Path: utzoo!attcan!uunet!cbmvax!rutgers!mcnc!thorin!unc!bell
From: bell@unc.cs.unc.edu (Andrew Bell)
Newsgroups: comp.sys.amiga
Subject: Re: The ultimate fix!!!
Message-ID: <4374@thorin.cs.unc.edu>
Date: 26 Sep 88 14:47:19 GMT
References: <681@zehntel.UUCP> <3084@hermes.ai.mit.edu> <4197@thorin.cs.unc <9381@cup.portal.com>
Sender: news@thorin.cs.unc.edu
Reply-To: bell@unc.UUCP (Andrew Bell)
Organization: University Of North Carolina, Chapel Hill
Lines: 39

In article <9381@cup.portal.com> dan-hankins@cup.portal.com writes:
>In article <4320@thorin.cs.unc.edu> bell@unc.cs.unc.edu (Andrew Bell) writes:
>
>>It can recognize it, but how much code will it take to change it? If there
>>are *multiple* bbcs around, the virus will have to account for many of them
>...
>
>Okay, let's assume you've made it impractical for a virus writer to put his
>virus in the boot block. This is no deterrent. Any executable file is a
>potential virus carrier. One such IBM PC virus, called the Jerusalem Virus
>or JV after the location of its discovery, did just this.

[Then he talks about how this Trojan Horse works]

>Dan Hankins

'Taint a virus, that's a Trojan Horse. And VirusX etc. can't do anything
about that sort of thing either, unless I'm entirely mistaken. I'd be
surprised if anything could; novices tend not to write-protect disks, and
more experienced folks can't write-protect their hard disk. Putting the
system on the hard disk means that the program can discreetly add its code
to programs on the hard disk, without the strange accessing being a
giveaway. You really want your system code on a write-protectable medium
if you want hardware virus/Trojan Horse protection, and even that only
keeps your system uncorrupted. (Actually, you might call such the Jerusalem
Virus a virus, as they obviously did, but it is transmitted via Trojan Horse
techniques.)

The only possible way I can think of to defend against these sorts of
malicious software is to monitor the various system pointers, and have it
pointed out when a device driver has been modified. If the various
anti-virus programs do that then I apologize for my misstatement at the top;
if they don't they might consider doing it.

-Andrew Bell
The Schizophrenic Grad Student
bell@cs.unc.edu acb@cs.duke.edu