knudsen@ihlpl.ATT.COM (Knudsen) (11/03/88)
[In response to reports of a Coco OS9-L2 virus that attached itself to CC3DISK.dr on any OS9Boot files it could find]

I can think of a few precautions you could take, mostly using the excellent (sometimes TOO good) error checking built into our favorite OS:

(1) For all your boot files, do

    ident os9boot >/p

and save the printout. This lists the 6-digit CRC and size of each module in the bootfile. Occasionally repeat the above on the same boot disk and compare the two lists. To attack a boot, the virus must either fix the CRC of any modules it changes (else the boot fails), or in the early phase of boot-up defeat the code that checks for valid CRCs and headers. Either way IDENT can catch it. If your IDENT is uninfected :-(. BTW, you can redirect the IDENT to a file instead of /p, then later do it to another file and CMP the two files.

(2) Don't close the doors on any floppy drives you don't expect to use with the program you're executing. If the reported virus tried checking my /d1 or /d2 for an OS9Boot, the system would just hang while the drives spin forever. (If it overrides that dumb feature of CC3DISK, let's disassemble the virus and figure out how to do that ourselves!)

(3) Keep backups of all your bootfiles and CMP them occasionally with the copies you actually use. You could just keep the backup on the same disk under another non-obvious name.

(4) Figure out a way to hot-wire a Write Protect switch onto your hard drive controller (why don't they all have this in the first place?!?!). Also wire such switches to your floppies (easy to do) and set them all ON when trying questionable software (at least until the software has a legitimate need to write, in which case you un-protect only the relevant drive).

Finally, let me say that for a while I thought I might have been infected several months ago. Seems that L2 COBBLER has a bug whereby it insists on padding its output bootfiles to exact multiples of 256 bytes (sorta like XModem downloads). The extra garbage doesn't stop booting, but does mess up BootMod utilities and shows up on IDENTs. Of course this would have been a pretty crude virus if it were one. Anyone else notice this Cobbler bug?

-- 
Mike Knudsen  Bell Labs(AT&T)  att!ihlpl!knudsen
"Lawyers are like nuclear bombs and PClones. Nobody likes them, but the other guy's got one, so I better get one too."
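Added example (not from Mike's post and not an OS-9 utility): a Python script that does offline what precaution (1) does with IDENT and CMP. It walks a boot file module by module, checks each module's header parity and 24-bit CRC the way the boot code does, produces an ident-style baseline, and diffs two baselines by module name. It also counts bytes that belong to no module, which is where padding like the COBBLER bug described above would show up. The format details assumed here are the standard OS-9 module layout (sync bytes $87CD, size and name offset in the header, header parity byte making the nine header bytes XOR to $FF, CRC polynomial $800063 with initial value $FFFFFF, stored CRC complemented, residue $800FE3 over a valid module). The two-module boot image, the module names and the code bytes inside them are constructed test data, not a real OS9Boot; `patch_module` is a hypothetical helper that plays the role of the virus, once crudely and once recomputing the CRC.

```python
"""Baseline and verify the modules of an OS-9 boot file, the way 'ident os9boot' does."""
import struct
from functools import reduce
from operator import xor

OS9_SYNC = 0x87CD        # module sync bytes
CRC_POLY = 0x800063      # OS-9 24-bit module CRC polynomial
CRC_INIT = 0xFFFFFF
CRC_RESIDUE = 0x800FE3   # register value left by a module that verifies


def os9_crc(data, crc=CRC_INIT):
    """Clock the OS-9 24-bit CRC over data (each byte XORed into the top byte, shift left)."""
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1000000 | CRC_POLY
    return crc


def crc_ok(module):
    """A module verifies when the CRC over all of it, the 3 CRC bytes included, equals the residue."""
    return os9_crc(module) == CRC_RESIDUE


def parity_ok(module):
    """The header parity byte is chosen so that the 9 header bytes XOR to $FF."""
    return reduce(xor, module[:9]) == 0xFF


def module_name(module, off):
    """Module names are stored with the high bit set on the last character."""
    chars = []
    for c in module[off:]:
        chars.append(chr(c & 0x7F))
        if c & 0x80:
            break
    return "".join(chars)


def ident(data):
    """Walk a boot file (modules back to back, located by their sync bytes).

    Returns an ident-style list of per-module records and the number of bytes
    that belong to no complete module (padding or junk between/after modules).
    """
    modules, pos, slack = [], 0, 0
    while pos + 9 <= len(data):
        if struct.unpack_from(">H", data, pos)[0] != OS9_SYNC:
            pos, slack = pos + 1, slack + 1
            continue
        size, name_off = struct.unpack_from(">HH", data, pos + 2)
        module = data[pos:pos + size]
        if len(module) < size:          # truncated module: stop, count the rest as junk
            break
        modules.append({
            "name": module_name(module, name_off), "offset": pos, "size": size,
            "crc": int.from_bytes(module[-3:], "big"),
            "crc_ok": crc_ok(module), "parity_ok": parity_ok(module),
        })
        pos += size
    return modules, slack + (len(data) - pos)


def compare(baseline, current):
    """Diff two ident listings by module name, like CMPing two saved 'ident >file' runs."""
    base = {m["name"]: m for m in baseline}
    cur = {m["name"]: m for m in current}
    findings = []
    for name in sorted(base.keys() | cur.keys()):
        b, c = base.get(name), cur.get(name)
        if b is None:
            findings.append(f"{name}: not in baseline")
        elif c is None:
            findings.append(f"{name}: missing")
        elif (b["size"], b["crc"]) != (c["size"], c["crc"]):
            findings.append(f"{name}: size {b['size']}->{c['size']} "
                            f"crc {b['crc']:06X}->{c['crc']:06X}")
    return findings


def build_module(name, type_lang, attr_rev, body):
    """Assemble a minimal module with valid parity and CRC (constructed test data, not real OS-9 code)."""
    name_bytes = name[:-1].encode("ascii") + bytes([ord(name[-1]) | 0x80])
    name_off = 13                                   # 9-byte header + exec offset + storage size
    size = name_off + len(name_bytes) + len(body) + 3
    hdr = struct.pack(">HHHBB", OS9_SYNC, size, name_off, type_lang, attr_rev)
    hdr += bytes([reduce(xor, hdr) ^ 0xFF])
    module = hdr + struct.pack(">HH", name_off + len(name_bytes), 0x0100) + name_bytes + body
    return module + ((~os9_crc(module)) & 0xFFFFFF).to_bytes(3, "big")  # stored CRC is the complement


def patch_module(data, name, offset, value, fix_crc):
    """Hypothetical virus: alter one byte of the named module; with fix_crc, recompute its CRC."""
    m = next(x for x in ident(data)[0] if x["name"] == name)
    start, end = m["offset"], m["offset"] + m["size"]
    body = bytearray(data[start:end])
    body[offset] = value
    if fix_crc:
        body[-3:] = ((~os9_crc(bytes(body[:-3]))) & 0xFFFFFF).to_bytes(3, "big")
    return data[:start] + bytes(body) + data[end:]


# Constructed two-module boot file: a "driver" and a "system module" with throwaway code bytes.
SAMPLE_BOOT = (build_module("CC3Disk", 0xE1, 0x81, bytes(range(0x10, 0x30)))
               + build_module("IOMan", 0xC1, 0x81, bytes(range(0x40, 0x50))))

if __name__ == "__main__":
    baseline, _ = ident(SAMPLE_BOOT)
    infected = patch_module(SAMPLE_BOOT, "CC3Disk", 20, 0x7E, fix_crc=True)
    for m in ident(infected)[0]:
        print(f"{m['name']:<10} {m['size']:5d} {m['crc']:06X} crc_ok={m['crc_ok']}")
    print(compare(baseline, ident(infected)[0]))
```

The two cases in the post fall out directly: a crude patch that leaves the CRC bytes alone fails `crc_ok` (the boot would reject the module), while a patch that recomputes the CRC passes `crc_ok` but changes the stored 6-digit value, so only a saved baseline and `compare` catches it. Padding appended after the last module does not change any module record, only the slack count.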