[comp.sys.amiga] On Viruses...

ewhac@well.UUCP (Leo L. Schwab) (01/02/89)

[ The PClone hit.  -- more --  Your armor turns grey. ]

	Given the new Amiga virus that is now spreading, I have this very
funny feeling about the RGB demo posted in comp.binaries.amiga.  I have not
downloaded it, I have not inspected it, I have heard no tales of ill fate
befalling anyone because of it.

	However, I would recommend caution.  The thing is so large that it
will be impossible for anyone to verify its integrity.  Demos are an
excellent way to distribute nefarious code.  Speaking only for myself, I
would be careful of it, and all further imported demos.

	One way I thought of to detect the virus, off the top of my head, is
to have some command in your Startup-Sequence check the size of the
first command.  If it's different from what it should be, you throw up an
attention-getting warning.  Naturally, for individuals who rarely boot their
machine, this may not be an effective procedure, but it's certainly one to
consider.

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Leo L. Schwab -- The Guy in The Cape	INET: well!ewhac@ucbvax.Berkeley.EDU
 \_ -_		Recumbent Bikes:	UUCP: pacbell > !{well,unicom}!ewhac
O----^o	      The Only Way To Fly.	      hplabs / (pronounced "AE-wack")
"Work FOR?  I don't work FOR anybody!  I'm just having fun."  -- The Doctor

laba-3ar@e260-4b.berkeley.edu (Case Larsen) (01/02/89)

In article <10193@well.UUCP> ewhac@well.UUCP (Leo 'Bols Ewhac' Schwab) writes:
>	One way I thought of to detect the virus, off the top of my head, is
>to have the some command in your Startup-Sequence check the size of the
                                                   ^^^^^^^^^^^^^^^^^^^^^
>first command.  If it's different from what it should be, you throw up an
 ^^^^^^^^^^^^^
Suppose the virus doesn't change the first command of your startup-sequence,
but instead changes your *startup-sequence*.  It seems to me, one way to
prevent this is to:

1. Keep a database of checksums for all files on the disk.
2. Before you shut down, compute checksums for each file on the disk and
   report to the user in the following cases:
   a. No checksum entry exists for the file. (This catches files that have
      been added by a virus.)
   b. Checksum entries don't match.  (This catches files that have been
      modified by a virus.)

Unfortunately, you have to make sure that the program that compares
the checksums hasn't been bitten by the virus.

>_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>Leo L. Schwab -- The Guy in The Cape	INET: well!ewhac@ucbvax.Berkeley.EDU
> \_ -_		Recumbent Bikes:	UUCP: pacbell > !{well,unicom}!ewhac
>O----^o	      The Only Way To Fly.	      hplabs / (pronounced "AE-wack")
>"Work FOR?  I don't work FOR anybody!  I'm just having fun."  -- The Doctor
-----
Case Larsen
clarsen@garnet.berkley.edu (internet) (Best)
..!{ames|hplabs|decvax}!ucbvax.berkeley.edu!garnet!clarsen (UUCP) 
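The checksum-database scheme above (step 1, step 2a, step 2b, plus the caveat about the checker itself), as an added example that is not part of the original thread. Python and SHA-256 are assumptions standing in for whatever an Amiga user would have written in 1989; `checker_is_intact` is a hypothetical self-check, and the "removed" category goes slightly beyond the post.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed example of the checksum-database scheme: step 1 builds the
# database, step 2 recomputes and reports files with no entry (2a) or a
# non-matching entry (2b).  SHA-256 is an assumption; any hash the virus
# cannot cheaply collide would do.

def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Step 1: one digest per file, keyed by path relative to root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Step 2: report added (2a) and modified (2b) files.  'removed' is an
    extra category the post does not mention but a checker should report."""
    current = build_baseline(root)
    return {
        "added": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
    }

def checker_is_intact(checker: Path, trusted_digest: str) -> bool:
    """The post's caveat: verify the comparison program itself first.
    trusted_digest must live where the virus cannot write (hypothetical
    example: a write-protected floppy), or this check proves nothing."""
    return file_digest(checker) == trusted_digest

def demo() -> dict[str, list[str]]:
    """Constructed disk: baseline three files, then 'infect' it by
    rewriting the startup-sequence and dropping a new command."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "s").mkdir()
        (root / "c").mkdir()
        (root / "s" / "startup-sequence").write_bytes(b"c:setpatch\nc:loadwb\n")
        (root / "c" / "setpatch").write_bytes(b"clean binary")
        (root / "c" / "loadwb").write_bytes(b"another clean binary")
        baseline = build_baseline(root)
        (root / "s" / "startup-sequence").write_bytes(b"c:virus\nc:setpatch\n")
        (root / "c" / "virus").write_bytes(b"constructed payload")
        return check(root, baseline)
```

Running `demo()` reports `c/virus` as added and `s/startup-sequence` as modified, which is exactly the case the reply raises against a first-command-only size check.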

C475141@umcvmb.missouri.edu (Brian E Whitman) (01/04/89)

Well I have been sitting here reading all your ways of catching the
virus, and like everyone else I have my own thinking.  First I am not
familiar with the program or exactly what it is, but if my understanding
is correct it is an animation demo. Also it has a size of 1.5M.

First consider what we download this beast on.  In my case two floppies,
some to their hard drive.  Now, what I would do is, (and always do when
using a piece of software that I am unfamiliar with) throw the R/W tab on
the diskette.  If the program gives me a prompt saying the diskette is R/W
protected, then I make sure I have a backup copy of it and reverse the R/W
tab.

Nice you say but what if I have a hard disk and that is where it is?  I think
(not for sure) that there is a new command in 1.3 called LOCK that will
Write protect your hard disk.

How good or bad does this sound?

Brian E Whitman

wen@husc4.HARVARD.EDU (A. Wen) (01/05/89)

In article <6220@louie.udel.EDU> C475141@umcvmb.missouri.edu (Brian E Whitman) writes:
>Well I have been sitting here reading all your ways of catching the
>virus, and like everyone else I have my own thinking.  First I am not
>familiar with the program or exactly what it is, but if my understanding
>is correct it is an animation demo. Also it has a size of 1.5M.

Not exactly.  The enormous European animation demo isn't related
to the IRQ virus, except that I've heard it referred to as the "Euro-virus."

A. Wen          wen@husc4.HARVARD.EDU  wen@husc4.BITNET  {seismo!harvard!husc4}