|
Virus- L Digest, Vol 1, Issue 55
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
From: Kenneth R. van Wyk (The Moderator) <[email protected]>
Errors-To: [email protected]
To: [email protected]
BCC: [email protected]
Subject: VIRUS-L Digest V1 #55
Reply-to: [email protected]
--text follows this line--
VIRUS-L Digest Wednesday, 21 Dec 1988 Volume 1 : Issue 55
Today's Topics:
Warm vs. Cold boots
Re: software override of write protect tabs?
Vendor Viruses
Re: dangers of distributing software (PC & General)
Re: Can virus be placed on blank formatted disk? (PC)
---------------------------------------------------------------------------
Date: Tue, 20 Dec 88 19:24 EST
From: <[email protected]>
Subject: Warm vs. Cold boots
>From: "Michael J. Steiner " <[email protected]>
>Subject: Cold boot vs. warm boot... (PC)
>
>How can a virus stay "effective" after a warm boot? Aren't both kinds of
>boots the same? (Evidently, there must be differences; what are they?)
> Michael Steiner
> Email: [email protected]
Warm boots and cold boots differ in the amount of memory they clear
when they are executed. A cold boot is considered to be when the
machine's power is cut, and then turned back on be it by flipping the
switch, pulling the plug or whatever other metaphor/method you want to
toss in here. A warm boot is simply a reset which can be done by
issuing a system command, pressing an interrupt/ reset switch or
whatever.
The point is that with a warm boot, the system still has power, so
some areas of memory can retain data, even though much of it is
cleared. Thus, it is conceivable that a virus could survive a warm
boot if it was off in a secluded/ non-general area of memory. Usually
when a warm boot occurs, the only thing that is cleared is main memory
and lots of pointers and tables are reset. Special caches, ram-disks,
clock/calendar memory, all normally retain their contents prior to the
warm boot.
- ------------------
Steve Okay [email protected]/[email protected]/CSR032 on The Source
"Chipmunks roasting over an open fire,
Jack Frost ripping up your nose..."
------------------------------
Date: Tue, 20 Dec 88 21:39:05 CST
From: <[email protected]>
Subject: Re: software override of write protect tabs?
In my IBM tech reference, in the section for the diskette drive: "If
the diskette is write-protected, a write protect sensor disables the
drive's circuitry, and an appropriate signal is sent to the interface
(diskette controller)."
Also:
"The write protect sensor disables the diskette drive's electronics
whenever a write protect tab is applied to the diskette."
In the section on the diskette adapter:
"Write Enable line (from the adapter to the drive): The drive disables
write current in the head unless this line is active."
In the schematics in back, the diagram for the diskette drive has the
Write Protect sensor (on the drive) and the Write Enable line (from
the controller) wired in such a way that WP must be false and WE must
be true in order for a logic 0 to be applied to a pin of some mystery
IC. I'm not an electronics expert, but it seems likely to me that the
drive won't let the controller override the WP switch. If this is
true, then there's no way for software to override it either.
Rich
------------------------------
Date: Tue, 20 Dec 88 23:59 EST
From: [email protected]
Subject: Vendor Viruses
> two issues back in pc magazine, john dvorak wrote an article
>pertaining to the issue of software manufacturers imbedding viruses
>in their applications.
> he stated that many companies are doing this to sort of 'do away
>with the competition'. the virus writes itself to the boot disk and
>when booted up searches for the competition. if found, it does some
>damage.
[Hypothetical omitted.]
> i hope that software (as well as hardware) manufactureres do not
>continue implenting viruses to monopolize the market. heaven knows we small
> at users will have to program our own applications!
> swifty LeBard OO--=+
It is Mr. Dvorak's style to be provocative. In the interest of that
style he often crosses the line between reporting and speculating. I
am not aware of any evidence that this assertion of his is any more
substantial than any of his others. While we do not seem to have
discovered any sanctions to discourage the rude, disorderly, impolite,
and irresponsible behavior of the non-professionals in our midst, you
can be sure that the market would mete prompt and effective sanctions
against vendors behaving in such a manner.
There are a few anecdotes in other markets of firms that tried to
trash the reputations of their competitors. Most of these backfired,
but none are recorded to have been successful. There is no reason to
believe that this market is any different.
Only users have a greater interest in an orderly marketplace than do
vendors. Vendors seem to have a better idea of where their real
interests rest.
You need not hope idly for the end of a practice for which the only
evidence of its existence is sensational assertion.
William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
------------------------------
Date: Wed, 21 Dec 88 06:26:59 EST
From: "Homer W. Smith" <[email protected]>
Subject: Re: dangers of distributing software (PC & General)
> 1) Disks containing only source code are *not* absolutely safe, but
>they would be much safer, in my opinion, if carefully examined. There
>is nothing to prevent a virus or some such thing from writing hidden
>files or storing things in "bad" sectors where the average person
>doing a DIR wouldn't see them. Furthermore, a virus could write the
>essential part of itself onto the boot sector (like brain does) and
>wait for someone to boot their system with the disk in place, at which
>time it could become active.
This assumes the disk is bootable? I am sending out disks
with NOTHING on them but copied ascii files using the dos copy
command. They are formated with the format command and then
copied. No system. What dangers remain?
Homer
------------------------------
Date: Wed, 21 Dec 88 06:44:57 EST
From: "Homer W. Smith" <CTM%[email protected]>
Subject: Re: Can virus be placed on blank formatted disk? (PC)
>From: Joe Simpson <[email protected]>
>Subject: MS-DOS and write protected diskettes
>
>1. Media susceptible to virus attack.
> Formatted MS-DOS diskettes with or without an operating system
> have a boot block. Some viruses, including Brain, can subvert
> this boot block and use it as a vector for infection. Some
> viruses also can survive a warm boot. Thus it is quite possible
> for a disk containing only Fortran source code to be infected.
> This can happen while DOS as we know it is active, or after an
> attempt to warm boot the diskette on an infected computer.
Still not clear on this. If I put a fresh floppy in the A drive
and format it, can the virus be laid down on the floppy at this time?
If I then copy files from the C drive, can the virus be laid down at
this time?
If I attempt to warm boot the machine with the empty floppy in
place, this results in a failure to boot of course, but can the virus
be laid down at this time?
Let's say the floopy gets infected. How can it then infect
another machine? During a warm or cold boot with the floppy in
place (causing boot failure)?
If the floppy is infected must it have bad sectors? Won't
checkdsk find this out? If the disk has no bad sectors, does this
mean the floppy is clean of all or just certain viruses?
The implication in a past posting is that some brain viruses
will cause debug to not execute properly d0:0. Is this the boot
sector? And is this correct about brain?
Homer
------------------------------
End of VIRUS-L Digest
*********************
|
|
