Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!elroy.jpl.nasa.gov!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: bcarter@claven.idbsu.edu
Newsgroups: comp.virus
Subject: Re: Hypercard Antiviral Script? (Mac)
Message-ID: <0005.9106251509.AA25956@ubu.cert.sei.cmu.edu>
Date: 24 Jun 91 00:53:39 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 27
Approved: krvw@sei.cmu.edu

Greetings,

>The code to scan a stack is essentially the same as the SearchScript
>code that y'all will find in your HOME stack, only you have to modify
>it to accept a file name (answer file...everyone remember now?...)
>anyway, after you do that, the search string is "set the script of".
>HOWEVER, it is possible that someone has the viri sitting in an XCMD
>or XFCN which they invoke, so you should also check the resources they
>have attached to their stack...so you see, it becomes a pain to simply
>scan the stack script because you also need to scan the resources to
>be effective.

I doubt that a general scanner for HyperTalk viruses can be created
due to the fact that all one has to do is encode the text of the
script to be inserted, and make decoding part of the infection
process.  Using this method along with "do"s you would never see a
plain text "set the script of" until it was too late.  It wil probably
be necessary to do as utilities such as Virex do, and enter specific
characteristics of each virus for which to search.

This is a tough area, every time someone here comes up with a way of
blocking this sort of thing someone else comes up with a way around
it.
                                     <->
Bruce Carter, Courseware Development Coordinator      bcarter@claven.idbsu.edu
Boise State University, Boise, ID  83725              duscarte@idbsu.bitnet
(This message contains personal opinions only)        (208)385-1250@phone