Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wuarchive!gem.mps.ohio-state.edu!ginosko!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: dmg@lid.mitre.org (David Gursky)
Newsgroups: comp.virus
Subject: Re: Centel Corp. and ViruScan
Message-ID: <0001.8909251241.AA29279@ge.sei.cmu.edu>
Date: 22 Sep 89 12:21:07 GMT
Sender: Virus Discussion List 
Lines: 58
Approved: krvw@sei.cmu.edu

In
(ewiles@iad-nxe.global-mis.dhl.com) writes...

The creator of VirusX for the Amiga certainly feels this way, [that "I
want you to get your information from me and no one else"], and for a
very good reason: It's the only way to make certain that the program
hasn't been tampered with to make it a virus spreader instead of a
stopper.

It just so happens that I agree with him.  What better way for some
sleazo to get a virus or trojan horse spread than to make it look like
it's a common, otherwise trusted, shareware virus killer program?

- -----

I have no qualms with any of this per se.  If the author of a package
wants to limit the sources from which his or her work is available,
fine!  But by doing so you forfeit the right to label your work as
shareware!

Shareware, by definition, is software that is shared with other users
for the purpose of preliminary evaluation.  If the user finds the
application useful, the user is honor- and legally-bound to pay the
requested fee for the software.

Shareware works because the distribution system is the users
themselves.  The author has only a minimal say in the distribution.
Certainly if the author wants to more strictly limit the dissemination
of his or her work, he or she is welcome to do so.  The proper manner
is a commercial distributor; anything that tries to mix commercial and
shareware, "isn't kosher".

As far as Ed's other argument goes (about using trusted shareware
virus killer programs as a carrier for a virus), I can't be the only
one who has failed to notice that despite that this is a common fear,
it has not happened recently or often (the last case I know of was a
"version" of Ross Greenberg's original FluShot, that was a Trojan
Horse that destroyed FATs or some-such; even then, this wasn't a virus
but a trojan).

Let me take this one step further.  Anti-virus applications (IMO) make
a poor carrier for a virus.  In order for a virus to succeed, it must
go undetected.  This means that prior to the activation of the virus'
logic-bomb or time-bomb, it cannot interfere with the normal operation
of the computer or the applications in use on the computer.  To do so
greatly improves the chances the virus will be discovered (to wit, the
Jerusalem virus).  If we work under the assumption that when a user
acquires an anti-virus application, they actually use it (in fact we
must work under this rule; otherwise the virus would not spread), the
virus necessarily undergoes an increased chance of detection because
an application is running that looks for viruses!

Standard disclaimers apply.

David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation