Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cwjcc!hal!nic.MR.NET!xanth!hoptoad!tim
From: tim@hoptoad.uucp (Tim Maroney)
Newsgroups: comp.sys.mac
Subject: Re: nVIR virus found in "Kill Virus"
Message-ID: <5970@hoptoad.uucp>
Date: 29 Nov 88 20:33:15 GMT
References:  <199@s1.sys.uea.ac.uk> <3ff51312.129dc@blue.engin.umich.edu>
Reply-To: tim@hoptoad.UUCP (Tim Maroney)
Organization: Eclectic Software, San Francisco
Lines: 18

In article <3ff51312.129dc@blue.engin.umich.edu> billkatt@caen.engin.umich.edu
(Steve Bollinger) writes:
>nVIR works by patching the CODE resource ID=0 to jump to itself.  INITs don't
>contain CODE resources, although they do contain INIT resources which consist
>of code, but that isn't the same thing.  Therefore, there is no way for nVIR to
>patch anything in order to be executed.  It is a common misconception that
>you can just place a resource in a file and it will be executed automatically.

That's exactly how a hypothetical INIT virus would work.  The INIT 31
mechanism will execute all INIT resources with legal ids in an INIT,
RDEV, or cdev file.  It's much easier to write an INIT virus than an
application virus, since all you have to do is put the resource into
the file.  No jump table patching is required.
-- 
Tim Maroney, Consultant, Eclectic Software, sun!hoptoad!tim
"When the writer becomes the center of his attention, he becomes a nudnik.
 And a nudnik who believes he's profound is even worse than just a plain
 nudnik." -- Isaac Bashevis Singer
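
An added example, not part of the original post: since an INIT resource runs simply by being present in the file, a defender can inventory them by parsing the resource fork's map and comparing the INIT IDs against a known-good list. The function names, the sample fork and the baseline below are constructed for illustration; the file's type (INIT, RDEV, cdev) is stored outside the resource fork and is not checked here.

```python
import struct

def list_resources(fork):
    """Return [(type, id, data_length)] for every resource in a resource fork."""
    data_off, map_off = struct.unpack_from(">2I", fork, 0)
    # Map: 16-byte header copy, 4-byte handle, 2-byte file ref, 2-byte attributes,
    # then a 2-byte offset (from map start) to the type list.
    (type_list_off,) = struct.unpack_from(">H", fork, map_off + 24)
    tl = map_off + type_list_off
    (ntypes_m1,) = struct.unpack_from(">H", fork, tl)      # stored as count - 1
    out = []
    for t in range((ntypes_m1 + 1) & 0xFFFF):              # 0xFFFF means no types
        rtype, count_m1, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * t)
        for r in range(count_m1 + 1):
            # Reference entry (12 bytes): id, name offset, attrs(1)+data offset(3), handle
            rid, _name, attr_off = struct.unpack_from(">hHI", fork, tl + ref_off + 12 * r)
            (length,) = struct.unpack_from(">I", fork, data_off + (attr_off & 0xFFFFFF))
            out.append((rtype.decode("mac_roman"), rid, length))
    return out

def unexpected_inits(fork, baseline_ids):
    """INIT resource IDs present in the fork but absent from a known-good baseline."""
    return sorted(rid for rtype, rid, _ in list_resources(fork)
                  if rtype == "INIT" and rid not in baseline_ids)

def _sample_fork(resources):
    """Test fixture: lay out {type: [(id, data)]} in resource fork format."""
    data, offsets = b"", {}
    for rtype, items in resources.items():
        for rid, body in items:
            offsets[(rtype, rid)] = len(data)
            data += struct.pack(">I", len(body)) + body
    types, refs, ref_base = b"", b"", 2 + 8 * len(resources)
    for rtype, items in resources.items():
        types += struct.pack(">4sHH", rtype.encode("mac_roman"),
                             len(items) - 1, ref_base + len(refs))
        for rid, _ in items:
            refs += struct.pack(">hHII", rid, 0xFFFF, offsets[(rtype, rid)], 0)
    type_list = struct.pack(">H", len(resources) - 1) + types + refs
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list)) + type_list
    header = struct.pack(">4I", 256, 256 + len(data), len(data), len(rmap))
    return header + bytes(240) + data + rmap

# Constructed sample: placeholder bytes only, no executable content.
SAMPLE = _sample_fork({"INIT": [(0, b"AAAA"), (7, b"BBBBBB")], "STR ": [(128, b"\x02hi")]})

if __name__ == "__main__":
    print(list_resources(SAMPLE), unexpected_inits(SAMPLE, {0}))
```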