FUNGEN5.CVP   910828

Viral activation

In attempting to protect against viral infection, and particularly when trying to disinfect systems, it is important to bear in mind the times that the virus is actively "infectious". The viral activation is not the same as the activation of the payload that a virus may carry. For example, the payload of the original "Stoned" virus was a message which appeared on the screen saying "Your PC is now Stoned!". This message only appears at boot time, and on only one eighth of the times the computer is rebooted. The virus, however, is infectious at all times, if it has infected the hard disk.

There are basically three possibilities for the infectious period: now ("one-shot"), during program run ("while called") or from now on (resident). These periods may be modified by other circumstances. A resident virus may remain in memory, but only be actively infecting when a disk is accessed. A "while called" virus may only infect a new program when a directory is changed.

"One-shot" viri only get one chance on each "run" of the infected program. The viral code will seek out and infect a target program. They then pass control to the original program, and perform no further functions. These are, of course, the simplest of the viral programs. Mainframe "mail" viri are generally of this type.

The second class will activate when the infected program is called, and then pass partial control to the original program. The virus, however, will remain operational during the time that the infected program is running. If this can be accomplished, it is only a slight jump to write a fully memory resident virus.

Resident viri are the most successful, and the most dangerous, of viral programs. A resident virus will become active when an infected program is run (or at boot time for boot sector infectors), and remain active until the computer is rebooted or turned off.
(Some viral programs are even able to trap the rebooting sequence that is normally called when you press Ctrl-Alt-Del on an MS-DOS PC, and thus are able to survive a "warm boot.") The most successful of the file infectors, the Jerusalem virus, is resident, as are all boot sector infectors. (For fairly obvious reasons; the boot sector is never "called" in normal operation.)

If a virus is active in memory, it is a waste of time trying to disinfect a file or disk. No sooner is the file "cleaned", than it becomes a suitable target for re-infection. You may try to disinfect a hard disk right down to performing a low level format: as soon as the disk is reformatted it may be infected all over again. This is why all directions for disinfection stress the necessity of "cold" booting from a disk that is known to be free of infection before attempting any cleanup.

copyright Robert M. Slade, 1991   FUNGEN5.CVP   910828

=================== 
Vancouver       ROBERTS@decus.ca        | "Power users think
Institute for   Robert_Slade@sfu.ca     |  'Your PC is now
Research into   rslade@cue.bc.ca        |  Stoned' is part of
User            p1@CyberStore.ca        |  the DOS copyright
Security        Canada V7K 2G6          |  line."   R. Murnane
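The column's point about cleanup failing while a resident infector is still in memory can be shown with a toy state model. This is an added illustration, not code from the column or from any real virus: "infection" is just a flag on a simulated file, the "resident hook" is a boolean, and the file names and the hook's behaviour (re-infect on any disk access) are constructed assumptions.

```python
# Added example: simulate why disinfecting with a resident infector still in
# memory fails, and why a cold boot from a clean disk before cleanup works.
# Nothing here touches real files or memory; it is a state model only.
from dataclasses import dataclass, field


@dataclass
class Machine:
    files: dict = field(default_factory=dict)  # file name -> infected flag
    resident_hook: bool = False                # simulated infector in RAM

    def run(self, name: str) -> None:
        """Running an infected program installs the resident hook ("from now on")."""
        if self.files[name]:
            self.resident_hook = True

    def access(self, name: str) -> None:
        """While the hook is resident, any disk access re-infects the file."""
        if self.resident_hook:
            self.files[name] = True

    def clean(self, name: str) -> None:
        """Disinfect, then write the file back (which is itself a disk access)."""
        self.files[name] = False
        self.access(name)

    def cold_boot(self) -> None:
        """Power off and boot from a known-clean disk: nothing in RAM survives."""
        self.resident_hook = False


def attempt_cleanup(cold_boot_first: bool) -> dict:
    """Return the infection state of each file after a cleanup pass.

    Constructed scenario: A.EXE starts infected, B.EXE starts clean.
    """
    m = Machine(files={"A.EXE": True, "B.EXE": False})
    m.run("A.EXE")      # user runs the infected program; hook goes resident
    m.access("B.EXE")   # ordinary use touches B.EXE, which spreads the infection
    if cold_boot_first:
        m.cold_boot()   # the step every disinfection guide insists on
    for name in m.files:
        m.clean(name)   # "clean" each file in turn
    return dict(m.files)


if __name__ == "__main__":
    print("warm cleanup :", attempt_cleanup(cold_boot_first=False))
    print("cold-boot first:", attempt_cleanup(cold_boot_first=True))
```

With the hook resident, every "cleaned" file is re-infected by the write-back; after the cold boot the same cleanup leaves both files clean.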