Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: phaedrus@milton.u.washington.edu (Mark Phaedrus)
Newsgroups: comp.virus
Subject: Re: Hard Disk Protection (PC) and (Mac)
Message-ID: <0005.9101151325.AA04099@ubu.cert.sei.cmu.edu>
Date: 12 Jan 91 08:22:04 GMT
Sender: Virus Discussion List
Lines: 54
Approved: krvw@sei.cmu.edu

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:

[another user's request for something for the PC similar to Mac's SAM deleted]

>Could be done with something hooking the timer but why ? MACs execute
>code on the floppy when inserted but an IBM or clone does not (unless
>you try to boot from it). Under MS-DOS, a program must be requested
>for execution before it is loaded and that is when good anti-viral
>programs do their thing.

Not to pick nits here, but this contains a pretty common misconception about the Mac that should be cleared up (since it's important when considering Mac virus protection). Macs do not automatically "execute code on the floppy when inserted." If you have infected application files on a floppy disk and you insert it, nothing adverse will happen unless you actually try to launch the infected application.

The Mac viruses (notably WDEF) that infect immediately on disk insertion do this because of the way the Finder stores information on disk, and the way Mac file contents are accessed. Most file access on a Mac is resource-based; instead of a program asking for a specific range of bytes, it asks for, say, desk accessory #12. Depending on which access calls the program uses, it can either look for that resource in one specific file, or in all the currently-opened files, looking in the most recently-opened first (which the System itself usually does). That's how programs like Suitcase II that let you add new fonts and DAs on the fly work; they just hold the new files open, and the System automatically looks through them for resources as well.

Every Mac disk has a "Desktop" file that keeps track of where applications are, what their icons look like, etc. When you're running the Finder, it keeps all these files open. The WDEF and similar viruses sneak in by infecting these Desktop files with a resource that's the same ID as one the System uses; when the System looks for this resource, it picks the one in the Desktop file over the one in the System file, since the Desktop file was opened more recently. If the resource is one that would normally be executed (like a WDEF, which tells the Mac how to draw windows), the System will execute the infected resource, which can then copy itself to other Desktop files or do anything else it wants to do.

Once you understand how the virus enters and spreads, it's not nearly as threatening. Unless you're running the Finder (or some other program that uses Desktop information), it doesn't matter whether a disk is WDEF-infected or not, since that file is never opened. If you hold down Command-Option during a restart or while inserting a disk (which forces the Desktop to be rebuilt), the virus is eliminated without infecting the Mac, since the infected Desktop file is deleted and replaced by a clean copy. Finally, if you're using Desktop Manager (which I would heartily recommend), your hard disk can't be infected, since there's no Desktop file on it at all and since the files that replace it don't store resources.

-- 
Internet: phaedrus@u.washington.edu (University of Washington, Seattle)
The views expressed here are not those of this station or its management.
"If you can keep your head while those about you are losing theirs, consider an exciting career as a guillotine operator!"
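Added example, not part of the post above: a toy Python model of the resource search order the post describes (most recently opened file first), with a defender's check that flags a System resource resolving to a Desktop file and a Command-Option rebuild that clears it. File names, resource payloads and the "keep only non-code resources" rebuild rule are constructed assumptions for the model.

```python
class ResourceChain:
    # Open resource files, kept in the order they were opened.
    def __init__(self):
        self.open_files = []  # list of (file_name, {(type, id): payload})

    def open_file(self, name, resources):
        self.open_files.append((name, dict(resources)))

    def close_file(self, name):
        self.open_files = [f for f in self.open_files if f[0] != name]

    def resources_of(self, name):
        return next(res for n, res in self.open_files if n == name)

    def get_resource(self, rtype, rid):
        # Most recently opened file wins, as the System's own lookup does, so a
        # Desktop file holding the System's (type, id) shadows the System copy.
        for name, res in reversed(self.open_files):
            if (rtype, rid) in res:
                return name, res[(rtype, rid)]
        return None, None

def shadowed_system_resources(chain, system_name="System"):
    # Defender's check: System resources that no longer resolve to the System
    # file. A WDEF resolving to a Desktop file is the symptom described above.
    return [(t, i, chain.get_resource(t, i)[0])
            for (t, i) in chain.resources_of(system_name)
            if chain.get_resource(t, i)[0] != system_name]

def rebuild_desktop(chain, desktop_name, code_types=("WDEF",)):
    # Command-Option rebuild: discard the Desktop file and reopen a clean copy.
    # Modelled (assumption) as keeping only the Finder's bookkeeping resources.
    old = chain.resources_of(desktop_name)
    clean = {k: v for k, v in old.items() if k[0] not in code_types}
    chain.close_file(desktop_name)
    chain.open_file(desktop_name, clean)

def demo():
    # Constructed sample data: insert an infected floppy, then rebuild.
    chain = ResourceChain()
    chain.open_file("System", {("WDEF", 0): "system window code"})
    before = chain.get_resource("WDEF", 0)[0]
    # The Finder opens the floppy's Desktop file as soon as the disk goes in.
    chain.open_file("Desktop:floppy", {("ICN#", 128): "icon bits",
                                       ("WDEF", 0): "foreign code"})
    flagged = shadowed_system_resources(chain)
    rebuild_desktop(chain, "Desktop:floppy")
    after = chain.get_resource("WDEF", 0)[0]
    return before, flagged, after, shadowed_system_resources(chain)
```

With no Desktop file opened at all (the Desktop Manager case in the post), `shadowed_system_resources` stays empty because nothing sits ahead of the System file in the chain.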