Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!iuvax!ux1.cso.uiuc.edu!brutus.cs.uiuc.edu!samsung!shadooby!netnews.engin.umich.edu!news
From: mystone@mondo.engin.umich.edu (Dean Yu)
Newsgroups: comp.sys.mac
Subject: Re: I'm not sure I believe this. (was Re: New WDEF Virus)
Message-ID: <1989Dec12.103124.7074@caen.engin.umich.edu>
Date: 12 Dec 89 10:31:24 GMT
References: <3277@hub.UUCP> <1501@rodan.acs.syr.edu> <4221@sbcs.sunysb.edu>
Sender: news@caen.engin.umich.edu (USENET News System)
Reply-To: mystone@caen.engin.umich.edu
Organization: Computer Aided Engineering Network, University of Michigan
Lines: 40

In article <4221@sbcs.sunysb.edu> vallon@sboslab15.cs.sunysb.edu (Justin Vallon) writes:
>In article <3277@hub.UUCP>, 6600pete@hub.UUCP writes:
>> From article <1501@rodan.acs.syr.edu>, by wwtaroli@rodan.acs.syr.edu (Bill Taroli):
>> > if this WDEF does have code in it that's installing resources into
>> > the Desktop then why are the virus detection programs (like GateKeeper) not
>> > able to catch it?
>>
>> Because they don't watch the Desktop file.
>
>Wrong.
>Wouldn't Vaccine catch AddResource('WDEF', 0) no matter where it happens?
>I didn't know that Vaccine ignored references to the Desktop file. It
>would seem that the authors of Vaccine were putting a great big hole in
>their protection if they let references to the Desktop get through.
>
>I can see how Gatekeeper could be fooled because it does not distinguish
>between calls of AddResource('MSWD', 0) and AR('WDEF', 0). Maybe GK should
>check what's going in, and have protection for standard resources, and
>executable resources.
>

There's nothing wrong with Vaccine or GateKeeper. I just got done perusing the WDEF virus, and it does some pretty sneaky things to get around the current watch-dog style protection programs. I'm not going to say what it does. Just trust me when I say that it's pretty clever. And sick.
For the record, Vaccine doesn't care where the WriteResource or AddResource comes from, so there's no casing out of the DeskTop file. As a matter of fact, if anyone has ever had Vaccine on when you're updating your System File, you'll know that it catches pretty much every single resource call.

_______________________________________________________________________________
Dean Yu                            | E-mail: mystone@caen.engin.umich.edu
Self-declared License Czar         | Real-mail: Dean Yu
University of Michigan             |            909 Church St
Computer Aided Engineering Network |            Apt C
INCLUDE 'Disclaimers.a'            |            Ann Arbor, MI 48104
-------------------------------------------------------------------------------
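The thread contrasts watch-dog programs that trap AddResource/WriteResource calls with the alternative of looking at what actually landed in the Desktop file. As an added example (not code from any poster, nor from Vaccine or GateKeeper), here is a Python scanner that parses a Macintosh resource fork per the Inside Macintosh layout and flags executable resource types such as a 'WDEF' with ID 0 in a file that should hold only Finder data; the sample fork is constructed inline and its WDEF payload bytes are placeholders, not virus code.

```python
import struct

# Resource types whose contents are executable 68K code; a 'WDEF' is loaded and run
# by the Window Manager, so one planted in a Desktop file (Finder data only) is a red flag.
EXECUTABLE_TYPES = {b"WDEF", b"CDEF", b"MDEF", b"INIT", b"CODE", b"cdev"}

def parse_resource_fork(fork: bytes):
    """Return (type, id, data) triples from a raw Macintosh resource fork."""
    data_off, map_off, _data_len, _map_len = struct.unpack(">IIII", fork[:16])
    # Map: 16-byte header copy, handle, refnum, attrs, then the type-list offset at +24.
    type_list = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    n_types = struct.unpack(">H", fork[type_list:type_list + 2])[0] + 1
    found = []
    for i in range(n_types):
        entry = type_list + 2 + 8 * i
        rtype, n_minus_1, ref_off = struct.unpack(">4sHH", fork[entry:entry + 8])
        for j in range(n_minus_1 + 1):  # 12-byte reference entries for this type
            ref = type_list + ref_off + 12 * j
            rid, _name_off, attr_off = struct.unpack(">hhI", fork[ref:ref + 8])
            start = data_off + (attr_off & 0x00FFFFFF)  # low 3 bytes: data offset
            length = struct.unpack(">I", fork[start:start + 4])[0]
            found.append((rtype, rid, fork[start + 4:start + 4 + length]))
    return found

def suspicious_resources(fork: bytes):
    """Executable resources in a fork that is expected to hold only data."""
    return [(t, i) for t, i, _ in parse_resource_fork(fork) if t in EXECUTABLE_TYPES]

def build_resource_fork(resources):
    """Write a minimal fork of unnamed resources (used here to build the sample)."""
    data_area, by_type = b"", {}
    for rtype, rid, payload in resources:
        by_type.setdefault(rtype, []).append((rid, len(data_area)))
        data_area += struct.pack(">I", len(payload)) + payload
    type_list = struct.pack(">H", len(by_type) - 1)
    ref_lists, ref_base = b"", 2 + 8 * len(by_type)  # ref lists follow type entries
    for rtype, refs in by_type.items():
        type_list += struct.pack(">4sHH", rtype, len(refs) - 1, ref_base + len(ref_lists))
        for rid, off in refs:  # id, no name (-1), attrs=0 plus 3-byte offset, handle
            ref_lists += struct.pack(">hhI", rid, -1, off) + b"\0" * 4
    res_map = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(type_list + ref_lists))
    res_map += type_list + ref_lists
    header = struct.pack(">IIII", 256, 256 + len(data_area), len(data_area), len(res_map))
    return header + b"\0" * 240 + data_area + res_map

# Constructed sample: Finder data plus a planted WDEF 0 with placeholder bytes.
SAMPLE_DESKTOP_FORK = build_resource_fork([
    (b"FREF", 128, b"APPL\x00\x00"),
    (b"WDEF", 0, b"\x4e\x75"),  # placeholder payload, not real virus code
])
```

Running `suspicious_resources` over a real Desktop file's resource fork gives the on-disk check that is independent of whether the install-time call was trapped.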