Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!ncar!asuvax!ukma!cs.widener.edu!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: bdh@uchicago.UCAR.EDU (Brian D. Howard)
Newsgroups: comp.virus
Subject: Re: PROTEC System & Stoned Virus (PC)
Message-ID: <0012.9103201343.AA20555@ubu.cert.sei.cmu.edu>
Date: 18 Mar 91 19:31:45 GMT
Sender: Virus Discussion List
Lines: 20
Approved: krvw@sei.cmu.edu

rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) writes:

>I find this interesting. Short of re-infecting the machine to
>investigate further, I'm curious as to why Stoned didn't show in
>memory when a boot from floppy hadn't been done.

Probably because stoned steals 2K for itself (why 2K I dunno, I think
he only needs to dec al once?, figured it's a bug). It then updates
the BIOS data segment (413h) to indicate that the tip-top of memory is
right below it. Scan utilities that rely on that table being accurate
might not bother to check any higher.

(An aside note: the 'stoned' program compares the jump at its first
location with that of the boot sector on the potential target in order
to decide if it's already 'infected' said target. If you haven't
already you might disassemble and modify your boot sector code to
reflect the identical jump so that it looks like it's already
infected...)

- --
"Hire the young while they still know everything."
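
An added example, not part of the original post: a C check of the kind the reply implies, comparing the base-memory word at 413h in a BIOS data area snapshot with the installed amount and returning the segment range that a scanner trusting that word would skip. The struct and function names, the constructed 256-byte snapshot and the 640 KB installed figure are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define BDA_BASE_MEM_OFF 0x13   /* word at 0040:0013 (linear 413h): base memory in KB */

/* Result of comparing the BIOS-reported top of memory with the installed amount. */
struct mem_gap {
    unsigned reported_kb;   /* value read from the BDA word */
    unsigned hidden_kb;     /* installed_kb - reported_kb, 0 if none */
    unsigned start_seg;     /* first paragraph above the reported top */
    unsigned end_seg;       /* first paragraph above installed memory */
};

/* Read the little-endian base-memory word from a 256-byte BDA snapshot. */
static unsigned bda_base_kb(const uint8_t *bda)
{
    return (unsigned)bda[BDA_BASE_MEM_OFF] |
           ((unsigned)bda[BDA_BASE_MEM_OFF + 1] << 8);
}

/* installed_kb is an assumption supplied by the caller (for example 640 from
 * the machine's configuration); the BDA word is the value being checked. */
static struct mem_gap check_top_of_memory(const uint8_t *bda, unsigned installed_kb)
{
    struct mem_gap g;
    g.reported_kb = bda_base_kb(bda);
    g.hidden_kb = installed_kb > g.reported_kb ? installed_kb - g.reported_kb : 0;
    g.start_seg = g.reported_kb * 64u;   /* 1 KB = 64 paragraphs of 16 bytes */
    g.end_seg = installed_kb * 64u;
    return g;
}

int main(void)
{
    uint8_t bda[256] = {0};              /* constructed snapshot, not a real dump */
    bda[BDA_BASE_MEM_OFF] = 0x7E;        /* 0x027E = 638 KB, i.e. 640 KB less 2 KB */
    bda[BDA_BASE_MEM_OFF + 1] = 0x02;

    struct mem_gap g = check_top_of_memory(bda, 640);
    if (g.hidden_kb)
        printf("%u KB not covered by 413h: scan %04X:0000 up to %04X:0000\n",
               g.hidden_kb, g.start_seg, g.end_seg);
    else
        printf("413h matches installed memory (%u KB)\n", g.reported_kb);
    return 0;
}
```

A gap is a reason to scan that range, not proof of infection: some BIOSes reserve memory at the top of the base area for their own extended data area and lower this word themselves.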