Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!amdcad!sun!pitstop!sundc!seismo!uunet!portal!cup.portal.com!dan-hankins
From: dan-hankins@cup.portal.com
Newsgroups: comp.sys.amiga
Subject: Re: The ultimate fix!!!
Message-ID: <9318@cup.portal.com>
Date: 20 Sep 88 23:50:46 GMT
References: <681@zehntel.UUCP> <3084@hermes.ai.mit.edu> <4197@thorin.cs.unc
Organization: The Portal System (TM)
Lines: 26
XPortal-User-Id: 1.1001.5361


     In article "Re: The Ultimate fix!!!" of 9/19/88 15:45 bell@unc.cs.unc.edu
(Andrew Bell) writes:

>Have the boot block program check where it's running in memory.  On a cold
...
>Presumably a virus that copied the boot block code
>elsewhere would have to do a good bit of work to set things up again so the
>boot block code ran from the same point in memory.  If the boot block code
>did a complex checksum on all the stuff beneath it, it could be very hard to
>fool the bbc into thinking it's running on a virus-free environment.
>If there are multiple bbc's out there, it would be hard for a virus to
>determine which one is on a given disk and modify it so it doesn't check
>its location.

     So when a new boot block comes out, the virus writer simply writes a new
version of his virus that checks for the new code, the same way that Marauder
comes out with a new Brain File that checks for more copy protections.  The
virus program doesn't have to have a copy of a boot block in order to
recognize it; a four or eight byte CRC will do the job admirably.

     Besides, an infection that only hits one out of eight machines is still
destructive.  It will still spread.


Dan Hankins