Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Newsgroups: comp.virus
Subject: A question regarding commercial dial-up services
Message-ID: <0006.9106031950.AA02037@ubu.cert.sei.cmu.edu>
Date: 1 Jun 91 00:05:16 GMT
Sender: Virus Discussion List
Lines: 46
Approved: krvw@sei.cmu.edu

lev@suned1.Nswses.Navy.Mil (Lloyd E Vancil) writes:

> Given: A BBS service distributes a program that you must run in your
> machine to use the service. ( ;-) guess who! ) This service becomes
>
> Investigation reveals whole blocks of ram have been dumped to the
> file. Typical finds include, dos environment information, disk
> directories, pieces of files that were deleted by dos (but not removed
> from the disk surface).
>
> Would it be possible;
> 1. for a memory resident virus to be scooped up by this service..
> and return to reinfect the machine at a later date? Presumably
> by the service's reusing of the file fragment that contains the
> "screen primitive" and the "scooped" virus code.
>
> 2. for a virus to be written to take advantage of this transmission
> method?
>
> (I'm not sure that the "service" retains a complete copy of its
> users' "staging file"; after all they claim nearly 1 million

Given a virus-infected file which had been deleted "normally" (i.e. in
MS-DOS the file is still there but the directory listing is removed)
it is possible for the infective/viral code to appear in this
purported file. (Shall we call it, say, STAGE.DAT?)

My understanding is that the information contained in our theoretical
file is data, and that it is "viewed" rather than being "run". If,
however, the system used a "resource" type system (such as the Mac
does), it may be possible for portions of the file to be "run", and
then the danger of reinfection is possible.

Given the very large size of our theoretical file, one can note that
very little, if any, of it could be transmitted during the time the
"send data" LED is on. The risk of the information being transmitted
to the central service and redistributed is therefore extremely
remote. It would take a prodigious effort to infect users this way,
but it is not outside the bounds of possibility.

=============
Vancouver          p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for      Robert_Slade@mtsg.sfu.ca |  computer, don't
Research into      (SUZY) INtegrity         |  turn it on."
User               Canada V7K 2G6           | Richards' 2nd Law
Security                                    | of Data Security