Xref: utzoo comp.sys.amiga:27206 comp.sys.amiga.tech:2982
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!unmvax!pprg.unm.edu!hc!lll-winken!lll-lcc!pyramid!cbmvax!grr
From: grr@cbmvax.UUCP (George Robbins)
Newsgroups: comp.sys.amiga,comp.sys.amiga.tech
Subject: Re: New Year's Virus Report
Message-ID: <5602@cbmvax.UUCP>
Date: 1 Jan 89 07:30:17 GMT
References: <5601@cbmvax.UUCP>
Reply-To: grr@cbmvax.UUCP (George Robbins)
Organization: Commodore Technology, West Chester, PA
Lines: 34

More info from Steve Tibbett and co. and on the New Year's virus this evening:

From BIX:

==========
One more item on the IRQ virus. If it can't attack your Startup-Sequence
it will home in on C:DIR just to be sure that it gets executed. This is a
benign intruder that can mutate to something real nasty in the hands of a
sicko. We have the start of a real problem here.

Djj

[ which is to say it will modify the dir command if it can't mess with
  the startup-sequence... ]

==========
No, (I'm a bit rusty on this hunk stuff) I believe it sticks another code
hunk at the beginning of your program, about 1.1K, and when it's done its
job, it calls your original program. Note that if the first file in your
startup sequence is over 100K long, it won't infect it. (big help, that...
8-)

I'm thinking of having an option in VirusX (or probably a separate
standalone utility) that would block any CMD_WRITE operation to a disk
device (and something that would just block Write() attempts), and give
the user a requester showing who asked for the Write, and a Yes/No option.
Not much good for general use, but it would help when checking out unknown
programs.

...Steve

-- 
George Robbins - now working for,     uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing    arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department     fone: 215-431-9255 (only by moonlite)
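
Added example, not part of the original post and not VirusX code: a triage check for the behaviour described above (an extra code hunk of about 1.1K at the front of the program). It reads the hunk size table of an AmigaDOS load file and flags a small leading hunk for review. The size window, the 100K = 100 * 1024 reading, and the names hunk_sizes, triage and make_sample are assumptions for illustration.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2  # AmigaDOS hunk type IDs

def hunk_sizes(data):
    """Byte size of each hunk listed in the HUNK_HEADER size table."""
    def long_at(off):
        if off + 4 > len(data):
            raise ValueError("truncated hunk header")
        return struct.unpack_from(">I", data, off)[0]

    if long_at(0) != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    off = 4
    # Resident library names: (length in longwords, name) entries, ended by 0.
    while (n := long_at(off)) != 0:
        off += 4 + 4 * n
    # After the terminator: table size, first hunk, last hunk, then the sizes.
    first, last = long_at(off + 8), long_at(off + 12)
    if last < first:
        raise ValueError("bad hunk range")
    # Sizes are in longwords; the top two bits are memory-type flags.
    return [(long_at(off + 16 + 4 * i) & 0x3FFFFFFF) * 4
            for i in range(last - first + 1)]

# Assumptions taken from the post's rough figures, not a signature:
# "about 1.1K" leading hunk, and originals over 100K are left alone.
FIRST_HUNK_WINDOW = (1000, 1300)
MAX_ORIGINAL = 100 * 1024

def triage(data):
    """Flag files whose first hunk is small and is followed by more hunks."""
    sizes = hunk_sizes(data)
    lo, hi = FIRST_HUNK_WINDOW
    flag = (len(sizes) >= 2 and lo <= sizes[0] <= hi
            and len(data) <= MAX_ORIGINAL + hi)
    return {"hunk_bytes": sizes, "needs_review": flag}

def make_sample(hunk_longs):
    """Constructed input: header plus zero-filled HUNK_CODE hunks."""
    count = len(hunk_longs)
    out = struct.pack(">5I", HUNK_HEADER, 0, count, 0, count - 1)
    out += struct.pack(">%dI" % count, *hunk_longs)
    for n in hunk_longs:
        out += (struct.pack(">2I", HUNK_CODE, n) + bytes(4 * n)
                + struct.pack(">I", HUNK_END))
    return out

if __name__ == "__main__":
    print(triage(make_sample([275, 2000])))  # small leading hunk
    print(triage(make_sample([2000, 275])))  # large leading hunk
```

A flag only means the file deserves a closer look, for instance by comparing it with a known-good copy; a small first hunk on its own proves nothing.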