Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!amdcad!sun!pitstop!sundc!seismo!uunet!portal!cup.portal.com!dan-hankins
From: dan-hankins@cup.portal.com
Newsgroups: comp.sys.amiga
Subject: Re: The ultimate fix!!!
Message-ID: <9318@cup.portal.com>
Date: 20 Sep 88 23:50:46 GMT
References: <681@zehntel.UUCP> <3084@hermes.ai.mit.edu> <4197@thorin.cs.unc
Organization: The Portal System (TM)
Lines: 26
XPortal-User-Id: 1.1001.5361

In article "Re: The Ultimate fix!!!" of 9/19/88 15:45 bell@unc.cs.unc.edu
(Andrew Bell) writes:

>Have the boot block program check where it's running in memory. On a cold
...
>Presumably a virus that copied the boot block code
>elsewhere would have to do a good bit of work to set things up again so the
>boot block code ran from the same point in memory. If the boot block code
>did a complex checksum on all the stuff beneath it, it could be very hard to
>fool the bbc into thinking it's running on a virus free environment.
>If there are multiple bbc's out there, it would be hard for a virus to
>determine which one is on a given disk and modify it so it doesn't check
>its location.

So when a new boot block comes out, the virus writer simply writes a new
version of his virus that checks for the new code, the same way that Marauder
comes out with a new Brain File that checks for more copy protections.

The virus program doesn't have to have a copy of a boot block in order to
recognize it; a four or eight byte CRC will do the job admirably.

Besides, an infection that only hits one out of eight machines is still
destructive. It will still spread.

Dan Hankins