funky virii

From: Michael Lorrey (retroman@together.net)
Date: Sun May 31 1998 - 18:33:25 MDT


Alejandro Dubrovsky wrote:

> this does not mean that the virus would be activated just by sticking it
> into the floppy drive. The virus protection software you are running is
> running all the time i guess (background in windows, and as a TSR in dos),
> and when you stick the disk in the drive and the boot sector is read, the
> virus protection detects the virus in the disk.

No the software is set only to detect write attempts to the hard drive. Sticking this
floppy in the slot is all it takes for this virus to make a write attempt to the boot
sector of the hard drive.

> The virus does not need to run for the virus protection software to detect
> it (in fact, if it runs, it's too late). Try the experiment. grab an old
> hard drive you don't need, stick the disk in the floppy, take it out, and
> then check if the virus is in the hard drive. I bet you 99-1 that it is
> not.

It does. Believe me, I was rather intrigued about this, and I and my sister (who was
sys admin at Sturm Ruger and is now sys admin at a local hospital) ran a series of
tests on this point, trying to see what the minimum effort was to get this virus to
make an attack. I just wish I had some means of getting this virus in a state where I
could take a look at the code.

> i think that the stealth virus you've got is a boot sector virus, but
> AFAIK, not all stealth virii are, by definition, boot sector virii.
>

Yeah, the main reason I thought that it was was because it made a write attempt to the
boot sector of my hard drive, and the antivirus software database said that virii of
the Stealth C family are boot sector virii.

--
TANSTAAFL!!!
   Michael Lorrey
------------------------------------------------------------
mailto:retroman@together.net Inventor of the Lorrey Drive
MikeySoft: Graphic Design/Animation/Publishing/Engineering
------------------------------------------------------------
How many fnords did you see before breakfast today?


This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 14:49:09 MST