Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!tut.cis.ohio-state.edu!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!sunybcs!sbcs!sboslab15!vallon
From: vallon@sboslab15.cs.sunysb.edu (Justin Vallon)
Newsgroups: comp.sys.mac
Subject: Re: I'm not sure I believe this. (was Re: New WDEF Virus)
Message-ID: <4221@sbcs.sunysb.edu>
Date: 11 Dec 89 23:57:07 GMT
References: <3277@hub.UUCP> <1501@rodan.acs.syr.edu>
Sender: news@sbcs.sunysb.edu
Reply-To: vallon@sboslab15.cs.sunysb.edu (Justin Vallon)
Lines: 26

In article <3277@hub.UUCP>, 6600pete@hub.UUCP writes:
> From article <1501@rodan.acs.syr.edu>, by wwtaroli@rodan.acs.syr.edu (Bill Taroli):
> > if this WDEF does have code in it that's installing resources into
> > the Desktop then why are the virus detection programs (like GateKeeper) not
> > able to catch it?
>
> Because they don't watch the Desktop file.

Wouldn't Vaccine catch AddResource('WDEF', 0) no matter where it happens?
I didn't know that Vaccine ignored references to the Desktop file. It
would seem that the authors of Vaccine were putting a great big hole in
their protection if they let references to the Desktop get through.

I can see how Gatekeeper could be fooled because it does not distinguish
between calls of AddResource('MSWD', 0) and AR('WDEF', 0). Maybe GK should
check what's going in, and have protection for standard resources, and
executable resources.

>-----------------------------------------------------------------------------
>Pete Gontier | InterNet: 6600pete@ucsbuxa.ucsb.edu, BitNet: 6600pete@ucsbuxa
>Editor, Macker | Online Macintosh Programming Journal; mail for subscription
>Hire this kid | Mac, DOS, C, Pascal, asm, excellent communication skills

-Justin
vallon@sbcs.sunysb.edu