Path: utzoo!utgpu!watmath!clyde!att!osu-cis!killer!netsys!lll-winken!snll-arpagw!paolucci
From: paolucci@snll-arpagw.UUCP (Sam Paolucci)
Newsgroups: comp.sys.amiga
Subject: Re: IRQ virus
Message-ID: <28@snll-arpagw.UUCP>
Date: 9 Jan 89 01:28:48 GMT
References: <27@snll-arpagw.UUCP> <3243@sugar.uu.net>
Reply-To: paolucci@snll-arpagw.UUCP (Sam Paolucci)
Organization: Sandia National Labs, Livermore, CA
Lines: 26

In article <3243@sugar.uu.net> peter@sugar.uu.net (Peter da Silva) writes:
->In article <27@snll-arpagw.UUCP>, paolucci@snll-arpagw.UUCP (Sam Paolucci) writes:
->> Then when the program is started up
->> the first thing it does is compute its checksum and it checks the
->> result with the one stored in the code. If the two match then it
->> runs, otherwise it doesn't and a message to that effect could be
->> printed out.
->
->I don't think that would even catch the IRQ virus, because it sticks all the
->program's code in a data hunk... which when loaded should end up with the
->right checksum. If it actually went to disk to re-read itself, then the virus
->could fake a copy of the original in RAM.

Ideally the checksum should be done by the startup code, and all the
hunks should be included in the check.

->--
->Peter "Have you hugged your wolf today" da Silva `-_-' Hackercorp.
->...texbell!sugar!peter, or peter@sugar.uu.net 'U`

--
-+= SAM =+- "the best things in life are free"
ARPA: paolucci@snll-arpagw.llnl.gov
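
The difference between the two checks discussed in this thread, as an added example that is not part of the original posts: a check over the program's own code bytes still passes when those bytes are carried in a data hunk, while a digest over every hunk in the load file does not. Assumptions: SHA-256 stands in for the unspecified checksum, all function names are hypothetical, both load files are constructed, and the parser handles only header, code, data and end hunks.

```python
import hashlib
import struct

# Amiga load-file hunk IDs; this example handles only this subset.
HUNK_CODE, HUNK_DATA, HUNK_END, HUNK_HEADER = 0x3E9, 0x3EA, 0x3F2, 0x3F3

def build(hunks):
    """Build a constructed load file from (type, payload) pairs (payloads are whole longwords)."""
    words = [HUNK_HEADER, 0, len(hunks), 0, len(hunks) - 1]
    words += [len(p) // 4 for _, p in hunks]
    out = struct.pack(f">{len(words)}I", *words)
    for htype, payload in hunks:
        out += struct.pack(">II", htype, len(payload) // 4) + payload
        out += struct.pack(">I", HUNK_END)
    return out

def parse(data):
    """Return [(type, payload)] for every CODE/DATA hunk, in file order."""
    words = struct.unpack(f">{len(data) // 4}I", data)
    if words[0] != HUNK_HEADER or words[1] != 0:
        raise ValueError("not a load file this example understands")
    pos, hunks = 5 + (words[4] - words[3] + 1), []
    while pos < len(words):
        htype = words[pos] & 0x3FFFFFFF      # strip memory-flag bits
        pos += 1
        if htype == HUNK_END:
            continue
        if htype not in (HUNK_CODE, HUNK_DATA):
            raise ValueError(f"unhandled hunk type {htype:#x}")
        n = words[pos] & 0x3FFFFFFF          # payload length in longwords
        hunks.append((htype, data[(pos + 1) * 4:(pos + 1 + n) * 4]))
        pos += 1 + n
    return hunks

def all_hunks_digest(data):
    """Digest over every hunk's type, length and payload, in order."""
    h = hashlib.sha256()
    for htype, payload in parse(data):
        h.update(struct.pack(">II", htype, len(payload)) + payload)
    return h.hexdigest()

def code_only_check(data, expected):
    """Narrow check: passes if the program's own code bytes sit unchanged in any hunk."""
    return any(hashlib.sha256(p).hexdigest() == expected for _, p in parse(data))

PROGRAM = b"PROGCODE" * 2   # constructed stand-in for the program's code
PROGRAM_DIGEST = hashlib.sha256(PROGRAM).hexdigest()
clean = build([(HUNK_CODE, PROGRAM), (HUNK_DATA, b"DATA")])
# Constructed layout matching the post: the original code now sits in a data hunk.
altered = build([(HUNK_CODE, b"\0" * 8), (HUNK_DATA, PROGRAM), (HUNK_DATA, b"DATA")])

if __name__ == "__main__":
    print(code_only_check(altered, PROGRAM_DIGEST), all_hunks_digest(altered) == all_hunks_digest(clean))
```

The reference value for `all_hunks_digest` has to be recorded from a known-good copy and kept outside the file being checked.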