
Can Someone Help?


~*Vicky*~

Nov 13, 1999, 3:00:00 AM
I'm hoping someone can help me...

I installed a new 8.4Gb drive in my computer about 4 days ago and, when
running my system shortly thereafter, I received a strange message
during boot up a few times. It said "6kb's of RAM are missing, do you
want to [I] Ignore it, [A] Accept it, or [T] Terminate it?" So, after
trying to [T] terminate it more than once, it continued with this every
time I'd restart the computer. So, I finally [A] Accepted it, thinking
it wasn't a big deal.

Then, the very next time I restarted my computer, I had a strange
window and alarm pop up during boot up. It says "A STEALTH VIRUS has
been detected!!! Insert Rescue Disk"

Naturally, I'm beside myself right now, not having ANY clue what this
is all about, other than I have a virus apparently in my bootup system.
I don't know what a "rescue disk" is, either, as I don't believe I have
one. Does anyone know how or why this is happening? I ran my
anti-virus program, but it didn't detect anything in my drives, files,
exe. files, so I'm really confused now.

Any and all comments would be GREATLY appreciated, as I'm very worried
at this point.

Thanks, in advance, for your help.

Vicky
~Redwood Productions~
http://www.littleleaf.com


Mark Kent

Nov 13, 1999, 3:00:00 AM
If it is a bootsector virus, which it sounds like it is, you will have to boot
from a clean diskette to avoid the virus going memory resident when the PC
boots. The virus will suck up conventional memory (giving you that error) and
can remain hidden from AV products, or screw up their scanning ability. If you
do not have access to a command line scanner, many AV products come with an
emergency disk that can be used to boot and scan the PC

Mark
"Life is a trip of tomorrow."

Nick FitzGerald

Nov 13, 1999, 3:00:00 AM
~*Vicky*~ <sassyi...@hotmail.com> wrote:

> I'm hoping someone can help me...

That's what some of us excel at.

> I installed a new 8.4Gb drive in my computer about 4 days ago and, when

"New" as in "bought from the shop in a sealed bag"?

> running my system shortly thereafter, I received a strange message
> during boot up a few times. It said "6kb's of RAM are missing, do you
> want to [I] Ignore it, [A] Accept it, or [T] Terminate it?" So, after
> trying to [T] terminate it more than once, it continued with this every
> time I'd restart the computer. So, I finally [A] Accepted it, thinking
> it wasn't a big deal.

Exactly *where* in the boot sequence did this appear?
Had the "Starting Windows..." message already been
displayed?

> Then, the very next time I restarted my computer, I had a strange
> window and alarm pop up during boot up. It says "A STEALTH VIRUS has
> been detected!!! Insert Rescue Disk"
>
> Naturally, I'm beside myself right now, not having ANY clue what this
> is all about, other than I have a virus apparently in my bootup system.

Relax -- you most likely do *not* have a virus...

> I don't know what a "rescue disk" is, either, as I don't believe I have
> one. Does anyone know how or why this is happening? I ran my

My educated guess is that your new drive has/requires
a "drive overlay". This is a piece of software that
"extends" your BIOS' capabilities so your machine can
properly deal with very large drives. "Recent" BIOSes
handle such large drives without the assistance of a
drive overlay driver, but "older" ones cannot address
all of the space on these large disks.

When you received the drive, was there an installation
diskette with it? Did you run the software on that
disk? If both "Yes" then what you did was install the
overlay driver. Because this driver has to load
*before* the operating system does, it installs a
special loader in the MBR of the primary hard drive.
That loads the rest of the driver into memory from
other (normally unused) sectors on the boot track (the
rest of the sectors from the MBR to the end of the
first track on the drive).

If you did not receive such a diskette with the drive,
or did not run the installer on it, did you install
the new drive as the primary? If so, the drive may
have shipped with the overlay driver pre-installed (I
have heard that this is done by some drive makers, but
never seen it myself).

Such an overlay driver would account for the "RAM
missing" warning, as it has to "steal" some memory to
ensure that it is not overwritten by the operating
system or programs that it loads. But *what* raised
the "RAM missing" warning in the first place?

The answer to this I'm not so sure about, but I
suspect a "virus protection" option in your BIOS. Not
only has it noticed the "suspicious" stealing of
memory, but once you told it this was OK, it then
allowed the boot to continue and noticed other things
about the drive overlay's behaviour that it does not
like, raising a warning about a stealth virus (drive
overlays certainly do some things similar to what some
stealth viruses do...).

> anti-virus program, but it didn't detect anything in my drives, files,
> exe. files, so I'm really confused now.

Your AV program is probably correct.

> Any and all comments would be GREATLY appreciated, as I'm very worried
> at this point.

I hope this helps. If correct, the only way to "fix"
this would be to either disable the BIOS virus check
feature or remove the drive overlay if your BIOS can
handle the drive without it. The latter seems an
unlikely option to me, as most (all I've seen) of the
overlay installers run some tests to determine
whether the BIOS on the machine can correctly support
the larger drives and don't install if they are not
needed.

> Thanks, in advance, for your help.

You're welcome. For more detailed assistance, please
Email me.

[Posted and Emailed]


--
Nick FitzGerald
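
The reasoning in the post above (memory missing at boot, plus an overlay loader in the MBR) can be written as a triage check. This is an added example, not part of the original thread and not code from any product named in it. The partition type bytes 0x55 (EZ-Drive) and 0x54 (Disk Manager) come from common partition-ID lists rather than from the thread, and the clean-boot baseline value and the sample sectors are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE    512
#define PT_OFFSET      446  /* partition table offset inside the MBR */
#define PT_ENTRIES     4
#define PT_ENTRY_SIZE  16
#define PT_TYPE_BYTE   4    /* offset of the type byte inside one entry */

/* Partition type bytes that drive overlay installers leave in sector 0. */
#define PTYPE_DM6_DDO  0x54 /* OnTrack Disk Manager */
#define PTYPE_EZ_DRIVE 0x55 /* EZ-Drive */

enum verdict {
    MBR_INVALID,          /* no 55 AA boot signature: not a usable MBR */
    NOTHING_MISSING,      /* base memory matches the clean baseline */
    OVERLAY_EXPLAINS_IT,  /* memory is missing and an overlay marker is present */
    UNEXPLAINED_RESIDENT  /* memory is missing and nothing benign accounts for it */
};

struct triage {
    enum verdict verdict;
    unsigned     missing_kb;
    uint8_t      overlay_type; /* 0 when no overlay marker was found */
};

/* Scan the four primary entries for a known overlay type byte. */
static uint8_t find_overlay_type(const uint8_t *mbr)
{
    for (int i = 0; i < PT_ENTRIES; i++) {
        uint8_t type = mbr[PT_OFFSET + i * PT_ENTRY_SIZE + PT_TYPE_BYTE];
        if (type == PTYPE_EZ_DRIVE || type == PTYPE_DM6_DDO)
            return type;
    }
    return 0;
}

/*
 * mbr         : raw sector 0 as read after booting from a clean diskette
 * baseline_kb : base memory recorded on a known-clean boot (assumption: 640)
 * current_kb  : base memory now, i.e. the word at 0040:0013 (same as INT 12h)
 */
struct triage triage_boot(const uint8_t *mbr, uint16_t baseline_kb,
                          uint16_t current_kb)
{
    struct triage t = { MBR_INVALID, 0, 0 };

    if (mbr[510] != 0x55 || mbr[511] != 0xAA)
        return t;

    t.overlay_type = find_overlay_type(mbr);
    t.missing_kb = baseline_kb > current_kb
                 ? (unsigned)(baseline_kb - current_kb) : 0;

    if (t.missing_kb == 0)
        t.verdict = NOTHING_MISSING;
    else if (t.overlay_type != 0)
        t.verdict = OVERLAY_EXPLAINS_IT;
    else
        t.verdict = UNEXPLAINED_RESIDENT;
    return t;
}

/* Constructed sample: empty MBR with one partition entry of the given type. */
void make_sample_mbr(uint8_t *out, uint8_t ptype)
{
    memset(out, 0, SECTOR_SIZE);
    out[PT_OFFSET + PT_TYPE_BYTE] = ptype;
    out[510] = 0x55;
    out[511] = 0xAA;
}

static const char *verdict_name(enum verdict v)
{
    switch (v) {
    case MBR_INVALID:         return "MBR invalid";
    case NOTHING_MISSING:     return "nothing missing";
    case OVERLAY_EXPLAINS_IT: return "drive overlay accounts for missing memory";
    default:                  return "unexplained resident code: scan from clean boot";
    }
}

int main(void)
{
    uint8_t sector[SECTOR_SIZE];
    uint8_t types[] = { PTYPE_EZ_DRIVE, 0x06 /* FAT16, no overlay */ };

    for (size_t i = 0; i < sizeof types; i++) {
        make_sample_mbr(sector, types[i]);
        struct triage t = triage_boot(sector, 640, 634); /* 6 KB missing */
        printf("type 0x%02X: %u KB missing, %s\n",
               types[i], t.missing_kb, verdict_name(t.verdict));
    }
    return 0;
}
```

An overlay marker only accounts for the missing memory; it does not rule out an infection on the same disk, which is why the clean-diskette scan suggested earlier in the thread still settles the question.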

DigitAl56K

Nov 14, 1999, 3:00:00 AM
"~*Vicky*~" <sassyi...@hotmail.com>:

Sounds like your new hard disk was perhaps not blank when you got it!

Download F-Prot for DOS from www.complex.is and AVDisk from my site,
unzip both on a clean computer into the same folder and run AVDisk to
make a set of rescue disks. Write protect them and then boot off them
in the infected machine.

-==-==-==-==-==-==-==-==-==-==-==-==-==-==-
Visit the DigitAl56K Website
http://www.digital56k.free-online.co.uk
Get AVDisk v4 for F-Prot (Software section)
-==-==-==-==-==-==-==-==-==-==-==-==-==-==-

Zvi Netiv

Nov 14, 1999, 3:00:00 AM
"~*Vicky*~" <sassyi...@hotmail.com> wrote:

> I'm hoping someone can help me...

> I installed a new 8.4Gb drive in my computer about 4 days ago and, when

> running my system shortly thereafter, I received a strange message
> during boot up a few times. It said "6kb's of RAM are missing, do you
> want to [I] Ignore it, [A] Accept it, or [T] Terminate it?" So, after
> trying to [T] terminate it more than once, it continued with this every
> time I'd restart the computer. So, I finally [A] Accepted it, thinking
> it wasn't a big deal.

> Then, the very next time I restarted my computer, I had a strange


> window and alarm pop up during boot up. It says "A STEALTH VIRUS has
> been detected!!! Insert Rescue Disk"

These messages remind a few years old version of IV, although the
wording was different.

Installing an 8.4 gig drive, 6 kbytes of memory stealing and the
detection of stealthing at startup may suggest the use of a BIOS
extender, most probably EZ-Drive.



> Naturally, I'm beside myself right now, not having ANY clue what this
> is all about, other than I have a virus apparently in my bootup system.

> I don't know what a "rescue disk" is, either, as I don't believe I have
> one. Does anyone know how or why this is happening? I ran my

> anti-virus program, but it didn't detect anything in my drives, files,
> exe. files, so I'm really confused now.

> Any and all comments would be GREATLY appreciated, as I'm very worried
> at this point.

Download the current version of IV and install. It will tell you if
the drive uses a BIOS extender or if it's a genuine infection.

In case you use EZ-Drive then IV is also the only utility that will
prepare a good rescue diskette with the correct backups, in case the
drive gets really infected.



> Thanks, in advance, for your help.

Regards, Zvi
---------------------------------------------------------------------
NetZ Computing Ltd. Israel Developer & Producer of InVircible & ResQ
Download, Support: http://www.invircible.com Sup...@invircible.com
Mirror: www2.invircible.com Personal e-mail: z...@invircible.com
Voice +972 3 938 6868 +972 52 494 017 (mobile) Fax +972 3 938 6869
---------------------------------------------------------------------

Zvi Netiv

Nov 14, 1999, 3:00:00 AM
"~*Vicky*~" <sassyi...@hotmail.com> wrote:

Hi again,

Following my former post, and your e-mail reply:

> > I'm hoping someone can help me...

> > I installed a new 8.4Gb drive in my computer about 4 days ago and, when
> > running my system shortly thereafter, I received a strange message
> > during boot up a few times. It said "6kb's of RAM are missing, do you
> > want to [I] Ignore it, [A] Accept it, or [T] Terminate it?" So, after
> > trying to [T] terminate it more than once, it continued with this every
> > time I'd restart the computer. So, I finally [A] Accepted it, thinking
> > it wasn't a big deal.

In case 'Ken Blake' reads this thread: Note the 6 kbytes of memory
stealing by EZ-Drive (relating to the 'Boot Sector Virus' thread
started on 11/4/99).



> > Then, the very next time I restarted my computer, I had a strange
> > window and alarm pop up during boot up. It says "A STEALTH VIRUS has
> > been detected!!! Insert Rescue Disk"

Discontinue the use of whatever software that issues these messages.



> These messages remind a few years old version of IV, although the wording was different.

> Installing an 8.4 gig drive, 6 kbytes of memory stealing and the detection
> of stealthing at startup may suggest the use of a BIOS extender, most
> probably EZ-Drive.

Your e-mail confirms that your drive does indeed use EZ-Drive. Both
the "memory stealing" and the stealthing at startup are then perfectly
in order.

What I do not understand from your e-mail is why did you have to
install the EZ driver? If your motherboard is a Pentium, or even an
486 from 1995 or later, then it should support LBA (logical block
access) for IDE drives and you shouldn't have installed the EZ
software.


> > Naturally, I'm beside myself right now, not having ANY clue what this
> > is all about, other than I have a virus apparently in my bootup system.
> > I don't know what a "rescue disk" is, either, as I don't believe I have
> > one. Does anyone know how or why this is happening? I ran my
> > anti-virus program, but it didn't detect anything in my drives, files,
> > exe. files, so I'm really confused now.

> > Any and all comments would be GREATLY appreciated, as I'm very worried
> > at this point.

> Download the current version of IV and install. It will tell you if the
> drive uses a BIOS extender or if it's a genuine infection.

To your question, the current version of IV is available from any of
the sites in my signature. Just follow the link "get your copy" on
any of our sites.

Additional reasons to download IV are the rescue diskette, and you may
also need its RESQDISK program to remove EZ-Drive in case your board
supports LBA.



> In case you use EZ-Drive then IV is also the only utility that will prepare
> a good rescue diskette with the correct backups, in case the drive gets
> really infected.

> > Thanks, in advance, for your help.

Seems that it already helped. :)

Zvi Netiv

Nov 14, 1999, 3:00:00 AM
"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote:

[snip]



> My educated guess is that your new drive has/requires
> a "drive overlay".

[snip]



> Such an overlay driver would account for the "RAM
> missing" warning, as it has to "steal" some memory to
> ensure that it is not overwritten by the operating
> system or programs that it loads. But *what* raised
> the "RAM missing" warning in the first place?

> The answer to this I'm not so sure about, but I
> suspect a "virus protection" option in your BIOS.

There is no virus protection option of this sort in no matter what
BIOS.

> Not only has it noticed the "suspicious" stealing of
> memory, but once you told it this was OK, it then
> allowed the boot to continue and noticed other things
> about the drive overlay's behaviour that it does not
> like, raising a warning about a stealth virus (drive
> overlays certainly do some things similar to what some
> stealth viruses do...).

BIOS extenders use stealth to protect the overlay and the special MBR
from being accidentally overwritten. There is very little in common
with viruses.



> > anti-virus program, but it didn't detect anything in my drives, files,
> > exe. files, so I'm really confused now.

> Your AV program is probably correct.

> > Any and all comments would be GREATLY appreciated, as I'm very worried
> > at this point.

> I hope this helps. If correct, the only way to "fix"
> this would be to either disable the BIOS virus check
> feature or remove the drive overlay if your BIOS can
> handle the drive without it.

As said above, there is no BIOS option involved. The memory stealing
message is generated by software, not the BIOS.

BTW, how do you suggest to remove the EZ-Drive overlay in case it
isn't needed, without needing to reinstall all software on the drive?
RESQDISK does it with a couple of keystrokes. What's your preferred
method?



> The latter seems an
> unlikely option to me, as most (all I've seen) of the
> overlay installers run some tests to determine
> whether the BIOS on the machine can correctly support
> the larger drives and don't install if they are not
> needed.

Unfortunately not true. Both EZ-Drive or Disk Manager can be fooled
and will install without a hitch by setting the drive mode to NORMAL
in the CMOS.

Nick FitzGerald

Nov 14, 1999, 3:00:00 AM
Zvi Netiv <z...@invircible.com> wrote:

<<snip>>


> > The answer to this I'm not so sure about, but I
> > suspect a "virus protection" option in your BIOS.
>
> There is no virus protection option of this sort in no matter what
> BIOS.

And you know this 100% for sure because you have
disassembled every byte of every revision of every
BIOS ever shipped on every PC, ever, right?

Zvi -- instead of trying to score points off me, read
what I said. To save you the strain of scrolling back
a few lines, I'll repeat it again:

The answer to this I'm not so sure about, but I
suspect...

Now, unlike you, I did not make an allegation I cannot
be 100% sure of. How do you know what the ChipAway
folks, or other, might have built into an "odd" BIOS
virus protection mechanism by way of heuristic
analysis?

In truth, I suspected that Vicky had old/poor generic
virus detection software on the machine in question.
As she gave no indication of this by name or explicit
suggestion however, I let it sit in case that was not
the case, as then you would have harped on about me
"bad-mouthing" you/your product. As the champion
"bad-mouther" around here though, you had to step
forward to renew your claim on the crown with this
post of yours.

> > Not only has it noticed the "suspicious" stealing of
> > memory, but once you told it this was OK, it then
> > allowed the boot to continue and noticed other things
> > about the drive overlay's behaviour that it does not
> > like, raising a warning about a stealth virus (drive
> > overlays certainly do some things similar to what some
> > stealth viruses do...).
>
> BIOS extenders use stealth to protect the overlay and the special MBR
> from being accidentally overwritten. There is very little in common
> with viruses.

Semantic twaddle.

Drive overlay drivers do almost exactly what most
stealthy boot infectors do. They prevent access to
certain sectors on the drive, or only allow read
access, etc.

The "proof" of this is that your own great product
detected the overlay as a stealth virus. Now Zvi,
please explain -- was that "old" version of your
product so badly designed that it detected a stealth
virus not only where there was not one, *but* where
there was code that exhibits behaviour with "very
little in common with viruses"?

You can't have it both ways Zvi -- either I'm right
about drive overlays having similar features to
stealth viruses or I'm wrong (as you claim) and
therefore your (old) product is badly designed.

Which is it? Or were you hand-waving to spread more
confusion so people would not notice the real
problem -- an old version of IV caused a user some
distress?

> As said above, there is no BIOS option involved. The memory stealing
> message is generated by software, not the BIOS.

As I said, there *may* have been a BIOS option. I
was too polite to comment on the quality of the other
software that was possibly involved.

> > The latter seems an
> > unlikely option to me, as most (all I've seen) of the
> > overlay installers run some tests to determine
> > whether the BIOS on the machine can correctly support
> > the larger drives and don't install if they are not
> > needed.
>
> Unfortunately not true. Both EZ-Drive or Disk Manager can be fooled
> and will install without a hitch by setting the drive mode to NORMAL
> in the CMOS.

OK -- so I was a tad simplistic in my wording. I
meant "...run some tests to determine whether the BIOS
configuration can correctly support the larger drives
and don't install if they are not needed". These
installers "assume" the BIOS config is "optimal" for
the user's desired OS configuration.


--
Nick FitzGerald

Brian Rechterman

Nov 14, 1999, 3:00:00 AM
to ~*Vicky*~
It sounds like you have a computer virus. If you have an anti virus software
program on your computer, I would try scanning your computer for a virus.
STEALTH VIRUSES are usually pretty mean viruses. If you don't have Norton Anti
Virus, I would go out and buy it.

~*Vicky*~ wrote:

> I'm hoping someone can help me...
>
> I installed a new 8.4Gb drive in my computer about 4 days ago and, when
> running my system shortly thereafter, I received a strange message
> during boot up a few times. It said "6kb's of RAM are missing, do you
> want to [I] Ignore it, [A] Accept it, or [T] Terminate it?" So, after
> trying to [T] terminate it more than once, it continued with this every
> time I'd restart the computer. So, I finally [A] Accepted it, thinking
> it wasn't a big deal.
>

> Then, the very next time I restarted my computer, I had a strange
> window and alarm pop up during boot up. It says "A STEALTH VIRUS has
> been detected!!! Insert Rescue Disk"
>

> Naturally, I'm beside myself right now, not having ANY clue what this
> is all about, other than I have a virus apparently in my bootup system.
> I don't know what a "rescue disk" is, either, as I don't believe I have
> one. Does anyone know how or why this is happening? I ran my

> anti-virus program, but it didn't detect anything in my drives, files,
> exe. files, so I'm really confused now.
>

> Any and all comments would be GREATLY appreciated, as I'm very worried
> at this point.
>

> Thanks, in advance, for your help.
>

Nick FitzGerald

Nov 15, 1999, 3:00:00 AM
Zvi Netiv <z...@invircible.com> wrote:

> In case 'Ken Blake' reads this thread: Note the 6 kbytes of memory
> stealing by EZ-Drive (relating to the 'Boot Sector Virus' thread
> started on 11/4/99).

If I remember that thread correctly, either you have to
prove that *no* drive overlays ever use 8KB or Ken has
to show us one that does. That is, this instance is
irrelevant to that point of "debate"...

> > > Then, the very next time I restarted my computer, I had a strange
> > > window and alarm pop up during boot up. It says "A STEALTH VIRUS has
> > > been detected!!! Insert Rescue Disk"
>

> Discontinue the use of whatever software that issues these messages.
>
> > These messages remind a few years old version of IV, although the
> > wording was different.

It may well do, but that was not what Vicky had. From
ongoing Email with her, it appears she had an early
version of In Defense installed -- she would probably
have been better off with that old version of IV Zvi
was alluding to!

> Your e-mail confirms that your drive does indeed use EZ-Drive. Both
> the "memory stealing" and the stealthing at startup are then perfectly
> in order.

So we agree on that now? Your response to my post
suggests that drive overlays have "very little in
common with viruses".

> What I do not understand from your e-mail is why did you have to
> install the EZ driver? If your motherboard is a Pentium, or even an
> 486 from 1995 or later, then it should support LBA (logical block
> access) for IDE drives and you shouldn't have installed the EZ
> software.

I'll let you into a secret mister data recovery
expert -- and this is from a long-standing PC tech
support expert -- it is a fallacy that all Pentium
motherboard/BIOS combinations support LBA. Some of
the very early Pentium BIOSes were simply "slightly
souped up" 486 BIOSes, *and* at the time these were
produced most 486 BIOSes did not support the latest
cool thing in hard drive technology -- LBA. Many a
time I've had a quiet little chuckle to myself
seeing you and other experts roll out the old
"Pentium BIOSes support LBA", so maybe you will now
stop repeating it?

Nearly all operating Pentium machines today support
LBA, but not all do. And do you know who made most
of those that don't? The "big name" PC builders,
because their design lead times are so long and Intel
delayed shipping Pentia, they were first to (finally)
ship Pentium boxes but with a serious hard drive
upgrade "incompatibility" designed in because they
had been overtaken by drive capacity. Companies like
Compaq, HP and Digital spring to mind as likely
having machines so affected, but then most people who
buy such machines have them serviced by the maker (or
its designated servicing people) and they toe the
company line that "machine X supports 250MB, 380MB
and 512MB drives only".


--
Nick FitzGerald

Raid Slam

Nov 15, 1999, 3:00:00 AM
In article <3839bfb3...@news2.actcom.co.il>, z...@invircible.com (Zvi Netiv) wrote:
> In case 'Ken Blake' reads this thread: Note the 6 kbytes of memory
> stealing by EZ-Drive (relating to the 'Boot Sector Virus' thread
> started on 11/4/99).

It's not stealing memory.

> Discontinue the use of whatever software that issues these
> messages.

That would either be (a) invircible (wise choice-discontinue its use)
or (b) trend's chipaway boot virus protection; which doesn't make
sense, as that's on pentium socket 7 mainboards, which would have no
trouble supporting that 8.4gig drive.

> What I do not understand from your e-mail is why did you have to
> install the EZ driver? If your motherboard is a Pentium, or even
> an 486 from 1995 or later, then it should support LBA (logical block
> access) for IDE drives and you shouldn't have installed the EZ
> software.

Umm, I haven't seen many 486 boards from 1995+ that support LBA. Most
of them do not support an 8.4gig hard disk. Including some pentium
class boards (due to defects in the BIOS).

> Download the current version of IV and install. It will tell
> you if the drive uses a BIOS extender or if it's a genuine infection.

She needn't download your product to know if it's an extender. EZBios
tells you on startup what it is, what version it is, and to press CTRL
then select A if you'd like to boot from a floppy. Further, a real
antivirus product such as f-prot or avp would be better suited to
determine if an infection is indeed present, and the best course of
action for removing the infection, without removing your data. Your
product relies on outdated technology Zvi, when will you learn?


> any of our sites.
> Additional reasons to download IV are the rescue diskette, and you
> may also need its RESQDISK program to remove EZ-Drive in case your
> board supports LBA.

Incorrect and highly misleading. Resqdisk is not required to remove
Ezbios safely; Ezbios itself supports a safe removal procedure, should
your system be able to support the drive on its own. Also, ezbios
allows you to disable it before removing, to test your system's ability
to support the drive. If it supports it ok, then proceed with removing
ezbios. It's quick, and simple.

> In case you use EZ-Drive then IV is also the only utility that
> will prepare a good rescue diskette with the correct backups, in case
> the drive gets really infected.

Incorrect and highly misleading too. IV is not the only utility that
will make good rescue disks for ezbios machines. We use a utility I
wrote at work here that does just fine. If the drive gets "really
infected" invircible won't be able to help you at all. You'd need a
real antivirus product then.

I can see that I will need to put the invircible article online as a
direct link. It seems Zvi is still interested in pulling the wool over
people's eyes.


Regards,
Raid [SLAM]
http://www.coderz.net/Raid




Raid Slam

Nov 15, 1999, 3:00:00 AM
In article <383cc68f...@news2.actcom.co.il>, z...@invircible.com (Zvi Netiv) wrote:
> There is no virus protection option of this sort in no matter what
> BIOS.

Wrong. Trend has a "ChipAway boot virus protection" option in most
Award and some AMI BIOSes that have been shipped in the last 2 years.

And when triggered, it does behave similar to the prompts the poster
said was coming up.

> BIOS extenders use stealth to protect the overlay and the special

> MBR from being accidentally overwritten. There is very little in
> common with viruses.

Wrong. Stealth viruses use stealth to protect the sectors they live on
from being overwritten; the same identical trick that bios extenders
use. Further, bios extenders AND stealth viruses will redirect
read/write calls to other areas of the disk. Seems to be more than
"very little in common" to me. And you're supposed to be the expert? hah!

> As said above, there is no BIOS option involved. The memory
> stealing message is generated by software, not the BIOS.

Depends.

> BTW, how do you suggest to remove the EZ-Drive overlay in case it
> isn't needed, without needing to reinstall all software on the
> drive?

Hit CTRL during system boot from hard disk, Select Remove EZBios
option, insert ezbios floppy. It'll ask if you'd like to disable first,
select yes. Reboot system, if drive runs ok, then follow above
procedure, select "remove" instead of enable this time.

No software reinstall required. Just what version of ezbios are you
dealing with Zvi? It's at version 9.xxx something now.

> RESQDISK does it with a couple of keystrokes. What's your
> preferred method?

My preferred method (you did ask) is to let ezbios remove itself. It
knows best how it lives on the hard disk. No user intervention or
guessing required.

> Unfortunately not true. Both EZ-Drive or Disk Manager can be
> fooled and will install without a hitch by setting the drive mode to
> NORMAL in the CMOS.

They aren't being fooled into anything. They specifically tell you to
setup your cmos like that on older machines, for the best compatibility.

They are designed to fool the BIOS in older machines. Why do you have
to try and mislead people by posting such bullshit above Zvi?

Nick FitzGerald

Nov 15, 1999, 3:00:00 AM
I wrote:

<<dirty great snip>>


> having machines so affected, but then most people who
> buy such machines have them serviced by the maker (or
> its designated servicing people) and they toe the
> company line that "machine X supports 250MB, 380MB
> and 512MB drives only".

And I forgot -- some of the early LBA implementations
were buggy. How do you find out if that includes yours?
Install a "large" drive and start filling it up. At X%
full (where X depends on the nature of the LBA bug(s) in
your machine and the size/geometry of the drive) you will
suffer data corruption... Not a good way to endear
yourself to a user upgrading their PC! 8-)


--
Nick FitzGerald

Nick FitzGerald

Nov 15, 1999, 3:00:00 AM
Brian Rechterman <Bria...@netins.net> wrote:

> It sounds like you have a computer virus. ...

Nope -- it sounded as if she almost certainly did
not have a virus. Further messages, both here and
via direct Email convince me as close as I can be
convinced without actually seeing the machine that
no virus was involved in Vicky's "problem" at all.

> ... If you have an anti virus software
> program on your computer, I would try scanning your computer for a virus.

Can't you read? Vicky said she had done this. It
turned up nothing. Again, from further discussion
(Email this time), it turns out that the AV product
she had was an old version of In Defense. That did
not help her much either though, as it was the In
Defense startup protection module that raised the
false alarm that she had a stealth virus in the
first place, rather than detecting that she had
installed a drive overlay.

> STEALTH VIRUSES are usually pretty mean viruses.

Rubbish. Stealth, per se, has no implication for
the "meanness" of a virus. It just means the virus
tries to hide its presence from the normal methods
of checking the place(s) where its code is to be
found.

> ... If you don't have Norton Anti
> Virus, I would go out and buy it.

Each to their own...

...
Brian: I know you want to help, but face it -- there
are *real* computer virus experts in this forum. If
you want to help and your latest couple of posts are
anything to go by, you'd do best to sit back and read
for quite some time, work out who really knows what
they are talking about, who are poseurs, etc then learn
from the experts.

Zvi Netiv

Nov 16, 1999, 3:00:00 AM
"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote:

> Zvi Netiv <z...@invircible.com> wrote:

> > In case 'Ken Blake' reads this thread: Note the 6 kbytes of memory
> > stealing by EZ-Drive (relating to the 'Boot Sector Virus' thread
> > started on 11/4/99).

> If I remember that thread correctly, either you have to
> prove that *no* drive overlays ever use 8KB or Ken has
> to show us one that does. That is, this instance is
> irrelevant to that point of "debate"...

I don't have to prove anything, nor does Ken. The reference was just
to the 6 kbytes that I mentioned in connection with EZ-Drive. That's
all, and please don't try stirring shit where there is none.


> > > > Then, the very next time I restarted my computer, I had a strange
> > > > window and alarm pop up during boot up. It says "A STEALTH VIRUS has
> > > > been detected!!! Insert Rescue Disk"

> > Discontinue the use of whatever software that issues these messages.

> > > These messages remind a few years old version of IV, although the
> > > wording was different.

> It may well do, but that was not what Vicky had. From
> ongoing Email with her, it appears she had an early
> version of In Defense installed -- she would probably
> have been better off with that old version of IV Zvi
> was alluding to!

I didn't suggest that Vicky had an old version of IV, that's your mal
intended interpretation. All that I said is that it rang a bell and
it is also clear now why: In-Defense, which is what she probably used,
imitated these methods from IV, yet not exactly as even old versions
of IV recognized extended BIOS overlays. That's why I knew that it
could not be IV.

Zvi Netiv

Nov 16, 1999, 3:00:00 AM
"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote:

> Zvi Netiv <z...@invircible.com> wrote:

[snip]

> Now, unlike you, I did not make an allegation I cannot
> be 100% sure of. How do you know what the ChipAway
> folks, or other, might have built into an "odd" BIOS
> virus protection mechanism by way of heuristic
> analysis?

> In truth, I suspected that Vicky had old/poor generic
> virus detection software on the machine in question.
> As she gave no indication of this by name or explicit
> suggestion however, I let it sit in case that was not
> the case, as then you would have harped on about me
> "bad-mouthing" you/your product. As the champion
> "bad-mouther" around here though, you had to step
> forward to renew your claim on the crown with this
> post of yours.

I'll let the readers decide who is bad mouthing here.


> > > Not only has it noticed the "suspicious" stealing of
> > > memory, but once you told it this was OK, it then
> > > allowed the boot to continue and noticed other things
> > > about the drive overlay's behaviour that it does not
> > > like, raising a warning about a stealth virus (drive
> > > overlays certainly do some things similar to what some
> > > stealth viruses do...).

> > BIOS extenders use stealth to protect the overlay and the special MBR
> > from being accidentally overwritten. There is very little in common
> > with viruses.

> Semantic twaddle.

> Drive overlay drivers do almost exactly what most
> stealthy boot infectors do. They prevent access to
> certain sectors on the drive, or only allow read
> access, etc.

> The "proof" of this is that your own great product
> detected the overlay as a stealth virus. Now Zvi,
> please explain -- was that "old" version of your
> product so badly designed that it detected a stealth
> virus not only where there was not one, *but* where
> there was code that exhibits behaviour with "very
> little in common with viruses"?

Nice try, Nick, but you jumped the gun. :-) You realize by now that
Vicky was using In-Defense, a poor imitation of InVircible.


> You can't have it both ways Zvi -- either I'm right
> about drive overlays having similar features to
> stealth viruses or I'm wrong (as you claim) and
> therefore your (old) product is badly designed.

You are wrong on both, as usual.



> Which is it? Or were you hand-waving to spread more
> confusion so people would not notice the real
> problem -- an old version of IV caused a user some
> distress?

In-Defense, Nick. It plagiarizes IV, in case you didn't notice.

Yytrium

Nov 16, 1999, 3:00:00 AM
> I'll let the readers decide who is bad mouthing here.
Okay. You.


> Nice try, Nick, but you jumped the gun. :-) You realize by now that
> Vicky was using In-Defense, a poor imitation of InVircible.

A bad imitation of a bad imitation. What has the world come to.

In conclusion: shut up Zvi. Go away,

-Yy


--
Yesterday it worked;
Today it is not working;
Linux is like that..
-
yytrium [at] satx [dot] rr [dot] com

John Bloodworth

Nov 16, 1999, 3:00:00 AM
>

Ah so if it's a poor imitation then it probably works seen as the original
does not

John Bloodworth


> <snip>

Nick FitzGerald

Nov 16, 1999, 3:00:00 AM
Zvi Netiv <z...@invircible.com> wrote, in response to a
post of mine:

> I'll let the readers decide who is bad mouthing here.

You're most welcome -- I am confident that my estimation
of their intelligence is better than yours...

> Nice try, Nick, but you jumped the gun. :-) You realize by now that
> Vicky was using In-Defense, a poor imitation of InVircible.

So no old versions of IV would have ever made this
mistake? Odd that you were so defensive about the issue
of how much alike drive overlays and stealth viruses
are then.

Independent of the issue of what product Vicky used --
as the matter is -- do you still stand by your claim
that drive overlays have little in common with
(stealth) boot viruses?

> > You can't have it both ways Zvi -- either I'm right
> > about drive overlays having similar features to
> > stealth viruses or I'm wrong (as you claim) and
> > therefore your (old) product is badly designed.
>
> You are wrong on both, as usual.

And the grounds for your contention that overlays have
little in common with (stealth) viruses is??? You just
saying so is not enough -- after all, you seem to have
been labouring under the incorrect belief *and* publicly
repeating it, that all Pentiums support LBA, so your
word is hardly credible evidence. I have explained the
basis of my claim -- you have not debated those claims
but just vouched that they are wrong. I do not find
you sufficiently credible to accept your word on this,
so please make a case for your position.

> In-Defense, Nick. It plagiarizes IV, in case you didn't notice.

I won't comment on the claim of plagiarism, as I did not
review it by disassembling it and noting the code
similarities (and differences) with your product.
Neither did I perform a comparative review of it and
your product, but my impressions of it relative to your
product were that it had the same fundamental flaws but
with less of the advantage of age of your product. It
was (and apparently still is) marketed with similarly
outrageous claims as were made for your product in its
early days.


--
Nick FitzGerald

Nick FitzGerald

Nov 16, 1999, 3:00:00 AM
Zvi Netiv <z...@invircible.com> wrote in reply to me:

> > If I remember that thread correctly, either you have to
> > prove that *no* drive overlays ever use 8KB or Ken has
> > to show us one that does. That is, this instance is
> > irrelevant to that point of "debate"...
>
> I don't have to prove anything, nor does Ken. The reference was just
> to the 6 kbytes that I mentioned in connection with EZ-Drive. That's
> all, and please don't try stirring shit where there is none.

Maybe I mis-remember then...

But I was fairly sure that you claimed no drive overlay
(or perhaps specifically, no EZ-Drive overlay) ever used
more than 6KB of RAM, whereas Ken claimed to have seen
one use 8KB. Hence the evidentiary logic I suggested
and thus I was correct that this one case of EZ-Drive
using 6KB was irrelevant to the point of that debate.

Someone care to dig it out of Deja?

> > It may well do, but that was not what Vicky had. From
> > ongoing Email with her, it appears she had an early
> > version of In Defense installed -- she would probably
> > have been better off with that old version of IV Zvi
> > was alluding to!
>
> I didn't suggest that Vicky had an old version of IV, that's your mal
> intended interpretation. All that I said is that it rang a bell and

No -- I said *you* alluded to an old version and Vicky
would probably have been better off with that. That was
an insult to the software she did have Zvi -- sorry if
you misunderstood. I did not say that you said she had
an old version of IV.

> it is also clear now why: In-Defense, which is what she probably used,

It is -- the penny dropped (for her) in one of her Emails
with me and she realized she had an old version of In
defense installed.

> imitated these methods from IV, yet not exactly as even old versions
> of IV recognized extended BIOS overlays. That's why I knew that it
> could not be IV.

What exactly is the relationship between IV and ID, Zvi?


--
Nick FitzGerald

Seanette Blaylock

Nov 16, 1999, 3:00:00 AM
On Tue, 16 Nov 1999 09:39:18 +0000, John Bloodworth
<john.bl...@DataFellows.com> wrote:
[apparently responding to Zvi]
>> <snip>

>> Nice try, Nick, but you jumped the gun. :-) You realize by now that
>> Vicky was using In-Defense, a poor imitation of InVircible.
>Ah so if it's a poor imitation then it probably works seen as the original
>does not

[snork] Ever hear of a C&C warning, John? :-)
--

Seanette Blaylock
Reply to sean...@spammers.drop.dead.impulse.net
[make obvious correction]

Zvi Netiv

Nov 16, 1999, 3:00:00 AM
Dr. Costas Giannakenas MD <cg...@anon.net> wrote:

> On Sun, 14 Nov 1999 14:37:57 GMT, z...@invircible.com (Zvi Netiv)
> wrote:

> >"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote:

> >[snip]

> >> The answer to this I'm not so sure about, but I
> >> suspect a "virus protection" option in your BIOS.

> >There is no virus protection option of this sort in no matter what
> >BIOS.

> You really ought to know better.

> Have you ever heard of Award or AMI BIOS? They BOTH have this option
> and it can probably be found on other BIOS too.

Is this a fact? :) What version of either bioses has that option? To
refresh your memory, we are referring to memory stealing warning. In
case you missed it, Nick changed direction with his arguments after he
found out that what caused the warning was poorly designed software -
named In-Defense.

Do you insist on pursuing that silly line?

> It would certainly be useful if you knew what you were talking about
> when making such "authoritative" statements.

Please accept my apologies for being correct and for letting you make
a fool of yourself.

> Costas Giannakenas MD, PhD

Robert Green

Nov 16, 1999, 3:00:00 AM
"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote:

How well I know it ;-).

Anyone interested in this issue should check out Hale Landis' How It
Works series, which can be had at WWW.ATA-ATAPI.COM.

His paper on BIOS drive translation manages to be both informative and
understandable. One caveat: it hasn't been updated in a while, so has
little to say about the interrupt 13 LBA extensions.

Funny things can happen when you get a BSI infection on a drive with
LBA-enabled partitions (types 0cH, 0eH, and 0fH). If IO.SYS uses
the extended calls to read the MBR, viral stealthing won't work, and
viruses that overwrite the partition table data (ie, Monkey, Bravo,
etc), aren't able to produce a clear copy of the MBR. Result: can't
boot the HDD anymore.

Bob
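
A defender-side check for the situation described in the post above, added here as an example and not code from the thread: given an MBR image read after booting from a clean diskette, it parses the partition table, marks the LBA types named above (0Ch, 0Eh, 0Fh), and reports when the table is not plausible. The function names, sample images and plausibility rules are assumptions made for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte entries, then the 55 AA signature
# Partition types the post names as LBA-enabled.
LBA_TYPES = {0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0x0F: "extended (LBA)"}


def parse_partition_table(sector):
    """Return the non-empty partition entries of a 512-byte MBR image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image is exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 55 AA missing")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot: TABLE_OFFSET + 16 * (slot + 1)]
        if raw == bytes(16):
            continue                      # unused slot
        flag, _chs_first, ptype, _chs_last, start, count = struct.unpack(
            "<B3sB3sII", raw)
        entries.append({"slot": slot, "flag": flag, "type": ptype,
                        "start": start, "count": count,
                        "lba": ptype in LBA_TYPES})
    return entries


def audit_mbr(sector):
    """List reasons the table looks overwritten; an empty list means plausible."""
    try:
        entries = parse_partition_table(sector)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if not entries:
        findings.append("no partition entries")
    for e in entries:
        if e["flag"] not in (0x00, 0x80):
            findings.append(
                f"slot {e['slot']}: boot flag {e['flag']:#04x} is not 00 or 80")
        if e["type"] == 0 or e["count"] == 0:
            findings.append(f"slot {e['slot']}: type or length is zero")
    if sum(e["flag"] == 0x80 for e in entries) > 1:
        findings.append("more than one active partition")
    ordered = sorted(entries, key=lambda e: e["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["count"] > b["start"]:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    return findings


def make_mbr(table_bytes):
    """Build a constructed 512-byte MBR image around a 64-byte table."""
    return bytes(TABLE_OFFSET) + table_bytes + b"\x55\xaa"


# Constructed sample 1: one active FAT32 LBA partition (type 0Ch) at sector 63.
CLEAN = make_mbr(struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0C,
                             b"\xfe\xff\xff", 63, 16_450_497) + bytes(48))
# Constructed sample 2: table area filled with non-table bytes, as when
# something has overwritten it.
OVERWRITTEN = make_mbr(bytes((i * 37 + 11) % 256 for i in range(64)))

if __name__ == "__main__":
    for name, image in (("clean", CLEAN), ("overwritten", OVERWRITTEN)):
        print(name, [hex(e["type"]) for e in parse_partition_table(image)],
              audit_mbr(image))
```
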


Raid Slam

Nov 16, 1999, 3:00:00 AM
In article <383158d3...@news2.actcom.co.il>, z...@invircible.com
(Zvi Netiv) wrote:
> Is this a fact? :) What version of either bioses has that option?

Yes, it's a fact. Want model numbers of some of them? If you'd like, I
can get them. Just have to get up from my comfy chair, and grab a
mainboard or two. No problem really, just lemme know.

> To refresh your memory, we are referring to memory stealing warning.
> In case you missed it, Nick changed direction with his arguments
> after he found out that what caused the warning was poorly designed
> software - named In-Defense.

Nick didn't change any direction, You're the one who claimed BIOSes do
NOT have any sort of antivirus software. Nick merely corrected you by
saying that some do, and it's true; they do.

> Do you insist on pursuing that silly line?

Nothing silly about it, mr wormy.

> Please accept my apologies for being correct and for letting you
> make a fool of yourself.

I think you may have it ass backwards Zvi. You're the only fool here.

Regards,
Raid [SLAM]

Raid Slam

Nov 16, 1999, 3:00:00 AM
In article <3831616c...@news.mindspring.com>, "Robert Green"
<rgr...@avana.net> wrote:
> How well I know it ;-).

You'd think a self proclaimed data/virus expert as mr Zvi would know
this as well. But, he didn't, probably still doesn't. He's quite dense.

Any opinion on this matter? As to why Zvi didn't know about the BIOS
and LBA situation? IE: Not all 486's have it, Most don't; the few that
do have serious problems. Early pentium boards (some are still in older
machines today) have either NO LBA support whatsoever, or such a poor
implementation of it, you'd be a daft bloated idiot to use it.

Personally, If somebody told me they were a data recovery specialist,
and didn't know about this LBA situation; I'd turn my business to
someone a bit more... shall we say, competent?

Zvi Netiv

Nov 16, 1999, 3:00:00 AM
"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote:

> Zvi Netiv <z...@invircible.com> wrote, in response to a
> post of mine:

[snip]


> So no old versions of IV would have ever made this
> mistake? Odd that you were so defensive about the issue
> of how much alike drive overlays and stealth viruses
> are then.

> Independent of the issue of what product Vicky used --
> as the matter is -- do you still stand by your claim
> that drive overlays have little in common with
> (stealth) boot viruses?

You'll excuse me if I don't accept changing the subject.



> > > You can't have it both ways Zvi -- either I'm right
> > > about drive overlays having similar features to
> > > stealth viruses or I'm wrong (as you claim) and
> > > therefore your (old) product is badly designed.

> > You are wrong on both, as usual.

> And the grounds for your contention that overlays have
> little in common with (stealth) viruses is??? You just
> saying so is not enough -- after all, you seem to have
> been labouring under the incorrect belief *and* publicly
> repeating it, that all Pentiums support LBA, so your
> word is hardly credible evidence. I have explained the
> basis of my claim -- you have not debated those claims
> but just vouched that they are wrong. I do not find
> you sufficiently credible to accept your word on this,
> so please make a case for your position.

You'll also excuse me for not wasting my time on your barrage.


> > In-Defense, Nick. It plagiarizes IV, in case you didn't notice.

> I won't comment on the claim of plagiarism, as I did not
> review it by disassembling it and noting the code
> similarities (and differences) with your product.

My claim is well based. See my other post in this thread, in reply to
your last question.

Zvi Netiv

Nov 16, 1999, 3:00:00 AM
"Nick FitzGerald" <ni...@virus-l.demon.co.uk> wrote:

> Zvi Netiv <z...@invircible.com> wrote in reply to me:

> > > If I remember that thread correctly, either you have to
> > > prove that *no* drive overlays ever use 8KB or Ken has
> > > to show us one that does. That is, this instance is
> > > irrelevant to that point of "debate"...

> > I don't have to prove anything, nor does Ken. The reference was just
> > to the 6 kbytes that I mentioned in connection with EZ-Drive. That's
> > all, and please don't try stirring shit where there is none.

> Maybe I mis-remember then...

You do.


> But I was fairly sure that you claimed no drive overlay
> (or perhaps specifically, no EZ-Drive overlay) ever used
> more than 6KB of RAM, whereas Ken claimed to have seen
> one use 8KB. Hence the evidentiary logic I suggested
> and thus I was correct that this one case of EZ-Drive
> using 6KB was irrelevant to the point of that debate.

You are a real master of idle talk.


> Someone care to dig it out of Deja?

I am sure that your virus writer friends will gladly render you that
service. Raid in head.



> > > It may well do, but that was not what Vicky had. From
> > > ongoing Email with her, it appears she had an early
> > > version of In Defense installed -- she would probably
> > > have been better off with that old version of IV Zvi
> > > was alluding to!

> > I didn't suggest that Vicky had an old version of IV, that's your mal
> > intended interpretation. All that I said is that it rang a bell and

> No -- I said *you* alluded to an old version and Vicky
> would probably have been better off with that. That was
> an insult to the software she did have Zvi -- sorry if
> you misunderstood. I did not say that you said she had
> an old version of IV.

No wonder that I misunderstood, given your deliberately obfuscating
language.



> > it is also clear now why: In-Defense, which is what she probably used,

> It is -- the penny dropped (for her) in one of her Emails
> with me and she realized she had an old version of In
> defense installed.

EZ-Drive was the standard BIOS extender when In-Defense made its debut
on the market (Ontrack's Disk Manager ruled before), about a couple of
years ago.


> > imitated these methods from IV, yet not exactly as even old versions
> > of IV recognized extended BIOS overlays. That's why I knew that it
> > could not be IV.

> What exactly is the relationship between IV and ID, Zvi?

Tegam represented us in France until terminated. Plagiarizing our
product was one of the reasons for terminating Tegam's
distributorship.

Yytrium

Nov 16, 1999, 3:00:00 AM
All I gotta say is:

"The Virus Bulletin ran IVZ against its 852-virus test set of file infectors. IVZ detected a mere 53
of these, a detection rate of approximately 6.22%. Of the total set, 172 viruses were represented
in the January 1998 Wild List, and IVZ detected 29 of these, or 29%. Both results are extremely
poor."

Yytrium

Nov 16, 1999, 3:00:00 AM
InVircible 7.01f

Pros: None significant

Cons: Average user will find interface difficult and confusing, poor documentation,
and low virus detection rate

Value: A disjointed and ineffective collection of utilities that fails to live up to its sales
claims

Price ex GST: $180

Raid Slam

Nov 16, 1999, 3:00:00 AM
In article <383f9059...@news2.actcom.co.il>, z...@invircible.com
(Zvi Netiv) wrote:
> You do.

No, you're just trying to weasel your way out of the shitpile you dug for
yourself. Again...

> I am sure that your virus writer friends will gladly render you
> that service. Raid in head.

Make no mistake Zvi, Nick and myself are anything but "friends".
I'm on your case because you're a liar, and a thief, and a cheat. And you
already know this. I'm not going to let up on you either. I'm going to
smash you and your shit product into the ground, many times over. I've
got years. I'm not the type of person to use dejanews to dig up old
trash on people, unlike some people who are frequenters of this group.
so I'll thank you not to include or even insinuate such shit again, Zvi.


> No wonder that I misunderstood, given your deliberately obfuscating
> language.


I see. A simple misunderstanding now? :)

> EZ-Drive was the standard BIOS extender when In-Defense made its
> debut on the market (Ontrack's Disk Manager ruled before), about a
> couple of years ago.

EZDrive still ships with all WD drives. (Western Digital) Whereas
ontrack disk manager ships with most (but not all) Maxtor drives. I'm
impartial, I've seen both drive brands fuckup every now and then.
Happens with anything computer related. Both drives are usually quite
reliable.


> Tegam represented us in France until terminated. Plagiarizing our
> product was one of the reasons for terminating Tegam's
> distributorship.

Actually, I heard they resigned. But, Apparently my source was wrong in
this case. I'll take your word for this, as I'm not really interested
in the details regarding this anyway.

Raid Slam

Nov 16, 1999, 3:00:00 AM
In article <383d9010...@news2.actcom.co.il>, z...@invircible.com
(Zvi Netiv) wrote:

> You'll excuse me if I don't accept changing the subject.

Erm. Sorry Zvi,

You started this subject matter with your comment "Drive overlays and
stealth viruses have nothing in common". It is not Nick who's changing
the subject, it is you who is attempting to change it, after realizing
you were outgunned, and didn't know as much as you let on. :)

> You'll also excuse me for not wasting my time on your barrage.

No barrage noticed Zvi. Another weasel attempt by you has been noted,
however. I wonder how many lurkers come here Zvi... Read us going back
and forth, and decide not to purchase or even try out your product as a
result? I tell you, it makes me feel better knowing you're losing sales.

> My claim is well based. See my other post in this thread, in
> reply to your last question.

None of your claims to this date have had any basis in fact.
But that's not exactly news is it?

kurt wismer

Nov 16, 1999, 3:00:00 AM
On Tue, 16 Nov 1999, it was written:

> InVircible 7.01f
>
> Pros: None significant
>
> Cons: Average user will find interface difficult and confusing, poor documentation,
> and low virus detection rate
>
> Value: A disjointed and ineffective collection of utilities that fails to live up to its sales
> claims
>
> Price ex GST: $180

gst? are you a canuck?

--
"read my writing on the wall
no one's here to catch me when i fall
if ignorance is bliss
then knock the smile off my face"


waerlog

Nov 16, 1999, 3:00:00 AM
> > Price ex GST: $180
>
> gst? are you a canuck?

Isn't everyone?


Yytrium

Nov 17, 1999, 3:00:00 AM
Hell no!

Nick FitzGerald

Nov 17, 1999, 3:00:00 AM
kurt wismer <a324...@cdf.toronto.edu> wrote:

> gst? are you a canuck?

I don't know about Yytrium, but he was quoting a
New Zealand review.

For better or worse, GST-style sales taxes were
"invented" in NZ, although from what little I've
seen of the "copycats", they are poor copies and
don't really deserve a name other than "sales
tax". The NZ GST concept involves minimizing
the government's share of the cost of compliance
by pushing most of it directly onto the trader,
rather than have the government take it out of
the tax take (whether NZ succeeded in this or not,
I'll leave up to an international tax expert).


--
Nick FitzGerald
