vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) (06/20/91)
Is it possible to write a PC virus which installs itself whenever you place an infected disk in the drive and do a DIR command ? Steve. - -- --------------------------------------------------------------------------- - JANET E-mail : vanaards@uk.ac.man.cs.p4 (Steven van Aardt) -- -- Warning this user has been designated for termination on the 21.6.91 -- ---------------------------------------------------------------------------
PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) (06/21/91)
vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > > Is it possible to write a PC virus which installs itself whenever > you place an infected disk in the drive and do a DIR command ? Yes. But on a PC this requires certain conditions, which mean it probably wouldn't spread very far. Mark Aitchison, Physics, University of Canterbury, New Zealand.
dkrause@miami.acs.uci.edu (Doug Krause) (06/21/91)
vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes:
#
# Is it possible to write a PC virus which installs itself whenever
#you place an infected disk in the drive and do a DIR command ?
Doesn't STONED act that way?
Douglas Krause One yuppie can ruin your whole day.
- ----------------------------------------------------------------------
University of California, Irvine Internet: dkrause@orion.oac.uci.edu
Welcome to Irvine, Yuppieland USA BITNET: DJKrause@uci.edu
bdh@gsbsun.uchicago.edu (Brian D. Howard) (06/22/91)
vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > Is it possible to write a PC virus which installs itself whenever >you place an infected disk in the drive and do a DIR command ? Yes. You'd have to change command.com and have a dir.com or dir.bat just sitting there. I've actually manually done something like that as a prank (stay away from me on april 1...) (You asked merely if it was *possible*. Now, do you think you've got something like that going on?) - -- "Hire the young while they still know everything."
padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) (06/24/91)
vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > > Is it possible to write a PC virus which installs itself whenever > you place an infected disk in the drive and do a DIR command ? Boy, I was hoping this one would go away but was rong again. 1) No: You cannot contract a PC virus by doing a DIR, a virus must be executed. 2) Once you have executed a virus, it could take control of the PC and infect floppies in this manner as several people have pointed out, but you cannot BECOME infected in this manner. Padgett
Kevin_Haney%NIHCR31.BITNET@CU.NIH.GOV (06/24/91)
vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > > Is it possible to write a PC virus which installs itself whenever > you place an infected disk in the drive and do a DIR command ? Yes. But on a PC this requires certain conditions, which mean it probably wouldn't spread very far. Mark Aitchison, Physics, University of Canterbury, New Zealand. I would like to know just what these conditions are. If you have an clean, uninfected system with the normal system files, COMMAND.COM, etc., I would think that it is impossible to infect system memory or another disk by doing a directory listing on an infected diskette. (Of course, if you don't have a clean system with unmodified system files, anything can happen.) At no time does COMMAND.COM transfer program control to any executable code on a diskette when it does a directory listing via the DIR command. It looks at the diskette's root directory, files, and all other areas of the diskette as pure data. There is no way for a virus to become activated and infect a system if control is not passed to it at some point. With regard to the comment about the Stoned virus behaving this way, Stoned will infect a diskette if you do a DIR on it from a system which has the virus active in memory (as will most other memory-resident viruses). The only way for it to become active is by booting a system from an infected floppy or hard disk - it cannot become active if you do a DIR on an infected diskette from a clean system. And I would venture to say that this holds true for viruses in general.
frisk@rhi.hi.is (Fridrik Skulason) (06/25/91)
>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > Is it possible to write a PC virus which installs itself whenever >you place an infected disk in the drive and do a DIR command ? Not only possible - many such viruses already exist. They are either boot sector infectors which intercept INT13 and infect a disk whenever it is read from, or file infectors which intercept the FindFirst/FindNext functions - the DIR and DIR-2 viruses are a prime example. - -frisk
kenm@maccs.dcss.mcmaster.ca (...Jose) (06/26/91)
frisk@rhi.hi.is (Fridrik Skulason) writes: >>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes : >> Is it possible to write a PC virus which installs itself whenever >>you place an infected disk in the drive and do a DIR command ? > >Not only possible - many such viruses already exist. They are either boot >sector infectors which intercept INT13 and infect a disk whenever it is read >from, or file infectors which intercept the FindFirst/FindNext functions - >the DIR and DIR-2 viruses are a prime example. I'm not sure that this (very correct) answer actually responds to the question. If I'm not mistaken, the question is whether a virus on a diskette can infect the system/hard drive simply by doing a DIR of the infected diskette; ie. can simply reading the infected disk cause the virus to be loaded into memory. I can't see how. Mr. Skulason, I think, is referring to a virus already in memory subverting the DIR command to place itself on a clean diskette. Have I interpretted everyone's statements correctly? ....Jose - ----------------------------------------------------------------------------- ".sig quotes are dippy"|Kenneth C. Moyle kenm@maccs.dcss.mcmaster.ca - Kenneth C. Moyle |Department of Biochemistry MOYLEK@MCMASTER.BITNET |McMaster University ...!uunet!mnetor!maccs!kenm
