chrisj@ut-emx.UUCP (Chris Johnson) (12/14/89)
In article <4221@sbcs.sunysb.edu> vallon@sboslab15.cs.sunysb.edu (Justin Vallon) writes:
>In article <3277@hub.UUCP>, 6600pete@hub.UUCP writes:
>> From article <1501@rodan.acs.syr.edu>, by wwtaroli@rodan.acs.syr.edu (Bill Taroli):
>> > if this WDEF does have code in it that's installing resources into
>> > the Desktop then why are the virus detection programs (like GateKeeper) not
>> > able to catch it?
>>
>> Because they don't watch the Desktop file.

Sorry, but this is wrong. Gatekeeper watches all resource mgr. operations that can modify a resource file. *ANY* resource file, I might add. Gatekeeper protects the Desktop file the same way it protects every other file.

>Wouldn't Vaccine catch AddResource('WDEF', 0) no matter where it happens?
>I didn't know that Vaccine ignored references to the Desktop file. It
>would seem that the authors of Vaccine were putting a great big hole in
>their protection if they let references to the Desktop get through.
>
>I can see how Gatekeeper could be fooled because it does not distinguish
>between calls of AddResource('MSWD', 0) and AR('WDEF', 0). Maybe GK should
>check what's going in, and have protection for standard resources, and
>executable resources.

Sorry, this isn't true either. Gatekeeper does, and always has, checked for and protected all resources that can contain executable code. That's why Gatekeeper has been completely effective against all the viruses that have appeared since Gatekeeper was introduced way back on the 2nd of January.

Completely effective, that is, until now. WDEF goes to considerable lengths to bypass all anti-virus systems. (Vaccine wouldn't have caught it anyway.) I won't go into any details here, but I will say that the techniques it used are exactly what causes it to crash all Mac IIcis (which is how it was originally discovered) and many IIcxs.
So, it does bypass Gatekeeper, SAM, Virex, etc., but it paid a very high price in compatibility to do so, and that is precisely what has led to its detection and will yet bring about its (virtual) eradication. So all my work on Gatekeeper wasn't altogether lost against this virus. :-)

On the subject of Gatekeeper and the eradication of the WDEF virus, I'm pleased to announce that a new component is being added to Gatekeeper: Gatekeeper Aid.

Gatekeeper Aid is an additional INIT which can automatically detect WDEF, future clones, and possible brethren. Upon detection it automatically removes the virus and alerts the user. Gatekeeper Aid, combined with Gatekeeper, will leave you immune to all known viruses once again. (Gatekeeper Aid can also be used alone, as a standalone WDEF hunter/killer.)

Gatekeeper Aid has been in development since Wednesday of last week and has been in beta testing since Sunday. Testing is progressing well, and I anticipate releasing it later this week.

Cheers,
----Chris (Johnson)
----Author of Gatekeeper
----chrisj@emx.utexas.edu
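The two points Chris argues above (judge each write by whether the resource *type* can hold code, and apply that judgement to every file, Desktop included, rather than trusting files by name) can be shown with a small policy check over intercepted Resource Manager calls. This is example code added for this page, not Gatekeeper's own code; the log line format, the list of code-bearing resource types, and the sample trace are all constructed assumptions (WDEF is the only type named in the thread).

```python
"""Gatekeeper-style resource-write policy check (constructed illustration)."""
import re
from dataclasses import dataclass

# Resource types that can carry 68k code on the classic Mac OS. This set is an
# assumption for the example, not a list taken from Gatekeeper.
EXECUTABLE_TYPES = {"CODE", "INIT", "WDEF", "CDEF", "MDEF", "LDEF", "cdev",
                    "DRVR", "PACK", "FKEY", "XCMD", "XFCN", "PTCH", "ADBS"}

# Resource Manager calls that can write into a resource file (assumed set).
MODIFYING_CALLS = {"AddResource", "ChangedResource", "WriteResource",
                   "UpdateResFile", "RmveResource"}

# Constructed log format: "<call> file=<name> type=<4 chars> id=<n>"
LINE_RE = re.compile(
    r"(?P<call>\w+)\s+file=(?P<file>\S+)\s+type=(?P<type>\S{4})\s+id=(?P<id>-?\d+)")


@dataclass
class Verdict:
    call: str
    file: str
    rtype: str
    rid: int
    blocked: bool
    reason: str


def check_operation(line: str, exempt_files=frozenset()) -> Verdict:
    """Decide whether one intercepted call should be refused.

    exempt_files models the weaker policy discussed in the thread, where some
    file (e.g. the Desktop) is trusted by name and never inspected.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable operation: {line!r}")
    call, fname, rtype, rid = m["call"], m["file"], m["type"], int(m["id"])
    if call not in MODIFYING_CALLS:
        return Verdict(call, fname, rtype, rid, False, "read-only call")
    if fname in exempt_files:
        return Verdict(call, fname, rtype, rid, False, "file exempted by name")
    if rtype in EXECUTABLE_TYPES:
        # The type decides, not the file name and not the resource ID.
        return Verdict(call, fname, rtype, rid, True,
                       f"{call} of executable type {rtype} into {fname}")
    return Verdict(call, fname, rtype, rid, False, "data resource")


def blocked_operations(log_lines, exempt_files=frozenset()):
    """Return the reasons for every refused operation in the log."""
    verdicts = (check_operation(line, exempt_files) for line in log_lines)
    return [v.reason for v in verdicts if v.blocked]


# Constructed sample trace of intercepted calls (not a real capture).
SAMPLE_LOG = [
    "AddResource file=Desktop type=WDEF id=0",      # code resource into Desktop
    "AddResource file=MyDoc type=MSWD id=0",        # ordinary document data
    "GetResource file=System type=WDEF id=0",       # a read, not a write
    "AddResource file=System type=INIT id=31",      # code resource into System
    "WriteResource file=Desktop type=BNDL id=128",  # Finder data, allowed
]

if __name__ == "__main__":
    for reason in blocked_operations(SAMPLE_LOG):
        print("BLOCK:", reason)
    print("with Desktop exempted:", blocked_operations(SAMPLE_LOG, {"Desktop"}))
```

Running it with no exemptions refuses both code-resource writes (the WDEF 0 into Desktop and the INIT into System) while letting the MSWD and BNDL data resources through; passing `{"Desktop"}` as an exempt file reproduces the hole the thread warns about, where the WDEF write is silently allowed.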
hallett@pet16.uucp (Jeff Hallett x5163 ) (12/14/89)
In article <22311@ut-emx.UUCP> chrisj@emx.UUCP (Chris Johnson) writes:
>WDEF goes to considerable lengths to bypass all anti-virus systems. (Vaccine
>wouldn't have caught it anyway.) I won't go into any details here, but I
>will say that the techniques it used are exactly what causes it to crash all
>Mac IIcis (which is how it was originally discovered) and many IIcxs.

Just one question. Obviously, someone worked really hard to get this thing to propagate. Other than the IIci crashes and the feeling of being raped, does this virus do anything else? Since it is a WDEF, does it change some window definition on some date? Just curious.

--
Jeffrey A. Hallett, PET Software Engineering
GE Medical Systems, W641, PO Box 414, Milwaukee, WI 53201
(414) 548-5163 : EMAIL - hallett@gemed.ge.com
Est natura hominum novitatis avida