VIRUS-L Digest Wednesday, 21 Dec 1988 Volume 1 : Issue 55 Today's Topics: Warm vs. Cold boots Re: software override of write protect tabs? Vendor Viruses Re: dangers of distributing software (PC & General) Re: Can virus be placed on blank formatted disk? (PC) --------------------------------------------------------------------------- Date: Tue, 20 Dec 88 19:24 EST From: Subject: Warm vs. Cold boots >From: "Michael J. Steiner " >Subject: Cold boot vs. warm boot... (PC) > >How can a virus stay "effective" after a warm boot? Aren't both kinds of >boots the same? (Evidently, there must be differences; what are they?) > Michael Steiner > Email: U23405@UICVM.BITNET Warm boots and cold boots differ in the amount of memory they clear when they are executed. A cold boot is considered to be when the machine's power is cut, and then turned back on be it by flipping the switch, pulling the plug or whatever other metaphor/method you want to toss in here. A warm boot is simply a reset which can be done by issuing a system command, pressing an interrupt/ reset switch or whatever. The point is that with a warm boot, the system still has power, so some areas of memory can retain data, even though much of it is cleared. Thus, it is conceivable that a virus could survive a warm boot if it was off in a secluded/ non-general area of memory. Usually when a warm boot occurs, the only thing that is cleared is main memory and lots of pointers and tables are reset. Special caches, ram-disks, clock/calendar memory, all normally retain their contents prior to the warm boot. - ------------------ Steve Okay ACS045@GMUVAX.BITNET/acs045@gmuvax2.gmu.edu/CSR032 on The Source "Chipmunks roasting over an open fire, Jack Frost ripping up your nose..." ------------------------------ Date: Tue, 20 Dec 88 21:39:05 CST From: Subject: Re: software override of write protect tabs? In my IBM tech reference, in the section for the diskette drive: "If the diskette is write-protected, a write protect sensor disables the drive's circuitry, and an appropriate signal is sent to the interface (diskette controller)." Also: "The write protect sensor disables the diskette drive's electronics whenever a write protect tab is applied to the diskette." In the section on the diskette adapter: "Write Enable line (from the adapter to the drive): The drive disables write current in the head unless this line is active." In the schematics in back, the diagram for the diskette drive has the Write Protect sensor (on the drive) and the Write Enable line (from the controller) wired in such a way that WP must be false and WE must be true in order for a logic 0 to be applied to a pin of some mystery IC. I'm not an electronics expert, but it seems likely to me that the drive won't let the controller override the WP switch. If this is true, then there's no way for software to override it either. Rich ------------------------------ Date: Tue, 20 Dec 88 23:59 EST From: WHMurray@DOCKMASTER.ARPA Subject: Vendor Viruses > two issues back in pc magazine, john dvorak wrote an article >pertaining to the issue of software manufacturers imbedding viruses >in their applications. > he stated that many companies are doing this to sort of 'do away >with the competition'. the virus writes itself to the boot disk and >when booted up searches for the competition. if found, it does some >damage. [Hypothetical omitted.] > i hope that software (as well as hardware) manufactureres do not >continue implenting viruses to monopolize the market. heaven knows we small > at users will have to program our own applications! > swifty LeBard OO--=+ It is Mr. Dvorak's style to be provocative. In the interest of that style he often crosses the line between reporting and speculating. I am not aware of any evidence that this assertion of his is any more substantial than any of his others. While we do not seem to have discovered any sanctions to discourage the rude, disorderly, impolite, and irresponsible behavior of the non-professionals in our midst, you can be sure that the market would mete prompt and effective sanctions against vendors behaving in such a manner. There are a few anecdotes in other markets of firms that tried to trash the reputations of their competitors. Most of these backfired, but none are recorded to have been successful. There is no reason to believe that this market is any different. Only users have a greater interest in an orderly marketplace than do vendors. Vendors seem to have a better idea of where their real interests rest. You need not hope idly for the end of a practice for which the only evidence of its existence is sensational assertion. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: Wed, 21 Dec 88 06:26:59 EST From: "Homer W. Smith" Subject: Re: dangers of distributing software (PC & General) > 1) Disks containing only source code are *not* absolutely safe, but >they would be much safer, in my opinion, if carefully examined. There >is nothing to prevent a virus or some such thing from writing hidden >files or storing things in "bad" sectors where the average person >doing a DIR wouldn't see them. Furthermore, a virus could write the >essential part of itself onto the boot sector (like brain does) and >wait for someone to boot their system with the disk in place, at which >time it could become active. This assumes the disk is bootable? I am sending out disks with NOTHING on them but copied ascii files using the dos copy command. They are formated with the format command and then copied. No system. What dangers remain? Homer ------------------------------ Date: Wed, 21 Dec 88 06:44:57 EST From: "Homer W. Smith" Subject: Re: Can virus be placed on blank formatted disk? (PC) >From: Joe Simpson >Subject: MS-DOS and write protected diskettes > >1. Media susceptible to virus attack. > Formatted MS-DOS diskettes with or without an operating system > have a boot block. Some viruses, including Brain, can subvert > this boot block and use it as a vector for infection. Some > viruses also can survive a warm boot. Thus it is quite possible > for a disk containing only Fortran source code to be infected. > This can happen while DOS as we know it is active, or after an > attempt to warm boot the diskette on an infected computer. Still not clear on this. If I put a fresh floppy in the A drive and format it, can the virus be laid down on the floppy at this time? If I then copy files from the C drive, can the virus be laid down at this time? If I attempt to warm boot the machine with the empty floppy in place, this results in a failure to boot of course, but can the virus be laid down at this time? Let's say the floopy gets infected. How can it then infect another machine? During a warm or cold boot with the floppy in place (causing boot failure)? If the floppy is infected must it have bad sectors? Won't checkdsk find this out? If the disk has no bad sectors, does this mean the floppy is clean of all or just certain viruses? The implication in a past posting is that some brain viruses will cause debug to not execute properly d0:0. Is this the boot sector? And is this correct about brain? Homer ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253