Path: utzoo!attcan!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: franks@cicux.neth.hp.com (Frank Slootweg CRC)
Newsgroups: comp.virus
Subject: Re: Viruses surviving warm boots. (PC)
Message-ID: <0004.9012181426.AA01528@ubu.cert.sei.cmu.edu>
Date: 22 Nov 90 15:18:28 GMT
Sender: Virus Discussion List
Lines: 26
Approved: krvw@sei.cmu.edu

> From: Michael_Kessler.Hum@mailgate.sfsu.edu
>
> 2. To avoid infecting the network should a student use outside
> software on various stations, we recommend that all stations be turned
> off after use so that nothing stays in memory (Jerusalem B survives
> warm reboots).

I think reports of viri which survive warm reboots are caused by
misunderstanding the viri and/or the viri scanners. The essential parts
in the above text are "stays in memory" (true) and "survives warm boots"
(false).

I had Jerusalem B on my PC and when warm booting from a clean floppy
and running McAfee's SCAN from that floppy, SCAN indeed says that
Jerusalem B is in memory. However, because of the warm boot the virus
cannot *execute* anymore. Often if you first skip SCAN's scan of memory
(i.e. no /M), memory will be "cleared" (i.e. overwritten with SCAN's
data space) and a subsequent SCAN /M will not say that Jerusalem B is in
memory (because it isn't anymore).

Perhaps virus scanners should include an option or a separate program
which can be used to clear all of memory after a virus has been found in
memory, so this class of false alarms can be eliminated.

Frank Slootweg, Hewlett-Packard, The Netherlands, (*not* in PC support).