Path: utzoo!attcan!uunet!cbmvax!rutgers!mcnc!thorin!unc!bell
From: bell@unc.cs.unc.edu (Andrew Bell)
Newsgroups: comp.sys.amiga
Subject: Re: The ultimate fix!!!
Message-ID: <4374@thorin.cs.unc.edu>
Date: 26 Sep 88 14:47:19 GMT
References: <681@zehntel.UUCP> <3084@hermes.ai.mit.edu> <4197@thorin.cs.unc <9381@cup.portal.com>
Sender: news@thorin.cs.unc.edu
Reply-To: bell@unc.UUCP (Andrew Bell)
Organization: University Of North Carolina, Chapel Hill
Lines: 39

In article <9381@cup.portal.com> dan-hankins@cup.portal.com writes:
>In article <4320@thorin.cs.unc.edu> bell@unc.cs.unc.edu (Andrew Bell) writes:
>
>>It can recognize it,  but how much code will it take to change it?  If there
>>are *multiple* bbcs around,  the virus will have to account for many of them
>...
>
>Okay, let's assume you've made it impractical for a virus writer to put his
>virus in the boot block.  This is no deterrent.  Any executable file is a
>potential virus carrier.  One such IBM PC virus, called the Jerusalem Virus
>or JV after the location of its discovery, did just this.

[Then he talks about how this Trojan Horse works] 

>Dan Hankins

'Taint a virus,  that's a Trojan Horse.  And VirusX etc. can't do anything
about that sort of thing either,  unless I'm entirely mistaken.  I'd be
surprised if anything could; novices tend not to write-protect disks, and
more experienced folks can't write-protect their hard disk.  Putting the
system on the hard disk means that the program can discreetly add its code
to programs on the hard disk,  without the strange accessing being a giveaway.
You really want your system code on a write-protectable medium if you want
hardware virus/Trojan Horse protection,  and even that only keeps your system
uncorrupted.
  
(Actually,  you might call the Jerusalem Virus a virus, as they obviously
did,  but it is transmitted via Trojan Horse techniques.)

The only possible way I can think of to defend against these sorts of
malicious software is to monitor the various system pointers,  and have it
pointed out when a device driver has been modified.  If the various anti-
virus programs do that then I apologize for my misstatement at the top; if
they don't they might consider doing it.

    -Andrew Bell
The Schizophrenic Grad Student
bell@cs.unc.edu
acb@cs.duke.edu
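
The defence suggested in the last paragraph of the post above, sketched as an added example that is not part of the original post or of any anti-virus program it mentions: record each system pointer and a checksum of the code behind it, then report any that change. The vector table, the labels "disk" and "keyboard", and all byte values are constructed stand-ins, not real Amiga structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for one system pointer: a label, the address the
   system jumps through, and the length of the handler code found there. */
struct vector { const char *name; const uint8_t *target; size_t len; };
/* Recorded for each vector while the system is known good. */
struct baseline { const uint8_t *target; uint32_t sum; };
enum { VEC_OK, VEC_REDIRECTED, VEC_PATCHED };

/* Adler-32 flags changes but is not cryptographic; assumed adequate here. */
static uint32_t adler32(const uint8_t *p, size_t n) {
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < n; i++) { a = (a + p[i]) % 65521u; b = (b + a) % 65521u; }
    return (b << 16) | a;
}

void take_baseline(const struct vector *v, struct baseline *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        b[i] = (struct baseline){ v[i].target, adler32(v[i].target, v[i].len) };
}

/* A moved pointer is reported before the code behind it is examined. */
int check_vector(const struct vector *v, const struct baseline *b) {
    if (v->target != b->target) return VEC_REDIRECTED;
    if (adler32(v->target, v->len) != b->sum) return VEC_PATCHED;
    return VEC_OK;
}

/* Print every vector that no longer matches; return how many changed. */
size_t report_changes(const struct vector *v, const struct baseline *b, size_t n) {
    static const char *why[] = { "ok", "pointer redirected", "code modified in place" };
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        int s = check_vector(&v[i], &b[i]);
        if (s == VEC_OK) continue;
        printf("%s: %s\n", v[i].name, why[s]);
        changed++;
    }
    return changed;
}

int main(void) {
    uint8_t disk[] = {0x4e, 0x75}, kbd[] = {0x4e, 0x75}, other[] = {0x60, 0xfe};
    struct vector v[] = { {"disk", disk, 2}, {"keyboard", kbd, 2} };  /* constructed */
    struct baseline b[2];
    take_baseline(v, b, 2);
    kbd[0] = 0x60; v[0].target = other;   /* simulate both kinds of tampering */
    return report_changes(v, b, 2) == 2 ? 0 : 1;
}
```

The baseline is only trustworthy if it is taken before anything untrusted has run and is stored where the monitored code cannot rewrite it.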