Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!samsung!usc!elroy.jpl.nasa.gov!jarthur!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: vronay%castor.usc.edu@usc.edu (Iceman)
Newsgroups: comp.virus
Subject: Re: WDEF details (Mac)
Message-ID: <0015.9002231213.AA10580@ge.sei.cmu.edu>
Date: 23 Feb 90 03:53:02 GMT
Sender: Virus Discussion List
Lines: 35
Approved: krvw@sei.cmu.edu

Understanding how WDEF works can tell you bunches about the current state of viruses on the Mac.

First, it is important to note that the Mac is susceptible to computer viruses due to the large number of trap-dispatched routines built into the computer. These so-called "toolbox routines" provide the programmer with all of the code s/he needs to create the Macintosh look and feel. Now, since this code can change for different versions of the Mac, the routines are accessed through a trap-dispatch mechanism. Basically, each routine has a number, and you call that number instead of the actual routine. The built-in trap dispatcher will then look up the location in memory of the trap and start executing.

Some viruses and most anti-virus programs work by rewriting these trap addresses, so that instead of calling the built-in ROM code, they call the virus/anti-virus code instead. This code will usually eventually call the ROM routine as well - perhaps after asking for permission to execute a suspicious instruction.

WDEF goes one step up in this. It first removes all of the patches on the toolbox routines it wants to use. This effectively disables any anti-virus code that was there. Next, it figures out what machine you are running on and patches the traps back to what it thinks they should be for that machine. (BTW, this is why WDEF initially crashed the new machines - it didn't know the proper patches for them.) It then copies itself, and sets the traps back to what they were before it started, leaving the anti-viral software totally unaware that anything happened.
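A small C model of the mechanism described above, added here and not part of the original post: a trap table indexed by routine number, an anti-virus style patch that chains to the saved ROM entry, and the remove-patch / call-ROM / restore-patch sequence, followed by two checks a monitor might make. The routine name TRAP_DRAWWINDOW, the table size and the call counters are constructed for the model and are not real Macintosh trap numbers or ROM behaviour.

```c
/* Model of the trap-dispatch table: one slot per toolbox routine number.
   TRAP_DRAWWINDOW and the table size are constructed for this model and
   are not real Macintosh A-trap numbers. */
typedef void (*trap_fn)(void);
enum { TRAP_DRAWWINDOW = 0, N_TRAPS = 1 };
static trap_fn trap_table[N_TRAPS];  /* what the dispatcher actually jumps to */
static trap_fn rom_table[N_TRAPS];   /* the ROM entry point for this machine */
static int rom_calls, hook_calls;    /* model-only counters; real ROM cannot count */

static void rom_drawwindow(void) { rom_calls++; }   /* stands in for ROM code */

/* Programs call a trap by number; the dispatcher looks the address up. */
static void dispatch(int trap) { trap_table[trap](); }

/* Anti-virus style patch: note the call, then chain to the saved ROM entry. */
static trap_fn saved_drawwindow;
static void av_hook_drawwindow(void) { hook_calls++; saved_drawwindow(); }
static void install_av_hook(void) {
    saved_drawwindow = trap_table[TRAP_DRAWWINDOW];
    trap_table[TRAP_DRAWWINDOW] = av_hook_drawwindow;
}

/* The sequence the post describes: reset the trap to the ROM address this
   machine should have, use it, then put back whatever patch was there. */
static void unpatched_call(void) {
    trap_fn before = trap_table[TRAP_DRAWWINDOW];
    trap_table[TRAP_DRAWWINDOW] = rom_table[TRAP_DRAWWINDOW];
    dispatch(TRAP_DRAWWINDOW);
    trap_table[TRAP_DRAWWINDOW] = before;
}

struct result { int snapshot_matches; int hook_bypassed; };

struct result run_scenario(void) {
    struct result r;
    trap_fn snapshot;
    rom_calls = hook_calls = 0;
    trap_table[TRAP_DRAWWINDOW] = rom_table[TRAP_DRAWWINDOW] = rom_drawwindow;
    install_av_hook();
    snapshot = trap_table[TRAP_DRAWWINDOW];  /* a monitor's reference copy of the table */
    dispatch(TRAP_DRAWWINDOW);   /* ordinary application call: passes through the hook */
    unpatched_call();            /* the call that never reaches the hook */
    r.snapshot_matches = trap_table[TRAP_DRAWWINDOW] == snapshot;  /* 1: table looks untouched */
    r.hook_bypassed = rom_calls != hook_calls;                     /* 1: two ROM calls, one hook call */
    return r;
}
```

A real ROM keeps no counters, so the second check is not something a Macintosh anti-virus INIT of the time could make; the point of the model is that a monitor which only re-reads the trap table cannot see a patch that is removed and restored between its checks.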
- -ice
================================
reply to: iceman@applelink.apple.com
AppleLink: ICEMAN
disclaimer: (not (apples-opinion-p (opinions 'ice))) => T
================================