Urban legends have inundated the computer virus world such that any computer malady is blamed on a computer virus being in the system. But there are multitudes of situations blamed on viruses which are not. This paper is based on many customer situations through McAfee's Technical Support, questions raised on the Internet, with experience and contribution from the Tech Support or Customer Support of other companies in the industry.
Starting with the introduction of the IBM PS/2 in 1987, IBM, and then others, started to fake the total memory count by one K or two: the memory count word at 40:13 is decremented and the space this frees is used for additional system storage. For IBM, this area was referred to as the Extended BIOS Data Area (EBDA). The IBM PS/2s reserved 1K.
It is true that most boot sector viruses do steal memory from 40:13 and place themselves at the memory they have reserved by doing so. So, when a user sees something other than 640K, he usually jumps up and down about having a virus.
Since DOS supplies other methods to reserve memory, in finer granularity than 1K, most software solutions will use DOS to reserve memory. However, many things which I call "hardware related software" (such as drivers for monitors, drivers for ROM addons, etc.), that require the use of some memory but cannot address DOS to reserve memory, will also "steal" a K or two using this architected way of reserving memory.
Officially, the architecture for this mechanism includes the requirement to store a word at xxxx:0 with the value of how many K is reserved in that block. Thus correct implementation of this scheme has values like this (assuming 640K available in system):
40:13    Address     Value
0280h    (full 640K)
027Fh    9FC0:0000   1
027Eh    9F80:0000   1
         9FC0:0000   1
       or
         9F80:0000   2
etc.
So, if less than 640K is reported, check the memory using the table above. If there is a boot sector virus in memory, chances are, you will also find the values 55h AAh near the top of memory at a memory address of xxxx:xxFE.
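The check described above, worked through as an added example (my code, not the paper's or McAfee's): given the word at 40:13 and the memory just below 640K, it walks the reserved blocks, verifies that each one carries the K-count word the architecture calls for, and looks for the 55h AAh signature at offset 1FEh of those blocks. The memory contents are constructed samples, not a capture from a real machine, and the function names are my own.

```python
"""Triage a conventional-memory count below 640K.

Added example, not part of the original paper.  It models the 40:13 check
from the table above: walk the reserved blocks from the reported top of
memory to 640K, confirm each holds its K-count word, and look for a 55h AAh
sector signature at offset 1FEh.  Memory is a constructed dict
{segment: bytes}, not a live machine image.
"""

TOP_OF_MEMORY_KB = 640        # 40:13 == 0280h on an unmodified 640K system
BYTES_PER_KB = 1024
PARAGRAPH = 16                # bytes per segment step


def segment_for_kb(kb):
    """Segment of the block that starts kb kilobytes into memory (639 -> 9FC0h)."""
    return kb * BYTES_PER_KB // PARAGRAPH


def walk_reserved_blocks(bios_40_13, memory):
    """Follow the architected chain of reserved blocks up to 640K.

    Each block should begin with a 16-bit word giving its size in K.  Returns
    (blocks, consistent): blocks is a list of (segment, size_kb); consistent
    is False when a count word is missing, zero, or overruns 640K, i.e. the
    shortfall is not accounted for by the documented mechanism.
    """
    blocks, kb = [], bios_40_13
    while kb < TOP_OF_MEMORY_KB:
        seg = segment_for_kb(kb)
        blk = memory.get(seg, b"")
        if len(blk) < 2:
            return blocks, False
        size_kb = int.from_bytes(blk[0:2], "little")
        if size_kb == 0 or kb + size_kb > TOP_OF_MEMORY_KB:
            return blocks, False
        blocks.append((seg, size_kb))
        kb += size_kb
    return blocks, True


def has_boot_signature(block):
    """True when 55h AAh sits at offset 1FEh, where a copied boot sector ends."""
    return len(block) >= 0x200 and block[0x1FE:0x200] == b"\x55\xAA"


def triage(bios_40_13, memory):
    """Return a list of findings for the reported memory size."""
    findings = []
    if bios_40_13 >= TOP_OF_MEMORY_KB:
        return findings                       # 0280h: nothing reserved
    blocks, consistent = walk_reserved_blocks(bios_40_13, memory)
    for seg, size_kb in blocks:
        findings.append("block at %04X:0000 reserves %dK" % (seg, size_kb))
    if not consistent:
        findings.append("reserved blocks do not account for the %dK below 640K"
                        % (TOP_OF_MEMORY_KB - bios_40_13))
    # Check the first reserved block and every chained one for a sector image.
    for seg in sorted({segment_for_kb(bios_40_13)} | {s for s, _ in blocks}):
        if has_boot_signature(memory.get(seg, b"")):
            findings.append("55h AAh at %04X:01FE: sector image in reserved "
                            "memory, boot clean and check the system" % seg)
    return findings


def block(size_kb, image=None):
    """Constructed reserved block.  Without an image it carries the K-count
    word a well-behaved reservation writes; with one, the block starts with
    that raw sector image, which overwrites the count word."""
    blk = bytearray(size_kb * BYTES_PER_KB)
    if image is None:
        blk[0:2] = size_kb.to_bytes(2, "little")
    else:
        blk[:len(image)] = image
    return bytes(blk)


# Constructed samples: a PS/2-style 1K EBDA, the two ways of reserving 2K
# shown in the table, and a 1K block holding a sector-shaped image (EB xx 90
# jump, 55h AAh at 1FEh) with no valid count word.
FAKE_SECTOR = b"\xEB\x3C\x90" + bytes(0x1FE - 3) + b"\x55\xAA"
SAMPLES = {
    "ebda_1k": (0x27F, {0x9FC0: block(1)}),
    "two_1k":  (0x27E, {0x9F80: block(1), 0x9FC0: block(1)}),
    "one_2k":  (0x27E, {0x9F80: block(2)}),
    "sector":  (0x27F, {0x9FC0: block(1, image=FAKE_SECTOR)}),
}

if __name__ == "__main__":
    for name, (count, mem) in SAMPLES.items():
        print("40:13 = %04Xh (%s)" % (count, name))
        for finding in triage(count, mem):
            print("   ", finding)
```

A shortfall that the count words fully account for, with no sector signature, is what the EBDA or a "hardware related software" reservation looks like; a block with no valid count word and 55h AAh at xxxx:01FE is the pattern the paper associates with a resident boot sector virus.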
A "former" programmer at American Megatrends managed to sabotage a BIOS run. The specific information is listed below:
BIOS Manufacturer: American Megatrends
BIOS Version: M82C498 Evaluation BIOS v1.55
BIOS Category: IBM PC/AT
BIOS ID Bytes: FC 01 00
BIOS Date: 04/04/93
If you have one of these BIOS chips, you can contact AMI to get a replacement.
Here is a sample of a Windows 95 directory as interpreted by DEBUG (uninteresting parts chopped out to save space):
0E0  41 50 00 72 00 6F 00 67-00 72 00 0F 00 20 61 00   AP.r.o.g.r... a.
0F0  6D 00 20 00 46 00 69 00-6C 00 00 00 65 00 73 00   m. .F.i.l...e.s.
100  50 52 4F 47 52 41 7E 31-20 20 20 11 00 00 00 00   PROGRA~1   .....
110  00 00 00 00 00 00 CC 80-17 1F 81 1E 00 00 00 00   ................
180  41 45 00 78 00 63 00 68-00 61 00 0F 00 15 6E 00   AE.x.c.h.a....n.
190  67 00 65 00 00 00 FF FF-FF FF 00 00 FF FF FF FF   g.e.............
1A0  45 58 43 48 41 4E 47 45-20 20 20 10 00 78 BC 81   EXCHANGE   ..x..
1B0  17 1F 17 1F 00 00 BC 81-17 1F 38 16 00 00 00 00   ..........8.....
1C0  43 4F 4D 4D 41 4E 44 20-43 4F 4D 20 00 00 00 00   COMMAND COM ....
1D0  00 00 6E 20 00 00 40 4E-EB 1E 3D 42 C6 6A 01 00   ..n ..@N..=B.j..

Here is the output of DiskEdit as it interprets the above information:
Name     .Ext        Size  Date     Time      Cluster  Arc R/O Sys Hid Dir Vol
------------------------------------------------------------------------------
AP                7536741  3-12-80  12:03 am        0      R/O Sys Hid     Vol
PROGRA~1                0  8-23-95   4:06 pm     7809      R/O         Dir
AE             4294967295  15-31-7   7:63 pm        0      R/O Sys Hid     Vol
EXCHANGE                0  8-23-95   4:13 pm     5688                  Dir
COMMAND  COM        92870  7-11-95   9:50 am    16957  Arc
This behavior by Windows 95 is often misinterpreted by unsuspecting users as a virus which creates HUGE illegal files onto their drives, or as a virus which corrupts file entries.
All it actually is, is people looking at absolutely correct information with inappropriate tools.
This activity has sometimes been interpreted as a virus constantly writing to diskettes. After all, the user has done nothing of note to cause a write to the diskette.
[Curiosity item: IHC and 4 spaces makes one believe that at one point, "OGACIHC" was the string being written in this location. "Chicago" was Microsoft's codename for Windows 4.0 which was later renamed to Windows 95.]
The first entry with a label bit in the root directory is interpreted to be the label of the disk.
If you look at Appendix A, you will note that if the label bit is set, all other fields are ignored. Windows 95 uses this trick for its LongFileName entries.
If you did not initially give your disk a label, the first LongFileName will then satisfy the LABEL criteria. And your disk will now bear a weird looking LABEL name.
Again, the most likely thing is indeed that a boot sector virus was responsible for this change. However, installation of certain security related software may also result in the report of this message.
Why is this not a virus? After all, it does indicate that a boot virus had at one point been on the machine.
If this occurs, it means a virus was once on the machine. It does not mean that the file is infected by a boot sector virus. After all, a boot sector virus is being reported in a file. But do boot clean and check the system. Also, delete the file.
Sometimes, a scanner will detect a virus in this file. There are a number of possible causes for this:
To remove or adjust its size, use the interface found in 386 Enhanced settings in the Control Panel. One last note, a "really big" swap file does not necessarily mean faster speed. There is an optimal setup for your machine depending on how you use it.
In this case, Windows simply wasn't able to read in the sprite associated with its current environment. Thus, the sprite is just a black box.
This temporary file is created in the directory designated by the TEMP environment variable.
As it happens, DOS creates 2 temporary files for the process "DIR | MORE". These two files have names generated as some random set of 8 characters. Thus, each invocation creates 2 differently named files.
No one happenstance generates more phone calls and questions than this one.
[I happen to use NDOS, a derivative of 4DOS. It also creates temporary files in the directory designated by the TEMP environment variable. But, this set of circumstances only creates one file and it is always a constant name.]
Well, that's not all that easy to do, except... if you're in the root directory. Any subdirectory with its cluster number set to 0 will point back to the root directory. So, if you overlay a random data file over the root directory, a random byte will have the subdirectory bit set and if there happens to be a NULL in the cluster field, you will create this situation.
No virus currently presents this message to the user.
Until you hear otherwise, the answer is, "No."
Presently, Word Perfect manages its macros in a separate file from that of the text. Since it's the macros that would contain a virus, should there ever be one, and since people don't generally pass macros when they pass around Word Perfect documents, chances of a Word Perfect virus becoming a threat to users is close to nil.
The truth is, UNWISE.EXE is a program called Wise Uninstall which is included with some Windows shareware programs.
What the heuristic analyzers are perhaps finding are viral snippets that are used to identify viruses. But it is not the complete virus.
A similar situation arises when some antivirus packages are used to scan data files when "Scan All Files" is chosen. In this situation, the viruses "detected" are usually some kind of polymorphic virus. This brings forth the issue, "Should you be scanning all files?" My answer is, each product is presented to you with a default mode. Careful thinking is applied to choose the right set of defaults. Yet no product that I'm aware of has a default setting of scanning all files. All products recommend a certain configuration. Think about that.
[The chance that an antivirus package is distributed with a virus is actually relatively high if you are not downloading the package from a known and trusted site. Antivirus packages have been known to be trojanized many times in secondary redistribution channels.
Be safe. Download originals from official supported sites.]
This message has been removed as of last summer.
The most common behavior blocking issue raised to our technical support is, "Something is writing to my boot sector!" This could be a virus. But it could be that the user just typed FORMAT.
I would recommend, in a corporate environment, you allow users to decide for themselves whether they wish to run a behavior blocker. If the user is unaware that he is using behavior blocking technology, you will be confronted with more non-virus cases than situations where it actually stopped a virus. Yet, you may decide that you would be able to live with a 10 to 1 non-viral to viral ratio because the one virus infection that it catches costs more to clean up than the on-going support.
The choice of using an antivirus is the determination that the cost of running an antivirus is less than the cost of cleaning up after virus infections. Therefore, only you can evaluate the cost for your organization.
From the alt.comp.virus FAQ:
"It appears to be a practical joke, coded into the keyboard's ROM, that causes the keyboard to output that text (as if it was typed) after a period of keyboard inactivity. The only practical fix is to replace the keyboard."
Actually, this is good advice, because the rest of the message is bound to be worthless.
A message warning of the Good Times virus first appeared in November of 1994. The warning for the virus reports that if you read a message with "Good Times" in the title, your hard disk will be damaged beyond repair as well as a number of other wondrous things. When the reports first surfaced, the report was easily and quickly dismissed. Nothing can have such effects across the spectrum of operating systems and processors as claimed by this omnipotent e-mail virus.
However, fall of 1995 saw a resurgence of messages warning again of the Good Times virus. It is believed that news stories regarding macro viruses lent more credence to the e-mail aspects of the report. But, the story remains a hoax. The things it claims to be possible across the spectrum of e-mail programs remain an impossibility.
The reports continue to spread. And in effect, the message itself has become the virus.
Because it was written during the initial hoopla over Word macro viruses, many people have also included FormatC in their list of Word macro viruses. Also, many people freely associate trojan horses as viruses. Thus FormatC is often referred to as a virus. It is not. It is a trojan horse.
It is being discussed here because it may have had a bearing on lending credibility to the Good Times scare.
The truth behind the ability of software to destroy hardware is that generic software cannot destroy generic hardware. However, every piece of hardware has recommended parameters of use. Thus, in order to damage hardware, one either uses the hardware outside its recommended parameters or wears it out through repetitive overuse.
No virus has yet done this. Chances of any virus successfully accomplishing this (and spreading) are not high. In real terms, this issue is myth, not fact.
Remember, the only possible ways to destroy hardware through software is through a directed attack or through repetitive overuse.
Byte   Description
0-7    Filename
       Byte 0 indicates the status of the directory entry.

       Value  Meaning
       00h    This entry has never been used. (Directory searches can stop here.)
       05h    The actual first character is an E5h.
       E5h    This entry has been erased (it's free).
       2Eh    Dot. This is the entry which holds information about this directory
              cluster. If the second character is also 2Eh, then this entry is
              dot-dot, or the parent directory. If the parent directory is the
              root directory, then the cluster number will be 0000h.
8-10   Filename extension
11     File Attribute
       The file attribute is a bit mapped value.

       Bit    Meaning
       01h    1 = Read-only file. If function 3Dh or 6Ch is used to open the file
              for output, an error code is returned.
       02h    1 = Hidden file. This file is excluded from normal directory searches.
       04h    1 = System file. This file is excluded from normal directory searches.
       08h    1 = Volume ID in the first 11 bytes. This file is excluded from normal
              directory searches. No other fields are interpreted. Windows 95
              marks this bit for its LongFileName entries.
       10h    1 = Subdirectory file. This entry points to a subdirectory and thus
              is not searched.
       20h    1 = (Archive bit) File has been written to and closed. BACKUP and
              RESTORE use this bit to determine if a file has been changed since
              the last BACKUP.
12-21  Reserved (OS/2 uses some of these bytes)
22-23  File Creation or Last Changed Time
       The time is encoded into 16 bits:

       Bits   Meaning
       0-4    Seconds (in 2 second increments)
       5-10   Minutes (0-59)
       11-15  Hours (0-23)
24-25  File Creation or Last Changed Date
       The date is encoded into 16 bits:

       Bits   Meaning
       0-4    Day (1-31)
       5-8    Month (1-12)
       9-15   Year + 1980 (0-119: 1980-2099)
26-27  First Cluster of the File. One uses this number to index through the File
       Allocation Table to determine the chain of the full file. (Standard Intel
       16 bit value.)
28-31  File Size (standard Intel 32 bit value)
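To tie the DEBUG listing, the DiskEdit table and the volume label discussion together with the layout just given, here is an added example (my code, not the paper's or any vendor's) that decodes the raw entries from the DEBUG dump: 8.3 entries, the Windows 95 long-name fragments that precede them, the packed date and time words, and the label a pre-LongFileName DOS would pick out. The DUMP bytes are transcribed from that listing; the function names and output format are mine.

```python
"""Decode raw FAT directory entries, including Windows 95 long-name entries.

Added example, not part of the original paper or of any vendor's tool.  It
implements the directory-entry layout tabulated above and feeds it the bytes
from the DEBUG listing earlier in the paper, so each 32-byte entry comes out
the way DiskEdit printed it, bogus rows included.
"""
import struct

ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM, ATTR_VOLUME = 0x01, 0x02, 0x04, 0x08
ATTR_DIRECTORY, ATTR_ARCHIVE = 0x10, 0x20
ATTR_LONG_NAME = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME   # 0Fh

# Transcribed from the DEBUG dump (root directory offsets 0E0h-11Fh and
# 180h-1DFh); the entries DEBUG's listing left out between them are absent.
DUMP = bytes.fromhex(
    "41 50 00 72 00 6F 00 67 00 72 00 0F 00 20 61 00 "
    "6D 00 20 00 46 00 69 00 6C 00 00 00 65 00 73 00 "
    "50 52 4F 47 52 41 7E 31 20 20 20 11 00 00 00 00 "
    "00 00 00 00 00 00 CC 80 17 1F 81 1E 00 00 00 00 "
    "41 45 00 78 00 63 00 68 00 61 00 0F 00 15 6E 00 "
    "67 00 65 00 00 00 FF FF FF FF 00 00 FF FF FF FF "
    "45 58 43 48 41 4E 47 45 20 20 20 10 00 78 BC 81 "
    "17 1F 17 1F 00 00 BC 81 17 1F 38 16 00 00 00 00 "
    "43 4F 4D 4D 41 4E 44 20 43 4F 4D 20 00 00 00 00 "
    "00 00 6E 20 00 00 40 4E EB 1E 3D 42 C6 6A 01 00 "
)

def decode_time(word):
    """16-bit DOS time: bits 0-4 seconds/2, 5-10 minutes, 11-15 hours."""
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2

def decode_date(word):
    """16-bit DOS date: bits 0-4 day, 5-8 month, 9-15 years since 1980."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F

def attr_names(attr):
    """Attribute bits as DiskEdit labels its columns."""
    bits = (("Arc", ATTR_ARCHIVE), ("R/O", ATTR_READ_ONLY), ("Sys", ATTR_SYSTEM),
            ("Hid", ATTR_HIDDEN), ("Dir", ATTR_DIRECTORY), ("Vol", ATTR_VOLUME))
    return [name for name, bit in bits if attr & bit]

def parse_short_entry(raw):
    """Read a 32-byte entry as an 8.3 entry, whether or not it really is one."""
    name = bytearray(raw[0:8])
    if name[0] == 0x05:                     # 05h stands in for a real E5h
        name[0] = 0xE5
    time_word, date_word, cluster, size = struct.unpack_from("<HHHI", raw, 22)
    h, m, s = decode_time(time_word)
    y, mo, d = decode_date(date_word)
    return {"name": name.decode("latin-1").rstrip(),
            "ext": raw[8:11].decode("latin-1").rstrip(),
            "attrs": attr_names(raw[11]), "cluster": cluster, "size": size,
            "date": "%d-%d-%02d" % (mo, d, y % 100),
            "time": "%02d:%02d:%02d" % (h, m, s)}

def parse_long_entry(raw):
    """LFN fragment: 13 UCS-2 characters spread over bytes 1-10, 14-25, 28-31."""
    text = (raw[1:11] + raw[14:26] + raw[28:32]).decode("utf-16-le")
    for terminator in ("\x00", "\uffff"):   # NUL ends the name, FFFFh pads it
        text = text.split(terminator, 1)[0]
    return {"seq": raw[0] & 0x1F, "last": bool(raw[0] & 0x40), "text": text}

def parse_directory(raw):
    """Walk 32-byte entries, attaching the LFN fragments that precede each
    8.3 entry to it.  Stops at a never-used (00h) entry, skips erased (E5h)."""
    entries, pending = [], []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            break
        if e[0] == 0xE5:
            continue
        if e[11] == ATTR_LONG_NAME:
            pending.append(parse_long_entry(e))
            continue
        entry = parse_short_entry(e)
        pending.sort(key=lambda p: p["seq"])  # fragments are stored last-first
        entry["long_name"] = "".join(p["text"] for p in pending)
        entries.append(entry)
        pending = []
    return entries

def legacy_volume_label(raw):
    """What a pre-LFN DOS does: the first entry with the volume bit set is the
    label and its other fields are ignored.  On a Windows 95 disk that was
    never labelled that is the first LFN fragment, shown here as DEBUG would."""
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            break
        if e[0] != 0xE5 and e[11] & ATTR_VOLUME:
            return "".join(chr(b) if 32 <= b < 127 else "." for b in e[0:11])
    return None

if __name__ == "__main__":
    for entry in parse_directory(DUMP):
        print(entry)
    print("label a pre-LFN DOS would show:", legacy_volume_label(DUMP))
```

Decoding the first 32 bytes with parse_short_entry, the way DiskEdit did, yields the 7536741-byte "AP" file dated 3-12-80 from the table; parse_directory, which knows the 0Fh attribute pattern, folds the same bytes into the long name "Program Files" of PROGRA~1 instead.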
Byte   Description
0-2    Code. The boot up process passes execution to the sector which is read in.
       Thus, this code must be able to do something intelligible.
       Prior to DOS 4 or 5, the following definition was documented but was not
       being checked by DOS. Sometime around DOS 4 or 5, DOS started requiring
       this:

       Byte   Value     Description
       0      EB        Short jump opcode
       1      any       Distance of short jump
       2      90        NOP
       or
       0-2    E9 xx xx  Jump instruction
3-10   OEM Name. Anyone can write anything they want here.
11-12  Bytes per sector
13     Sectors per cluster (must be a power of 2; maximum = 128; real maximum = 64)
14-15  Reserved sectors at beginning
16     Number of File Allocation Tables
17-18  Maximum number of Root Directory Entries
19-20  Total sectors on media
21     Media Descriptor

       Bit    Description
       0      1 = 2 sided       0 = not 2 sided
       1      1 = 8 sector      0 = not 8 sector
       2      1 = removable     0 = not removable
       3-7    reserved = 1

       Value  Description
       F8h    Fixed disk
       F9h    5.25", double sided, 15 sectors/track
       FCh    5.25", single sided, 9 sectors/track
       FDh    5.25", double sided, 9 sectors/track
       FEh    5.25", single sided, 8 sectors/track
       FFh    5.25", double sided, 8 sectors/track
       FEh    8", single sided, 26 sectors/track
       FDh    8", double sided, 26 sectors/track
       FEh    8", double sided, 8 sectors/track
       Note: There are more notes on 8" diskettes, but I don't think they're
       that pertinent.
22-23  Number of sectors used by a File Allocation Table
24-25  Sectors per track
26-27  Heads
28-31  Hidden sectors
32-35  Huge sectors
36     Physical drive number
37     Reserved
38     Boot signature
39-42  Serial number
43-53  Volume label
54-61  Filesystem type

       Value       Description
       "FAT12   "  12 bit FAT (8 byte string, last 3 are spaces)
       "FAT16   "  16 bit FAT (8 byte string, last 3 are spaces)
62-    Start of code. Usually where the code at 0 jumps to.
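An added example (my code, not the paper's) that reads the fields just tabulated out of a boot sector and checks the few properties the table pins down: the jump form DOS 4/5 began requiring, a power-of-2 cluster size no larger than 64, a documented media descriptor, the FAT type string, and the 55h AAh signature at offset 1FEh. The sector it examines is constructed in the block as a 360K FAT12 diskette boot sector with a made-up serial number and label; the field offsets are the table's, while the 29h value tested for at byte 38 and the function names are my own.

```python
"""Parse and sanity-check a DOS boot sector against the layout above.

Added example, not part of the original paper.  The sector is constructed
below (a 360K FAT12 diskette image); the offsets follow the table, the
checks are the ones the table supports.
"""
import struct

SECTOR_SIZE = 0x200
BPB_FORMAT = "<HBHBHHBHHHII"     # bytes 11-35 of the table
EXT_FORMAT = "<BBBI11s8s"        # bytes 36-61
MEDIA_DESCRIPTORS = {            # 5.25" values from the table above
    0xF8: "Fixed disk",
    0xF9: '5.25", double sided, 15 sectors/track',
    0xFC: '5.25", single sided, 9 sectors/track',
    0xFD: '5.25", double sided, 9 sectors/track',
    0xFE: '5.25", single sided, 8 sectors/track',
    0xFF: '5.25", double sided, 8 sectors/track',
}

def describe_media(byte):
    """Bit fields of the media descriptor: bit 0 two-sided, bit 1 eight-sector,
    bit 2 removable, bits 3-7 reserved and set."""
    return {"two_sided": bool(byte & 1), "eight_sector": bool(byte & 2),
            "removable": bool(byte & 4), "reserved_ok": (byte & 0xF8) == 0xF8,
            "name": MEDIA_DESCRIPTORS.get(byte, "unknown")}

def jump_target(sec):
    """Offset the byte-0 jump lands on: EB xx 90 is 2+xx, E9 xx xx is 3+xxxx."""
    if sec[0] == 0xEB and sec[2] == 0x90:
        return 2 + struct.unpack_from("<b", sec, 1)[0]
    if sec[0] == 0xE9:
        return 3 + struct.unpack_from("<h", sec, 1)[0]
    return None

def parse_boot_sector(sec):
    """Return the BPB and the extended fields as a dict."""
    if len(sec) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    keys = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
            "fats", "root_entries", "total_sectors", "media", "sectors_per_fat",
            "sectors_per_track", "heads", "hidden_sectors", "huge_sectors")
    bpb = dict(zip(keys, struct.unpack_from(BPB_FORMAT, sec, 11)))
    drive, _rsvd, boot_sig, serial, label, fs = struct.unpack_from(EXT_FORMAT, sec, 36)
    bpb.update(oem_name=sec[3:11].decode("latin-1"), drive=drive,
               boot_signature=boot_sig, serial=serial,
               label=label.decode("latin-1").rstrip(),
               fs_type=fs.decode("latin-1").rstrip(),
               jump_target=jump_target(sec),
               signature_ok=sec[0x1FE:0x200] == b"\x55\xAA")
    return bpb

def sanity_check(sec):
    """List the ways the sector departs from the documented layout."""
    bpb = parse_boot_sector(sec)
    problems = []
    if bpb["jump_target"] is None:
        problems.append("bytes 0-2 are not EB xx 90 or E9 xx xx")
    elif bpb["jump_target"] < 62:
        problems.append("jump lands before offset 62, inside the header fields")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1) or spc > 64:
        problems.append("sectors per cluster %d is not a power of 2 up to 64" % spc)
    media = describe_media(bpb["media"])
    if media["name"] == "unknown" or not media["reserved_ok"]:
        problems.append("media descriptor %02Xh is not a documented value" % bpb["media"])
    # 29h (DOS 4 extended boot signature) says bytes 39-61 are filled in.
    if bpb["boot_signature"] == 0x29 and bpb["fs_type"] not in ("FAT12", "FAT16"):
        problems.append("filesystem type %r is not FAT12 or FAT16" % bpb["fs_type"])
    if not bpb["signature_ok"]:
        problems.append("no 55h AAh at offset 1FEh")
    return problems

def build_sample_boot_sector():
    """Constructed 360K FAT12 boot sector: 512-byte sectors, 2 per cluster,
    1 reserved, 2 FATs of 2 sectors, 112 root entries, 720 sectors, FDh media,
    9 sectors/track, 2 heads.  Serial number and label are made up."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                  # short jump to offset 62, NOP
    sec[3:11] = b"EXAMPLE "                      # OEM name: anything goes here
    struct.pack_into(BPB_FORMAT, sec, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0, 0)
    struct.pack_into(EXT_FORMAT, sec, 36, 0, 0, 0x29, 0x12345678,
                     b"NO NAME    ", b"FAT12   ")
    sec[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sec)

if __name__ == "__main__":
    sample = build_sample_boot_sector()
    print(parse_boot_sector(sample))
    print("problems:", sanity_check(sample) or "none")
```

The same parser applied to a sector read off a real diskette gives a quick way to see whether a "something is writing to my boot sector" alert left a sector that still follows the layout; a BPB that no longer makes sense, or a missing 55h AAh, is a reason to check the disk, not proof of a virus on its own.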
IBM POST Audio Error Codes:

1 short beep              All OK or Display error
2 short beeps             POST error - Error code on CRT, or Display error
No beep                   Power, motherboard
Continuous beep           Power, motherboard
Repeating short beeps     Power, motherboard, stuck keyboard key
1 long, 1 short beep      Motherboard, clock speed too fast
1 long, 2 short beeps     Display adapter (MDA, CGA)
1 long, 3 short beeps     Enhanced Graphics Adapter (EGA) video RAM
3 long beeps              3270 keyboard card

AMI BIOS Audio POST Codes:

1 short beep              DRAM refresh failure
2 short beeps             Parity circuit failure
3 short beeps             Base 64K RAM failure
4 short beeps             System timer failure
5 short beeps             Processor failure
6 short beeps             Keyboard controller Gate A20 error
7 short beeps             Virtual mode exception error
8 short beeps             Display memory Read/Write test failure
9 short beeps             ROM BIOS checksum failure
10 short beeps            CMOS Shutdown Read/Write error
11 short beeps            Cache Memory error
1 long, 3 short beeps     Conventional/extended memory failure
1 long, 8 short beeps     Display/retrace test failed