Path: sparky!uunet!think.com!yale.edu!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: Re: Invalid Boot Sectors (PC)
Message-ID: <0005.9301071651.AA16031@barnabas.cert.org>
Date: 5 Jan 93 22:58:25 GMT
Sender: virus-l@lehigh.edu
Lines: 51
Approved: news@netnews.cc.lehigh.edu

>From: "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>

>I recently wrote

>>In a recent comment on a query by MOPURC01@ULKYVM.LOUISVILLE.EDU
>>(Michael Purcell) about a virus which allegedly made disks
>>unreadable I wrote.

>>> If you put the wrong byte in the wrong place you can get the
>>> symptoms described. ...

>It appears the original message got lost, but the gist was that,
>IN THEORY, it is possible to write a BS virus which is invisible
>on an infected PC, but impossible to detect on an uninfected PC
>with any existing scanner because DOS will crash if any attempt is
>made to access an infected disk.

This is something that experimentation has been done on. What I have
found is that:

a) If the Partition table is missing certain DOS signature bytes, DOS
will refuse to recognise the disk (but a floppy boot will still work).

b) If certain bytes in an otherwise good P-Table have certain wrong values
a floppy boot may hang (which bytes and what values are DOS version
dependent).

c) Even given (a) or (b), BIOS software can restore bootability (I have
a version of FIXMBR that loads and runs from the BIOS just like
the early Microsoft Flight Simulator).

d) *Every* MBR infection that I have seen is detectable if you
look in the right places. "Stealth" can always be bypassed with a
direct BIOS call.

In other words, every infection I have seen is recoverable with the
right tools (usually DEBUG, FDISK, & SYS). Sometimes it is not worth
the bother since repair via E-Mail is somewhat more difficult, but
whatever is not corrupted can be retrieved and that which has been
corrupted can usually be restored. In general I have found that the
stupider the program, the more likely it will work.

I am glad that the above said "IN THEORY" since an undetectable,
invisible virus that can make a system completely unbootable except
from the hard disk just cannot exist. (Note, I am not including
access control programs that encrypt the whole disk and rely on
input of the key by the user for decryption - this could be made
"strong enough" - but a self-contained program cannot. Period.)

82 today - what Floridians put up with summer for,
Padgett

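Points (a) and (b) above are the kind of thing a defender checks offline once the first sector has been read out (with a direct BIOS/disk read, or from a disk image) rather than through a possibly infected DOS. The following is an added example, not Padgett's FIXMBR or anything else from the post: it parses the classic DOS master boot record layout (four 16-byte partition entries starting at offset 446 and the 55h AAh signature bytes at offset 510) and reports a missing signature, an impossible status byte, or a used entry with a zero start or length. The sample MBR images are constructed inline for demonstration and do not come from a real disk; which specific "wrong values" hang a given DOS version is, as the post says, version dependent, so this check only flags what is structurally invalid for any version.

```python
import struct

MBR_SIZE = 512
PTABLE_OFFSET = 446          # four 16-byte partition entries start here
ENTRY_SIZE = 16
SIG_OFFSET = 510             # the two "DOS signature" bytes 55h AAh
DOS_SIGNATURE = b"\x55\xAA"


def parse_entries(mbr):
    """Return the four partition entries as dicts (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PTABLE_OFFSET + i * ENTRY_SIZE
        # entry layout: status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr):
    """Return a list of findings; an empty list means the MBR looks sane."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(mbr), MBR_SIZE)]
    # case (a): DOS will not recognise the disk without the 55h AAh signature
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != DOS_SIGNATURE:
        findings.append("signature bytes at offset 510 are %s, not 55 AA"
                        % mbr[SIG_OFFSET:SIG_OFFSET + 2].hex())
    active = 0
    for n, e in enumerate(parse_entries(mbr)):
        # case (b): a status byte other than 00h/80h in an otherwise good table
        if e["status"] not in (0x00, 0x80):
            findings.append("entry %d: status byte %02X is neither 00h nor 80h"
                            % (n, e["status"]))
        if e["status"] == 0x80:
            active += 1
        if e["type"] == 0:
            continue  # unused slot
        if e["lba_start"] == 0 or e["sectors"] == 0:
            findings.append("entry %d: type %02X but start/length is zero"
                            % (n, e["type"]))
    if active > 1:
        findings.append("%d entries marked active; DOS expects at most one" % active)
    return findings


def make_mbr(status=0x80, ptype=0x06, lba_start=63, sectors=20480,
             signature=DOS_SIGNATURE):
    """Build a constructed 512-byte MBR with one partition entry (sample data, not a real disk)."""
    mbr = bytearray(MBR_SIZE)
    struct.pack_into("<B3xB3xII", mbr, PTABLE_OFFSET, status, ptype, lba_start, sectors)
    mbr[SIG_OFFSET:SIG_OFFSET + 2] = signature
    return bytes(mbr)


# Constructed samples: a sane MBR, one with the signature bytes wiped (case a),
# and one with a bad status byte in an otherwise good table (case b).
GOOD_MBR = make_mbr()
NO_SIG_MBR = make_mbr(signature=b"\x00\x00")
BAD_STATUS_MBR = make_mbr(status=0x7F)

if __name__ == "__main__":
    for name, img in (("good", GOOD_MBR), ("no-signature", NO_SIG_MBR),
                      ("bad-status", BAD_STATUS_MBR)):
        print(name, check_mbr(img) or "OK")
```

Run against a sector captured from a real machine, `check_mbr(open("mbr.bin", "rb").read())` gives the list of structural problems; an empty list says only that the table is well-formed, not that the boot code in the first 446 bytes is the original, which still has to be compared against a known-good copy.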