Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: re: Is there a 1024 virus? (PC)
Message-ID: <0002.9106171414.AA16331@ubu.cert.sei.cmu.edu>
Date: 13 Jun 91 16:52:56 GMT
Sender: Virus Discussion List
Lines: 29
Approved: krvw@sei.cmu.edu

>From: Arthur Buslik <74676.2537@CompuServe.COM>
>
>As Rob Slade suggests, one possibility is a virus. However, a much
>more likely possibility is that the computers have extended bios
>extended data areas.

This is certainly a viable alternative. However, if running DOS 4.0 or
later, CHKDSK will "normally" detect this and return "655360" anyway.

A few years ago, when we received our first Compaq 386-20e in, we
discovered the same thing: 1k missing from the TOM & DEBUG revealed it
to be essentially zero-filled (obviously not executable). After much
prodding, Compaq told us that it was a buffer area for the mouse driver
and that there is a jumper on the motherboard that can be moved to
restore the missing 1k.

Whenever a new machine comes in, it is a good idea to take some
baseline data for later reference. For me, any time Int 12 is lowered,
I check the memory area in question. If executable code is found,
unless known, a look is taken at other system integrity areas for a
reason. If nulled or obviously data, the manufacturer is called for an
explanation (often a frustrating & time consuming experience).

Padgett

Somewhere West of Orlando
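
The check the post describes (when Int 12 is lowered, look at the memory area in question and compare against the baseline), sketched as an added example that is not part of the original post. It assumes a dump of the first 640 KB of memory is available as bytes; the two BIOS data area offsets are the standard ones, while the function names, the 0.95 zero-fill threshold, the verdict labels and the sample images are hypothetical or constructed.

```python
import struct

BDA_BASE_MEM_KB = 0x413     # word at 0040:0013, the value INT 12h returns (KB)
BDA_EBDA_SEGMENT = 0x40E    # word at 0040:000E, EBDA segment where the BIOS sets one
ZERO_FILL_THRESHOLD = 0.95  # assumption: at or above this, treat the gap as data

def triage_top_of_memory(image, expected_kb=640, baseline_kb=None):
    """Classify the gap between the INT 12h value and installed base memory.

    image is a dump of the first expected_kb KB of physical memory.
    baseline_kb is the INT 12h value recorded when the machine arrived.
    """
    if len(image) < expected_kb * 1024:
        raise ValueError("image shorter than expected base memory")
    reported_kb = struct.unpack_from("<H", image, BDA_BASE_MEM_KB)[0]
    result = {"reported_kb": reported_kb,
              "missing_kb": max(expected_kb - reported_kb, 0)}
    if reported_kb >= expected_kb:
        result["verdict"] = "not-lowered"
        return result
    start = reported_kb * 1024
    gap = image[start:expected_kb * 1024]
    ebda_seg = struct.unpack_from("<H", image, BDA_EBDA_SEGMENT)[0]
    result["zero_ratio"] = gap.count(0) / len(gap)
    result["ebda_at_gap"] = ebda_seg * 16 == start  # gap starts at the EBDA pointer
    if baseline_kb is not None and reported_kb == baseline_kb:
        result["verdict"] = "matches-baseline"
    elif result["zero_ratio"] >= ZERO_FILL_THRESHOLD:
        result["verdict"] = "data-like"   # nulled or data: ask the manufacturer
    else:
        result["verdict"] = "inspect"     # not data-like: check other integrity areas
    return result

def make_image(reported_kb, fill=b"\x00", ebda_seg=0):
    """Constructed sample: 640 KB of zeros with the two BDA words set."""
    img = bytearray(640 * 1024)
    struct.pack_into("<H", img, BDA_BASE_MEM_KB, reported_kb)
    struct.pack_into("<H", img, BDA_EBDA_SEGMENT, ebda_seg)
    start = reported_kb * 1024
    n = 640 * 1024 - start
    img[start:] = (fill * n)[:n]  # fill the region above the reported top of memory
    return bytes(img)

if __name__ == "__main__":
    for kb, fill in [(640, b"\x00"), (639, b"\x00"), (638, bytes(range(1, 256)))]:
        print(kb, triage_top_of_memory(make_image(kb, fill)))
```
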