Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!ginosko!gem.mps.ohio-state.edu!apple!claris!wombat
From: wombat@claris.com (Scott Lindsey)
Newsgroups: comp.sys.apple
Subject: Re: Resource Forks? (viruses)
Message-ID:
Date: 15 Oct 89 03:26:32 GMT
References: <8910142319.AA12114@trout.nosc.mil>
Sender: wombat@claris.com
Organization: Claris Corporation, Santa Clara, CA
Lines: 40
In-reply-to: jeffn@pro-houston.cts.com's message of 14 Oct 89 20:19:39 GMT

In article <8910142319.AA12114@trout.nosc.mil> jeffn@pro-houston.cts.com (Jeff Noxon) writes:

> Network Comment: to #1248 by dlyons@apple.com
> I had the understanding that various MAC viruses would add a code resource and
> then PATCH the program to cause the resource to be executed. Since most S16
> programs in assembly begin with the same code, it can be replaced and executed
> elsewhere.

It's not so easy. For starters, on the Mac, all code is stored in resources, so you can modify code in memory, then write the resource out (or even flag it as modified and let the resource manager write it out at shutdown). On the GS, *very* little code is stored in resources. So, you'd have to go out to disk yourself to modify code.

Secondly, the architecture of the Macintosh and the 68000 CPU causes ALL code to be absolutely relocatable. There is no OMF. That's why the Macintosh has no loader apart from the Resource Manager. Monkeying around with OMF is quite a different proposition than modifying absolute code.

Finally, it's not very valid to say that "most S16 programs in assembly begin with the same code."
Here's the first 4 instructions of a random sampling of S16 applications I had around:

APW Shell   AWGS       PWorks Gold  DPaintII   Installer   MSGS       HodgePodge
_________   ____       ___________  ________   _________   ____       __________
PHB         PHK        BRL +1EB8    PHD        BRL +51     PHK        PHK
PHK         PLB        PHB          TSC        EOR 6F,s    PLB        PLB
PLB         TDC        PHK          SEC        BVS +7B     TDC        TDC
STA 0A38    STA 2318   PLB          SBC #FB    ADC (69)    STA F8C9   STA 26DC

Definitely some similarities, but nothing a virus could bank on, let alone use to its advantage.

So, as Dave said, it's simple to add a code resource to an application. Getting it executed without the application's assistance is something else.

Scott Lindsey     |"Cold and misty morning. I heard a warning borne in the air
Claris Corp.      | About an age of power when no one had an hour to spare"
ames!claris!wombat| DISCLAIMER: These are not the opinions of Claris, Apple,
wombat@claris.com | StyleWare, the author, or anyone else living or Dead.
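The table's point, that the sampled entry sequences share no usable common prefix, is the same question an integrity scanner asks before trusting a "standard entry code" signature. Below is an added example that is not part of the original post and not Claris or Apple code: a minimal 65816 decoder covering only the opcodes in the table, run over byte strings constructed by hand from the table's mnemonics (the opcode values are the standard 65816 ones; immediates are assumed 8 bits wide, since the real width depends on the M flag), followed by a longest-common-prefix check across any chosen set of programs.

```python
"""Added example (not code from the original post): decode the first few 65816
instructions of several program entry points and measure how much leading code
they actually share. Sample bytes are constructed from the post's table."""

# Minimal 65816 decoder table: opcode -> (mnemonic, operand size in bytes, addressing mode).
# Only the opcodes that occur in the sampled entry sequences are listed.
OPCODES = {
    0x8B: ("PHB", 0, None), 0x4B: ("PHK", 0, None), 0xAB: ("PLB", 0, None),
    0x0B: ("PHD", 0, None), 0x3B: ("TSC", 0, None), 0x7B: ("TDC", 0, None),
    0x38: ("SEC", 0, None),
    0x8D: ("STA", 2, "abs"),    # absolute address
    0x82: ("BRL", 2, "rel16"),  # branch long, signed 16-bit displacement
    0x43: ("EOR", 1, "sr"),     # stack relative
    0x70: ("BVS", 1, "rel8"),   # signed 8-bit displacement
    0xE9: ("SBC", 1, "imm"),    # immediate; 8-bit width is an assumption (depends on M flag)
    0x72: ("ADC", 1, "dpi"),    # direct page indirect
}


def _format_operand(mode, value):
    """Render an operand the way the post's table does (hex, no $ prefix)."""
    if mode == "abs":
        return f"{value:04X}"
    if mode == "rel16":
        signed = value - 0x10000 if value >= 0x8000 else value
        return f"{signed:+X}"
    if mode == "rel8":
        signed = value - 0x100 if value >= 0x80 else value
        return f"{signed:+X}"
    if mode == "sr":
        return f"{value:02X},s"
    if mode == "imm":
        return f"#{value:02X}"
    if mode == "dpi":
        return f"({value:02X})"
    raise ValueError(f"unknown addressing mode {mode!r}")


def disassemble(code, count=4):
    """Decode the first `count` instructions of `code` into strings like 'STA 0A38'."""
    out, pc = [], 0
    while len(out) < count and pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"opcode {op:02X} at offset {pc} is not in the decoder table")
        mnemonic, size, mode = OPCODES[op]
        operand = code[pc + 1:pc + 1 + size]
        if len(operand) != size:
            raise ValueError(f"truncated operand for {mnemonic} at offset {pc}")
        text = mnemonic
        if size:
            text += " " + _format_operand(mode, int.from_bytes(operand, "little"))
        out.append(text)
        pc += 1 + size
    return out


def common_prefix(sequences):
    """Longest run of identical leading instructions present in every sequence."""
    prefix = []
    for column in zip(*sequences):
        if any(instr != column[0] for instr in column):
            break
        prefix.append(column[0])
    return prefix


# Constructed entry-point bytes, assembled by hand from the mnemonics in the post's table.
SAMPLES = {
    "APW Shell":   bytes.fromhex("8B 4B AB 8D 38 0A"),
    "AWGS":        bytes.fromhex("4B AB 7B 8D 18 23"),
    "PWorks Gold": bytes.fromhex("82 B8 1E 8B 4B AB"),
    "DPaintII":    bytes.fromhex("0B 3B 38 E9 FB"),
    "Installer":   bytes.fromhex("82 51 00 43 6F 70 7B 72 69"),
    "MSGS":        bytes.fromhex("4B AB 7B 8D C9 F8"),
    "HodgePodge":  bytes.fromhex("4B AB 7B 8D DC 26"),
}


def shared_entry_code(samples=SAMPLES, names=None):
    """Instructions shared by every program in `names` (default: all samples)."""
    names = names or list(samples)
    return common_prefix([disassemble(samples[n]) for n in names])


if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(f"{name:12s} {disassemble(code)}")
    print("shared by all seven:", shared_entry_code())
    print("shared by AWGS/MSGS/HodgePodge:",
          shared_entry_code(names=["AWGS", "MSGS", "HodgePodge"]))
```

Across all seven samples the shared prefix is empty; only the three applications that open with PHK/PLB/TDC share anything, and even there the fourth instruction differs in its operand. The same check generalises to any family of binaries: a non-empty result is exactly what a signature (or, from the other side, an integrity baseline) could rely on.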