XRJDM@SCFVM.GSFC.NASA.GOV (Joe McMahon) (09/11/90)
Um, I hate to dispute your point that *everything* should be checked, but soundfiles (be they "snd " resources or FSSD/SFX! files from SoundEdit) have no executable code and can't be infected by nVIR. Are you sure that, say, SoundPlay, wasn't on the disk as well?

 --- Joe M.
76476.337@CompuServe.COM (Robert McClenon) (09/20/90)
Another correspondent made the following comments in response to my description of a virus in a sound effect file.

> Um, I hate to dispute your point that *everything* should be checked,
> but soundfiles (be they "snd " resources or FSSD/SFX! files from
> SoundEdit) have no executable code and can't be infected by nVIR. Are
> you sure that, say, SoundPlay, wasn't on the disk as well?

1. On checking with the coworker and his manager, it seems that the sound file was really a modified "Sound" cdev Control Panel File, which does contain executable code. Of course, anyone should have known that a cdev is executable.

2. There were other files on the disk, and they may have included a desk accessory or sound editor that may have also had nVIR.

3. The real problem is of course that he had Virex installed and didn't use it.

4. It is true that nVIR only infects executable code. But other Macintosh viruses affect other types of resources. Therefore: Check everything.

5. Free software is worth LESS than you paid for it if it has viruses.

Robert McClenon
Neither my employer nor anyone else paid me to say this.
alexis@cmcl2.nyu.edu (Alexis Rosen) (09/25/90)
Look, this whole discussion of nVIR in sound files is bogus. nVIR and its variants can only *infect* applications (including Finder and DA Handler) and the system file. Of course, it can *affect* anything.

The assertion that you should check everything is fairly decent advice for beginners, but there are definitely many types of files that will remain forever uninfectable. (That is, with a healthy contagious virus.) In general, these are data files which don't contain information which is interpreted as anything like instruction sequences by a fairly generic command processor. Yes, I know that that's a pretty vague definition, but it's pretty accurate too for all of that.

Note that this definition pretty much rules out ever having a complete active virus in a sound file (in the formats which we generally use. If someone were to invent a sound format that, like TrueType for example, were to consist of data and instructions, that might just possibly be excepted).

I wonder about how close a "command processor" has to be to a Turing machine in order to be able to spread infectious code. Some requirements are obvious, some are not.

Interestingly enough, this definition allows for viruses in English text. Of course, those viruses infect humans. Specifically, their brains. (Mention "memes" in sci.nanotech if you want to get flooded with info about this...)

---
Alexis Rosen
cmcl2!panix!alexis
pjc@sirius.melb.bull.oz.au (Paul Carapetis) (09/26/90)
Alexis Rosen said:

> The assertion that you should check everything is fairly decent advice
> for beginners, but there are definitely many types of files that will
> remain forever uninfectable. (That is, with a healthy contagious
> virus.) In general, these are data files which don't contain
> information which is interpreted as anything like instruction
> sequences by a fairly generic command processor. Yes, I know that
> that's a pretty vague definition, but it's pretty accurate too for all
> of that.

It is my belief that any file on the mac which is capable of displaying itself as an icon has executable code to do so. If this is true, then ANY file is open to infection by a virus designed to take advantage of this.

Of course, it is very possible that I have been mis-informed and the above premise is totally incorrect, in which case, I apologise in advance.

Any comments from knowledgeable mac users?

Blueskies,
| Paul Carapetis, Software Advisor (Unix, DOS)  | Phone: 61 3 4200944     |
| Melbourne Development Centre                  | Fax:   61 3 4200445     |
| Bull HN Information Systems Australia Pty Ltd |-------------------------|
| ACSnet  : pjc@bull.oz                         | What's said here is my  |
| Internet: pjc@melb.bull.oz.au                 | opinion (and its right!)|
XRJDM@SCFVM.GSFC.NASA.GOV (Joe McMahon) (09/28/90)
pjc@sirius.melb.bull.oz.au (Paul Carapetis) writes:

>It is my belief that any file on the mac which is capable of
>displaying itself as an icon has executable code to do so. If this is
>true, then ANY file is open to infection by a virus designed to take
>advantage of this.

This is incorrect. Display of icons is done by the Finder. The icons themselves come from a special resource file known as the Desktop, which is built incrementally as new files are written onto the disk. Icons are added to this file only when the new file contains what is known as a "bundle", a set of resources which map file types and creators to icons.

You can see this happen by copying a document for which you do not have the application onto a disk. The document will show up as the "generic document" (the dog-eared page icon). When the application to which the file belongs is added to the disk, the document will acquire its proper icon (the window in which it lives must be closed and reopened for this to happen).

You may have been confused by the description of some of the Mac viruses such as WDEF and CDEF. These viruses essentially override the "standard" resources of the same type, and add their virus code on top.

>Of course, it is very possible that I have been mis-informed and the
>above premise is totally incorrect, in which case, I apologise in
>advance.

No problem. We're always happy to educate.

 --- Joe M.
blob@Apple.COM (Brian Bechtel) (09/29/90)
pjc@sirius.melb.bull.oz.au (Paul Carapetis) writes:

>It is my belief that any file on the mac which is capable of
>displaying itself as an icon has executable code to do so. If this is
>true, then ANY file is open to infection by a virus designed to take
>advantage of this.

No. Icons consist of 32x32 bitmaps. An icon may be displayed for a file which has no resources at all, only data (for example, a plain text file.) Icons are displayed by the Finder, using a desktop database which ties a specific file type and file creator to a specific icon. No code is taken from the file itself.

For more information, read "The Finder Interface," chapter 1 of Inside Macintosh, volume III.

--Brian Bechtel    blob@apple.com    "My opinion, not Apple's"
Advanced Technology Group
Apple Computer, Inc.
kent@circus.camex.com (Kent Borg) (10/01/90)
pjc@sirius.melb.bull.oz.au (Paul Carapetis) writes:

>It is my belief that any file on the mac which is capable of
>displaying itself as an icon has executable code to do so. If this is
>true, then ANY file is open to infection by a virus designed to take
>advantage of this.

Yes and no.

No. A file requires no executable code to get its icon displayed on a Mac screen. If a file leaves the right data structures in its "resource fork" the Mac system will read those "resources", and display the correct icon for the file.

Yes. This is an avenue for infection. The resource fork is a very general purpose part of the Macintosh architecture. There are many different kinds of resources, and programmers can make up their own. Of these different resources, many are executable resources. When the Finder (the name of the Mac's "shell" program.) needs to display a window, it asks for the correct window definition, or "WDEF", resource. The WDEF virus hides in the desktop file, the place Finder looks for icons. If the Finder is looking in the desktop file and also needs to display a window, it will use the WDEF code to do it, and it will be tricked by the "implied loader" WDEF in the infected desktop file.

The Mac is different from other computers in many ways, but I think it is safe to say that no matter what, a virus needs to get *some* executable code run to actively do anything. That doesn't mean that the code has to be somewhere we expected to find it, and it doesn't mean that the virus must run to spread. It might find some extra space in a data structure which gets copied in the normal course of events. To become alive, it will have to be run at some point, but it might spread while dormant.

Back to the question of a virus hiding in a Macintosh sound:

First, the virus might somehow be on the disk which holds the sound. WDEF is perfectly happy to spread this way.

Second, Mac sounds don't have to be just raw digitized bits, they can contain "instructions" of a sort. I have not studied them very carefully, so I don't know whether they are powerful enough to support a virus. To be powerful enough, I think they must be equivalent to a Turing machine and they need access to the outside world. Anyone know a lot about Format 1 "snd " and "snth" resources?

>| Paul Carapetis, Software Advisor (Unix, DOS)  | Phone: 61 3 4200944     |
>| Melbourne Development Centre                  | Fax:   61 3 4200445     |
>| Bull HN Information Systems Australia Pty Ltd |-------------------------|
>| ACSnet  : pjc@bull.oz                         | What's said here is my  |
>| Internet: pjc@melb.bull.oz.au                 | opinion (and its right!)|

--
Kent Borg
internet: kent@camex.com    AOL: kent borg
H:(617) 776-6899    W:(617) 426-3577
"The prospect of their mass excites astrophysicists, who are always on the lookout for ways to make the universe heavier" -- The Economist, 9-22-90
alexis@cmcl2.nyu.edu (Alexis Rosen) (10/02/90)
pjc@sirius.melb.bull.oz.au (Paul Carapetis) writes:

>Alexis Rosen said:
>> The assertion that you should check everything is fairly decent advice
>> for beginners, but there are definitely many types of files that will
>> remain forever uninfectable. (That is, with a healthy contagious
>> virus.) In general, these are data files which don't contain
>> information which is interpreted as anything like instruction
>> sequences by a fairly generic command processor. Yes, I know that
>> that's a pretty vague definition, but it's pretty accurate too for all
>> of that.
>
>It is my belief that any file on the mac which is capable of
>displaying itself as an icon has executable code to do so. If this is
>true, then ANY file is open to infection by a virus designed to take
>advantage of this.
>
>Of course, it is very possible that I have been mis-informed and the
>above premise is totally incorrect, in which case, I apologise in
>advance.
>
>Any comments from knowledgeable mac users?

This is not correct. However, there was one small flaw in my conclusion, though not the idea behind it, which this reminds me of.

In fact, icons are *not* stored as executable code. It is easy to make a file with an icon that has no code. So that's not a specific route for a virus.

However, there is an important point I didn't make in the last posting. What I said was, a sound (as we currently know them) cannot be infected by any virus. This does *not* lead to the conclusion that a sound _file_ cannot be infected. The problem is the way that the Mac deals with resource forks. If you are an application and you--

Oh no. I've just invented a virus.

--fortunately, GateKeeper Aid (and probably SAM Intercept) will deal with it.

As I was saying, if you're an application and you open a resource file of any sort, for any reason, *all* of its resources, including CODE and various ?DEFs, get used in preference to yours. So you could write a virus that chose to live in any resource file, and it could spread very quickly.

In fact, there is one virus that will "infect" non-application resource files, including sounds, but it doesn't qualify, because the baby viruses are stillborn - not executable or infectious. It's called INIT 29.

Anyway, I stand by my first statement absolutely. No copy of nVIR will EVER infect a sound file. Ever. No exceptions.

BTW, somebody sent me mail a few days ago. It got badly mangled by the mailer (like when the post office sends you a cancelled stamp in a plastic bag and says "sorry about mis-handling your mail!") but it occurs to me now from the line or so that survived that it might have been a response to my first note. If it was, you might care to re-send.

---
Alexis Rosen
{cmcl2,apple}!panix!alexis
alexis@panix.uucp
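
Added example (not part of the original thread and not any poster's code): the posts above from Kent Borg and Alexis Rosen turn on the fact that a "sound file" is a resource file that can also carry executable resource types, so a scanner has to enumerate the types in the fork instead of trusting what the file claims to be. The sketch below walks a resource map using the resource fork layout documented in Inside Macintosh; the function names, the CODE_TYPES list and the sample fork are assumptions made for illustration.

```python
import struct

# Resource types that classic Mac OS loads and runs as code. Illustrative, not
# exhaustive: the types named in the thread plus a few other well-known ones.
CODE_TYPES = {b"CODE", b"WDEF", b"CDEF", b"MDEF", b"LDEF", b"INIT", b"cdev", b"DRVR"}

def list_resources(fork: bytes):
    """Return [(type, id), ...] for every resource in a raw resource fork."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    data_off, map_off, data_len, map_len = struct.unpack(">4I", fork[:16])
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("resource map lies outside the fork")
    rmap = fork[map_off:map_off + map_len]
    tl, = struct.unpack(">H", rmap[24:26])            # offset of type list in map
    ntypes = (struct.unpack(">H", rmap[tl:tl + 2])[0] + 1) & 0xFFFF  # stored as n-1
    found = []
    for i in range(ntypes):
        rtype, count, ref_off = struct.unpack(">4sHH", rmap[tl + 2 + 8 * i:tl + 10 + 8 * i])
        for j in range(count + 1):                    # also stored as n-1
            ref = tl + ref_off + 12 * j               # 12-byte reference entries
            found.append((rtype, struct.unpack(">h", rmap[ref:ref + 2])[0]))
    return found

def executable_resources(fork: bytes):
    """Resources whose type means 'code', whatever the file claims to be."""
    return [(t, rid) for t, rid in list_resources(fork) if t in CODE_TYPES]

def build_fork(resources):
    """Build a constructed sample fork from [(type, id, payload)], one per type."""
    n = len(resources)
    data = b"".join(struct.pack(">I", len(p)) + p for _, _, p in resources)
    types, refs, doff = b"", b"", 0
    for k, (rtype, rid, payload) in enumerate(resources):
        types += struct.pack(">4sHH", rtype, 0, 2 + 8 * n + 12 * k)
        refs += struct.pack(">hHB", rid, 0xFFFF, 0) + doff.to_bytes(3, "big") + b"\0" * 4
        doff += 4 + len(payload)
    tlist = struct.pack(">H", (n - 1) & 0xFFFF) + types + refs
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(tlist)) + tlist
    header = struct.pack(">4I", 256, 256 + len(data), len(data), len(rmap))
    return header + b"\0" * 240 + data + rmap

# Constructed sample: a "sound file" fork that also carries a WDEF. Payloads are
# placeholder zero bytes, not real sound data or code.
SAMPLE = build_fork([(b"snd ", 128, b"\0" * 8), (b"WDEF", 0, b"\0" * 4)])

if __name__ == "__main__":
    for rtype, rid in executable_resources(SAMPLE):
        print("code-bearing resource:", rtype.decode("mac_roman"), rid)
```

A fork holding only a 'snd ' resource yields an empty result, while the same fork with a WDEF added is flagged on the resource type alone.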
pjc@sirius.melb.bull.oz.au (Paul Carapetis) (10/04/90)
Thank you to all who have set me straight on mac icons. I now better understand the mechanics in use and you have inspired me to do some study on the internal operations of the mac. This will be directly useful as there are several macs in my area that fall into my area of responsibility.

Thanx again,
| Paul Carapetis, Software Advisor (Unix, DOS)  | Phone: 61 3 4200944     |
| Melbourne Development Centre                  | Fax:   61 3 4200445     |
| Bull HN Information Systems Australia Pty Ltd |-------------------------|
| ACSnet  : pjc@bull.oz                         | What's said here is my  |
| Internet: pjc@melb.bull.oz.au                 | opinion (so I am told!) |