echo: os2prog
to: Robert King
from: David Noon
date: 1994-12-24 18:48:02
subject: Sub-cellular life forms

On Thursday, 12-22-1994  Robert King wrote to Brian May about "Virus
Alert!" as follows:

RK> #1, Writing to executing executables is simple and is in fact done
RK>     quite often by shareware and some commercial applications.

Not under OS/2, it isn't. The OS/2 loader opens the .EXE with sharing
denied to write applications; try running LINK386.EXE on a file you
are currently running. You _can_ modify the extended attributes, but
these are not loaded as part of the executable code.

RK> #2, Protected mode means nothing to the virus programmer.

I suppose "page descriptor table" means nothing also. Such concepts do
tend to limit the memory access of ring 3 (normal program)
applications. Getting into ring 0 (operating system) privileges is
impossible without being booted as a device driver or the kernel and
having ring 0 privileges established at boot time. All ring 3 access
to ring 0 functions is done by API calls that have ring transitions
established when the system is booted, or inherited from such.

RK> #3, Even a DOS based program can read/write to HPFS drives under OS/2
RK>     just as they do in DOS. NO VIRUS uses BIOS/DOS calls for reads and
RK>     writes. Such operations are performed at the port level which, as you
RK>     apparently aren't aware, bypasses the operating system entirely.

Actually, the hardware itself prevents this. There is a flag bit
called I/O Privilege Level that can only be set at ring 0 (when the
descriptor table entry is built) and VDMs do not have this privilege.
When IOPL is off, you cannot touch the I/O ports. All VDMs have their
legitimate I/O requests (INT 21H, various functions) escalated back to
OS/2; illegitimate attempts result in the program being killed by the
operating system. A virus dies with its host.

RK> #4, The OS/2 scanners that are available, DO NOT detect several virusi.
RK>     One that I can demonstrate readily is the Frankenstien virus which I
RK>     have on a floppy. Not only do the OS/2 scanners not see it, but the DOS
RK>     based scanners don't recognise it either when run under OS/2. And at
RK>     this point, the ONLY scanner I've found that DOES find that particular
RK>     virus is Symantec's Anti-Virus for DOS/Windows.

Central Point Anti-Virus (for DOS and Windows) works fine in a VDM, at
least as far as the signatures it has currently installed are
concerned. You have to keep updating the signature file (from CP,
nowadays Symantec) if you want to keep up-to-date with the morons. Any
virus scanner is no better than its signature file. Incidentally, the
plural of "virus" is "viruses".

Regards

Dave

 * KWQ/2 1.2i * NO, I'm not a Kennedy.  My pants just fell down.
--- Maximus/2 2.02
* Origin: OS/2 Shareware BBS, Fairfax, VA: 703-385-4325 (1:109/347)
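The IOPL argument in Dave's reply, as an added illustration that is not from the post or its author: a C model of the check the CPU applies to an IN/OUT instruction, using the EFLAGS bit positions from Intel's manual. It goes a step beyond the post by including the TSS I/O permission bitmap, which is how a ring 3 task or a virtual-8086 VDM can be granted individual ports; the port numbers and the "VDM gets COM1 only" policy are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFLAGS layout (Intel SDM): IOPL is bits 12-13, VM (virtual-8086 mode) is bit 17. */
#define EFLAGS_IOPL_SHIFT 12
#define EFLAGS_IOPL_MASK  (3u << EFLAGS_IOPL_SHIFT)
#define EFLAGS_VM         (1u << 17)

/* Stand-in for the TSS I/O permission bitmap: one bit per port, set = denied.
 * Ports past the bitmap's limit count as denied, as on the real CPU. */
typedef struct { const uint8_t *bits; size_t nports; } io_bitmap_t;

static unsigned iopl_from_eflags(uint32_t eflags) {
    return (eflags & EFLAGS_IOPL_MASK) >> EFLAGS_IOPL_SHIFT;
}

static bool bitmap_denies(const io_bitmap_t *bm, unsigned port) {
    if (bm == NULL || port >= bm->nports) return true;
    return (bm->bits[port / 8] >> (port % 8)) & 1u;
}

/* Does IN/OUT on `port` execute, or raise #GP into the OS (which may emulate
 * the access for a VDM, or kill the program)?
 * Protected mode: CPL <= IOPL allows any port; otherwise the bitmap decides.
 * Virtual-8086 mode (how OS/2 runs a VDM): the bitmap always decides. */
static bool io_allowed(uint32_t eflags, unsigned cpl, unsigned port,
                       const io_bitmap_t *bm) {
    if (!(eflags & EFLAGS_VM) && cpl <= iopl_from_eflags(eflags))
        return true;
    return !bitmap_denies(bm, port);
}

/* Assumed VDM policy for this example: ports 0..0x3FF covered, all denied
 * except the COM1 data port 0x3F8. */
static const io_bitmap_t *vdm_bitmap(void) {
    static uint8_t bits[0x400 / 8];
    static io_bitmap_t bm = { bits, 0x400 };
    memset(bits, 0xFF, sizeof bits);
    bits[0x3F8 / 8] &= (uint8_t)~(1u << (0x3F8 % 8));
    return &bm;
}

int main(void) {
    const uint32_t vdm = 0x00020202u;   /* VM=1, IOPL=0, IF=1, reserved bit 1 */
    printf("VDM -> COM1 0x3F8: %s\n", io_allowed(vdm, 3, 0x3F8, vdm_bitmap()) ? "runs" : "#GP");
    printf("VDM -> IDE  0x1F0: %s\n", io_allowed(vdm, 3, 0x1F0, vdm_bitmap()) ? "runs" : "#GP");
    return 0;
}
```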

SOURCE: echomail via fidonet.ozzmosis.com
