Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!usc!elroy.jpl.nasa.gov!jarthur!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: zben@umd5.umd.edu (Ben Cranston)
Newsgroups: comp.virus
Subject: Re: WDEF details (Mac)
Message-ID: <0014.9002231213.AA10580@ge.sei.cmu.edu>
Date: 22 Feb 90 20:48:14 GMT
Sender: Virus Discussion List
Lines: 37
Approved: krvw@sei.cmu.edu

DUCKENFP@carleton.edu(Paul Duckenfield (Consultant, User Services)) writes:

> WDef is a system resource which (basically) tells the Mac how
> to draw its windows. There are several programs in the FREE/SHAREware
> market which change how the windows appear on your Mac's screen. They
> make it look like a NeXT or MS Windows or some other form other than
> the "standard Apple"-look. They take advantage of the WDef resource in
> the SYSTEM file.
> Incidentally, I have heard reports that it is possible
> (although not easy) for someone to rename the WDef virus's resource to
> CDef. Potentially this will create another virus, exactly the same as
> the first except for the name, which can propagate quickly as well.
> Anyone know anything about this?

In the same way WDEF resources define the behaviour of windows, CDEF
resources define the behaviour of "controls" (pushbuttons, scroll bars,
etc). While it would not be possible to just retype the WDEF as a CDEF,
it would certainly be possible to write a virus that would live in a
CDEF resource (or for that matter any other executable resource type).

IMHO the real problem is that Finder opens these resource files and
leaves them in the search chain, relying on them not to contain any
resources that might mask the real resources in the Finder and System
files. If Finder were to ensure that these files are in the search
chain only when the Desktop resources are being fetched, these viruses
would not be possible.

- --
Sig DS.L ('ZBen') ; Ben Cranston
* Network Infrastructures Group, Computer Science Center
* University of Maryland at College Park
* of Ulm
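
The search-chain masking described in the reply above, and the fix it proposes, as a toy Python model added here (not part of the original post and not Apple's Resource Manager code). The class and function names, the "most recently opened file is searched first" ordering, and the sample Desktop contents are assumptions constructed for illustration.

```python
from contextlib import contextmanager

# Resource types that hold executable definition procedures.
EXECUTABLE_TYPES = {"WDEF", "CDEF", "MDEF", "LDEF"}

class ResourceFile:
    def __init__(self, name, resources):
        self.name = name
        self.resources = dict(resources)  # {(type, id): data}

class SearchChain:
    """Toy chain: the most recently opened file is searched first."""
    def __init__(self, system):
        self.files = [system]

    def get(self, rtype, rid):
        # Chain-wide lookup: the first file holding (type, id) wins.
        for rf in self.files:
            if (rtype, rid) in rf.resources:
                return rf.name
        return None

    @contextmanager
    def scoped(self, rf):
        # The post's proposal: the file is in the chain only while its
        # own resources are being fetched, then it is removed again.
        self.files.insert(0, rf)
        try:
            yield self
        finally:
            self.files.remove(rf)

def executable_resources(rf):
    """Defender's check: code-bearing resources in a file that should hold data."""
    return sorted(key for key in rf.resources if key[0] in EXECUTABLE_TYPES)

def demo():
    system = ResourceFile("System", {("WDEF", 0): "standard window code"})
    # Constructed sample: a Desktop file carrying an unexpected WDEF 0.
    desktop = ResourceFile("Desktop", {("ICN#", 128): "icon", ("WDEF", 0): "foreign code"})

    leaky = SearchChain(system)
    leaky.files.insert(0, desktop)          # opened and left in the chain
    masked = leaky.get("WDEF", 0)           # "Desktop": the System copy is masked

    fixed = SearchChain(system)
    with fixed.scoped(desktop):
        icon_from = fixed.get("ICN#", 128)  # "Desktop"
    restored = fixed.get("WDEF", 0)         # "System"
    return masked, icon_from, restored, executable_resources(desktop)
```

`demo()` returns which file supplied WDEF 0 in each case, plus the list of code-bearing resources found in the data file, which is the same check a scanner can run against a Desktop file.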