34 CHKDSK reports 639K (or less) total memory on my DOS system; am I infected? (Computer virus)
Description
This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.
34 CHKDSK reports 639K (or less) total memory on my DOS system; am I infected? (Computer virus)
If CHKDSK displays 639KB (654,336 bytes) for the total memory instead of
640K (655,360 bytes)--so that you are missing only 1KB-- it is possibly
due to reasons other than a virus, but there are a few common viruses
that take only 1KB from total memory (Monkey and AntiEXE). Non-virus
reasons for a deficiency of 1KB include:
1. A PS/2 computer. IBM PS/2 computers reserve 1KB of
conventional RAM for an Extended BIOS Data Area, i.e. for
additional data storage required by its BIOS.
2. A computer with a BIOS, which is set to use the upper 1KB of
memory for its internal variables. (Most BIOSes with this
option can be instructed to use lower memory instead.)
3. Some SCSI controllers.
4. The DiskSecure antivirus program.
5. Mouse buffers for older Compaqs.
If you are missing 2KB or more from the 640KB, 512KB, or whatever the
conventional memory normally is for your PC, the chances are greater
that you have a boot-record virus (e.g. Stoned, Form or Michelangelo),
although, even in this case there may be legitimate reasons for the
missing memory:
1. Many access control programs for preventing booting from a
floppy.
2. H/P Vectra computers.
3. Some special BIOS'es which use memory for a built-in calendar
and/or calculator.
However, these are only rough guides. In order to be more certain
whether the missing memory is due to a virus, you should:
1. run several virus detectors;
2. look for a change in total memory every now and then;
3. compare the total memory size with that obtained when cold
booting from a "clean" system diskette. The latter should
show the normal amount of total memory for your configuration
(although several BIOSes now steal 1KB of conventional memory
when booted from floppy but none when booting from a hard
drive).
Note: In all cases, CHKDSK should be run without software such as MS-
Windows or DesqView loaded, since these operating environments seem to
be able to open DOS boxes only on 1KB boundaries (some seem to be even
coarser); thus CHKDSK run from a DOS box may report unrepresentative
values.
Note also that some machines have only 512KB or 256KB instead of 640KB
of conventional memory.
Continue to:
My Books
