From: Aryeh Goretsky (goretsky_at_adelphia.net)
Date: Wed Oct 16 2002 - 05:21:39 EDT
Hello,

While capable of infecting a system, I would think it unlikely a boot
sector or master boot record virus would spread very far under OS/2.
Here's why:

Boot sector and master boot record viruses work by replacing the
executable code in the boot sector or MBR with themselves.
Normally this code loads the rest of the operating system, or displays
an error message when the core operating system files aren't found.
If you've ever seen an error message such as "Non-System Disk or Disk
Error. Replace and Strike Any Key When Ready." then you've seen what
happens when the executable code in the boot sector cannot load the
rest of the operating system.

Anyways, a virus moves the original boot code to a different
location on the disk and places itself in that location so it can
be executed first, installs itself in memory much like a TSR or
device driver, and then passes control back to the original boot code
so it can load the rest of the operating system (or error out if there
is no OS on the disk).

In order for the virus to remain resident in memory and hooked into
the disk I/O to transfer itself, the computer's CPU has to be running
in real mode, which is where all programs can directly access the
computer's hardware (and a virus can modify the interrupt vector table
to allow it to monitor and infect through disk I/O requests).

Problem is, modern day operating systems like OS/2 (and Windows 95
and later, and *NIX) run in 32-bit protected mode and switch to that
during the boot process, effectively disabling viruses' interface to
the hardware.

But if a boot sector or MBR virus is present, one of four things will
still happen:

1. The computer will boot up and function as normal (e.g., the virus
did not interfere with normal operation of the system).

2a. The computer will boot up as normal, display an error message
indicating a problem with accessing the disk in protected mode,
and function as normal (e.g., the virus minorly impacted system
performance).

2b. The computer will boot up as normal, display an error message
indicating a problem with accessing the disk in protected mode,
and stop (e.g., the virus has prevented the OS from loading).

3. The computer will no longer boot up as normal, as the virus has
altered or destroyed portions of the boot code needed to load
the operating system.

In all cases the virus is unable to spread, but in the latter case,
it is more annoying because the computer will no longer boot up
properly.

One thing to keep in mind is this discussion refers to a type of
computer virus which is rarely seen these days. The replacement
of floppy diskettes with email attachments as a way of transferring
data and the introduction of computer system ROM BIOSes which allow
the order of boot devices to be changed have adversely impacted the
potential for boot sector and MBR virus growth.

Regards,

Aryeh Goretsky

At 12:16 PM 10/14/2002 -0400, you wrote:
>In-Reply-To: <5.1.1.5.2.20021013172032.00bb0dc0_at_pop.abs.adelphia.net>
>Date: Sun, 13 Oct 2002 20:47:28 -0400
>From: "Julian Thomas" <jt_at_jt-mj.net>
>To: THINKPAD_at_cs.utk.edu
>Subject: Re: [OT] Viruses under OS/2 (was: Re: buying a thinkpad without
>microsoft)
>Message-Id: <200210140046.g9E0k8M01608_at_emerald.fltg.net>
>
>In <5.1.1.5.2.20021013172032.00bb0dc0_at_pop.abs.adelphia.net>, on 10/13/02
> at 05:32 PM, Aryeh Goretsky <goretsky_at_adelphia.net> typed:
>
> >Most boot sector and master boot record viruses are capable of infecting
> >a system running OS/2 regardless of the file system (FAT, HPFS, and so
> >forth).
>
>Yes, but how are these viri going to get activated under OS2?
>
>--
> Julian Thomas: jt_at_jt-mj.net http://jt-mj.net
> In the beautiful Finger Lakes Wine Country of New York State!
> Boardmember of POSSI.org - Phoenix OS/2 Society, Inc
>http://www.possi.org
> -- --
> Windows: From the people who brought you EDLIN!
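
Added example, not part of the original message or written by its author: because these viruses replace the executable code in the MBR, a defender can baseline that code on a known-clean system and check it later. The sketch assumes the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature); the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446        # bytes 0..445: executable boot code
ENTRY_LEN = 16             # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510..511: boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split a classic 512-byte MBR into boot code, partition table and signature."""
    if len(sector) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    table = sector[BOOT_CODE_LEN:510]
    entries = []
    for i in range(4):
        raw = table[i * ENTRY_LEN:(i + 1) * ENTRY_LEN]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"active": status == 0x80, "type": ptype,
                            "lba": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(table).hexdigest(),
        "entries": entries,
        "signature_ok": sector[510:] == SIGNATURE,
    }


def audit_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a sector against a baseline taken from a known-clean system."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature missing")
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed")
    if current["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table changed")
    return findings


# Constructed sample data (filler bytes, not real boot code): one active
# partition of type 0x07 starting at LBA 63.
entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2048)
clean = b"\x90" * BOOT_CODE_LEN + entry + bytes(48) + SIGNATURE
altered = b"\xcc" * BOOT_CODE_LEN + clean[BOOT_CODE_LEN:]  # code replaced, table intact
baseline = parse_mbr(clean)
```

Here `audit_mbr(clean, baseline)` reports nothing, while `audit_mbr(altered, baseline)` flags the boot code and leaves the intact partition table alone.
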
This archive was generated by hypermail 2.1.3 : Thu Jan 23 2003 - 09:59:30 EST