it survive a warm boot. Could anyone explain to me how it is possible
>for any virus to survive a warm boot by any method other than
>infecting something on the boot disk. In my experience a warm reboot
>always re-initializes the interrupt vectors, a process that no virus
>in memory would survive.

Take this scenario: The virus traps the hardware keyboard interrupt
and sorts out Ctrl-Alt-Del. When it detects C-A-Del it 'simulates' a
reboot through stepping the floppy motors, blanking the screen etc.
After this the computer seems to restart and voila the virus can
continue its 'work'. Not to mention I have a description of a virus
doing exactly this, all other keyboard interrupts are passed on to the
regular interrupt handler of course...

>
>Peter van der Landen
>Erasmus University, Rotterdam.

In my view, the most important thing to remember when discussing
viruses is that if BIOS and/or Dos can do it **any program can do it**
and thus a virus can too. Of course this is true for any
computer/operating system not utilizing hardware to block the normal
user out from system areas in the machine. Not only Dos-systems.
Dos-systems on the other hand are more vulnerable than they need to be
because it is common practice for programs to fiddle around in the
system areas to get things done that they need to do!

============================================================================
Tomas Ahl            | phone +46 13 111660
Computer 'n' Ranch   | fax   +46 13 115193
                     | mail  tomah@sssab.se
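
An added example, not part of the original post: one way to check for the keyboard-interrupt trap described above is to compare two 1024-byte dumps of the real-mode interrupt vector table, one taken after a boot from known-clean media and one from the running machine, and list the vectors that now point into conventional RAM. The function names, the 640K RAM boundary and all addresses in the sample tables are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define IVT_BYTES 1024u      /* 256 vectors x 4 bytes, at 0000:0000 */
#define RAM_TOP   0xA0000ul  /* assumption: 640K conventional RAM; ROM/adapters above */

enum { VEC_SAME = 0, VEC_MOVED_ROM = 1, VEC_MOVED_RAM = 2 };

/* Store a far pointer in slot n: offset word first, then segment, little-endian. */
void ivt_set(uint8_t *ivt, unsigned n, uint16_t seg, uint16_t off) {
    uint8_t *p = ivt + 4u * n;
    p[0] = off & 0xFF; p[1] = off >> 8;
    p[2] = seg & 0xFF; p[3] = seg >> 8;
}

/* 20-bit linear address of vector n (wraps at 1 MB, as with A20 disabled). */
uint32_t ivt_linear(const uint8_t *ivt, unsigned n) {
    const uint8_t *p = ivt + 4u * n;
    uint32_t off = p[0] | ((uint32_t)p[1] << 8);
    uint32_t seg = p[2] | ((uint32_t)p[3] << 8);
    return ((seg << 4) + off) & 0xFFFFFul;
}

/* Compare by linear address so aliased seg:off pairs are not reported as hooks. */
int vector_status(const uint8_t *clean, const uint8_t *now, unsigned n) {
    uint32_t a = ivt_linear(clean, n), b = ivt_linear(now, n);
    if (a == b) return VEC_SAME;
    return b < RAM_TOP ? VEC_MOVED_RAM : VEC_MOVED_ROM;
}

/* Count vectors that now point into conventional RAM; print each one. */
int report_ram_hooks(const uint8_t *clean, const uint8_t *now) {
    int hits = 0;
    for (unsigned n = 0; n < 256; n++)
        if (vector_status(clean, now, n) == VEC_MOVED_RAM) {
            printf("INT %02Xh: %05lX -> %05lX (RAM)\n", n,
                   (unsigned long)ivt_linear(clean, n), (unsigned long)ivt_linear(now, n));
            hits++;
        }
    return hits;
}

int main(void) {
    static uint8_t clean[IVT_BYTES], now[IVT_BYTES];   /* constructed sample tables */
    ivt_set(clean, 0x09, 0xF000, 0xE987);  ivt_set(now, 0x09, 0x9F80, 0x0010);
    ivt_set(clean, 0x10, 0xC000, 0x0100);  ivt_set(now, 0x10, 0xBFF0, 0x0200); /* same address */
    return report_ram_hooks(clean, now) == 1 ? 0 : 1;
}
```

DOS itself and ordinary resident programs also redirect INT 09h into RAM, so a reported vector is a prompt to identify the owner of that memory block, not proof of infection.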