p1@arkham.wimsey.bc.ca (Rob Slade) (06/26/91)
dkrause@miami.acs.uci.edu (Doug Krause) writes: > vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes > # > # Is it possible to write a PC virus which installs itself whenever > #you place an infected disk in the drive and do a DIR command ? > > Doesn't STONED act that way? Well, yes and no. (Parenthetically here, let me state that it is hard to state with much assurance "what 'Stoned' does", since it must be the most widely "strained" viral program around today. But anyway ...) The Stoned virus usually will infect any disk that you "read" with a DIR command. But, in fact, it will infect just about any disk that it does access, regardless of how it does it. That said, the various strains show tremendous differences. I have one which will only infect disks in the A: drive, and another which refuses to infect anything unless som{ odd conditions{are satisfied. (I haven't figured them out compltely, but one sure way to infect a di{k is to read it with PCTOOLS.) {(Sorry for the line noise today.) ============= Vancouver p1@arkham.wimsey.bc.ca | "If you do buy a Institute for Robert_Slade@mtsg.sfu.ca | computer, don't Research into (SUZY) INtegrity | turn it on." User Canada V7K 2G6 | Richards' 2nd Law Security | of Data Security
PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) (06/26/91)
Kevin_Haney%NIHCR31.BITNET@CU.NIH.GOV writes: > vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) > writes: >> >> Is it possible to write a PC virus which installs itself whenever >> you place an infected disk in the drive and do a DIR command ? I wrote... > Yes. But on a PC this requires certain conditions, which mean it > probably wouldn't spread very far. > > I would like to know just what these conditions are. I'm not sure if I should broadcast the way in which a virus could do this, but I suppose I could mention the conditions... (1) Have ANSI.SYS (or similar) loaded, (2) Possibly make assumptions about what the user will type next, (3) Assume the user doesn't look too hard at the directory listing. I would expect such a virus, if it can be written, to have a low chance of spreading far. However, it is important to accept that *possibly* a virus could spread on PC's this way. Mark Aitchison.
frisk@rhi.hi.is (Fridrik Skulason) (06/26/91)
It seems I misunderstood a question which was posted here a while ago, so please disregard my earlier reply.... >vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: > Is it possible to write a PC virus which installs itself whenever >you place an infected disk in the drive and do a DIR command ? I wrote: >Not only possible - many such viruses already exist. They are either boot >sector infectors which intercept INT13 and infect a disk whenever it is read >from, or file infectors which intercept the FindFirst/FindNext functions - >the DIR and DIR-2 viruses are a prime example. But, as I said, this was a misunderstanding - I thought the original poster meant whether a resident virus could infect a diskette simply when the user issued a 'DIR' command. However, the question was whether a virus-infected diskette could infect the system, when the user issued a 'DIR' command. The answer to that question is a definite NO - on a PC, that is - but I am not sure if the same applies to the Amiga or the Mac - perhaps somebody else can clarify that. Sorry about any confusion caused by my earlier reply... - -frisk
PJML@ibma.nerc-wallingford.ac.uk (Pete Lucas) (06/26/91)
Most DOS PCs do not implement a hardware 'media change' flag, so they do not know that a diskette has been inserted until you try reading from it. (this is unlike an Apple Mac that has a 'media change' sense on its diskette drive). A virus doesnt 'know' that a new diskette has been inserted on a PC until the virus has had a look at whats there. Of course the write-protect notch/slide is 99.99% effective in my experience at preventing any illicit writes; you would, of course, have write-protected any diskette you put in the drive before doing the hypothetical DIR command, wouldnt you? (I do actually have a notchless diskette that on *some* drives can be written to - the diskette jacket is semi-transparent and on drives that use optical notch-sensing, enough light *sometimes* gets past to make the thing writable.... oh confusion!) Pete Lucas PJML@UK.AC.NWL.IA PJML%IA.NWL.AC.UK@UKACRL
c-rossgr@microsoft.COM (06/27/91)
>From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) > >vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: >> >> Is it possible to write a PC virus which installs itself whenever >> you place an infected disk in the drive and do a DIR command ? >1) No: You cannot contract a PC virus by doing a DIR, a virus must be executed . There is at least one batch file running around that, when you "exec" it, it turns into a virus. If a machine is using ANSI.SYS, it is possible to rename files to provide for reprogramming the keyboard. An argument can be made that causing the, say, F3 key to execute some program or some some batch file due to it being reprogrammed could mean that doing a simple directory could later *cause* a virus to be executed. Ross
