Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!uwm.edu!rpi!image.soe.clarkson.edu!sunybcs!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Newsgroups: comp.virus
Subject: Re: LaserWriter virus?
Message-ID: <0005.9007261924.AA27160@ubu.cert.sei.cmu.edu>
Date: 26 Jul 90 04:52:18 GMT
Sender: Virus Discussion List
Lines: 63
Approved: krvw@sei.cmu.edu

swsh@midway.uchicago.edu (Janet M. Swisher) writes:

> I have heard in several places that this LaserWriter nasty is a Trojan
> horse. If so, that would seem to restrict it to being a Mac problem.
> However, nothing that I have seen mentions the name that this Trojan
> goes under, so I don't know what to look out for. Could someone with
> actual experience with the problem confirm/deny/specify?

Well, since Postscript printers are intelligent (they understand a very complex and rich general purpose programming language), and everything sent to them is in actuality a program, the problem knows no boundaries.

Now, for the problem (luckily it isn't very widespread, if at all. The original discussion centered on the POSSIBILITY of a Postscript nasty.)

The Adobe postscript printers are interpreter driven. Part of the interpreter is called the "server loop". It is written in Postscript (using built in primitives). When you send a job to the printer, it reads the input stream, parses it into tokens and dispatches each token to cause it to execute. It also "wraps" each job with a save/restore context. That is to say, it saves the current state of the VM, executes the job and then restores it. This allows programs to run without interfering with each other. This also means that each program is discarded when it is through running. In order to download something permanently (until power-off) into the machine, such as a header or preamble, you have to escape the save/restore context. The mechanism to do this is the keyword exitserver.

exitserver takes as one parameter a password. This password is compared with a password stored in the eeprom, and if they match, the exit takes place, and whatever comes down the line until a ^D (EOF) will be stored in memory "under the server, outside of the save and restore". The server is then restarted and the code that was loaded sits there regardless of the save/restore wrapping by the server. The default password is 0. Many applications will attempt to download a preamble, or perhaps a font or 2, and put them "under the server". If the password is not what the application expects, it will fail to work (the preamble will get thrown away). Generally, people don't mess with the password. Adobe provides a mechanism to set the password, IF you know the old one. It imposes a 1 second delay for each attempt at changing the password.

On a network, people typically will set the password for each printer to some other one than the default, then modify the application to issue the correct password. This prevents an unwanted application from downloading preambles. Since almost all of the postscript operators can be redefined, preambles give you a way to drastically alter the operation of the printer. For example, you can change the definition of showpage (the command that causes the page to be emitted) to do most anything, including printing things on the page, etc etc. For this reason, generally on networks the password gets changed.

Now, suppose someone comes along with a routine called writeeprom that writes an arbitrary byte to a location in the eeprom. They can now write to the locations that control the password, regardless of what it is, and change it. If you forget the password, Apple at least will reset it for $600.00!!!!! You have to send your board in. Needless to say, you can cost a place a pile of money real fast, not to mention lost time, by messing the passwords up.

ANY postscript program can change the password using the built in operator, and ANY postscript program can change the password using writeeprom. writeeprom is what my resetter uses to do its work, and that is why I have restricted access to it.

Well, sorry for the long-winded post. Hope that this helps. If your applications suddenly quit working, check the password out. It may have changed. The supplement for your printer will detail how it is done.

Cheers
Woody Baker
Rt.1 Box I
Manor, Tx. 78653
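As an added example (not part of Woody's post, nor any vendor's code): a spool-side check in Python that scans an outgoing PostScript job for the operators the post describes, i.e. exitserver (and its Level 2 counterpart startjob), whose preceding operand is the password, and the real statusdict operator setpassword; writeeprom is included only as the post's hypothetical name. Comments and (...) strings are blanked first so the words inside them are not mistaken for code; the sample job is constructed.

```python
import re

# Operators that escape the per-job save/restore wrapper ("under the server");
# startjob is the Level 2 counterpart of the exitserver discussed in the post.
PERSISTENT_OPS = {"exitserver", "startjob"}
# setpassword is the real statusdict operator; writeeprom is the post's hypothetical.
PASSWORD_OPS = {"setpassword", "writeeprom"}
DEFAULT_PASSWORD = "0"   # factory default noted in the post

def _strip_literals(job):
    """Blank out % comments and (...) strings, keeping newlines for line numbers."""
    out, i, n = [], 0, len(job)
    while i < n:
        c = job[i]
        if c == "%":                          # comment runs to end of line
            while i < n and job[i] != "\n":
                i += 1
        elif c == "(":                        # string: nested parens, backslash escapes
            depth = 0
            while i < n and (depth or job[i] == "("):
                ch = job[i]
                i += 2 if ch == "\\" else 1
                depth += (ch == "(") - (ch == ")")
                out.append("\n" if ch == "\n" else " ")
        else:
            out.append(c)
            i += 1
    return "".join(out)

def scan_job(job):
    """Return (line, operator, note) for every token that would outlive the job."""
    toks = [(ln, t) for ln, text in enumerate(_strip_literals(job).splitlines(), 1)
            for t in re.findall(r"[^\s\[\]{}<>]+", text)]   # <hex> strings hold no names
    findings = []
    for k, (ln, tok) in enumerate(toks):
        if tok in PERSISTENT_OPS:             # the operand just before it is the password
            pw = toks[k - 1][1] if k else ""
            findings.append((ln, tok, "default password" if pw == DEFAULT_PASSWORD
                             else "non-default password"))
        elif tok in PASSWORD_OPS:
            findings.append((ln, tok, "changes stored password"))
    return findings

# Constructed sample job (not from the post): a preamble that tries to stay resident.
SAMPLE_JOB = """%!PS-Adobe-2.0
% exitserver in a comment is not code
serverdict begin 0 exitserver
(0 exitserver inside a string is data) show
statusdict begin 0 1234 setpassword end
"""
```

Calling scan_job(SAMPLE_JOB) reports the exitserver on line 3 (with the default password) and the setpassword on line 5, while the comment and the string are ignored; a job that only runs with password 0 is also a sign that the printer's password was never changed.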