Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!usc!ucsd!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Newsgroups: comp.virus
Subject: Re: Lateral Thinking
Message-ID: <0013.9012041357.AA13652@ubu.cert.sei.cmu.edu>
Date: 30 Nov 90 19:00:51 GMT
Sender: Virus Discussion List
Lines: 32
Approved: krvw@sei.cmu.edu

RZOTTO@DKNKURZ1.BITNET (Otto.Stolz) writes:
> Hello fellow,
>
> > > disk.
> > > ... doing a reboot with int 19h, this would be difficult.
>
> I think no virus would be able to survive a genuine, complete re-boot
> in memory AND re-gain control. (Take this as an educated guess, as

A very good friend of mine, who sometimes watches this group, has written a
nifty gadget that he calls Acabus. It survives everything you do short of
powering the machine off.

The routine, when installed, grabs a complete snapshot of the interrupt
vector area of DOS and stores it internally. It then changes all the vectors
to point to its entry point. Due to the segmented architecture of the PC, it
does this by manipulating the paragraph and offset values so that they are
all different, but point to the same physical spot. When Acabus gains
control, it merely has to examine the address on the stack to determine
which vector it was entered by. It then vectors to the old location for that
vector. Upon coming back from the vector, Acabus again has control and runs
a check of the interrupt vector area. If any of the vectors have changed, it
copies them, chains them back into the old vector and replaces the vector
with what it wants to be there. This is done very rapidly, and as a result,
things operate like normal.

As a matter of fact, it can gain such a secure hold on the system that it
can survive a boot of an ENTIRELY different operating system. It can handle
a reboot to CPM or XENIX or DOS and still maintain control.

Cheers
Woody
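The aliasing trick Woody describes (256 vectors with different paragraph:offset values that all resolve to one physical address) leaves a static fingerprint in the interrupt vector table. The checker below is an added example written from the defender's side; it is not Acabus, nor any code from the original post. It assumes only the real 8086 IVT layout (256 four-byte entries, offset word then segment word, at linear address 0) and the real-mode translation linear = 16*segment + offset. The sample tables it parses are constructed inline for the demonstration; the hooked one encodes the "all different, but the same spot" pattern, the clean one shows the legitimate sharing a BIOS does (several unused vectors pointing at one dummy handler through the same encoding), which must not be flagged.

```python
"""Static checks over a real-mode interrupt vector table (IVT) image.

Added example for the comp.virus thread above; not code from the post or
from Acabus. IVT layout and segment arithmetic are real 8086 facts; the
sample tables produced by sample_ivt() are constructed, not BIOS dumps.
"""
import struct
from collections import defaultdict

IVT_ENTRIES = 256
IVT_SIZE = IVT_ENTRIES * 4          # 4 bytes per vector: offset word, then segment word


def linear(seg, off):
    """Real-mode address translation: 16*segment + offset, wrapped to 20 bits."""
    return (seg * 16 + off) & 0xFFFFF


def parse_ivt(image):
    """Decode a raw 1024-byte IVT image into a list of (segment, offset) pairs."""
    if len(image) != IVT_SIZE:
        raise ValueError("IVT image must be exactly %d bytes" % IVT_SIZE)
    vectors = []
    for i in range(IVT_ENTRIES):
        off, seg = struct.unpack_from("<HH", image, i * 4)   # little-endian words
        vectors.append((seg, off))
    return vectors


def find_aliased_handlers(vectors, min_encodings=8):
    """Flag handlers reached through many *different* seg:off encodings.

    A normal table shares handlers too (unused vectors often sit on one
    dummy IRET), but it reuses a single encoding for them. Many distinct
    encodings resolving to one linear address is the pattern described in
    the post. Returns [(linear_addr, n_encodings, [int numbers]), ...].
    """
    by_addr = defaultdict(lambda: {"enc": set(), "ints": []})
    for intno, (seg, off) in enumerate(vectors):
        entry = by_addr[linear(seg, off)]
        entry["enc"].add((seg, off))
        entry["ints"].append(intno)
    return sorted(
        (addr, len(e["enc"]), e["ints"])
        for addr, e in by_addr.items()
        if len(e["enc"]) >= min_encodings
    )


def changed_vectors(baseline, current):
    """Integrity check against a trusted snapshot: interrupt numbers whose
    vector now differs (the post's own comparison, used to detect rather
    than to re-hook)."""
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]


def sample_ivt(hooked):
    """Constructed sample table (assumption: not taken from any real BIOS).

    Clean: every int has its own handler at F000:xxxx, except ints 60h-67h,
    which share one dummy handler through one identical encoding.
    Hooked: every vector rewritten to a resident stub at linear 9FC00h,
    each with a different segment:offset pair, as the post describes.
    """
    vectors = []
    for i in range(IVT_ENTRIES):
        if hooked:
            # (0x9FC0 - i) * 16 + i * 16 == 0x9FC00 for every i: 256 encodings, one address
            vectors.append((0x9FC0 - i, i * 16))
        elif 0x60 <= i <= 0x67:
            vectors.append((0xF000, 0xFF53))        # shared dummy handler, same encoding
        else:
            vectors.append((0xF000, 0x1000 + i * 16))
    return b"".join(struct.pack("<HH", off, seg) for seg, off in vectors)


if __name__ == "__main__":
    clean = parse_ivt(sample_ivt(hooked=False))
    hooked = parse_ivt(sample_ivt(hooked=True))
    print("clean table, aliased handlers:", find_aliased_handlers(clean))
    for addr, n, ints in find_aliased_handlers(hooked):
        print("handler %05X reached via %d encodings by %d interrupts" % (addr, n, len(ints)))
    print("vectors changed vs. baseline:", len(changed_vectors(clean, hooked)))
```

Run it as a script to see the clean table pass and the hooked table report one handler reached through 256 encodings by all 256 interrupts. The design point is to count distinct encodings per linear address rather than vectors per address: the latter is noisy on any real machine, the former is what the segment-aliasing trick cannot avoid producing.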