Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!usc!wuarchive!uwm.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: Low-Level Protection (PC)
Message-ID: <0008.9102061308.AA27330@ubu.cert.sei.cmu.edu>
Date: 4 Feb 91 05:00:00 GMT
Sender: Virus Discussion List
Lines: 16
Approved: krvw@sei.cmu.edu

p1@arkham.wimsey.bc.ca (Rob Slade) writes concerning "boot sector protection":

>It would not, unfortunately, deal with "stealth" boot viri like Joshi, and I
>can see virus writers getting around it in other ways as well.

I must disagree though the boot sector is a difficult place to put it and
all sorts of housekeeping would be required. The partition table on the
other hand is a nice place.

The "stealth" viruses (JOSHI et al) operate by redirecting low-level
interrupts to return only uninfected code. To do so, they must go resident
in RAM. Once the OS loads, this is very difficult to detect since each OS
does its own redirection. Prior to the OS load however, only the bare BIOS
or ROM extension interrupts are available and these can be verified very
easily and are sufficient to detect such attacks immediately.

                                        Padgett
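
One way to express the pre-OS check described in the post, as an added example that is not part of the original message or the poster's own code. It assumes "verified" means confirming that watched interrupt vectors still point into the ROM address range (C0000h-FFFFFh) rather than into RAM; the watch list, function names and sample table are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IVT_BYTES 1024u      /* 256 real-mode vectors, 4 bytes each, at 0000:0000 */
#define ROM_START 0xC0000ul  /* bottom of the adapter ROM extension area */
#define ROM_END   0xFFFFFul  /* top of the system BIOS ROM */
static const unsigned WATCH[] = { 0x10, 0x13, 0x16 };  /* video, disk, keyboard (assumed list) */

/* Linear address a vector points to; an entry is offset then segment, little-endian. */
static uint32_t vector_target(const uint8_t *ivt, unsigned n)
{
    uint32_t off = ivt[n * 4] | ((uint32_t)ivt[n * 4 + 1] << 8);
    uint32_t seg = ivt[n * 4 + 2] | ((uint32_t)ivt[n * 4 + 3] << 8);
    return (seg << 4) + off;
}

/* Store in bad[] each watched vector whose handler lies outside ROM; return how many. */
static size_t vectors_outside_rom(const uint8_t *ivt, unsigned *bad)
{
    size_t found = 0;
    for (size_t i = 0; i < sizeof WATCH / sizeof WATCH[0]; i++) {
        uint32_t t = vector_target(ivt, WATCH[i]);
        if (t < ROM_START || t > ROM_END) bad[found++] = WATCH[i];
    }
    return found;
}

/* Constructed sample table (not a capture); set_vector writes seg:off into entry n. */
static void set_vector(uint8_t *ivt, unsigned n, uint16_t seg, uint16_t off)
{
    uint8_t e[4] = { (uint8_t)off, (uint8_t)(off >> 8), (uint8_t)seg, (uint8_t)(seg >> 8) };
    memcpy(ivt + n * 4, e, sizeof e);
}
static void sample_ivt(uint8_t *ivt, int disk_vector_in_ram)
{
    memset(ivt, 0, IVT_BYTES);
    set_vector(ivt, 0x10, 0xF000, 0xF065);
    set_vector(ivt, 0x16, 0xF000, 0xE82E);
    set_vector(ivt, 0x13, disk_vector_in_ram ? 0x9F80 : 0xC800, disk_vector_in_ram ? 0x0000 : 0x0256);
}

int main(void)
{
    uint8_t ivt[IVT_BYTES];
    unsigned bad[sizeof WATCH / sizeof WATCH[0]];
    sample_ivt(ivt, 1);  /* sample with the disk vector redirected into RAM */
    printf("%zu watched vector(s) outside ROM\n", vectors_outside_rom(ivt, bad));
    return 0;
}
```

The same test is unreliable once an operating system has loaded, because the OS legitimately repoints these vectors into RAM, which is the post's reason for running it before the OS load.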