Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!mips!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics)
Newsgroups: comp.virus
Subject: Re: My final comments on the six-byte method (PC)
Message-ID: <0001.9104101917.AA00785@ubu.cert.sei.cmu.edu>
Date: 10 Apr 91 01:04:00 GMT
Sender: Virus Discussion List
Lines: 46
Approved: krvw@sei.cmu.edu

A few thoughts...

(1) It would be best to check a few key interrupt vectors (via their low memory locations, not via DOS), as well as the memory size, since either a virus may be living in video RAM (and some key vector would point there), or in an unused area of the vector table (etc); again the check would help spot a virus freshly resident.

(2) The mention of direct calls to BIOS by viruses... A friend of mine has a method (well, two really, one for diskettes and one for hard disks) that should prevent this, but we can't test it with many real viruses - any volunteers?

(3) Does any virus take interrupts by not changing the vector but by changing the first few bytes of the present routine to be a far jump to the virus? If so, my comments in (1) need the addition of checking the first few bytes.

(4) I really prefer blocking viruses before they get a chance to run, but spotting them very soon after they load is at least better than scanning disk every few days or weeks.

(5) I had hoped that the checksum in the header of .EXE files would help spot viruses, but few programs have a valid checksum. Can anyone tell me whether, if I go to the effort of correcting the checksum in all my programs, any virus will be smart enough to rewrite a corrected checksum?

Personally, I think that ultimately boot sector viruses will disappear, since the odds are in favour of the anti-virus people, assuming users do sensible things. That doesn't involve inconveniences to operations, or changes to DOS or BIOS (although the latter would be very nice). However, IMHO, non-boot sector viruses will probably eventually win over the best efforts of anti-virus software coupled with the present generation of BIOSes and DOS (even DRDOS), and that will hurt "serious" users of the PC, like businesses and universities. The answer is going to have to mean radical changes to BIOS, DOS and MSWINDOWS (which, for a new product, makes a lot of stupid mistakes, it seems). In the short term, a slight change to BIOS, and not much more than DRDOS's password protection system, should suffice.

By the way, I keep asking: has anyone found a virus that gets past DRDOS 5.0's password protection system yet? Has anyone else tried? (I haven't got a lot of viruses to test.)

Mark Aitchison, University of Canterbury, New Zealand.
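[Editor's added example, not part of the post above and not the poster's or his friend's method.] Points (1) and (3) describe a check that reads the interrupt vectors straight out of low memory, compares their targets against the BIOS-reported memory size, and also looks at the first bytes of the handler for a far jump. The code below runs that heuristic over a one-megabyte memory image. Everything in it is my assumption rather than the post's: the reported conventional memory size is the word at 0040:0013h (linear 413h) in KB, the machine normally has 640 KB, A0000h-BFFFFh is video RAM, and anything from C0000h up is ROM or adapter space and left alone. The two snapshots are constructed in the block; the "ROM" and "DOS" addresses in them are made up for the demonstration.

```python
# Added example: audit interrupt vectors in an image of the first megabyte.
# Assumptions (mine, not the post's): memory size word at linear 0x413 in KB,
# 640 KB is normal, A0000h-BFFFFh is video RAM, >= C0000h is ROM/adapter space.
import struct

IVT_END = 0x400            # the vector table itself occupies 0000:0000-0000:03FF
VIDEO_LO, VIDEO_HI = 0xA0000, 0xC0000
BDA_MEMSIZE = 0x413        # BIOS data area: conventional memory size in KB
NORMAL_KB = 640


def linear(seg, off):
    """Real-mode segment:offset to a 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def read_vector(mem, intno):
    """Read vector `intno` directly from the table (offset word, then segment word)."""
    off, seg = struct.unpack_from("<HH", mem, intno * 4)
    return seg, off


def reported_kb(mem):
    return struct.unpack_from("<H", mem, BDA_MEMSIZE)[0]


def placement_problem(addr, conv_kb):
    """Return why a handler at linear `addr` looks wrong, or None if it looks fine."""
    if addr < IVT_END:
        return "inside the interrupt vector table"
    if conv_kb * 1024 <= addr < VIDEO_LO:
        return "above the top of conventional memory (%d KB reported)" % conv_kb
    if VIDEO_LO <= addr < VIDEO_HI:
        return "in video RAM"
    return None


def far_jump_target(mem, addr):
    """If the code at `addr` starts with JMP FAR ptr16:16 (opcode EAh), return its target."""
    if mem[addr] != 0xEA:
        return None
    off, seg = struct.unpack_from("<HH", mem, addr + 1)
    return linear(seg, off)


def audit(mem, intnos):
    """List (interrupt number or None, message) for everything that looks suspicious."""
    findings = []
    conv_kb = reported_kb(mem)
    if conv_kb != NORMAL_KB:
        findings.append((None, "BIOS reports %d KB, expected %d" % (conv_kb, NORMAL_KB)))
    for n in intnos:
        seg, off = read_vector(mem, n)
        addr = linear(seg, off)
        why = placement_problem(addr, conv_kb)
        if why:
            findings.append((n, "vector -> %04X:%04X %s" % (seg, off, why)))
            continue
        # Vector looks fine: now check whether the handler's prologue was patched
        # into a far jump whose target fails the same placement test (point 3).
        target = far_jump_target(mem, addr)
        if target is not None:
            why = placement_problem(target, conv_kb)
            if why:
                findings.append((n, "handler at %04X:%04X starts with JMP FAR to %05X %s"
                                 % (seg, off, target, why)))
    return findings


def set_vector(mem, intno, seg, off):
    struct.pack_into("<HH", mem, intno * 4, off, seg)


def build_snapshot(infected=False):
    """Constructed memory image; addresses are invented for the demonstration."""
    mem = bytearray(0x100000)
    struct.pack_into("<H", mem, BDA_MEMSIZE, NORMAL_KB)
    set_vector(mem, 0x08, 0xF000, 0xFEA5)      # "ROM BIOS" timer handler (constructed)
    set_vector(mem, 0x09, 0xF000, 0xE987)      # "ROM BIOS" keyboard handler (constructed)
    set_vector(mem, 0x13, 0xF000, 0xEC59)      # "ROM BIOS" disk handler (constructed)
    set_vector(mem, 0x21, 0x0116, 0x10F0)      # "DOS" entry, low in memory (constructed)
    dos21 = linear(0x0116, 0x10F0)
    mem[dos21:dos21 + 3] = b"\xFC\x80\xFC"     # ordinary prologue: CLD / CMP AH,... (constructed)
    if infected:
        struct.pack_into("<H", mem, BDA_MEMSIZE, NORMAL_KB - 1)   # 1 KB "stolen" off the top
        set_vector(mem, 0x13, 0x9FC0, 0x0000)  # INT 13h now enters the stolen block
        set_vector(mem, 0x09, 0xB800, 0x0100)  # INT 09h now enters video RAM
        # INT 21h vector untouched; its first five bytes became JMP FAR 9FC0:0000
        mem[dos21:dos21 + 5] = b"\xEA\x00\x00\xC0\x9F"
    return mem


if __name__ == "__main__":
    for n, msg in audit(build_snapshot(infected=True), [0x08, 0x09, 0x13, 0x21]):
        print(("INT %02Xh:" % n) if n is not None else "memory:", msg)
```

The far-jump check is deliberately conditional: a handler entry that begins with a far jump is flagged only when the jump lands somewhere the vector itself would have been flagged, which keeps ordinary jump tables and trampolines out of the report. On a real machine the image would be the first megabyte read directly, which is the whole point of (1): the vector table is read at 0000:0000, not asked for through DOS.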
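[Editor's added example for point (5), not part of the post above.] This verifies and recomputes the checksum word of an MZ (.EXE) header. The convention assumed here is my assumption, not something the post states: the field at offset 12h is the one's complement of the sum of all the other 16-bit words in the image, so that every word in the image, the checksum included, sums to FFFFh modulo 10000h; the image length comes from e_cp/e_cblp, a trailing odd byte is summed as a word with a zero high byte, and DOS itself never checks the field when loading. The 36-byte program in the block is constructed for the demonstration. The last function, `append_code`, models a file infector that appends to the image and updates the page count so the loader sees the new bytes.

```python
# Added example: MZ (.EXE) header checksum check and correction.
# Assumption (mine): sum of all 16-bit words over the image length == 0xFFFF.
import struct

MZ_HEADER = "<2s13H"   # e_magic followed by 13 words: 28 bytes
CSUM_OFFSET = 0x12     # e_csum


def image_length(data):
    """Load-image length from e_cp (512-byte pages) and e_cblp (bytes in last page)."""
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    if e_cblp == 0:
        return e_cp * 512
    return (e_cp - 1) * 512 + e_cblp


def summed_length(data):
    # A header that claims more than the file holds is itself suspicious;
    # clamp so a short file is still summed rather than raising IndexError.
    return min(image_length(data), len(data))


def word_sum(data, length):
    """16-bit sum of little-endian words; a trailing odd byte counts as a word."""
    total = 0
    for i in range(0, length - 1, 2):
        total += data[i] | (data[i + 1] << 8)
    if length % 2:
        total += data[length - 1]
    return total & 0xFFFF


def stored_checksum(data):
    return struct.unpack_from("<H", data, CSUM_OFFSET)[0]


def checksum_ok(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    return word_sum(data, summed_length(data)) == 0xFFFF


def corrected_checksum(data):
    """The value e_csum must hold for the whole image to sum to FFFFh."""
    scratch = bytearray(data)
    struct.pack_into("<H", scratch, CSUM_OFFSET, 0)
    partial = word_sum(scratch, summed_length(scratch))
    return (0xFFFF - partial) & 0xFFFF


def with_checksum(data):
    out = bytearray(data)
    struct.pack_into("<H", out, CSUM_OFFSET, corrected_checksum(data))
    return bytes(out)


def sample_exe():
    """Constructed 36-byte program: 32-byte header, then MOV AH,4Ch / INT 21h."""
    header = struct.pack(MZ_HEADER, b"MZ",
                         36,          # e_cblp: bytes used in the last page
                         1,           # e_cp: number of 512-byte pages
                         0,           # e_crlc: relocation entries
                         2,           # e_cparhdr: header size in paragraphs (32 bytes)
                         0, 0xFFFF,   # e_minalloc, e_maxalloc
                         0, 0x100,    # e_ss, e_sp
                         0,           # e_csum: left at zero, as the post says most programs are
                         0, 0,        # e_ip, e_cs
                         0x1C,        # e_lfarlc: relocation table offset
                         0)           # e_ovno
    return header + b"\0" * 4 + b"\xB4\x4C\xCD\x21"


def append_code(data, code):
    """Append bytes and bump e_cp/e_cblp the way an appending file infector must."""
    out = bytearray(data) + code
    n = len(out)
    struct.pack_into("<HH", out, 2, n % 512, (n + 511) // 512)
    return bytes(out)


if __name__ == "__main__":
    exe = sample_exe()
    print("as linked:", checksum_ok(exe), "e_csum=%04X" % stored_checksum(exe))
    fixed = with_checksum(exe)
    print("corrected:", checksum_ok(fixed), "e_csum=%04X" % stored_checksum(fixed))
    grown = append_code(fixed, b"\x90\x90")
    print("after append:", checksum_ok(grown), "-> recomputed:", checksum_ok(with_checksum(grown)))
```

The last two lines of the usage answer the post's question about the cost of the counter-move: recomputing the field after modifying the file is the same handful of instructions for anyone who can already write the file, so a corrected checksum only catches code that does not bother. It does, however, make a modified file stand out when checked against a copy whose checksum was known to be valid, which is what the post is after.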