Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cwjcc!hal!nic.MR.NET!xanth!hoptoad!tim
From: tim@hoptoad.uucp (Tim Maroney)
Newsgroups: comp.sys.mac
Subject: Re: nVIR virus found in "Kill Virus"
Message-ID: <5970@hoptoad.uucp>
Date: 29 Nov 88 20:33:15 GMT
References: <199@s1.sys.uea.ac.uk> <3ff51312.129dc@blue.engin.umich.edu>
Reply-To: tim@hoptoad.UUCP (Tim Maroney)
Organization: Eclectic Software, San Francisco
Lines: 18

In article <3ff51312.129dc@blue.engin.umich.edu> billkatt@caen.engin.umich.edu (Steve Bollinger) writes:
>nVIR works by patching the CODE resource ID=0 to jump to itself. INITs don't
>contain CODE resources, although they do contain INIT resources which consist
>of code, but that isn't the same thing. Therefore, there is no way for nVIR to
>patch anything in order to be executed. It is a common misconception that
>you can just place a resource in a file and it will be executed automatically.

That's exactly how a hypothetical INIT virus would work. The INIT 31
mechanism will execute all INIT resources with legal ids in an INIT,
RDEV, or cdev file. It's much easier to write an INIT virus than an
application virus, since all you have to do is put the resource into
the file. No jump table patching is required.

-- 
Tim Maroney, Consultant, Eclectic Software, sun!hoptoad!tim
"When the writer becomes the center of his attention, he becomes a nudnik.
And a nudnik who believes he's profound is even worse than just a plain
nudnik." -- Isaac Bashevis Singer
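
A defender's view of the point made in the post above, as an added example that is not part of the original message or of any tool it mentions: because an added INIT resource needs no jump table patch, comparing a file's resource map against a known-good copy is enough to show a new INIT or CODE resource. The function names, the watched-type list and the two sample forks are assumptions constructed for illustration.

```python
import struct

WATCHED = {"INIT", "CODE"}  # the two executable resource types named in the thread

def list_resources(fork: bytes):
    """Return [(type, id, size)] for each resource in a classic Mac OS resource fork."""
    data_off, map_off, _data_len, map_len = struct.unpack_from(">4I", fork, 0)
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("truncated or malformed resource fork")
    type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    n_types = (struct.unpack_from(">H", fork, type_list)[0] + 1) & 0xFFFF
    found = []
    for t in range(n_types):
        rtype, n_minus1, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * t)
        for r in range(n_minus1 + 1):
            # Reference entry: id, name offset, 1 attribute byte + 3-byte data offset.
            rid, _name, attr_off = struct.unpack_from(">hHI", fork, type_list + ref_off + 12 * r)
            size = struct.unpack_from(">I", fork, data_off + (attr_off & 0xFFFFFF))[0]
            found.append((rtype.decode("mac_roman"), rid, size))
    return found

def new_code_resources(known_good: bytes, current: bytes):
    """Watched resources present in `current` but absent from the known-good copy."""
    base = set(list_resources(known_good))
    return [r for r in list_resources(current) if r[0] in WATCHED and r not in base]

def build_fork(resources):
    """Constructed-sample helper: pack [(type, id, data)], one resource per type."""
    data = b"".join(struct.pack(">I", len(d)) + d for _, _, d in resources)
    n, types, refs, doff = len(resources), b"", b"", 0
    for i, (rtype, rid, d) in enumerate(resources):
        types += struct.pack(">4sHH", rtype, 0, 2 + 8 * n + 12 * i)
        refs += struct.pack(">hHII", rid, 0xFFFF, doff, 0)
        doff += 4 + len(d)
    tail = struct.pack(">H", n - 1) + types + refs
    body = struct.pack(">HH", 28, 28 + len(tail)) + tail
    header = struct.pack(">4I", 256, 256 + len(data), len(data), 24 + len(body))
    return header + bytes(240) + data + header + bytes(8) + body

# Constructed sample: the same control panel file before and after an INIT appears.
BASE = [(b"cdev", -4064, b"\x4e\x75"), (b"STR ", 128, b"\x02hi")]
GOOD = build_fork(BASE)
CHANGED = build_fork(BASE + [(b"INIT", 7, b"\x4e\x75")])

if __name__ == "__main__":
    print(new_code_resources(GOOD, CHANGED))
```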