culliton@uunet.UU.NET (Tom Culliton) (04/06/90)
RKARRAS@PENNSAS.UPENN.EDU (Dr. Ruth Mazo Karras) writes: > I have heard of a concern that text files (consisting of plain ASCII text) > may contain viruses. I had thought that only executable files such as > *.com or *.exe files were subject to viruses. Which view is right? Is there > risk in moving a text file from a mainframe to a PC? How many times has this question been answered? If you can't execute the file or run it via an interpreter it can't carry a virus. If its source code for a compiler or interpreter the danger is present that it contains malicious instructions but visual inspection can quickly settle that. Most viruses are on PC class machines and are specific to one architecture. Moving a text file from a mainframe to a PC is about as safe as you can get without typing with c*****ms on your fingers. The rest is all chicken little syndrome from people who don't know what they're talking about. (Sorry if that sounded a bit hot, I've been fighting a running battle with the chicken little types about it.) BTW, Modem viruses and setup memory viruses are also fictional for the same reason, its simply not possible to execute them.
peter@ficc.uu.net (Peter da Silva) (04/07/90)
There's one class of text files that can easily carry viruses: program
source files. See my "usenet virus" article (first posted shortly
before the Internet Worm incident, reposted periodically whenever
assertions that text files or source code files are safe come up) for
more on this subject... or just consider the Obfuscated C Contest.
- --
_--_|\ `-_-' Peter da Silva. +1 713 274 5180. <peter@ficc.uu.net>.
/ \ 'U`
\_.--._/
vdjb@wjh12.harvard.edu (David J. Birnbaum) (04/07/90)
It is possible for a text file to contain ansi instructions to remap
your keyboard, e.g., mapping a format or a global delete command (with
the appropriate response to any y/n query) to a single key.
This is not a virus, but it can be considered a trojan horse.
The ansi command will only take effect if the file is typed to the
screen; merely having it around does no harm, nor does looking at it
with other types of file viewers.
Ansi commands will only work if you are running an ansi driver of some
sort. Keyboard remapping only works if you have configured your
ansi driver to allow it. I use PC Magazine's ansi.com version 1.3 and
configure it to disallow keyboard remapping.
- -David
============================================================
David J. Birnbaum djb@wjh12.harvard.edu [Internet]
djb@harvunxw.bitnet [Bitnet]
============================================================kelly@uts.amdahl.com (Kelly Goen) (04/08/90)
Agreed no NON executable file can be used to infect however another
technique without providing examples would be the case of a bat file
being used to feed debug along with infectious code(SMALL) being kept
beyond the EOF marker in the last allocated cluster... note all DOS
routines(I/O) read the Entire cluster(not just up to EOF...) this can
be quite a bit of spare space on present drives... more ambitious
schemes would be a triply/redundant encrypted shadow file system using
either Hamming or other ER schemes such as Reed Solomon...this could
be used to store quite sophisticated system
penetration/Interdiction/ICE-Breakers... with out visibility to
normal virus scanners(most use the FAT and/or Directory Structures to
analyze the disk...) this vunerability does in certain cases extend to
other OS's besides **-DOS.... Something indeed to think about....still
another reason to upgrade completely to MMU managed
architectures(386/486 etc) using the VM8086 model ...
cheers
kellywoody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) (04/10/90)
Macintosh datafiles, as I understand them, have 2 parts, a resource fork and a data fork. Anything in resource fork (so I've been told) can execute. Does this imply that one could bury a virus in the resource fork of a data file? I'm sure that this has been hashed over before. Cheers Woody
flaps@dgp.toronto.edu (Alan J Rosenthal) (04/10/90)
cdss!culliton@uunet.UU.NET (Tom Culliton) writes: >How many times has this question been answered? If you can't execute the file >or run it via an interpreter it can't carry a virus. A counterexample to this assertion is the wdef viruses on the macs. They are carried in the Desktop file which is a data file describing the layout of the windows. >If it's source code for a compiler or interpreter the danger is present that >it contains malicious instructions but visual inspection can quickly settle >that. You're saying that you can quickly read the source code to an entire compiler and understand everything it does? I find this extremely hard to believe. ajr
kellogg@prodigal.psych.rochester.edu (Carol K. Kellogg) (04/11/90)
In article 2076, woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) said, in part... >Macintosh datafiles, as I understand them, have 2 parts, a resource >fork and a data fork. Anything in resource fork (so I've been told) >can execute. Does this imply that one could bury a virus in the >resource fork of a data file? > Arrrgh...more Macintosh Myths. First, one minor correction..."the resource fork of a data file" is an oxymoron - data file usually implies information stored in the data fork (which is non-executable), and a resource file implies a file in which the information is stored in the resource fork (SOME of which is exexcutable). Not _EVERYTHING_ in the resource fork can be executed - only executable resources, such as CODE (actual program code) resources, WDEF (window definition), INIT (startup "terminate and stay resident" type of code), etc. The ONLY way to infect a Mac file is to put a virus in one of these executable resources. Many viruses add their own CODE resource, and then patch the jump table so that they're executed before the rest of the application. There is one virus that spreads infections via WDEF resources, but its fairly easy to guard against. Disinfectant (an excellent virus protection/repair) utility deals effectively with all the known viruses on the Mac. >Woody Lars Kellogg-Stedman kellogg@prodigal.psych.rochester.edu
trebor@biar.UUCP (Robert J Woodhead) (04/11/90)
woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) writes: >Macintosh datafiles, as I understand them, have 2 parts, a resource >fork and a data fork. Anything in resource fork (so I've been told) >can execute. Does this imply that one could bury a virus in the >resource fork of a data file? >I'm sure that this has been hashed over before. >Cheers >Woody Not quite. Resource forks contain resources. Some resources are "code- bearing" resources, some are data. Only code bearing resources could ever get executed. However, for this to happen, the system (or an app) has to decide it wants to do so. For a variety of technical reasons, it is extremely unlikely that this can be induced to occur. It might be possible to write a virus that infects a certain application only and once in that app can spread to others (that piggybacks on that target app's documents) but it would be an unreliable and difficult infection vector. Summary : very difficult, unreliable, not bloody likely PS: a semi-example of this "piggybacking" is WDEF, which depends on a quirk of the OS to get executed if it is in the desktop file. However, the desktop file is a very special file on a macintosh. - -- Robert J Woodhead, Biar Games, Inc. !uunet!biar!trebor | trebor@biar.UUCP Announcing TEMPORAL EXPRESS. For only $999,999.95 (per page), your message will be carefully stored, then sent back in time as soon as technologically possible. TEMEX - when it absolutely, postively has to be there yesterday!