[comp.sys.mac] I don't believe this

vallon@sbmiclr.cs.sunysb.edu (Justin Vallon) (12/09/89)

In article <12044@phoenix.Princeton.EDU>, bskendig@phoenix.Princeton.EDU
(Brian Kendig) writes:
> In article <1886@accuvax.nwu.edu> jln@accuvax.nwu.edu (John Norstad) writes:
> > [Description of the WDEF virus]
> 
> Then how *does* it spread?

A WDEF virus is a very interesting way to get into the system.  If the
WDEF does what I think it would do, it would probably number with resource
ID 0.  Since the Finder automatically opens all Desktop files (with an
OpenResFile call), the resource fork of all open Desktop files will be
searched when New/GetNewWindow calls GetResource('WDEF', 0).  The WDEF
could do its dirty work, and then load the real WDEF by using a
UseResFile(systemResFile).

However, if the Finder makes sure that it does UseResFile(Desktop) before
all Desktop-related resource calls, and UseResFile(Finder) just after,
then this virus is probably BS.

Come to think of it, it would probably be a REQUIREMENT to perform
UseResFile(Desktop), because the single-file resource routines must be
used (i.e., Get1Resource), or all of the resources in all of the open
Desktop files would be mixed together.  Since UseResFile(Desktop) is used,
UseResFile(Finder) is probably also used to clean things up.  (Just a
guess, but it is good programming practice.)

No, I don't have a Mac in front of me (it's a Sun 3).  Next time I get
to one, I'll trap UseResFile & all other resource manager stuff and see
how the finder operates.  Maybe we can prove that it's a hoax, or maybe
we can prove that it is possible.  Personally, I believe it's a hoax...
see below.

Note: I thought about not giving this description, but if you understand it,
then I'm not telling you anything that you don't already know.

> I've learned not to get worried at the sight of what might be a bad
> virus.  (Just look at the DataCrime virus in the IBM PC that was
> supposed to wipe hard drives clean on Columbus Day - nothing big ever
> came of that, but people panicked anyway.)

Right.  Panic does not help anybody.  Especially when people fear that
Str# resources are viruses (start reading comp.virus for some humor).
"Oh my god.  My computer beeped.  I also remember that it bombed about
an hour ago.  I MUST HAVE A VIRUS!"

> Now this alleged WDEF virus comes along.  First of all, how can it
> possibly do any damage from the DeskTop file?  The DeskTop is data
> only - it is not run.  The only way it could do damage is by
> persuading the Finder to go on a rampage of some sort.  This would be
> analogous to a book that made everyone who read it immediately go out
> and kill someone without realizing it - not highly likely.

See above.

> Secondly, so what if the WDEF *is* a virus?  What program would look
> for a WDEF in the DeskTop file?  A WDEF is a Window DEFinition
> resource (providing those funky NeXT-style window INITs, for example.)
> The DeskTop is used primarily for icons and other miscellaneous Finder
> information.  The Finder gets its WDEF resources from the System.  If
> the Finder were to check every resource in the DeskTop file just to
> make sure it didn't need any of them, it would run awfully slowly.
> Therefore, it doesn't search for anything it doesn't need - and it
> certainly doesn't need WDEF's from the DeskTop, and even if it did, it
> certainly wouldn't switch from interpreting them as data for drawing
> windows to data for messing with files.

Yes a WDEF is a window definition, but the Desktop would be placed in
the resource search path, and searched upon NewWindow.  See above.

> Thirdly, I'd like to remind everyone that there have been three
> postings before this one about the virus.  The first announced it.
> The second followed impressively quickly, and introduced 'Eradicator!'
> to fix it.  The third was a post from someone at Stanford who *thinks*
> he has the virus, and has also downloaded 'Eradicator!' to fix it.
>
> Now, call me a doubting Thomas, but I find it highly unusual that (a)
> someone could whip up a patch that quickly after the virus was
> discovered, (b) the virus could spread that quickly from the three
> source locations (hmm...) to Stanford, and (c) that the virus appeared
> at Stanford at around the same time that 'Eradicator!' was introduced
> there.  (The poster didn't say whether he downloaded 'Eradicator!'
> after he suspected the virus, or if he just downloaded the program to
> be safe and only later found traces of funny business.)

Exactly.  It might be relatively easy to write an Eradicator!-type
program, but it's an INIT that traps MountVol (or whatever), checks
the Desktop file, removes the "virus", and ejects if the operation
fails.  It doesn't seem like a trivial program, but maybe I'm skeptical.

> Also, if the virus only affects the DeskTop file and copies itself,
> with no other effect on the user (as the original announcement stated),
> how did the Stanford folks notice it?  Does everyone at Stanford have
> an IIci?  (I only rarely check the resources in my DeskTop file just for
> the heck of it.  ;-)

Strange.  Also, it's kind of unusual that no virus prevention mechanism
could prevent the infection.  Although, maybe they... and that's why...
on an IIci...?

> I'm not blaming anyone for anything.  I'm just stating that the events
> thus far surrounding the 'virus' have been somewhat questionable.

> I will wait for more information before I set up my defenses against
> the WDEF virus.

"Wouldn't it be really neat if we told people we discovered a new
virus, then wrote the Eradicator! which actually contained the real
virus.  Then tell them something about how it has to install itself
before all other virus programs... something about extra protection."

No accusations made, but a clever virus can get around much faster
if people are told to download it.

>      << Brian >>

> | Brian S. Kendig      ^ Macintosh |  /\   _||_ | bskendig                  |
> | Computer Engineering |\ Thought  | /__\  \  / | @phoenix.Princeton.EDU    |
> | Princeton University | \ Police  |  ||    \/  | @PUCC.BITNET              |
> | Systems Engineering, NASA Space Station Freedom / General Electric WP3    |

Maybe I'm wrong, but maybe I'm right.

-Justin
vallon@sbcs.sunysb.edu
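As an added illustration of the resource search path the post reasons about (this is not code from the post, nor Apple's Resource Manager): a small Python model in which OpenResFile puts a file at the front of the search chain and makes it current, GetResource searches from the current file back toward the System file, UseResFile moves the starting point, and Get1Resource looks only at the current file. All names, reference numbers and resource contents below are constructed; the `ResourceChain` class and the three scenario functions are mine.

```python
# Toy model of the classic Mac Resource Manager search chain, written to
# illustrate the post's argument about a 'WDEF' 0 living in a Desktop file.
# Assumed/constructed: class and function names, the reference-number
# scheme and every resource payload are made up for this example.


class ResourceChain:
    """Models OpenResFile / UseResFile / CurResFile / GetResource / Get1Resource."""

    def __init__(self):
        self._files = {}     # refnum -> {"name": str, "res": {(type, id): payload}}
        self._order = []     # refnums in open order; later = nearer the front
        self._cur = None     # current resource file (search starting point)
        self._next_ref = 1

    def open_res_file(self, name, resources):
        """OpenResFile: put the file at the front of the chain and make it current."""
        ref = self._next_ref
        self._next_ref += 1
        self._files[ref] = {"name": name, "res": dict(resources)}
        self._order.append(ref)
        self._cur = ref
        return ref

    def use_res_file(self, ref):
        """UseResFile: choose where GetResource starts searching."""
        if ref not in self._files:
            raise ValueError("resource file not open")
        self._cur = ref

    def cur_res_file(self):
        return self._cur

    def get_resource(self, rtype, rid):
        """GetResource: search the current file, then the files opened before
        it, ending at the System file.  Files opened *after* the current one
        are never consulted."""
        start = self._order.index(self._cur)
        for ref in reversed(self._order[: start + 1]):
            hit = self._files[ref]["res"].get((rtype, rid))
            if hit is not None:
                return hit
        return None

    def get1_resource(self, rtype, rid):
        """Get1Resource: search only the current file."""
        return self._files[self._cur]["res"].get((rtype, rid))


def build_chain():
    """Constructed scenario: System, then Finder, then a Desktop file that
    also carries a 'WDEF' 0, as the post hypothesises."""
    rm = ResourceChain()
    system = rm.open_res_file("System", {("WDEF", 0): "System WDEF"})
    finder = rm.open_res_file("Finder", {("FREF", 128): "Finder FREF"})
    desktop = rm.open_res_file("Desktop", {
        ("ICN#", 128): "Desktop icon",
        ("WDEF", 0): "Desktop WDEF",   # constructed: the shadowing resource
    })
    return rm, system, finder, desktop


def wdef_without_rescoping():
    """Finder opens the Desktop and leaves it current; a later
    GetResource('WDEF', 0) from NewWindow finds the Desktop's copy first."""
    rm, _system, _finder, _desktop = build_chain()
    return rm.get_resource("WDEF", 0)


def wdef_with_rescoping():
    """Finder reads what it needs with Get1Resource, then does
    UseResFile(Finder) before any window call: the Desktop now sits
    in front of the current file and is skipped, so the System's WDEF wins."""
    rm, _system, finder, desktop = build_chain()
    rm.use_res_file(desktop)
    icon = rm.get1_resource("ICN#", 128)      # the only thing Finder wanted
    rm.use_res_file(finder)
    return icon, rm.get_resource("WDEF", 0)


def get1_never_leaks_across_files():
    """Get1Resource on the Finder file does not see the Desktop's WDEF at all."""
    rm, _system, finder, _desktop = build_chain()
    rm.use_res_file(finder)
    return rm.get1_resource("WDEF", 0)


if __name__ == "__main__":
    print("no rescoping :", wdef_without_rescoping())
    print("rescoped     :", wdef_with_rescoping())
    print("Get1Resource :", get1_never_leaks_across_files())
```

The model makes the post's two claims concrete: whether the Desktop's 'WDEF' 0 shadows the System's depends entirely on which file is current when the window call happens, and scoping Desktop reads with Get1Resource plus a UseResFile back to the Finder is what keeps a data file's resources out of the window-definition lookup.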