Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!purdue!decwrl!labrea!agate!e260-4b.berkeley.edu!laba-3ar
From: laba-3ar@e260-4b.berkeley.edu (Case Larsen)
Newsgroups: comp.sys.amiga
Subject: Re: On Viruses...
Message-ID: <18670@agate.BERKELEY.EDU>
Date: 2 Jan 89 09:29:36 GMT
References: <10193@well.UUCP>
Sender: usenet@agate.BERKELEY.EDU
Distribution: na
Lines: 30

In article <10193@well.UUCP> ewhac@well.UUCP (Leo 'Bols Ewhac' Schwab) writes:
> One way I thought of to detect the virus, off the top of my head, is
>to have the some command in your Startup-Sequence check the size of the
                                                   ^^^^^^^^^^^^^^^^^^^^^
>first command. If it's different from what it should be, you throw up an
 ^^^^^^^^^^^^^

Suppose the virus doesn't change the first command of your
startup-sequence, but instead changes your *startup-sequence*.
It seems to me, one way to prevent this is to:

1. Keep a database of checksums for all files on the disk.
2. Before you shut down, compute checksums for each file on the disk
   and report to the user in the following cases:
   a. No checksum entry exists for the file. (This catches files that
      have been added by a virus.)
   b. Checksum entries don't match. (This catches files that have been
      modified by a virus.)

Unfortunately, you have to make sure that the program that compares the
checksums hasn't been bitten by the virus.

>_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>Leo L. Schwab -- The Guy in The Cape INET: well!ewhac@ucbvax.Berkeley.EDU
> \_ -_ Recumbent Bikes: UUCP: pacbell > !{well,unicom}!ewhac
>O----^o The Only Way To Fly. hplabs / (pronounced "AE-wack")
>"Work FOR? I don't work FOR anybody! I'm just having fun." -- The Doctor

-----
Case Larsen
clarsen@garnet.berkley.edu (internet) (Best)
..!{ames|hplabs|decvax}!ucbvax.berkeley.edu!garnet!clarsen (UUCP)
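
The two-step check described in the post above, sketched in Python as an added example (not code from the original post or its author). SHA-256 stands in for the "checksum"; the function names, the JSON database format and the sample files are assumptions, and the "missing" report goes beyond the two cases the post lists.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative path) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def save_baseline(root, db_path):
    """Step 1: store a digest for every file. db_path must live outside root."""
    Path(db_path).write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def compare(root, db_path):
    """Step 2: recompute digests and report files that differ from the database."""
    baseline = json.loads(Path(db_path).read_text())
    current = snapshot(root)
    return {
        "no_entry": sorted(set(current) - set(baseline)),      # case a: added file
        "mismatch": sorted(p for p in set(current) & set(baseline)
                           if current[p] != baseline[p]),      # case b: modified file
        "missing": sorted(set(baseline) - set(current)),       # beyond the post
    }


def demo():
    """Constructed sample disk: startup-sequence is modified and a file is added."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as safe:
        seq = Path(disk, "s", "startup-sequence")
        seq.parent.mkdir()
        seq.write_text("LoadWB\nEndCLI\n")
        Path(disk, "c").mkdir()
        Path(disk, "c", "dir").write_bytes(b"constructed sample command")
        db = Path(safe, "checksums.json")   # kept off the disk being checked
        save_baseline(disk, db)
        seq.write_text("hypothetical-command\nLoadWB\nEndCLI\n")  # -> case b
        Path(disk, "c", "newcmd").write_bytes(b"constructed")     # -> case a
        return compare(disk, db)


if __name__ == "__main__":
    print(demo())
```

Keep the database and the checker itself off the disk being checked, for example on write-protected media; otherwise the caveat at the end of the post applies to both.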