Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!mcsun!ukc!sys.uea!jrk
From: jrk@sys.uea.ac.uk (Richard Kennaway)
Newsgroups: comp.sys.mac
Subject: Re: I'm not sure I believe this. (was Re: New WDEF Virus)
Message-ID: <1042@sys.uea.ac.uk>
Date: 12 Dec 89 17:03:10 GMT
References: <3277@hub.UUCP> <1501@rodan.acs.syr.edu> <4221@sbcs.sunysb.edu>
Reply-To: jrk@uea-sys.UUCP (Richard Kennaway)
Organization: University of East Anglia, Norwich
Lines: 32

In article <4221@sbcs.sunysb.edu> vallon@sboslab15.cs.sunysb.edu (Justin Vallon) writes:
>In article <3277@hub.UUCP>, 6600pete@hub.UUCP writes:
>> From article <1501@rodan.acs.syr.edu>, by wwtaroli@rodan.acs.syr.edu
>> (Bill Taroli):
>> > if this WDEF does have code in it that's installing resources into
>> > the Desktop then why are the virus detection programs (like GateKeeper) not
>> > able to catch it?
>>
>I can see how Gatekeeper could be fooled because it does not distinguish
>between calls of AddResource('MSWD', 0) and AR('WDEF', 0). Maybe GK should
>check what's going in, and have protection for standard resources, and
>executable resources.

But that's exactly what it does (version 1.1.1). It has a list of "sacred"
resource types (including WDEF), and any file trying to add, modify, or
delete any such resource requires "Resource" permission from GateKeeper to
do so. For details, see GateKeeper's on-line documentation.

I just tried the experiment of creating a file whose type and creator were
'WDEF', signature resource of type 'WDEF', id 0, and appropriate BNDL, FREF,
and ICN#. When Finder first saw this file, GateKeeper notified an attempt to
AddResource('WDEF',0) by Finder on the DeskTop file. Works as advertised.
Note that Finder does not require Resource permissions from GateKeeper and
should not be given them.

I haven't seen the WDEF virus here, so cannot speculate on why GateKeeper
would not stop it, nor on whether the virus might be just a badly chosen
signature resource type.

--
Richard Kennaway SYS, University of East Anglia, Norwich, U.K.
Internet: jrk@sys.uea.ac.uk uucp: ...mcvax!ukc!uea-sys!jrk
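The check Richard describes (a list of "sacred" resource types, with add/modify/delete of those types needing per-application "Resource" permission) can be modelled as detection logic run over a trace of Resource Manager calls. The following is an added example, not GateKeeper's code or anything from the thread: the trace format, the permission table and the sacred-type list beyond WDEF are assumptions made for the illustration.

```python
# Simplified model of GateKeeper's sacred-resource check, written for this
# example. The trace lines, permission table and type list are constructed;
# only AddResource and WDEF come from the post itself.
from dataclasses import dataclass

# Executable resource types treated as "sacred". WDEF is named in the post;
# the other entries are assumptions for illustration.
SACRED_TYPES = {"WDEF", "CDEF", "INIT", "CODE", "MDEF"}

# Resource Manager routines that add, modify or delete a resource
# (RmveResource is the Toolbox name for removal).
GUARDED_OPS = {"AddResource", "ChangedResource", "RmveResource"}

# Applications the user has granted "Resource" permission. The post says
# Finder should NOT hold it, so Finder is deliberately absent (assumption).
RESOURCE_PERMISSION = {"ResEdit"}

@dataclass
class Call:
    app: str    # application making the call
    op: str     # Resource Manager routine
    file: str   # target resource file
    rtype: str  # four-character resource type
    rid: int    # resource ID

def parse_trace(lines):
    """Parse constructed trace lines of the form '<app> <op> <file> <type> <id>'."""
    calls = []
    for line in lines:
        app, op, file, rtype, rid = line.split()
        calls.append(Call(app, op, file, rtype, int(rid)))
    return calls

def needs_permission(call):
    """True when the call touches a sacred type with a guarded operation."""
    return call.op in GUARDED_OPS and call.rtype in SACRED_TYPES

def check(calls):
    """Return one notification per guarded call made without Resource permission."""
    alerts = []
    for c in calls:
        if needs_permission(c) and c.app not in RESOURCE_PERMISSION:
            alerts.append(f"{c.app} tried {c.op}('{c.rtype}', {c.rid}) on {c.file}")
    return alerts

# Constructed trace: the signature-resource case, the post's experiment,
# a permitted editor, and a non-executable resource Finder may touch freely.
TRACE = [
    "Finder AddResource DeskTop MSWD 0",
    "Finder AddResource DeskTop WDEF 0",
    "ResEdit AddResource MyApp WDEF 0",
    "Finder RmveResource DeskTop ICN# 128",
]
```

Running `check(parse_trace(TRACE))` reports only Finder's AddResource of WDEF 0 to the DeskTop file, matching the notification Richard saw; the MSWD signature resource passes because it is not an executable type.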