Path: utzoo!mnetor!uunet!husc6!mit-eddie!uw-beaver!tektronix!dadla!amadeus!jamesa
From: jamesa@amadeus.TEK.COM (James Akiyama)
Newsgroups: comp.sys.ibm.pc
Subject: Re: An observation...
Message-ID: <989@amadeus.TEK.COM>
Date: 5 Feb 88 21:53:51 GMT
References: <17790@topaz.rutgers.edu>
Organization: Tektronix Inc., Beaverton, Or.
Lines: 56
Keywords: burnout, fansi, trojan, virus

Jonathan Joshua asks whether it is possible to damage hardware thru a software "Trojan". First I was hesitant to reply since this information may actually cause more Trojans to appear. But I also feel it is important that others know so they can be aware of the dangers and threats posed by "Trojan Horses" and "Viruses".

It is possible to damage certain IBM PC hardware configurations thru software. The original IBM monochrome monitor (not sure about current ones) depended entirely on the monochrome (or compatible) card to provide the sync signals. Although the monitor did blank if a sync signal was missing (to prevent damage if the monitor cable became disconnected) it did not detect an improper sync frequency. Incorrect frequencies would cause part of the sync circuitry inside the monitor to overheat.

This was common with older "screen save utilities" since these utilities re-program the video controller chip (6845). Note that IBM and others (e.g. Hercules, etc) recommend that software which re-programs the 6845 controller chip NOT RELY ON PREVIOUS STATES OF THE 6845 REGISTERS and highly recommends RE-PROGRAMMING ALL OF THE REGISTERS. This is to prevent damage to certain monitors. Also it is imperative that when you do re-program the video controller, you know exactly what you're doing.

Note that several "clone" monitors do incorporate better sync circuitries which prevent this from happening. Also, I do not believe this is a problem with the CGA, EGA, or VGA monitors.

Note that this is not intended to be a flame at IBM--they made a cost-conscious decision when designing the monitor and probably did not intend others to bypass BIOS calls or to provide alternate monitor adapter cards (e.g. Hercules). Remember that this monitor/card combination was designed when IBM was not even sure how well the PC would do--their competition being the Apple II and CPM based systems.

This problem (as well as direct writes to the WD1010 fixed disk controller registers) is why many so-called "Anti-Trojan Horse" programs fail. The only sure way to prevent such attacks is to provide physical hardware to prevent direct access to these ports. Note that such hardware would probably prevent many commercial software packages from working (those which write directly to hardware).

Another method (which is not quite as secure) is to implement "pseudo-registers" in the 80286 (80386) "protected-mode". Basically, one would protect the I/O registers, which would cause an exception trap when any software attempted direct I/O access. The operating system would then examine the access and restart the program if the access was deemed unharmful. Note that this would be a major software undertaking since you would have to write a protected version of the BIOS, implement the "pseudo-register" code, and handle the peculiarities of the 80286 (80386) protected-mode.

To prevent damage to your monitor, one could probably build a small circuit which connects inline with the monitor cable to the adapter card. This circuit would then limit the sync frequency to the limits acceptable to the particular monitor (different for IBM's monochrome, CGA, EGA, and VGA monitors).

Hope this helps.

James E. Akiyama
Tektronix, Inc.
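
The "pseudo-register" idea in the post above, sketched as an added example that is not part of the original post: the decision a trap handler would make for each trapped write to the 6845 ports. The allow-list values, the 3B4h/3B5h port pair and all type and function names are assumptions of this sketch; the trap mechanism itself is not shown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CRTC_INDEX 0x3B4u /* assumed: 6845 index port on the monochrome card */
#define CRTC_DATA  0x3B5u /* assumed: 6845 data port */

/* Assumed allow-list: R0-R9 (sync/timing) for standard 80x25 monochrome text.
   Check against the adapter's technical reference before relying on it. */
static const uint8_t safe_timing[10] =
    {0x61, 0x50, 0x52, 0x0F, 0x19, 0x06, 0x19, 0x19, 0x02, 0x0D};

struct io_write { uint16_t port; uint8_t val; }; /* one trapped OUT */
struct crtc_shadow { uint8_t index; };           /* register last selected */

/* Decide whether a trapped write may be forwarded to the real hardware. */
bool crtc_allow(struct crtc_shadow *s, struct io_write w)
{
    if (w.port == CRTC_INDEX) {        /* selecting a register is harmless */
        s->index = w.val & 0x1F;
        return true;
    }
    if (w.port != CRTC_DATA || s->index > 15)
        return false;                  /* unknown port or read-only register */
    if (s->index < 10)                 /* timing registers: exact match only */
        return w.val == safe_timing[s->index];
    return true;                       /* R10-R15: cursor and start address */
}

/* Replay a trace of trapped writes; return how many were refused. */
size_t crtc_count_denied(const struct io_write *trace, size_t n)
{
    struct crtc_shadow s = {0};
    size_t denied = 0;
    for (size_t i = 0; i < n; i++)
        if (!crtc_allow(&s, trace[i]))
            denied++;
    return denied;
}

int main(void)
{
    /* Constructed trace: select R0, write an off-list value, move the cursor. */
    const struct io_write trace[] = {
        {CRTC_INDEX, 0}, {CRTC_DATA, 0x60}, {CRTC_INDEX, 14}, {CRTC_DATA, 0x01}};
    printf("denied %zu of 4 writes\n", crtc_count_denied(trace, 4));
    return 0;
}
```

Because timing registers accept only the exact allow-listed value, a program that re-programs all of them for the standard mode passes, while any partial or altered timing write is refused before it reaches the monitor.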