Hi Sam and all,

On Thu, 20 Sep 2001 12:21:31 -0500, Samuel W. Heywood wrote:

> Besides BOOTC.COM I have three other programs that will reboot the
> computer.  These other programs were not flagged as destructive.
> They are WARMBOOT.COM, COLDBOOT.COM, and BOOTW.COM.  Running
> BOOTC.COM or COLDBOOT.COM I believe is equivalent to hitting the
> computer's reset button.  Running WARMBOOT.COM or BOOTW.COM I
> believe is equivalent to pressing CTRL-ALT-DELETE.  Only BOOTC.COM
> was flagged as a destructive program.  The program does nothing bad
> as far as I know.  I have used it many times.  Any one of these
> programs could theoretically be used to immediately bring up a boot
> virus.

The difference between warm and cold boot (seen from the programmer's
view) is how to invoke them. Warm boot is done by invoking BIOS
interrupt $19 after writing $1234 to address $0000:$0472. You can write
a little proggy to do this or simply hit Ctrl-Alt-Del. INT $19 then
jumps to the BIOS bootstrap loader which searches bootable drives for an
OS.
Cold boot is done after resetting the CPU by pressing the reset button or
via some special register of the keyboard controller. There is the
possibility to specify the action after reset (I forgot how to do this,
but there are some good books which will describe hardware stuff). This
is necessary 'cuz CPU reset is the only way for an 80286 to return from
protected mode to real mode. If a reboot is needed, the BIOS first jumps to
POST routines and then invokes the bootstrap loader.
I don't know how exactly bootc.com works but I'm sure it performs direct
access to the hardware and this causes F-Prot's warnings. This does not
mean that bootc.com does some evil. Just the code is suspected by F-Prot
to do so 'cuz it's similar to a way a virus might do some bad stuff.

Regards Joerg
-- Arachne V1.70, NON-COMMERCIAL copy, http://arachne.cz/
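
An added illustration, not part of the message above and not F-Prot's actual logic: a naive byte-pattern heuristic showing why a scanner could treat a reboot utility that touches hardware ports differently from one that only calls the BIOS. The sample images are constructed, the scoring labels are hypothetical, and the keyboard-controller pattern (command 0FEh written to port 64h, the standard AT reset pulse) is an assumption about what "some special register of the keyboard controller" refers to.

```python
import re

# x86 real-mode encodings of the reboot idioms discussed in the message.
PATTERNS = {
    # mov word [0472h], 1234h (DS=0000h) or [0072h] (DS=0040h): warm-boot flag
    "warm-boot flag write": re.compile(rb"\xC7\x06\x72[\x00\x04]\x34\x12"),
    # int 19h: BIOS bootstrap loader
    "INT 19h bootstrap call": re.compile(rb"\xCD\x19"),
    # mov al, 0FEh / out 64h, al: pulse the CPU reset line via the 8042
    "keyboard-controller reset (direct port I/O)": re.compile(rb"\xB0\xFE\xE6\x64"),
}

# Findings that bypass the BIOS and talk to hardware directly.
DIRECT_HARDWARE = {"keyboard-controller reset (direct port I/O)"}

# Constructed sample: xor ax,ax / mov ds,ax / mov word [0472h],1234h / int 19h
WARM_SAMPLE = bytes.fromhex("31C0 8ED8 C70672043412 CD19")
# Constructed sample: mov al,0FEh / out 64h,al / hlt
COLD_SAMPLE = bytes.fromhex("B0FE E664 F4")


def scan(image: bytes):
    """Return a sorted list of (offset, finding) for each idiom in a .COM image."""
    hits = []
    for name, rx in PATTERNS.items():
        hits += [(m.start(), name) for m in rx.finditer(image)]
    return sorted(hits)


def verdict(image: bytes) -> str:
    """Hypothetical scoring: direct port I/O is rated higher than BIOS calls."""
    names = {name for _, name in scan(image)}
    if names & DIRECT_HARDWARE:
        return "suspicious"
    return "reboot-only" if names else "clean"


if __name__ == "__main__":
    for label, image in (("warm", WARM_SAMPLE), ("cold", COLD_SAMPLE)):
        print(label, verdict(image), scan(image))
```

Matching raw bytes without disassembling can hit data that merely resembles these opcodes, which is one reason a heuristic warning of this kind says nothing about intent.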
