Path: utzoo!attcan!uunet!tektronix!tekig5!tekig4!bradn
From: bradn@tekig4.TEK.COM (Bradford Needham)
Newsgroups: comp.sys.mac.programmer
Subject: Re: Suggestion for virus prevention
Summary: applications should check their code resources for infection.
Keywords: CODE resource virus detection
Message-ID: <3614@tekig4.TEK.COM>
Date: 11 Jan 89 20:32:36 GMT
References: <1272@viscous.sco.COM>
Reply-To: bradn@tekig4.TEK.COM (Bradford Needham)
Followup-To: comp.sys.mac.programmer
Organization: Tektronix, Inc., Beaverton,  OR.
Lines: 25

In article <1272@viscous.sco.COM> jamesm@sco.COM (James M. Moore) writes:
>Would having programs... check their CODE resources
>...help prevent the spread of the current strain of viruses?  

Since all of the known viruses infect applications by adding and modifying
CODE resources, this check should detect any such infection of an application.

In fact, I recently added such code to my latest project (in Lightspeed C).
The code has a table of the program's expected CODE resources and their
sizes.  On startup, the program compares the size and Resource ID of
each available CODE resource against the numbers in the table.  Any
differences cause a dialog to appear, saying (basically) "This
application may be infected by a virus.  Here's the CODE resource that
looks funny."

To make a release of your program, you build it once, see what the CODE
resources look like, then update the table of expected CODE resources
and rebuild the program.

The source code fragment is pretty straightforward, but I can post it
if folks are interested.


Brad Needham
bradn@tekig4.TEK.COM