Path: utzoo!utgpu!watmath!clyde!att!rutgers!rochester!pt.cs.cmu.edu!*!postman+
From: ll12+@andrew.cmu.edu (Laura Ann Lemay)
Newsgroups: comp.sys.mac
Subject: Re: nVIR virus found in "Kill Virus"
Message-ID: 
Date: 30 Nov 88 11:37:05 GMT
Organization: Carnegie Mellon
Lines: 28


Tim Maroney says:

>In article <3ff51312.129dc@blue.engin.umich.edu> billkatt@caen.engin.umich.edu
>(Steve Bollinger) writes:
>>nVIR works by patching the CODE resource ID=0 to jump to itself.  INITs don't
>>contain CODE resources, although they do contain INIT resources which consist
>>of code, but that isn't the same thing.  Therefore, there is no way for nVIR to
>>patch anything in order to be executed.  It is a common misconception that
>>you can just place a resource in a file and it will be executed automatically.
>
>That's exactly how a hypothetical INIT virus would work.  The INIT 31
>mechanism will execute all INIT resources with legal ids in an INIT,
>RDEV, or cdev file.  It's much easier to write an INIT virus than an
>application virus, since all you have to do is put the resource into
>the file.  No jump table patching is required.

Yes yes yes.  But the point Steve (as well as myself) is making is that *nVIR*
resources cannot be run without the jump table patching, which INITs don't
have.  A hypothetical virus was not what we were talking about.

And discussion of how to write a "hypothetical virus" might well be better
conducted through Email, rather than posting....who knows what evil hackers
might be out there looking for ideas. :-)



-Laura Lemay

ll12+@andrew.cmu.edu   (nice mail only, I'm a sensitive soul)  :-)
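
An added example, not part of the original post or of any tool the thread mentions: a defender's check that reads a classic Mac OS resource map and reports what the thread's distinction implies for a given file. It assumes the infection leaves resources of type `nVIR`, that the caller supplies the Finder file type (`APPL` is used for an application), and the sample forks and resource ids are constructed.

```python
import struct

STARTUP_TYPES = {"INIT", "RDEV", "cdev"}  # file types the thread says INIT 31 scans

def list_resources(fork):
    """Return [(type, id), ...] read from a resource fork's resource map."""
    _, map_off, _, map_len = struct.unpack_from(">IIII", fork, 0)
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("truncated or corrupt resource map")
    tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]  # type list
    n_types = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF  # stored as n-1
    found = []
    for i in range(n_types):
        rtype, last, refs = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        for j in range(last + 1):                                   # 12-byte entries
            rid = struct.unpack_from(">h", fork, tl + refs + 12 * j)[0]
            found.append((rtype.decode("mac_roman"), rid))
    return found

def triage(file_type, fork):
    """Summarise what the resource map implies, per the behaviour in the thread."""
    res = list_resources(fork)
    has_nvir = any(t == "nVIR" for t, _ in res)
    notes = []
    if has_nvir and ("CODE", 0) in res:
        notes.append("nVIR resources with CODE 0: compare CODE 0 to a clean copy")
    elif has_nvir:
        notes.append("nVIR resources but no CODE 0 to patch")
    if file_type in STARTUP_TYPES:
        ids = sorted(i for t, i in res if t == "INIT")
        if ids:
            notes.append(f"INIT ids run at startup: {ids}")
    return notes

def build_fork(resources):
    """Constructed sample: a resource fork holding only a map, no resource data."""
    by_type = {}
    for rtype, rid in resources:
        by_type.setdefault(rtype, []).append(rid)
    tlist = struct.pack(">H", (len(by_type) - 1) & 0xFFFF)
    refs, base = b"", 2 + 8 * len(by_type)
    for rtype, ids in by_type.items():
        tlist += struct.pack(">4sHH", rtype.encode("mac_roman"), len(ids) - 1, base + len(refs))
        refs += b"".join(struct.pack(">hHB3sI", r, 0xFFFF, 0, b"\0" * 3, 0) for r in ids)
    map_len = 28 + len(tlist) + len(refs)
    header = struct.pack(">IIII", 16, 16, 0, map_len)
    return header + header + struct.pack(">IHHHH", 0, 0, 0, 28, map_len) + tlist + refs

APP = build_fork([("CODE", 0), ("CODE", 1), ("nVIR", 1), ("nVIR", 2)])  # constructed
INIT_FILE = build_fork([("INIT", 128), ("nVIR", 1)])                     # constructed
```

`triage("APPL", APP)` flags the application for a CODE 0 comparison, while `triage("INIT", INIT_FILE)` reports nVIR resources with nothing to patch and lists the INIT id that would run at startup.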