Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: re: EB21 or PrintScreen virus (PC)
Message-ID: <0009.9012061357.AA16381@ubu.cert.sei.cmu.edu>
Date: 5 Dec 90 15:09:55 GMT
Sender: Virus Discussion List
Lines: 9
Approved: krvw@sei.cmu.edu

deepak@shakti.ernet.in asks how the PrintScreen virus can read/write disks without doing INT13s (and therefore without being caught by some INT13-hooking anti-virus program).

I don't want to give enough detail to be of help to future virus writers, but in general boot viruses get control early enough that they can easily access the INT13 call-chain down below the level at which any given DOS program (or even DOS itself) has woven itself in; that is, they can just call the "real" INT13 code directly, without ever doing an actual INT13. Many boot viruses, including the PrintScreen, do this; no magic...

DC