echo: virus_info
to: ALL
from: RICHARD ST. JOHN
date: 1996-12-30 09:15:00
subject: Not A Virus [1/8]

I thought people might like to see this white paper that was written
about what system events/problems are NOT a virus. This was written very
well, and I have seen many of these messages/problems pop up in my day to
day activity working with my company's WAN and PCs.
RS
===========================================================================
                           What's NOT a Virus
                            Chengi Jimmy Kuo
                         Director, AV Research
                         McAfee Associates Inc.
The "Virus Lab" is a misnomer. But "Where They Explain to You Why it's NOT a
Virus" just doesn't have the same ring. However, each day, far more cases
of "Not A Virus" are reported by customers than actual cases of virus
infections. This phenomenon is true at all levels of customer support. So,
instead of talking about some neat, new antivirus technology, I hope to be
able to help you with something useful in your everyday work.
Urban legends have inundated the computer virus world such that any computer
malady is blamed on a computer virus being in the system. But there are
multitudes of situations blamed on viruses which are not. This paper is
based on many customer situations seen by McAfee's Technical Support, on
questions raised on the Internet, and on the experience and contributions
of the Tech Support or Customer Support staff of other companies in the industry.
1.0 PC Architecture
        1.1 I don't have 640K
                At memory location 40:13 is a word representing how much base
                memory is in the machine. The value usually found at 40:13 is
                280h which means the machine has its full complement of 640K
                (655,360). Utilities such as CHKDSK or MEM can be used to
                fetch this value.
                Starting with the introduction of the IBM PS/2 in 1987, IBM
                and then others, started to fake the total memory count by
                one K or two by decrementing this number and using the space
                for additional system storage space. For IBM, this area was
                referred to as the Extended BIOS Data Area (EBDA). The IBM
                PS/2s reserved 1K.
                It is true that most boot sector viruses do steal memory by
                decrementing 40:13 and place themselves in the memory they
                have reserved by doing so. So, when a user sees something
                other than 640K, he usually jumps up and down about having a
                virus.
                Since DOS supplies other methods to reserve memory, in finer
                granularity than 1K, most software solutions will use DOS to
                reserve memory. However, many things which I call "hardware
                related software" (such as drivers for monitors, drivers for
                ROM addons, etc.), that require the use of some memory but
                cannot address DOS to reserve memory, will also "steal" a K
                or two using this architected way of reserving memory.
                Officially, the architecture for this mechanism includes the
                requirement to store a word at xxxx:0 with the value of how
                many K is reserved in that block. Thus a correct implementation
                of this scheme has values like this (assuming 640K available
                in the system):
                        40:13 value   Reserved block(s)           Word at xxxx:0
                        0280h         (none; full 640K)           -
                        027Fh         9FC0:0000                   1
                        027Eh         9F80:0000 and 9FC0:0000     1 and 1
                                  or  9F80:0000                   2
                        etc.
                So, if less than 640K is reported, check the memory using the
                table above. If there is a boot sector virus in memory,
                chances are, you will also find the values 55h AAh near the
                top of memory at a memory address of xxxx:xxFE.
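As an added example (not part of the white paper), the check described above applied to a constructed 640K conventional-memory image: every K missing from 40:13 should be an EBDA-style block whose first word says how many K it reserves, and anything else, or a 55 AA word at an xxxx:xxFE address in the reserved area, is what to look at before blaming a virus. The image layout, the `make_image` helper and the 256-byte stepping of the signature scan are assumptions for the demonstration.

```python
# Added example: walk the memory "stolen" from 40:13 on a constructed
# 640K image (not a real capture) and report what accounts for it.
FULL_640K = 0x280          # 640 decimal, the normal value at 40:13
BDA_BASE_MEM = 0x413       # linear address of the word at 40:13

def read_word(mem, linear):
    return mem[linear] | (mem[linear + 1] << 8)

def classify_base_memory(mem):
    """Return (reported_k, blocks, findings) for a 640K memory image.
    blocks  : (segment, K claimed) for each EBDA-style block found walking
              up from the reported top of memory to 640K
    findings: text for anything that breaks the convention"""
    reported_k = read_word(mem, BDA_BASE_MEM)
    blocks, findings = [], []
    k = reported_k
    while k < FULL_640K:
        seg = k * 64                      # K * 1024 / 16 = segment of block
        claimed = read_word(mem, k * 1024)
        if claimed == 0 or k + claimed > FULL_640K:
            findings.append("block at %04X:0000 claims %dK, not an EBDA header"
                            % (seg, claimed))
            break
        blocks.append((seg, claimed))
        k += claimed
    # boot sector signature near the top of memory, at xxxx:xxFE
    for linear in range(reported_k * 1024, FULL_640K * 1024, 0x100):
        if mem[linear + 0xFE] == 0x55 and mem[linear + 0xFF] == 0xAA:
            findings.append("55 AA at %04X:00FE" % (linear // 16))
    return reported_k, blocks, findings

def make_image(reported_k, headers=(), boot_sector_at=None):
    """Constructed image: set 40:13, optional EBDA headers (segment, K)
    and optionally a boot-sector-like 512 bytes at a segment."""
    mem = bytearray(FULL_640K * 1024)
    mem[BDA_BASE_MEM:BDA_BASE_MEM + 2] = reported_k.to_bytes(2, "little")
    for seg, kcount in headers:
        mem[seg * 16:seg * 16 + 2] = kcount.to_bytes(2, "little")
    if boot_sector_at is not None:
        lin = boot_sector_at * 16
        mem[lin] = 0xEB                   # boot sectors start with a JMP
        mem[lin + 0x1FE], mem[lin + 0x1FF] = 0x55, 0xAA
    return mem

if __name__ == "__main__":
    print(classify_base_memory(make_image(0x280)))                       # full 640K
    print(classify_base_memory(make_image(0x27F, [(0x9FC0, 1)])))        # PS/2 style
    print(classify_base_memory(make_image(0x27E, [(0x9F80, 1), (0x9FC0, 1)])))
    print(classify_base_memory(make_image(0x27E, boot_sector_at=0x9F80)))  # suspect
```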
        1.2 Happy Birthday on November 13th
                On November 13th, some PCs around the world will play the
                Happy Birthday song through the PC speaker.
                A "former" programmer at American Megatrends managed to
                sabotage a BIOS run. The specific information is listed
                below:
                        BIOS Manufacturer: American Megatrends
                        BIOS Version: M82C498 Evaluation BIOS v1.55
                        BIOS Category: IBM PC/AT
                        BIOS ID Bytes: FC 01 00
                        BIOS Date: 04/04/93
                If you have one of these BIOS chips, you can contact AMI to
                get a replacement.
2.0 Windows 95
        2.1 LongFileName directory entries
                The way Windows 95 manages its LongFileNames is to use a
                trick associated with volume labels. According to documentation
                (See Appendix A.), if the volume label bit is set, all other
                information in that directory entry is ignored.
                Here is a sample of a Windows 95 directory as interpreted by
                DEBUG (uninteresting parts chopped out to save space):
***>>> CONTINUED NEXT MESSAGE <<<***
--- GEcho 1.20/Pro
---------------
* Origin: Slings & Arrows BBS St. Louis, Mo. (1:100/205.0)

SOURCE: echomail via exec-pc
