Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: EIVERSO@cms.cc.wayne.edu
Newsgroups: comp.virus
Subject: Re: Hypercard Antiviral Script? (Mac)
Message-ID: <0005.9106261903.AA01188@ubu.cert.sei.cmu.edu>
Date: 25 Jun 91 19:21:10 GMT
Sender: Virus Discussion List
Lines: 36
Approved: krvw@sei.cmu.edu

From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
[stuff deleted]...
>and as long as LockMessages is set, and as long as one checks the
>script of stack xxx before opening it, it's essentially impossible to
>infect yourself by opening a stack - ASSUMING YOU CHECK THE SCRIPT OF
>THE STACK FIRST.

>The code to scan a stack is essentially the same as the SearchScript
>code that y'all will find in your HOME stack, only you have to modify
>it to accept a file name (answer file...everyone remember now?...)
>anyway, after you do that, the search string is "set the script of".
>HOWEVER, it is possible that someone has the viri sitting in an XCMD
>or XFCN which they invoke, so you should also check the resources they
>have attached to their stack...so you see, it becomes a pain to simply
>scan the stack script because you also need to scan the resources to
>be effective.

Mike, I appreciate what you're about & am not trying to engage in
one-upmanship but....
Don't forget that the script could be in any object not just the
stack script or an XCMD. Maybe SearchScript checks all objects, I forget.
You won't find the string if it's concatenated--i.e.:

on openCard
  put "set the scr" & "ipt of ..." into virusVariable
  --search would miss this
  --other malicious code goes here
end openCard

Thanks for the advice about being able to check for a "set" within a "send"
I will really believe it after I test it, though.

If you'd like, I could send you the exact script which I believe can
bypass any HC "vaccine".
Others need not ask, especially don't contact my ID directly.

--Eric
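
[Added example, not part of the original post and not Eric's or Mike's code:
a Python sketch of a scanner that looks for "set the script of" in every
object's script and folds adjacent string literals joined by & or && before
searching, so the split string shown above is still found. The object names,
SAMPLE_STACK and the function names are assumptions made for illustration;
scripts are assumed to be already exported as text.]

```python
import re

NEEDLE = "set the script of"
# HyperTalk tokens: string literal, -- comment, & / && operator, any other word.
_TOKEN = re.compile(r'"[^"\n]*"|--.*|&&?|[^\s"&]+')

def fold_literals(line):
    """Merge "a" & "b" into "ab" (and "a" && "b" into "a b") on one line."""
    out = []
    for tok in _TOKEN.findall(line):
        if (len(out) >= 2 and tok.startswith('"')
                and out[-1] in ("&", "&&") and out[-2].startswith('"')):
            op, left = out.pop(), out.pop()
            out.append(left[:-1] + (" " if op == "&&" else "") + tok[1:])
        else:
            out.append(tok)
    return " ".join(out)

def _norm(text):
    # Case-insensitive, whitespace-insensitive comparison form.
    return " ".join(text.lower().split())

def scan_stack(scripts):
    """scripts maps object name -> script text; returns (object, line, reason)."""
    hits = []
    for name, script in scripts.items():
        for lineno, raw in enumerate(script.splitlines(), 1):
            if NEEDLE in _norm(raw):
                hits.append((name, lineno, "direct"))
            elif NEEDLE in _norm(fold_literals(raw)):
                hits.append((name, lineno, "split literals"))
    return hits

# Constructed sample: scripts from several objects, not only the stack script.
SAMPLE_STACK = {
    "stack script": 'on openStack\n  hide message box\nend openStack',
    "card 1": 'on openCard\n  put "set the scr" & "ipt of ..." into virusVariable\n'
              'end openCard',
    "button 3": 'on mouseUp\n  set the script of card 2 to empty\nend mouseUp',
}

if __name__ == "__main__":
    for hit in scan_stack(SAMPLE_STACK):
        print(hit)
```

[The fold only joins literals that sit next to each other on one line; text
assembled through variables at run time, or code held in XCMD/XFCN resources,
is outside what a text scan like this can see.]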