Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!uwm.edu!ux1.cso.uiuc.edu!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw From: stanton!john@uunet.UU.NET (John Goodman) Newsgroups: comp.virus Subject: Non-executable viruses Message-ID: <0008.8911271233.AA05551@ge.sei.cmu.edu> Date: 22 Nov 89 09:52:21 GMT Sender: Virus Discussion List Lines: 55 Approved: krvw@sei.cmu.edu I am puzzled by something. Last summer I recall seeing an article about a virus that infected spreadsheets. That's right, spreadsheets, not spreadsheet programs. (Sorry, I don't recall either the author's name or the name of the article. I was given a copy, so I am unsure where or even if it was printed for wide distribution.) The described virus's method of action was an auto-executing macro that was hidden somewhere in a large spreadsheet where it was unlikely to be noticed, yet whenever the spreadsheet was loaded it would "do its thing." Since, this author asserted, modern spreadsheet programs often have very powerful macro languages including access to DOS functions and running DOS programs and an auto-execute feature, it is possible to write a comparably powerful virus in this fashion. Naturally, such a virus would not be found by looking only at .EXE and COM files (plus the boot sector). It could only be found by looking inside the worksheets and knowing something of the nature of their storage of that kind of macro (a knowledge that would vary by the brand and release of the various spreadsheet program on the market). What puzzles me is that this author said he had withheld saying anything about his ideas along this line until he had actually seen a live sample of such a virus. Then he did experiments in his lab to confirm his notion of what was going on, then wrote it all up in the paper I saw. I have seen nothing here about this problem, nor do the VIRUSCAN programs look for any such viruses. Has anyone here seen such a virus? Are there any programs that do check for such? Is there anyone concerned about this (potential or actual ??) problem? I also note that a similar virus problem could manifest with bogus code being included in any source file that would be "run" through an interpreter on any computer system (which includes a lot of games in interpreted BASIC, often distributed in a fashion that makes it at least very difficult to list their contents), so we are not really only talking here about spreadsheets and PCs. I am not sounding an alert, as I have not seen any such virus myself. I am instead voicing a concern and asking for references to any programs that might help one protect one's computer(s) (PC systems in particular) against that sort of threat. - ----------------------------------------------------------------------------- John M. Goodman, Ph.D. GOOD CODE WORKS P. O. Box 746, Westminster, CA 92684-0746 (714) 895-3195 (voice) uucp: ...!lll-winken.llnl.gov!spsd!stanton!john - ----------------------------------------------------------------------------- Brought to you by Super Global Mega Corp .com