Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!ames!amdahl!dlb!dana!rap
From: rap@dana.UUCP (Rob Peck)
Newsgroups: comp.sys.amiga
Subject: Re: THIS VIRUS IS A CRISIS!
Message-ID: <275@dana.UUCP>
Date: 5 Jan 88 19:42:24 GMT
References: <9659@udenva.cair.du.edu> <483@auvax.UUCP>
Organization: Dana Computer, Inc., Sunnyvale, CA
Lines: 52
Summary: Just have to watch out for lotsa stuff

In article <483@auvax.UUCP>, rwa@auvax.UUCP (Ross Alexander) writes:
>
> All you need is a virus scrubber. CATS ought to be able to build one
> with their eyes shut. In the Un*x world, these sorts of things have
> In the mean time, put your shirt back on and do a little constructive
> reasoning. This thing can only be spread by receiving and booting an
?????? ^^^^ ??????????????????????????????????
> infected flop, right? So DON'T BOOT ANY FOREIGN FLOPS; copy them
> onto known clean flops, the boot sector isn't copied in a
> file-system-oriented copy (as opposed to a track-oriented copy).
> Consider this the software equivalent of condoms ;-).

As has been pointed out by others, though, the virus CAN be carried as a
piggyback along with existing software, so YES, don't boot foreign flops,
but maybe you might want to power down and reboot with your own clean
floppy after running any software whose source might be suspect.

(sigh - just realized I've contributed toward keeping the subject alive).

But here are some more suggestions that I believe are valid, towards
creating a virus eliminator - the system libraries are partially RAM
resident when the system finally completes its boot up. After booting
with a clean floppy, the system library list could be checked or
checksummed perhaps to see if anything had left a patch behind,
particularly in the cold capture or warm capture vectors. Sure, because
of dynamic loading, the contents of the libraries might differ from boot
to boot, but the places to which the vectors would point in ROM or
Kickstart would still be the same.

It seems that the things we have to worry about most are those that
modify the system functions - since the kickstart and ROM memory areas
cannot be written to, it is the RAM resident part that could be checked.
Yes, it happens that some programs do not clean up after themselves
properly, and even Intuition can cause memory fragmentation if you don't
respond quickly to all messages it sends, but if a library checker
program were to be created, it could be run as part of the
startup-sequence perhaps (from that clean floppy, that is) and detect
that there were some (perhaps unintentional) tracks left over from the
previous program.

Programs that write directly to physical memory as a means of hiding
virus code could still do that, but if there is no link to the code
through the system library entry points that we can check, it is just
like any other dirty memory that a program used and then discarded.
It'll get reused later on.

Looking forward to a resolution of this topic - I would dislike having
to take all of the steps necessary to protect myself - would hate to
lose a bunch of work because of something I could have prevented. Maybe
if this program does get created, I'd run it after any program that I
myself did not compile, rather than power off. (sigh).

Rob Peck ...ihnp4!hplabs!dana!rap
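Added example, not part of Rob Peck's post: a C sketch of the library check the post proposes, run over a copy of a ROM-resident library's jump table and the capture vectors. It assumes the Kickstart 1.x ROM window $FC0000-$FFFFFF, six-byte 68000 "JMP abs.L" vector entries, and capture vectors that are zero after a clean boot; the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: Kickstart 1.x ROM window (256 KB). Adjust per machine. */
#define ROM_START 0x00FC0000u
#define ROM_END   0x00FFFFFFu
#define OP_JMP    0x4EF9u  /* 68000 "JMP abs.L": opcode word + 32-bit target */
#define VEC_SIZE  6        /* bytes per jump-table entry */

static uint32_t be32(const uint8_t *p) {  /* 68000 is big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Count entries that are not "JMP <address inside ROM>". first_bad gets the
   index of the first suspect entry, or -1 if the table is clean. */
int count_patched_vectors(const uint8_t *tab, size_t n, int *first_bad) {
    int bad = 0;
    *first_bad = -1;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = tab + i * VEC_SIZE;
        uint32_t op = ((uint32_t)e[0] << 8) | e[1], dst = be32(e + 2);
        if (op != OP_JMP || dst < ROM_START || dst > ROM_END) {
            if (bad++ == 0) *first_bad = (int)i;
        }
    }
    return bad;
}

/* Assumption: cold/cool/warm capture vectors are zero after a clean boot. */
int captures_hooked(const uint32_t cap[3]) {
    return (cap[0] != 0) + (cap[1] != 0) + (cap[2] != 0);
}

/* Constructed sample tables: three vectors each; PATCHED redirects #1 to RAM. */
const uint8_t CLEAN[18] = {
    0x4E,0xF9,0x00,0xFC,0x1A,0x40, 0x4E,0xF9,0x00,0xFC,0x22,0x10,
    0x4E,0xF9,0x00,0xFE,0x00,0x08 };
const uint8_t PATCHED[18] = {
    0x4E,0xF9,0x00,0xFC,0x1A,0x40, 0x4E,0xF9,0x00,0x07,0xE0,0x00,
    0x4E,0xF9,0x00,0xFE,0x00,0x08 };

int main(void) {
    int idx, n = count_patched_vectors(PATCHED, 3, &idx);
    printf("patched table: %d suspect, first at vector %d\n", n, idx);
    n = count_patched_vectors(CLEAN, 3, &idx);
    printf("clean table: %d suspect\n", n);
    return 0;
}
```

The ROM-range test only applies to libraries that live in ROM or Kickstart; a disk-loaded library's vectors legitimately point into RAM and would need a per-boot baseline instead.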