XPUM04@prime-a.central-services.umist.ac.uk (Anthony Appleyard) (08/01/90)
There have been several bouts of discussion on Virus-L on the subject of
antivirals that spread like viruses. As far as I can tell from reading back
issues of Virus-L, a few antivirus viruses have been released, with varying
results:-
(1) Mac: The original nVIR deleted a system file, so a new nVIR was
released which killed the old one.
(2) PC: Den Zuk was released to kill Brain; it also killed obsolete
versions of itself. But Den Zuk had a bug, which made it delete data when
infecting small disks.
(3) Amiga: North Star (I & II), supposed to kill other viruses and nothing
else. It works like a normal bootblock virus, with two good exceptions. If
it finds an unknown bootblock (normally an auto-loading game), it DOESN'T
replace that bootblock, so the game keeps working. If it finds a virus on a
write-protected disk, it asks you to remove the write-protection.
(4) Amiga: System Z (3.0 & 4.0 & 5.0): boot sector virus, asks the user's
permission before infecting anything.
The arguments put against them are:-
(1) Ethics: System Z handles this point by asking the user's permission
before infecting.
(2) Risk of them malfunctioning and becoming ordinary harmful viruses: E.g.
Den Zuk. This point should be handled by thorough testing and debugging.
(3) Risk of them being hacked into harmful viruses: There are enough
ordinary harmful viruses about for virus-writers to hack at. Antivirus
viruses can be protected by some sort of internal checksum tested by
well-encrypted code, to test for unauthorized alteration.
The main inaccessible reservoir of virus infection is the many
microcomputers in private ownership, often used mainly by children and
teenagers, who are often ignorant of viruses, imagining that virus damage
is hardware malfunction or software bug or the way of the world, with no
hope of access to email or the usual channels of getting virus news and
antivirals. There are far too many of these micros for any sort of national
register to be kept of where each is kept, for a tester to go round them
like in a firm or a university. The only way that I can see of getting some
sort of antiviral well distributed among this widely scattered chronically
infested population, would be for the antiviral to distribute itself, i.e.
to spread like a virus. It is a choice of evils. For example, if Den Zuk
hadn't got the bug of malfunctioning on small disks, it would likely have
spread largely ignored, and flushed out the harmful Brain from most of the
places where it breeds in children's bedrooms among unsupervised IBM PCs
and casually-exchanged game floppies, until a Brain-infected videogame gets
run on a university or official or school computer and endangers important
programs and data.
{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Wed, 01 Aug 90 14:50:32 BST

CHESS@YKTVMV.BITNET (David.M.Chess) (08/02/90)
Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk> writes,
among other things:

> For example, if Den Zuk hadn't got the bug of malfunctioning on
> small disks, it would likely have spread largely ignored, and
> flushed out the harmful Brain from most of the places where it
> breeds...

I imagine there will be lots of flames on this, and I don't really want to
add to them (on the other hand, I don't want there to be no response to the
item, so here I am!).

I'm not sure if Mr. Appleyard means to imply that if the Den Zuk had only
been less buggy, it would have been a Good Thing; if that's the intent,
though, I'd like to disagree strongly! Any virus (with or without the Den
Zuk's Brain-removal, "logo" and other side effects) that messes around with
my system without my knowledge is a Bad Thing. It will eventually spread to
some place where it will do harm (a non-standard disk format that it doesn't
notice, but messes up; a new version of the op system that it's not
compatible with; or whatever). The only anti-virus virus that would be at
all defensible would be one that announced itself in large and unmissable
letters when first run, and gave the user the option (which I, personally,
would always exercise) to tell it to erase itself completely from the
system.

Even then, I don't entirely share Mr. Appleyard's confidence that there are
already so many sample viruses out there that one more won't provide budding
virus writers with extra education. I'm not certain that it would, but I
wouldn't want to take the chance...

DC

frisk@rhi.hi.is (Fridrik Skulason) (08/09/90)
In addition to the viruses described in the original posting, some of the
variants of Yankee Doodle are anti-virus viruses - they modify the Ping-Pong
virus, so it will self-destruct.

-frisk

--
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |