Path: utzoo!attcan!uunet!wuarchive!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: kent@circus.camex.com (Kent Borg)
Newsgroups: comp.virus
Subject: Re: Viruses in Sound Effects (Mac)
Message-ID: <0011.9010011435.AA28524@ubu.cert.sei.cmu.edu>
Date: 30 Sep 90 21:19:27 GMT
Sender: Virus Discussion List
Lines: 64
Approved: krvw@sei.cmu.edu

pjc@sirius.melb.bull.oz.au (Paul Carapetis) writes:
>It is my belief that any file on the mac which is capable of
>displaying itself as an icon has executable code to do so. If this is
>true, then ANY file is open to infection by a virus designed to take
>advantage of this.

Yes and no.

No. A file requires no executable code to get its icon displayed on a
Mac screen. If a file leaves the right data structures in its
"resource fork" the Mac system will read those "resources", and
display the correct icon for the file.

Yes. This is an avenue for infection. The resource fork is a very
general purpose part of the Macintosh architecture. There are many
different kinds of resources, and programmers can make up their own.
Of these different resources, many are executable resources. When the
Finder (the name of the Mac's "shell" program) needs to display a
window, it asks for the correct window definition, or "WDEF",
resource. The WDEF virus hides in the desktop file, the place Finder
looks for icons. If the Finder is looking in the desktop file and also
needs to display a window, it will use the WDEF code to do it, and it
will be tricked by the "implied loader" WDEF in the infected desktop
file.

The Mac is different from other computers in many ways, but I think
it is safe to say that no matter what, a virus needs to get *some*
executable code run to actively do anything. That doesn't mean that
the code has to be somewhere we expected to find it, and it doesn't
mean that the virus must run to spread. It might find some extra space
in a data structure which gets copied in the normal course of events.
To become alive, it will have to be run at some point, but it might
spread while dormant.

Back to the question of a virus hiding in a Macintosh sound:

First, the virus might somehow be on the disk which holds the sound.
WDEF is perfectly happy to spread this way.

Second, Mac sounds don't have to be just raw digitized bits, they can
contain "instructions" of a sort. I have not studied them very
carefully, so I don't know whether they are powerful enough to support
a virus. To be powerful enough, I think they must be equivalent to a
Turing machine and they need access to the outside world.

Anyone know a lot about Format 1 "snd " and "snth" resources?

>| Paul Carapetis, Software Advisor (Unix, DOS)  | Phone: 61 3 4200944     |
>| Melbourne Development Centre                  | Fax:   61 3 4200445     |
>| Bull HN Information Systems Australia Pty Ltd |-------------------------|
>| ACSnet  : pjc@bull.oz                         | What's said here is my  |
>| Internet: pjc@melb.bull.oz.au                 | opinion (and its right!)|

- --
Kent Borg
internet: kent@camex.com   AOL: kent borg
H:(617) 776-6899  W:(617) 426-3577
"The prospect of their mass excites astrophysicists, who are always on
the lookout for ways to make the universe heavier"
                                        -- The Economist, 9-22-90
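
Added example, not part of the original post: a small inventory check that walks the type list in a classic Mac resource fork and reports resources whose type normally carries executable code, such as a WDEF sitting next to icon data in a desktop file. The `CODE_TYPES` set is an assumed, non-exhaustive list, and `build_sample_fork` produces a constructed minimal fork so the block runs offline.

```python
import struct

# Assumption: a short, non-exhaustive set of resource types that carry executable code.
CODE_TYPES = {b"WDEF", b"CDEF", b"MDEF", b"LDEF", b"CODE", b"INIT", b"DRVR"}

def list_resources(fork):
    """Return [(type, id, size)] for each resource in a raw resource fork."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    data_off, map_off, data_len, map_len = struct.unpack(">4I", fork[:16])
    if map_len < 30 or map_off + map_len > len(fork) or data_off + data_len > len(fork):
        raise ValueError("header offsets fall outside the fork")
    rmap = fork[map_off:map_off + map_len]
    tlist = rmap[struct.unpack(">H", rmap[24:26])[0]:]          # type list
    n_types = (struct.unpack(">H", tlist[:2])[0] + 1) & 0xFFFF  # stored as count - 1
    found = []
    for t in range(n_types):
        rtype, n_minus1, ref_off = struct.unpack(">4sHH", tlist[2 + 8*t:10 + 8*t])
        for r in range(n_minus1 + 1):
            ref = tlist[ref_off + 12*r:ref_off + 12*r + 12]
            rid, _name, attr_off = struct.unpack(">hHI", ref[:8])
            start = data_off + (attr_off & 0xFFFFFF)  # low 24 bits: data offset
            size, = struct.unpack(">I", fork[start:start + 4])
            found.append((rtype, rid, size))
    return found

def code_resources(fork):
    """Resources whose type is in CODE_TYPES: the ones worth a closer look."""
    return [r for r in list_resources(fork) if r[0] in CODE_TYPES]

def build_sample_fork(resources):
    """Construct a minimal fork from [(type, id, bytes)], one resource per type."""
    data = b"".join(struct.pack(">I", len(d)) + d for _, _, d in resources)
    n = len(resources)
    types, refs, off = b"", b"", 0
    for i, (rtype, rid, d) in enumerate(resources):
        types += struct.pack(">4sHH", rtype, 0, 2 + 8*n + 12*i)
        refs += struct.pack(">hHII", rid, 0xFFFF, off, 0)
        off += 4 + len(d)
    tlist = struct.pack(">H", n - 1) + types + refs
    map_len = 28 + len(tlist)
    header = struct.pack(">4I", 16, 16 + len(data), len(data), map_len)
    rmap = header + bytes(8) + struct.pack(">HH", 28, map_len) + tlist
    return header + data + rmap

# Constructed sample: a desktop-style file holding an icon list and a WDEF.
SAMPLE = build_sample_fork([(b"ICN#", 128, bytes(256)), (b"WDEF", 0, bytes(40))])
```

A data-only file should return an empty list from `code_resources`; any hit is a resource to inspect, not proof of infection.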