Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: Self-Modifying SETVER.EXE (PC)
Message-ID: <0004.9106261903.AA01188@ubu.cert.sei.cmu.edu>
Date: 25 Jun 91 19:11:00 GMT
Sender: Virus Discussion List
Lines: 42
Approved: krvw@sei.cmu.edu

>From: Robert McClenon <76476.337@CompuServe.COM>

>     I just discovered after twenty minutes of unpleasantness that
>SETVER.EXE, a feature of DOS 5.00, is implemented via SELF-MODIFYING
>CODE.

Actually, this is much better than earlier (beta) versions in which
SETVER modified other things (even nastier). Since I did not bother to
install SETVER, this is not a problem for me and I have not yet run
into an application/game/etc that requires its use, though I have
heard rumors of such programs.

Further, once one teaches SETVER which (shouldn't be many) programs
require DOS to report/act like a different version to work, SETVER
should not be changing unless a new non-conforming program is added.
Even so, the rate should not be a problem, & the user should know that
something "legal" was done.

For some time, my feeling has been that "intelligent" anti-viral
software should be able to recognize when a program is allowed to
write to itself (SETVER, LIST) or to a limited subset of other
programs (WSCHANGE - WORDSTAR) & notify the user but not make a fuss
about it. Now if SETVER tries to modify LIST, I would be concerned,
but not when it modifies itself when I ask it to.

To me, strict checksum coverage of 98% of my files is "good enough"
(quantum economics) that not much safety would be lost if the other 2%
were permitted LIMITED privilege with notification. Heck, the whole
concept of "privilege" receives only lip service (and much
obfuscation) from DOS.

IMHO, it would seem that Microsoft had a choice: let SETVER modify
system files (tried & rejected in beta), a separate data file
(possible but must always be able to find it), or itself. Given all
the variables, I think they probably made the most efficient (but not
necessarily the most popular to anti-virus program writers) decision.

					Cooly,
						Padgett

	Might be someone else's opinion also but probably not my employer's.
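
The limited-privilege idea in the post (strict checksums for most files, a few named programs allowed to modify themselves or a small set of targets, reported as a notice rather than an alarm), sketched as an added example that is not part of the original post. The policy table, the function names, the file names other than SETVER.EXE, the use of SHA-256 and the list of observed write events are assumptions made for illustration.

```python
import hashlib

# Hypothetical policy table: writer program -> files it may modify.
# SETVER.EXE is from the post; the other file names are constructed placeholders.
WRITE_POLICY = {
    "SETVER.EXE": {"SETVER.EXE"},   # may rewrite itself
    "LIST.COM": {"LIST.COM"},       # may rewrite itself
    "WSCHANGE.EXE": {"WS.EXE"},     # may patch a limited subset of other programs
}

def checksum(data: bytes) -> str:
    # SHA-256 is an assumption; the post does not name a checksum algorithm.
    return hashlib.sha256(data).hexdigest()

def audit(baseline, current, write_events, policy=WRITE_POLICY):
    """Compare files to the baseline; return (verdicts, updated_baseline)."""
    writers = {}
    for writer, target in write_events:      # (writer, target) pairs from a monitor
        writers.setdefault(target, set()).add(writer)
    verdicts, updated = {}, dict(baseline)
    for name, old_sum in baseline.items():
        new_sum = checksum(current[name]) if name in current else None
        seen = writers.get(name, set())
        permitted = {w for w in seen if name in policy.get(w, set())}
        if new_sum is None:
            verdicts[name] = "ALERT: file missing"
        elif new_sum == old_sum:
            verdicts[name] = "ok"
        elif seen and seen == permitted:
            # Every observed writer held the limited privilege: notify the
            # user and accept the new checksum as the baseline.
            verdicts[name] = "NOTIFY: modified by " + ", ".join(sorted(seen))
            updated[name] = new_sum
        else:
            # No known writer, or a writer acting outside its allowance.
            verdicts[name] = "ALERT: unauthorised change"
    return verdicts, updated

def demo():
    # Constructed sample data: file contents before and after one session.
    before = {"SETVER.EXE": b"setver v1", "LIST.COM": b"list",
              "WS.EXE": b"wordstar", "COMMAND.COM": b"shell"}
    after = {**before, "SETVER.EXE": b"setver v1 + new entry",
             "LIST.COM": b"list patched", "COMMAND.COM": b"shell!"}
    events = [("SETVER.EXE", "SETVER.EXE"), ("SETVER.EXE", "LIST.COM")]
    baseline = {n: checksum(d) for n, d in before.items()}
    return audit(baseline, after, events)

if __name__ == "__main__":
    print(demo()[0])
```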