Path: utzoo!mnetor!uunet!husc6!uwvax!umn-d-ub!umn-cs!ems!nis!stag!trb
From: trb@stag.UUCP ( Todd Burkey )
Newsgroups: comp.sys.amiga
Subject: Re: Virus Author comes forward!!!
Message-ID: <299@stag.UUCP>
Date: 3 Jan 88 17:12:57 GMT
References: <3007@cbmvax.UUCP> <3008@cbmvax.UUCP> <6028@cisunx.UUCP> <4862@well.UUCP> <597@inria.UUCP> <3064@cbmvax.UUCP> <297@stag.UUCP> <22368@ucbvax.BERKELEY.EDU>
Reply-To: trb@stag.UUCP ( Todd Burkey )
Organization: Mindtools ST Access Group, Plymouth, MN
Lines: 27
Keywords: virus, diskkiller

In article <22368@ucbvax.BERKELEY.EDU> bryce@hoser.berkeley.edu (Bryce Nesbitt) writes:
>In article <297@stag.UUCP> trb@stag.UUCP ( Todd Burkey ) writes:
>>
>>Wouldn't it be simple to check for a virus that lodges itself in
>>the OS and/or boot sectors by writing a simple CRC routine (two-level
>>to allow byte isolation).
>
>No it would not. One of the capabilities of such a virus is to infect the
>sector read commands. When you check to see if the boot-block is "normal"
>the smart virus could just return a "normal" block.
>

I was thinking that the check program would operate at a bit lower
level than that. It should go out and intercept the disk i/o routines
themselves. This would 'take away' the vectors from the virus if it
already had them. Maybe one check of such a program would be to just
examine where all the current potentially 'interesting' vectors are
being redirected to and inform the user if anything is being trapped.

Luckily this isn't a multi-user, distributed environment. Anyone
remember the viruses that plagued the Sperry and CDC computers in the
middle-late 70's (here in MN on the educational systems anyway)? Most
of those were somewhat comical...except for the time I found that one
of the user's directories had had every file replaced with a copy of
startrek.

  -Todd Burkey
   trb@stag.UUCP
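The exchange above, modelled as an added example (not code from either poster and not Amiga system code): a CRC check that reads through a redirected vector sees a clean block, while a vector audit, or a CRC taken after reclaiming the vector, exposes the change. Every name, the 16-byte block and the single read vector are constructed assumptions for this toy model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16 /* toy boot-block size (constructed) */
typedef void (*read_fn)(uint8_t *out);

static const uint8_t clean_block[BLOCK] = "DOS boot block!"; /* constructed */
static uint8_t disk_block[BLOCK]; /* bytes really on the disk */

/* Known-good read routine: returns the real on-disk bytes. */
static void trusted_read(uint8_t *out) { memcpy(out, disk_block, BLOCK); }
/* Stand-in for a resident hook: answers every read with a clean copy. */
static void hooked_read(uint8_t *out) { memcpy(out, clean_block, BLOCK); }
static read_fn read_vector = trusted_read; /* vector the checker calls through */

/* Bitwise CRC-16 (polynomial 0x1021, initial value 0xFFFF). */
static uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}
/* Check 1: CRC of the block as seen through whatever the vector points at. */
static int crc_check_via_vector(void) {
    uint8_t buf[BLOCK];
    read_vector(buf);
    return crc16(buf, BLOCK) == crc16(clean_block, BLOCK);
}
/* Check 2: report whether the vector still points at the known-good routine. */
static int vector_is_trusted(void) { return read_vector == trusted_read; }
/* Check 3: take the vector back first, then run the same CRC check. */
static int crc_check_after_reclaim(void) {
    read_vector = trusted_read;
    return crc_check_via_vector();
}
/* Constructed scenario: one on-disk byte altered, read path redirected. */
static void simulate_tampering(void) {
    memcpy(disk_block, clean_block, BLOCK);
    disk_block[3] ^= 0xFF;
    read_vector = hooked_read;
}
int main(void) {
    simulate_tampering();
    int a = crc_check_via_vector(), b = vector_is_trusted(), c = crc_check_after_reclaim();
    printf("crc via vector ok=%d, vector trusted=%d, crc after reclaim ok=%d\n", a, b, c);
    return 0;
}
```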