thomas@diku.dk (Thomas Nikolajsen) (06/27/91)
frisk@rhi.hi.is (Fridrik Skulason) writes: >>vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes : >> Is it possible to write a PC virus which installs itself whenever >>you place an infected disk in the drive and do a DIR command ? >The answer to that question is a definite NO - on a PC, that is - but >I am not sure if the same applies to the Amiga or the Mac - perhaps >somebody else can clarify that. Amiga : yes it is possible, and done, I only know of one virus which does that, this one is called SADDAM. The "bug" that allows the method used by SADDAM is fixed in the (more or less released) new version of the operating system (AmigaDOS 2.0). I don't think it should be possible in AmigaDOS 2.0. >- -frisk thomas
padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) (06/28/91)
Good grief - this question reminds ne of John Carpwenter's "The Thing", it just will not die. >> Is it possible to write a PC virus which installs itself whenever >> you place an infected disk in the drive and do a DIR command ? NO, NEIN, NON, NEGATORY - you cannot write a virus to infect when an uninfected PC does a DIR of an infected floppy disk (unlike the Macintosh) I don't care about batch files (which also execute, just interpretedly), ANSI control sequences (which also execute), or 1-2-3 macros. In order to subvert the DIR command (not that difficult) something MUST execute and a PC will mot execute ANYTHING without being commanded to (boots result from a microcoded command designed into the CPU - part of the reason for the 640k "barrier". Of course, once resident, code can tell the processor to do anything it is capable of doing via software, the operating system doesn't care, and at any time. You want the PC to play "Yankee Doodle" at 5 pm? easy. You want all the letters to fall down in a pile on the bottom of the screen every half hour ? trivial. But they all must execute first and that takes human help either by leaving a floppy in A when booting, or by executing an infected file (.COM, .EXE, .BAT, .WK1, .SYS, .APP, or whatever). If DIR could infect, it would be easy for an infected user to say both/he/it she just put the disk in the drive to see what it was, but no, they HAD to have tried to run "ASTROT*T" or "Kermit vs the Naked Nazi Nymphs" or "1ON2" or that un-tested program with the hand-lettered label in Arabic/Swahili/Kanjii. While software commands could be hidden in a batch file with sequences that would prevent reading by TYPE (but not from LIST or even WordStar) and be passed as an unscannable uuencoded, packed, compressed file, at some point some person had to tell it to execute whether or not they knew thay were doing so. Only then can a virus (or any other malicious software) infect a PC. Padgett If this doesn't kill the subject, I'll have to use a lead pipe.
walker@aedc-vax.af.mil (William Walker C60223 x4570) (06/28/91)
Steven van Aardt (vanaards@project4.computer-science.manchester.ac.uk) writes: > Is it possible to write a PC virus which installs itself whenever > you place an infected disk in the drive and do a DIR command ? Lots of people replied: > Yes. But A. Padgett Peterson (padgett%tccslr.dnet@mmc.com) replies: > No ... you cannot BECOME infected in this manner. Padgett is right. To infect a PC, viral code must be executed from the medium on which it is stored. The DIR command does not execute any code from the disk or diskette it is viewing, but just displays the information contained in the sectors of the requested directory or subdirectory. Therefore, if you do a DIR of an infected diskette on a clean PC, there is no way to infect the PC. Someone else has mentioned the possibility of renaming a file to contain ANSI.SYS codes for remapping the keyboard, but this would not be transparent to the user, as the remaining information (date, time, and size) would be shifted to the left. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | "Non sequitur -- your facts are Arnold Engineering Development Center | un-coordinated." M.S. 120 | -- NOMAD Arnold Air Force Base, TN 37389-9998 |
GLWARNER@SAMFORD.BITNET (THE GAR) (06/28/91)
>From: Doug Krause <dkrause@miami.acs.uci.edu> >> >vanaards@project4.computer-science.manchester.ac.uk (Steven van Aardt) writes: ># ># Is it possible to write a PC virus which installs itself whenever >#you place an infected disk in the drive and do a DIR command ? > >Doesn't STONED act that way? > >Douglas Krause One yuppie can ruin your whole day. NO! Stoned does NOT act that way. At least if I am understanding the question properly. If I am, then the virus is impossible. Let me make sure I understand. We have booted from some drive, C, and are now, after the COMMAND.COM from C has been loaded, doing a DIR on some infected disk, A. The question is, can the infected disk A, infect C. NO. The code that is being executed is in RAM, not on drive A. Without executing any code from A, we cannot invoke a virus. STONED works by executing the boot sector on the infected drive A, but this can only happen at boot time, not by executing a DIR command. Macintosh's CAN infect C from A in the above case, because inserting a disk executes the DESKTOP program on that disk. If the DESKTOP on A is infected, getting a listing will give you the virus (WDEF usually!) /++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\ ! Later + Systems Programmer ! ! Gary Warner + Samford University Computer Services ! ! + II TIMOTHY 2:15 ! \+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/