Path: utzoo!utgpu!watmath!clyde!att!rutgers!rochester!pt.cs.cmu.edu!*!postman+
From: ll12+@andrew.cmu.edu (Laura Ann Lemay)
Newsgroups: comp.sys.mac
Subject: Re: nVIR virus found in "Kill Virus"
Message-ID:
Date: 30 Nov 88 11:37:05 GMT
Organization: Carnegie Mellon
Lines: 28

Tim Maroney says:
>In article <3ff51312.129dc@blue.engin.umich.edu> billkatt@caen.engin.umich.edu
>(Steve Bollinger) writes:
>>nVIR works by patching the CODE resource ID=0 to jump to itself. INITs don't
>>contain CODE resources, although they do contain INIT resources which consist
>>of code, but that isn't the same thing. Therefore, there is no way for nVIR to
>>patch anything in order to be executed. It is a common misconception that
>>you can just place a resource in a file and it will be executed automatically.
>
>That's exactly how a hypothetical INIT virus would work. The INIT 31
>mechanism will execute all INIT resources with legal ids in an INIT,
>RDEV, or cdev file. It's much easier to write an INIT virus than an
>application virus, since all you have to do is put the resource into
>the file. No jump table patching is required.

Yes yes yes. But the point Steve (as well as myself) is making is that
*nVIR* resources cannot be run without the jump table patching, which INITs
don't have. A hypothetical virus was not what we were talking about.

And discussion of how to write a "hypothetical virus" might well be better
conducted through Email, rather than posting....who knows what evil hackers
might be out there looking for ideas. :-)

-Laura Lemay
ll12+@andrew.cmu.edu
(nice mail only, I'm a sensitive soul) :-)