Path: utzoo!censor!geac!torsqnt!lethe!yunexus!ists!helios.physics.utoronto.ca!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!apple!julius.cs.uiuc.edu!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: cjimenez@anyware.es (Carlos Jimenez)
Newsgroups: comp.virus
Subject: Re:obscure procedure in Yankee Doodle (PC)
Message-ID: <0011.9101111559.AA00331@ubu.cert.sei.cmu.edu>
Date: 10 Jan 91 15:13:56 GMT
Sender: Virus Discussion List
Lines: 24
Approved: krvw@sei.cmu.edu

>Send by Martin Zejma <8326442@AWIWUW11.BITNET>:
>
>hello virus-proofed community |
>Last week i found the ( or a ) oh-so-old-but-never-found Yankee ...
>...
>SO THE ONE AND ONLY QUESTION :
>Are there systems where this part of memory is accessible or would the
>virus just overwrite a resident other virus when the value in the
>BIOS-segment is below 280h due to a previous (already running)
>infection ?

The segment A000h of computer is used by graphics cards like EGA, MCGA
& VGA to implement graphics modes 0Dh to 13h and new modes of higher
resolution. This segment of memory isn't used in text modes. Thus,
when you use text modes (the normal situation if you don't work in
Windows) the virus can use the segment A000h.

Probably you have a CGA or Hercules Graphic Card and then you can't
use this segment (There isn't RAM for the virus in this segment).

I hope this comment can help you.

Carlos Jimenez
R+D Manager                    Phone: +34 1 556 92 15
ANYWARE Information Security          +34 1 556 92 16
General Peron, 32              Fax:   +34 1 556 91 58
28020 Madrid (SPAIN)           EUnet: cjimenez@anyware.es