Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA25831; Tue, 12 Jun 90 06:34:46 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA12933; Tue, 12 Jun 90 06:34:43 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04138; Tue, 12 Jun 90 06:34:37 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa09351; 12 Jun 90 11:05 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:06:44 BST 
Message-Id:   <$TGVTCZHTCBRJ at UMPA>
Subject:      Virus-L vol 0 issue #0806



Virus-L Digest Sat, 6 Aug 88, Volume 0 : Issue #0806

Today's Topics

Gerbil virus?
Viruses and Screen Output

------------------------------

Date:         Sat, 6 Aug 88 07:46:53 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Gerbil virus?

Loren - in reading a previous VIRUS-L posting of yours, I see that you
mention having knowledge of a Gerbil virus.  Could you please tell us
more about that specific virus?

Ken

Kenneth R. van Wyk                    Milo: We're out of helium for the
User Services Senior Consultant             balloons!  Who's been suckin'
Lehigh University Computing Center          the helium?!
Internet: <luken@Spot.CC.Lehigh.EDU>  Gang: Not me!  Not me! ...
BITNET:   <LUKEN@LEHIIBM1>            Opus: Eeeeeep!  Eeeeeep!

--------------------

Date:         Sat, 6 Aug 88 10:41:49 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David M. Chess" <CHESS@YKTVMV>
Subject:      Viruses and Screen Output

David.Slonosky@QUEENSU.CA wonders if a very clever virus couldn't
"hide" really well by subverting the output from sector-examiners
and things, to lie about the true condition of the disk, and make
it look like things are normal (uninfected).
  As someone else said, the answer is sort of "yes".   On the
other hand, the simple way to do this (just intercepting the
BIOS calls to read the sector of the disk that the virus is on,
and returning a false "uninfected" image of the sector to the
caller), won't really work for a virus, for the simple and
amusing reason that such a virus could hardly spread!  When you
did a COPY, or a LOAD-AND-EXECUTE, or a boot, or whatever, the
system would call BIOS to get the code to execute, the virus
would intercept that call and return an uninfected image, the
system would then copy (or load, or boot from) that uninfected
image, and it would be as though the virus never existed!  So
it wouldn't spread very well.   To make this work, a virus
would have to be REAL clever, and present an uninfected image
when examination was being done, but an infected image when
the data was actually going to be used as code.   Sounds sort of
hard to do, to say the least...
  Not to say that it's impossible, of course.  But it's not as
simple as it might seem.                  DC

--------------------
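
The argument in the message above, as an added toy model in Python (not part of the original posting and not written by its author). The `Disk` class, the hook, and the sector contents are all constructed for illustration; the model shows that an interceptor which answers every read with the saved clean image hides the modification from an examiner and, for the same reason, keeps it out of every copy.

```python
"""Toy model: one read path serves both the examiner and the copier."""

SECTOR = 16                                  # constructed toy sector size (bytes)
CLEAN = b"BOOTCODE".ljust(SECTOR, b".")      # constructed sample of the original sector
MARKED = b"XXXXCODE".ljust(SECTOR, b".")     # constructed stand-in for a modified sector


class Disk:
    """Sectors plus a single read entry point, standing in for the BIOS read call."""

    def __init__(self, sectors):
        self.sectors = dict(sectors)
        self.read_hook = None                # optional interceptor on the read path

    def read(self, n):
        raw = self.sectors[n]
        return self.read_hook(n, raw) if self.read_hook else raw

    def write(self, n, data):
        self.sectors[n] = data


def always_clean_hook(hidden_sector, saved_image):
    """The 'simple way' from the post: every read of that sector gets the saved image."""
    def hook(n, raw):
        return saved_image if n == hidden_sector else raw
    return hook


def examine(disk, n):
    """Sector examiner: True if the bytes it is handed differ from the known-clean image."""
    return disk.read(n) != CLEAN


def copy_sector(src, dst, n):
    """COPY, load-and-execute and boot all fetch their bytes through the same read call."""
    dst.write(n, src.read(n))


def run():
    source = Disk({0: MARKED})
    source.read_hook = always_clean_hook(0, CLEAN)
    target = Disk({0: b"\0" * SECTOR})       # second disk with no interceptor
    copy_sector(source, target, 0)
    return {
        "examiner_flags_source": examine(source, 0),
        "source_really_modified": source.sectors[0] != CLEAN,
        "copy_is_modified": examine(target, 0),
    }
```
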

*** end of Virus-L issue ***
