Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ncar!tank!nucsrl!jln
From: jln@eecs.nwu.edu (John Norstad)
Newsgroups: comp.sys.mac
Subject: Re: SCORES ordeal + new(?) SCORES info
Message-ID: <10330055@eecs.nwu.edu>
Date: 11 Oct 88 18:19:02 GMT
References: <6685@ut-emx.UUCP>
Organization: Northwestern U, Evanston IL, USA
Lines: 107

>According to the documentation that came with KillScores, it can cause
>applications to crash or do strange things. I had several applications
>that bombed mercilessly until I disinfected them, then they worked perfectly.
>The formatter was no exception.

Yes, Scores can cause applications to crash or do strange things. In my
earlier reply I pointed out one case - code segment gaps of size 1. For
example, some versions of Red Ryder and Stuffit have this property. If
your formatter wouldn't run at all (crashed immediately on launch) I'd
suspect this gap problem. Scores also uses memory, so applications that
need lots of memory might not work properly on infected systems.

>>I also don't understand why your "repaired" hard disk worked fine until
>>you ran an infected application. Systems usually continue to work properly
>                                          ^^^^^^^
>Apparently "usually" is the correct word.

Your case is the first I've heard of a system that won't function at all
when infected. As I said before, I suspect a conflict between Scores and
your disk driver. For example, they might both be trying to use the same
unit table entry. What kind of drive are you using?

>>In your case your floppy probably became full after the five viral resources
>>were installed on your system file. Scores continued to try to infect
>>the other four files, but nothing happened because the floppy was full.
>
>No, the floppy isn't full. Has about 45K left. Also, and correct me if I'm
>wrong, but Scores doesn't simply "infect" the other four files (desktop,
>notepad, scrapbook). It *creates* them. They will be present in an infected
>System Folder even if they (spec. Scrapbook and Notepad) were previously
>removed from the System.

You're correct - the Desktop, Scores, Notepad, and Scrapbook files are
all created if they don't already exist. I am quite mystified as to why
Scores didn't create them in your case if your floppy wasn't full.

>Perhaps it's a question of proof. How can one
>*prove* that the virus caused a program with 400,000 bytes of code to crash,
>short of hiring a team of programmers to spend 10 years going through the
>code word-by-word and figuring it out?

I have gone through Scores in great detail. I've examined every single
line of code and figured out what it does. It contains roughly 2,500
machine language instructions. This took about two weeks of very hard
work. Of course, I didn't have access to source code. I had to use a
disassembly listing and reverse-engineer the beast. Every significant
fact I discovered by examining the code was verified by testing on an
infected system, using a debugger, ResEdit, and other programming tools.

The only things that Scores does ON PURPOSE are spread itself and attack
VULT and ERIC. Many people, however, have noticed undesirable behaviour
on infected systems, including problems printing and problems with
MacDraw and Excel. I suspect memory problems in these cases, although
I'm not sure. I haven't been able to duplicate them on my systems.

I've found a number of bugs and what look like oversights in Scores, but
none of them seem to be really serious. Of course, it's very possible,
indeed likely, that I've overlooked something. Scores is very
complicated, and there are many ways in which it can interact in strange
ways with other applications and system software. I'm still discovering
new things about it. Your problem is definitely the worst one I've heard
about.

In the case of a specific program that bombs repeatedly on an infected
system, it shouldn't be terribly difficult to discover why, provided
source code is available for the program in question, and provided the
investigators are experienced Mac programmers with a thorough knowledge
of the virus in question. It might not be easy, but it should be doable
in a reasonable amount of time.

The fact that a virus does not contain any specific damaging attacks on
other applications or system software does not make it harmless, as
we've all discovered in the case of Scores. The mere fact that they
occupy disk space and memory makes them dangerous. Scores only contains
specific attacks against VULT and ERIC, which were never released to the
general public, but it is still a monster that has caused great damage.

I certainly hope that any future anti-virus legislation will not make
deliberate attacks a requirement for successful prosecution. Any
self-replicating code distributed without the knowledge and consent of
the users should be illegal.

>Keep in mind that we're talking about a virus that will actually
>search out applications to infect, even if they aren't run. If you've ever
>seen your infected disk drive start spinning for no reason, that's the Scores
>virus on a "hunting trip."

This is false. Scores only infects applications that are actually run.
The infection occurs between 2 and 3 minutes after the application is
launched. When you hear the disk whir at an odd time it is Scores
infecting the current application. Scores does not go on any "hunting
trips".

>And yes, you're right. Scores is still very much alive and spreading.

It can't hurt to once again very strongly recommend that Mac users
obtain and install the Vaccine CDEV. It is effective against Scores. If
you try to run an infected application on an uninfected, vaccinated
system your machine will bomb, and your system will not be infected.
When this happens you should use Virus Rx, Interferon, or some other
virus detection tool to investigate the suspected application.

John Norstad
Academic Computing and Network Services
Northwestern University
Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu