TMPLee@DOCKMASTER.NCSC.MIL (07/21/89)
I think it was Dave Lyons who said something like IIGS people had better things to do with their time than write viruses; would that were true, but it only takes one.

My real reason for writing: I know very little about Macs (but will learn soon -- my oldest is about to go off to U. Wisc and is insisting on buying a new computer; they only sell Macs and PS/2's -- no question which it will be, just how much money I think I can spare), but my understanding is that their apparent extreme vulnerability to viruses is that resource forks can contain code and that it is very easy to add forks to an application or file that get automatically executed.

Now, my understanding may be wrong, so let me ask the question in a more direct manner: can I have a resource fork associated with what I think is a data file that actually contains code and is executed without my knowing it? The INIT's in the system folder don't bother me, since I get those from Apple. Is it the case, for instance, that I could, say, have a resource fork associated with a WordPerfect document (file type $A0) that automatically gets executed as code every time the file gets opened? I sure hope not, but somehow I wonder. At present the only code I ever run is code of known provenance -- with resource forks will that continue to be true? (The few times I've used something off a bulletin board I shut the system down and turned off the hard drive, copying the NON-CODE output to a floppy before powering down and re-booting. Icons are only data, not code, so no worry.) What scares me is the notion that someone will ship around purportedly useful text or graphics but have associated with it code in a resource fork that contains a virus. Can that be done or not?

dcw@athena.mit.edu (David C. Whitney) (07/22/89)
In article <890721163707.944460@DOCKMASTER.ARPA> TMPLee@DOCKMASTER.NCSC.MIL writes:

>but my
>understanding is that their apparent extreme vulnerability to viruses is
>that resource forks can contain code and that it is very easy to add
>forks to an application or file that get automatically executed.
>
>Now, my understanding may be wrong, so let me ask the question in a more
>direct manner: can I have a resource fork associated with what I think
>is a data file that actually contains code and is executed without my
>knowing it? the INIT's in the system folder don't bother me, since I
>get those from Apple. Is it the case, for instance, that I could, say,
>have a resource fork associated with a WordPerfect document (file type
>$A0) that automatically gets executed as code every time the file gets
>opened? I sure hope not, but somehow I wonder. At present the only
>code I ever run is code of known provenance -- with resource forks will
>that continue to be true? (The few times I've used something off a
>bulletin board I shut the system down and turned off the hard drive,
>copying the NON-CODE output to a floppy before powering down and
>re-booting. Icons are only data, not code, so no worry.) What scares
>me is the notion that someone will ship around purportedly useful text
>or graphics but have associated with it code in a resource fork that
>contains a virus. Can that be done or not?

Resource forks do *one* thing to aid a spreading virus: insertion into a file becomes remarkably easy. To create a resource fork and insert a resource in any file requires only a couple of system calls.

I must say, though, that you sound somewhat paranoid about catching viruses. You can't become infected until the virus code executes. This does NOT happen while you are downloading a file. It DOES happen when you run the program. Viruses do themselves no good by hiding in text or other data files. Unless the word processor feels compelled to execute your book, then even if the file becomes infected, it remains harmless.

You *should* remain worried about INITs. They run automatically during bootup. If a virus hides in there, then there could be trouble. Since I don't know the details of how the loader will function (i.e., will code be loaded from the data fork only, or will the loader look in the resource fork too?), I can't say if viruses will have an easier time getting into your INITs.

The easiest protection is to keep a backup and check file size/last mod date every now and then. If files are growing, or they get changed, then check 'em with a virus checker.

Just remember that every file on your disk is harmless until you specifically execute it.

Dave Whitney
A junior (well, a senior) in Computer Science at MIT
dcw@athena.mit.edu  ...!bloom-beacon!athena.mit.edu!dcw  dcw@goldilocks.mit.edu
I wrote Z-Link & BinSCII. Send me bug reports. I use a //GS. Send me Tech Info.
"This is MIT. Collect and 3rd party calls will not be accepted at this number."
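
The size and last-modified check suggested in the reply above, as an added example that is not part of the original thread: it records a baseline for a directory tree and later lists files that are new, grew, shrank, changed date, or went missing. The function names `snapshot`, `compare` and `demo` and the sample files are constructed for illustration, and it assumes a present-day filesystem readable through `os.stat` (it does not inspect Apple resource forks).

```python
import json
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to its size and last-modified time."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            snap[os.path.relpath(path, root)] = {"size": st.st_size, "mtime": st.st_mtime_ns}
    return snap

def compare(baseline, current):
    """Return sorted (path, reason) pairs for files worth handing to a virus checker."""
    findings = []
    for path, now in current.items():
        then = baseline.get(path)
        if then is None:
            findings.append((path, "new file"))
        elif now["size"] > then["size"]:
            findings.append((path, "grew by %d bytes" % (now["size"] - then["size"])))
        elif now["size"] != then["size"]:
            findings.append((path, "shrank"))
        elif now["mtime"] != then["mtime"]:
            findings.append((path, "modified, same size"))
    for path in baseline:
        if path not in current:
            findings.append((path, "missing"))
    return sorted(findings)

def demo():
    """Constructed sample: three small files, two of them changed after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("app.bin", b"A" * 100), ("notes.txt", b"hello"), ("init.bin", b"I" * 40)]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = json.loads(json.dumps(snapshot(root)))  # round-trip as if saved with the backup
        with open(os.path.join(root, "app.bin"), "ab") as f:
            f.write(b"X" * 32)  # simulate a program file that grew
        p = os.path.join(root, "init.bin")
        st = os.stat(p)
        os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns + 10 * 10**9))  # same size, new mod date
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for path, reason in demo():
        print(path + ": " + reason)
```

Size and date are cheap to check but say nothing about a change that preserves both, which is why the reply pairs them with a backup and a virus checker.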