Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!lll-winken!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: 74676.2537@CompuServe.COM (Arthur Buslik)
Newsgroups: comp.virus
Subject: Is there a 1024 virus? (PC)
Message-ID: <0010.9106131515.AA13504@ubu.cert.sei.cmu.edu>
Date: 12 Jun 91 23:30:42 GMT
Sender: Virus Discussion List
Lines: 59
Approved: krvw@sei.cmu.edu

Stan Orrell writes:

"Can anyone suggest an explanation of our observation on several
computers (various IBM pc types) of a result from chkdsk of 654336
bytes of total memory?"

As Rob Slade suggests, one possibility is a virus. However, a much
more likely possibility is that the computers have extended bios data
areas. (See, e.g. "The New Peter Norton Programmer's Guide to the IBM
PC & PS/2", 2nd edition, 1988, page 62.)

INT 15H, AH=C0H will return ES:BX as the segment:offset of a
configuration table. The fifth byte of this configuration table gives
configuration flags. Bit 2 of this byte is set if an extended Bios
data area is allocated. Moreover, INT 15H, AH=C1H will return the
segment address of the base of the extended bios area. The word at
0040:0013H is modified to reflect the reduced amount of memory
available to programs. This is what chkdsk returns as "bytes total
memory", and also what INT 12H returns in AX.

On my COMPAQ 386/20e at work, I obtain the following when I use DEBUG:

-a100
1AFA:0100 mov ah,c0
1AFA:0102 int 15
1AFA:0104
-g104

AX=0000 BX=E6F5 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000
DS=1AFA ES=F000 SS=1AFA CS=1AFA IP=0104 NV UP EI PL ZR NA PE NC
1AFA:0104 0000 ADD [BX+SI],AL DS:E6F5=6E
-df000:e6f5 l 9
F000:E6F0 08 00 FC-01 00 74 00 00 00 .....t...

The configuration flag byte is 74H=01110100B, and since bit 2 is set,
my machine has an extended bios data area allocated.

Moreover, using DEBUG again, this time for INT 15H, AH=C1H, I obtain:

-a100
1C6B:0100 mov ah,c1
1C6B:0102 int 15
1C6B:0104
-g104

AX=C100 BX=0000 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000
DS=1C6B ES=9FC0 SS=1C6B CS=1C6B IP=0104 NV UP DI NG NZ AC PO NC
1C6B:0104 7205 JB 010B
-d9fc0:0
9FC0:0000 01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

etc., all following bytes being zero.

My machine has 1Kb of memory reserved, at the top of memory for an
extended bios data area. The first byte gives the number of Kb of
memory reserved. On my machine all the other bytes are zero, whenever
I look at them with DEBUG. (I don't know what they are when I don't
look at them.)

For what it is worth, the machines at work which have the extended
bios data area implemented, and for which chkdsk returns 639K total
memory, all have a socket in the back for a bus mouse.

Art Buslik
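
Added example, not part of Art Buslik's post: a cross-check of the values from the two DEBUG sessions that decides whether a reduced chkdsk total is fully accounted for by an extended BIOS data area or still leaves memory unexplained and worth a closer look. The function name, the verdict strings and the 640 KB installed-memory default are assumptions of this example; the flag byte is read at the position where 74H appears in the dump above.

```python
# Values taken from the DEBUG output and the chkdsk figure quoted in the post.
CONFIG_TABLE = bytes.fromhex("0800fc010074000000")  # 9 bytes at F000:E6F5
EBDA_SEGMENT = 0x9FC0      # ES after INT 15H, AH=C1H
EBDA_SIZE_KB = 0x01        # first byte at 9FC0:0000
CHKDSK_TOTAL = 654336      # "bytes total memory"

EBDA_FLAG = 0x04           # bit 2 of the configuration flag byte
FLAG_OFFSET = 5            # position of the 74H byte in the dump


def explain_base_memory(total_bytes, config_table, ebda_segment,
                        ebda_kb, installed_kb=640):
    """Return (verdict, detail) for a reported base-memory total.

    installed_kb is an assumption: the conventional memory fitted.
    """
    if total_bytes % 1024:
        return "inconsistent", "total is not a whole number of KB"
    missing_kb = installed_kb - total_bytes // 1024
    if missing_kb == 0:
        return "nothing-missing", "full conventional memory reported"
    if missing_kb < 0:
        return "inconsistent", "total exceeds installed memory"
    if not config_table[FLAG_OFFSET] & EBDA_FLAG:
        return "unexplained", f"{missing_kb} KB missing, EBDA flag clear"
    # The EBDA must start exactly where the reported memory ends ...
    if ebda_segment * 16 != total_bytes:
        return "unexplained", "reported memory does not end at the EBDA"
    # ... and its own size byte must cover everything that is missing.
    if ebda_kb != missing_kb:
        return "unexplained", f"EBDA covers {ebda_kb} of {missing_kb} KB"
    return "ebda", f"{missing_kb} KB reserved at segment {ebda_segment:04X}"


if __name__ == "__main__":
    print(explain_base_memory(CHKDSK_TOTAL, CONFIG_TABLE,
                              EBDA_SEGMENT, EBDA_SIZE_KB))
    # Constructed case: one more KB gone below the same EBDA.
    print(explain_base_memory(CHKDSK_TOTAL - 1024, CONFIG_TABLE,
                              EBDA_SEGMENT, EBDA_SIZE_KB))
```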