Path: utzoo!attcan!uunet!wuarchive!mit-eddie!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw From: S096264@UMRVMA.BITNET (Kincy, Chuck P.) Newsgroups: comp.virus Subject: Re: Alleged PostScript virus. Message-ID: <0005.9010151404.AA09336@ubu.cert.sei.cmu.edu> Date: 12 Oct 90 14:44:56 GMT Sender: Virus Discussion List Lines: 42 Approved: krvw@sei.cmu.edu >From the last Virus-L: > Recently both MacWorld and MacUser magazines have had short articles > about a PostScript printer virus which apparently is a Trojan Horse > hidden within some public domain clip art. According to the articles, > the virus, when down-loaded into a PostScript printer, resets a chip > password and renders the printer unusable. Apparently the article refers to the PostScript "server" password, the password requires to make a permanent status change to the printer. I believe the password is a 2-byte unsigned integer. In order to change this password, a PostScript job must know the original server password. The default password is 0, but it can be changed with the "setpassword" command. (Not too sure about the actual command word...my PostScript is rusty...) A program that resets the server password would be really nasty, as it would prevent any future permanent status changes to the printer (such as defaultpapertray, defaultpapersize, etc.) However, a careful system administrator would set the password to something other than 0; this action would keep such a program from doing any harm. As far as I know, there is no way to figure out the server password (unless, of course, you know it). A program like this would do it: serverdict begin xxxxx exitserver % xxxxx is the old "server" password. statusdict begin yyyyy setpassword % yyyyy is the new password. % (I hope this is the right syntax!!) (ctl-d) Someone might want to get a PostScript "red" book to check me on this.... |Chuck Kincy "I do not think that there is any question | |University of Missouri about it--it can only be attributed to | |Rolla MO 65401 human error. This sort of thing has cropped| |S096264@umrvma.umr.edu up before, and it has always been due to | |314/341-8922 human error." -- HAL 9000. |