Path: utzoo!dptcdc!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!erd
From: erd@tut.cis.ohio-state.edu (Ethan R Dicks)
Newsgroups: comp.sys.amiga
Subject: Re: Locks and Viruses. Another 1.4 wish?
Message-ID: <43927@tut.cis.ohio-state.edu>
Date: 18 Apr 89 04:43:18 GMT
References: <17304@cup.portal.com>
Reply-To: Ethan R Dicks
Distribution: na
Organization: Ohio State University Computer and Information Science
Lines: 48

In article <17304@cup.portal.com> whirt@cup.portal.com (William Bill Hirt) writes:
>
>Having read in a previous post from CATS (Bryce?), that the IRQ virus
>uses the trackdisk.device directly to get around any protection bits
>stored with a file, it has left me wondering about the safety of using
>the AmigaDOS LOCK command.

[ stuff deleted for brevity ...]

>to the trouble of re-formatting and re-partitioning an 80 megabyte drive.
>(Please note that I plan on making my DH0: partition microscopic in size,
>and transfer control immediately to the FFS partition(s), thereby
>(hopefully) leaving minimal room for viri to incubate...)

As I recall the discussion, YES, Lock is effective against the IRQ virus.
It would probably be best to use the password feature of Lock to prevent
any future device from overriding or releasing the Lock.

As for a microscopic DH0: partition... that is not the right approach to
take with this virus. You always did want a small DH0: partition, only
containing the barest essentials needed to mount a FFS partition and
transfer control to it. Having a small DH0:, even if Locked will not
affect the behavior of the virus.

Remember, the IRQ opens the file ":s/startup-sequence" not
"s:startup-sequence" which allows it to affect *ANY* file structured
device which AmigaDOS knows about. Exec level devices like
trackdisk.device and hddisk.device do not enter into this scheme, only
DOS level devices like DH0: and DF0: do. This is why Lock is effective.

Also remember that the IRQ will infect ":c/Dir" not "c:Dir" allowing it to
infect the :c directory on your *current* device, whatever that is
(including RAM: and RAD:) Having your C: on a Locked partition is wise.
Assuming that a Locked DH0: will protect you is NOT!

Quick summary: the IRQ opens :s/startup-sequence to find the name of the
first file to infect. If the virus cannot infect the file whose name
appears on the first line of :s/startup-sequence, it tries to infect
:c/Dir.

*** The IRQ infects files on your *CURRENT* device, not on an absolute path ***

Hope this makes it clear,

-ethan
--
Ethan R. Dicks       | ######  This signifies that the poster is a member in
Software Results Corp|   ##    good sitting of Inertia House: Bodies at rest.
940 Freeway Drive N. |   ##
Columbus OH    43229 | ######  "You get it, you're closer."
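
The current-device point in the post above, as an added example that is not part of the original post: a small model of AmigaDOS path resolution showing where ":c/Dir" and "c:Dir" land for a given current device. The device names, the C: and S: assigns and the set of Locked partitions are constructed sample values, and a Locked partition is assumed to be unwritable through DOS.

```python
# Added illustration, not from the original post. Models two AmigaDOS path
# forms: ":x/y" (root of the CURRENT device) and "NAME:x" (a named device
# or a logical assign). All sample data below is constructed.

ASSIGNS = {"C": "DH0:c", "S": "DH0:s"}   # constructed: C: and S: live on DH0:
LOCKED = {"DH0"}                         # constructed: DH0: is Locked

def resolve(path, current_device, assigns):
    """Return (device, path_on_device) for an AmigaDOS-style path."""
    if path.startswith(":"):
        # Leading colon: root of whatever device is current right now.
        return current_device.upper(), path[1:]
    name, sep, rest = path.partition(":")
    if not sep:
        # No colon at all: relative path (current directory assumed at root).
        return current_device.upper(), path
    name = name.upper()                  # device names are case-insensitive
    if name in assigns:
        # Logical assign: resolve its target, then append the remainder.
        dev, base = resolve(assigns[name], current_device, assigns)
        return dev, "/".join(p for p in (base, rest) if p)
    return name, rest

def exposure(current_device, assigns=ASSIGNS, locked=LOCKED):
    """Map each path form to (resolved location, writable?)."""
    report = {}
    for path in (":s/startup-sequence", "s:startup-sequence",
                 ":c/Dir", "c:Dir"):
        dev, rel = resolve(path, current_device, assigns)
        report[path] = (f"{dev}:{rel}", dev not in locked)
    return report

if __name__ == "__main__":
    for current in ("DH0", "DH1", "RAM"):
        print(f"current device = {current}:")
        for path, (where, writable) in exposure(current).items():
            state = "WRITABLE" if writable else "locked"
            print(f"  {path:22} -> {where:26} {state}")
```

With C: assigned to a Locked DH0:, "c:Dir" always resolves to the protected copy, while ":c/Dir" follows the current device and is only protected when that device is itself Locked.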