Path: utzoo!attcan!uunet!lll-winken!ames!oliveb!3comvax!tymix!antares!jms
From: jms@antares.UUCP (joe smith)
Newsgroups: comp.sys.amiga
Subject: Re: IRQ virus
Message-ID: <340@antares.UUCP>
Date: 13 Jan 89 08:03:22 GMT
References: <27@snll-arpagw.UUCP> <13341@cup.portal.com> <29@snll-arpagw.UUCP>
Reply-To: jms@antares.UUCP (joe smith)
Organization: Tymnet QSATS, San Jose CA
Lines: 32

In article <29@snll-arpagw.UUCP> paolucci@snll-arpagw.UUCP (Sam Paolucci) writes:
>In article <13341@cup.portal.com> dan-hankins@cup.portal.com (Daniel B Hankins) writes:
>->Re self-checking programs: Not effective. The virus prepends itself to
>->the program. After the virus executes, *then* it loads the regular program
>->and runs it. The regular program never knows the virus was there. The
>->checksum matches.
>
>Not if the checksum code is part of the startup code.

Sorry, Sam, it won't work. We are talking about two sets of startup code
here.

Let's say that a copy of DIR is infected. When you type "dir", AmigaDOS
loads the infected program and runs the virus's startup code (the original
dir hunks are stored in the virus's data hunk). After the virus has done
its dirty work, it makes sure that the original dir hunks are stored in
memory the same way that the AmigaDOS loader would have done with the
uninfected copy of the program. The dir startup code now runs, calculates
the checksum of the program as it exists in memory, and comes to the
conclusion that everything is OK. The dir startup code cannot detect that
damage has already been done.

Therefore, putting the checksum code in the startup code is not the answer.

Please note that I am interpreting your one-line response as an indication
that we are not talking about verifying checksums of programs as they
reside on disk, and not talking about putting checksum algorithms into
the AmigaDOS loader. (Arguments against them have already been posted.)
--
+----------------------------------------------------------------------------+
| TYMNET:JMS@F29 CA:"POPJ P," UUCP:{ames|pyramid}oliveb!tymix!antares!jms |
| INTERNET:(Real Soon Now) Amiga Hacker PHONE:Joe Smith @ (408)922-6220 |
+----------------------------------------------------------------------------+
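
The load sequence described in the post above, as a small Python model added here (not part of the original post, and not AmigaDOS code). The hunks are constructed byte strings, SHA-256 stands in for whatever checksum the startup code would use, and every name is hypothetical.

```python
import hashlib
import struct

# Constructed stand-ins for a program's hunks; not real AmigaDOS hunk data.
ORIGINAL = [b"dir code hunk (constructed)", b"dir data hunk (constructed)"]
STUB = b"FOREIGN-STARTUP (constructed marker)"

def checksum(hunks):
    """Digest over the hunks in order; stands in for any self-check sum."""
    h = hashlib.sha256()
    for hunk in hunks:
        h.update(hunk)
    return h.hexdigest()

EXPECTED = checksum(ORIGINAL)  # value the program's own startup code carries

def pack(hunks):
    """Length-prefix each hunk so a list of hunks fits inside one data hunk."""
    return b"".join(struct.pack(">I", len(h)) + h for h in hunks)

def unpack(blob):
    """Inverse of pack(): recover the list of hunks from one data hunk."""
    hunks, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack_from(">I", blob, pos)
        hunks.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return hunks

def prepended_file(hunks):
    """File layout from the post: foreign startup hunk, original hunks as data."""
    return [STUB, pack(hunks)]

def run(file_hunks):
    """Model load-and-run; returns (foreign_code_ran, self_check_passed)."""
    memory = list(file_hunks)      # loader places the file's hunks in memory
    foreign_ran = memory[0] == STUB
    if foreign_ran:
        # The foreign startup code has already executed by this point. It then
        # lays the original hunks out the way the loader would have.
        memory = unpack(memory[1])
    # Only now does the program's own startup code run its self-check.
    return foreign_ran, checksum(memory) == EXPECTED

def stored_file_matches(file_hunks):
    """Check the file as stored, not the in-memory image the program sees."""
    return checksum(file_hunks) == EXPECTED
```

In this model `run(prepended_file(ORIGINAL))` reports that foreign code ran and that the self-check still passed, while `stored_file_matches` on the same file is false: the difference exists only in the stored file, which the startup check never examines.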