Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!ub!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: Mac Viruses vs. PC Viruses: Coding Comparison
Message-ID: <0007.9103251532.AA25003@ubu.cert.sei.cmu.edu>
Date: 21 Mar 91 20:08:10 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 27
Approved: krvw@sei.cmu.edu

A few nits on Jonathan E. Oberg (ph461a04@vax1.umkc.edu)'s basically
sound posting:

> PC viruses primarily attack the partition tables and boot sectors of a
> disk.

I'm not sure what this "primarily" means.  There are in fact more
file-infectors than there are boot-infectors for PC-DOS.

>PC viruses trap interupts, perform their task and then (hopefully)
>call the original interrupt.  Thus pc viruses can only activiate on
>BIOS calls.

No.  The typical file-infecting virus traps INT 21 calls, which are
DOS, not BIOS, calls.  Boot-infectors do typically trap BIOS calls.
But of course a virus doesn't *have* to trap any calls at all; the
Vienna-648 virus, which was reasonably widespread at one time, was a
non-resident virus that didn't trap anything.

>4. A PC virus is typically only a few dozen bytes long.

The typical file infector is 1000 or so bytes long; a typical short
one is a few hundred bytes, a typical long one is a few thousand.
Boot infector lengths are similar.  I know of only one virus that's
really "a few dozen bytes" (45, I think it is), but it's very unusual.

DC