PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Subject:
From:
David Gillett <[log in to unmask]>
Reply To:
PCBUILD - Personal Computer Hardware discussion List <[log in to unmask]>
Date:
Thu, 15 Oct 1998 19:20:18 -0800
On 13 Oct 98 at 19:04, Roberto Safora wrote:

> Does anybody have some information on virus that, as I heard, are
> able to write the cmos and do our system non operable? Any trick to
> watch the writing in the cmos?

  Although overwriting CMOS can make a machine unbootable, most
modern motherboards provide a mechanism for restoring a default CMOS
configuration and if the BIOS can also auto-detect your drives,
you're back in business.  The tricks are (a) figuring out that this
is what has happened, and (b) getting rid of the virus before it
kicks you out again.

  What you may have heard about, far nastier, are a couple of new
virii (THIS year -- anticmos is 3-5 years old, I think) which rewrite
"flash" BIOS chips (which aren't *quite* ROMs).  [Coincidentally,
these probably include the default CMOS configurations alluded to
above....]
  Many manufacturers distribute updated BIOSes with utilities to
allow users to "write" these into flash RAM in place of the original
(or most recently written...).  A disruption of the process, or
loading the BIOS for a different board, can leave a machine
inoperative, and there may be a few virii out there that deliberately
cause similar effects.

  It is much harder to write code that has this kind of access to the
underlying hardware under NT than under anything that can run legacy
DOS applications.  [The manufacturer utilities often work only from a
very plain DOS prompt for this very reason.]  In theory, Windows 9x
could also catch and block such attempts, but where NT regards
unrecognized accesses as bugs, 9x assumes they are part of support
for obscure legacy devices and permits them to execute.  [So the
extra hoops the virus creator must jump through for NT amount to
convincing the OS that the virus is really a device driver.]

  Many modern motherboards include some kind of virus protection in
the BIOS code.  [This is usually turned off, though; it's best known
for preventing Win 9x installation from completing successfully!]  I
have ONE system that claims to offer something a little more
advanced.  But in general, an antivirus scanner program WITH A
CURRENT/RECENT SET OF PATTERN DEFINITIONS, imperfect though it is, is
more reliable protection than anything that tries to spot unknown
virii by what they DO.

David G

                                  -----
                PCBUILD mailing list -  http://nospin.com
         Bob Wright:[log in to unmask] - Drew Dunn:[log in to unmask]
