Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!swrinde!zaphod.mps.ohio-state.edu!ub!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics)
Newsgroups: comp.virus
Subject: Re: Is there a 1024 virus? (PC)
Message-ID: <0011.9106181359.AA17901@ubu.cert.sei.cmu.edu>
Date: 18 Jun 91 01:16:00 GMT
Sender: Virus Discussion List
Lines: 32
Approved: krvw@sei.cmu.edu

frisk@rhi.hi.is (Fridrik Skulason) writes:
> Arthur Buslik writes:
>>As Rob Slade suggests, one possibility is a virus. However, a much
>>more likely possibility is that the computers have extended bios
>>extended data areas.
> :
>>Moreover, INT 15H, AH=C1H will return the segment address
>>of the base of the extended bios area.
>
> Well, not always - I have a HP/Vectra, where the BIOS reserves a 4K
> area just below the 640K mark. However, INT 15H, AH=C1H is not
> implemented in the BIOS (I know - I traced through it), and INT 15H,
> AH=C0H will return the information that no Extended BIOS area is used.
> - -frisk

I have heard that often the port address of LPT4 (location 40E hex) contains
the segment address when a kilobyte or so is "stolen" for (e.g.) a mouse
driver. So that's another thing to look for. But it, and the int 15 test,
shouldn't be taken as definitive answers that a virus isn't there.

I suspect the answer is to: (a) go through each important interrupt (13, 21,
2F, etc), tracing to see if any use that area, and (b) look through the code
to see if there are interrupt calls, far calls to BIOS, disk port accesses,
signs of self-modifying code, etc. Alternatively, you could have some "known"
valid users of the area in a database and check that it is one of them there
(and nothing else). Wouldn't it be nice if someone compiled a list of software
and BIOSes that used the area? (any volunteers?)

Mark Aitchison, Physics, University of Canterbury, New Zealand.
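The check Mark describes, reading the word at 40:0E (the nominal LPT4 slot that later BIOSes reuse for the EBDA segment) and comparing it with the top of base memory, can be written down as a small accounting test. The following is an added illustration, not code from the original post or from any of the people quoted in it. It works on a constructed snapshot of the BIOS Data Area (linear 0x400 onward) rather than on a live machine, so it runs anywhere; the offsets 40:0E (EBDA segment) and 40:13 (base memory size in KB, the value INT 12h reports) are the standard IBM PC/AT layout, and the three sample snapshots are made up to show the three outcomes: nothing reserved, a reservation that the EBDA pointer explains, and a reservation nobody accounts for (the situation frisk describes, where the reserved area deserves the interrupt-tracing the post recommends).

```python
import struct

CONVENTIONAL_TOP_KB = 640  # conventional memory normally ends at the 640K mark

# Offsets inside the BIOS Data Area (segment 0x40, linear 0x400).
BDA_LPT4_EBDA_SEG = 0x0E   # 40:0E, LPT4 port address; reused as the EBDA segment
BDA_BASE_MEM_KB = 0x13     # 40:13, base memory size in KB (what INT 12h returns)


def make_bda(ebda_seg: int, base_kb: int) -> bytes:
    """Build a constructed 256-byte BDA snapshot with only the fields we examine set."""
    bda = bytearray(256)
    struct.pack_into("<H", bda, BDA_LPT4_EBDA_SEG, ebda_seg)
    struct.pack_into("<H", bda, BDA_BASE_MEM_KB, base_kb)
    return bytes(bda)


def parse_bda(bda: bytes) -> tuple[int, int]:
    """Return (segment word at 40:0E, base memory KB at 40:13) from a BDA snapshot."""
    if len(bda) < BDA_BASE_MEM_KB + 2:
        raise ValueError("snapshot too short to contain 40:13")
    ebda_seg = struct.unpack_from("<H", bda, BDA_LPT4_EBDA_SEG)[0]
    base_kb = struct.unpack_from("<H", bda, BDA_BASE_MEM_KB)[0]
    return ebda_seg, base_kb


def classify_reserved_area(ebda_seg: int, base_kb: int) -> tuple[str, int]:
    """Decide whether the memory 'missing' below 640K is accounted for.

    Returns (verdict, reserved_kb):
      "none"        - base memory reaches 640K, nothing is reserved
      "ebda"        - 40:0E points exactly at the top of base memory, so the
                      reserved block is an Extended BIOS Data Area
      "unexplained" - something is reserved but 40:0E does not claim it;
                      trace INT 13h/21h/2Fh handlers as the post suggests
    """
    reserved_kb = CONVENTIONAL_TOP_KB - base_kb
    if reserved_kb <= 0:
        return "none", 0
    # Segment * 16 is the linear address; it must equal the first byte above base memory.
    if ebda_seg * 16 == base_kb * 1024:
        return "ebda", reserved_kb
    return "unexplained", reserved_kb


def audit(bda: bytes) -> tuple[str, int]:
    """Convenience wrapper: parse a snapshot and classify it in one step."""
    return classify_reserved_area(*parse_bda(bda))


if __name__ == "__main__":
    # Constructed samples (not captured from real machines):
    samples = {
        "clean 640K machine": make_bda(0x0000, 640),
        "639K with EBDA at 9FC0h": make_bda(0x9FC0, 639),
        "636K, BIOS reserves 4K but 40:0E unset": make_bda(0x0000, 636),
    }
    for name, snapshot in samples.items():
        verdict, kb = audit(snapshot)
        print(f"{name}: {verdict} ({kb} KB reserved)")
```

A verdict of "unexplained" is only a prompt for closer examination, not proof of infection: as the post says, neither the 40:0E word nor the INT 15h test is a definitive answer, and a BIOS that quietly reserves memory without setting either will land in this bucket just as a resident virus would.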