Frisk Software International - Technical note #2


                       Destroyed by Vienna ?

F-PROT may sometimes report that a program has been destroyed by Vienna,
when this is in fact not the case.

The program in question is typically 5 byte long, named REBOOT.COM and
if disassembled, it contains a single instruction, a "far JMP" into ROM,
for the purpose of rebooting the computer.

Some variants of Vienna may destroy .COM files by writing exactly the same
instruction to the beginning of those programs, which makes it impossible to
properly distinguish between a destroyed program and one which has the
purpose of rebooting the machine.

We decided, however, not to change the current behaviour of F-PROT, as we
consider this reboot method unsafe, and under some circumstances capable of
causing more damage than most viruses.  One possible problem is with disk
write caching software, which may for example intercept Ctrl-Alt-Del
properly, but may miss this jump into ROM...causing loss of data that had
not been written to a disk.

If you have a reboot program that F-PROT reports as destroyed by Vienna, we
recommend that you get rid of it, and use a "safe" reboot program instead.

