Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!bcm!dimacs.rutgers.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: 8326442@AWIWUW11.BITNET (Martin Zejma)
Newsgroups: comp.virus
Subject: obscure procedure in Yankee Doodle (PC)
Message-ID: <0012.9101092021.AA06041@ubu.cert.sei.cmu.edu>
Date: 9 Jan 91 17:44:33 GMT
Sender: Virus Discussion List
Lines: 40
Approved: krvw@sei.cmu.edu

hello virus-proofed community |

Last week I found the (or a) oh-so-old-but-never-found Yankee Doodle virus at a friend's, safely jailed on a floppy disk. I worked through the code quite heavily, found nothing unbelievably clever, but: after copying the virus code to the top of memory (I worked hard to figure out the meaning of TOM in recent issues), it gets the size of the absolute system memory for DOS from a word in the BIOS segment (280h), multiplies this by various things to get the end of memory (A000:0000) AND THEN ::: checksums 61 words starting from A000:014E (or 012E, I'm not sure without the source next to me), simply adding all these 61 words together, and if the result is something like 0b52, it writes a jump instruction into high memory, pointing to a small procedure which changes Int 13h (disk interrupt).

On my system (a 286 Neat with 2 MB RAM running at 20 MHz, 1 WS) there is nothing accessible after A000:0000, everything just HIGH-VALUE (FFh), not possible to change a byte. I tried using Shadow RAM enabled at A000, but that also failed.

SO THE ONE AND ONLY QUESTION: Are there systems where this part of memory is accessible, or would the virus just overwrite another resident virus when the value in the BIOS segment is below 280h due to a previous (already running) infection?

Please many answers and soon, I'm puzzled.

Sincerely yours,
Martin

+-----------------------------------------------------------------------+
| Martin Zejma                                8326442 @ AWIWUW11.BITNET |
|                                                                       |
| Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria    |
+-----------------------------------------------------------------------+
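Added example, not part of Martin's post and not the virus's own code: a C model of the check exactly as the post describes it, run against a constructed 1 MiB real-mode memory image. It assumes that the "word in the BIOS segment" is the BIOS data area memory-size word at 0040:0013, which holds the conventional memory size in KB (640 = 280h on a 640 KB machine), and that "multiplies this by various things" is the KB-to-paragraph conversion (x64) that turns 280h into segment A000h. The 014E offset, the 61-word count and the 0B52h target are taken from the post; the memory contents are constructed, not dumped from a real machine. The second case in `main` plays out the scenario the post asks about: a resident that has lowered the memory-size word below 280h moves the probe into conventional RAM.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE      (1UL << 20)  /* model the whole real-mode 1 MiB address space */
#define BDA_MEMSIZE   0x413UL      /* assumed: BDA word 0040:0013, conventional memory in KB */
#define CHECK_OFFSET  0x14EUL      /* offset named in the post (poster unsure: 014E or 012E) */
#define CHECK_WORDS   61           /* word count named in the post */
#define CHECK_TARGET  0x0B52       /* sum the post says triggers the Int 13h hook */

static uint8_t g_mem[MEM_SIZE];

/* Little-endian 16-bit access into the flat image. */
static uint16_t rd16(const uint8_t *mem, uint32_t lin) {
    return (uint16_t)(mem[lin] | (mem[lin + 1] << 8));
}
static void wr16(uint8_t *mem, uint32_t lin, uint16_t v) {
    mem[lin] = (uint8_t)v;
    mem[lin + 1] = (uint8_t)(v >> 8);
}

/* Assumed meaning of "multiplies this by various things": KB -> paragraphs.
 * 1 KB = 64 paragraphs of 16 bytes, so 640 KB (0x280) -> segment 0xA000. */
uint16_t end_of_memory_segment(uint16_t kb) {
    return (uint16_t)(kb * 64u);
}

/* 16-bit wrapping sum of 61 consecutive words starting at linear address lin,
 * which is all the post says the routine does. */
uint16_t checksum61(const uint8_t *mem, uint32_t lin) {
    uint16_t sum = 0;
    for (int i = 0; i < CHECK_WORDS; i++)
        sum = (uint16_t)(sum + rd16(mem, lin + 2u * (uint32_t)i));
    return sum;
}

/* The whole decision: read TOM from the BDA, derive the segment, sum, compare. */
int yankee_check(const uint8_t *mem) {
    uint16_t seg = end_of_memory_segment(rd16(mem, BDA_MEMSIZE));
    uint32_t lin = (uint32_t)seg * 16u + CHECK_OFFSET;
    return checksum61(mem, lin) == CHECK_TARGET;
}

/* Constructed memory image: conventional RAM reads as zero, the A000 segment
 * reads as FFh (the poster's observation on his 286), and the BDA memory-size
 * word is set to kb. With plant_match the 61 words at the derived address are
 * made to sum to 0B52h, standing in for whatever a previously loaded resident
 * happens to leave at the spot the probe now lands on. */
void build_image(uint8_t *mem, uint16_t kb, int plant_match) {
    memset(mem, 0x00, MEM_SIZE);
    memset(mem + 0xA0000UL, 0xFF, 0x10000UL);
    wr16(mem, BDA_MEMSIZE, kb);
    if (plant_match) {
        uint32_t lin = (uint32_t)end_of_memory_segment(kb) * 16u + CHECK_OFFSET;
        for (int i = 0; i < CHECK_WORDS; i++)
            wr16(mem, lin + 2u * (uint32_t)i, 0);
        wr16(mem, lin, CHECK_TARGET);
    }
}

int main(void) {
    /* Case 1: untouched 640 KB machine. The probe reads A000:014E, all FFh,
     * and 61 * FFFFh wraps to FFC3h, so the hook is not installed. */
    build_image(g_mem, 640, 0);
    printf("640 KB: seg=%04X sum=%04X hook=%d\n", end_of_memory_segment(640),
           checksum61(g_mem, 0xA0000UL + CHECK_OFFSET), yankee_check(g_mem));

    /* Case 2: a resident has lowered the BDA word to 639 (27Fh). The probe
     * now lands at 9FC0:014E, inside conventional RAM, i.e. inside the 1 KB
     * that resident took for itself. */
    build_image(g_mem, 639, 1);
    printf("639 KB: seg=%04X hook=%d\n", end_of_memory_segment(639),
           yankee_check(g_mem));
    return 0;
}
```

The model only reproduces the arithmetic the post spells out; whether any real machine exposes writable memory at A000:014E is exactly the open question of the post and is not answered by the code. What the second case does make concrete is that the segment the virus derives tracks the BDA word, so anything that has already lowered that word (a TSR, a previous infection) shifts the 61-word probe and the later jump write down into that code's own memory.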