john@uunet.UU.NET (John Goodman) (11/22/89)
I am puzzled by something. Last summer I recall seeing an article about a virus that infected spreadsheets. That's right, spreadsheets, not spreadsheet programs. (Sorry, I don't recall either the author's name or the name of the article. I was given a copy, so I am unsure where or even if it was printed for wide distribution.) The described virus's method of action was an auto-executing macro that was hidden somewhere in a large spreadsheet where it was unlikely to be noticed, yet whenever the spreadsheet was loaded it would "do its thing." Since, this author asserted, modern spreadsheet programs often have very powerful macro languages including access to DOS functions and running DOS programs and an auto-execute feature, it is possible to write a comparably powerful virus in this fashion. Naturally, such a virus would not be found by looking only at .EXE and COM files (plus the boot sector). It could only be found by looking inside the worksheets and knowing something of the nature of their storage of that kind of macro (a knowledge that would vary by the brand and release of the various spreadsheet program on the market). What puzzles me is that this author said he had withheld saying anything about his ideas along this line until he had actually seen a live sample of such a virus. Then he did experiments in his lab to confirm his notion of what was going on, then wrote it all up in the paper I saw. I have seen nothing here about this problem, nor do the VIRUSCAN programs look for any such viruses. Has anyone here seen such a virus? Are there any programs that do check for such? Is there anyone concerned about this (potential or actual ??) problem? I also note that a similar virus problem could manifest with bogus code being included in any source file that would be "run" through an interpreter on any computer system (which includes a lot of games in interpreted BASIC, often distributed in a fashion that makes it at least very difficult to list their contents), so we are not really only talking here about spreadsheets and PCs. I am not sounding an alert, as I have not seen any such virus myself. I am instead voicing a concern and asking for references to any programs that might help one protect one's computer(s) (PC systems in particular) against that sort of threat. - ----------------------------------------------------------------------------- John M. Goodman, Ph.D. GOOD CODE WORKS P. O. Box 746, Westminster, CA 92684-0746 (714) 895-3195 (voice) uucp: ...!lll-winken.llnl.gov!spsd!stanton!john - -----------------------------------------------------------------------------
dtroup@uunet.UU.NET (David C. Troup) (11/28/89)
stanton!john@uunet.UU.NET (John Goodman) writes: [talk about a non-executable virus] >Has anyone here seen such a virus? Ive been working on several virus (or worms) for the Apple since I read about them back in 86. Since all I had was an Apple IIe, I really had to come up with some weird ideas for implementation for my experiments. What I came up with (in church one night!) was to use a text file that could be EXEC'd from BASIC (or from the HELLO [startup] program on the boot disk) that would execute the commands in that text file. This text file would write a program to memory, that would go and patch other startup programs with the text file, or a smaller version of it. No assembly used (I was ignarant back then), and all of it was done in BASIC with the EXEC'able text files. The programs were REALY difficult to follow; commands that were writing commands to do DOS functions. But it worked, and I infected an entire BASIC.101 class in 2 days. By having the worms cross checking the copy counter (max==21), they "knew" when they got everyone, and promtly killed themselves without anyone knowing. We got computers, we're tapping phone lines, I know that that ain't allowed_ _______ _______________ |David C. Troup / Surf Rat_2600 hz__________ _______)(______ | |dtroup@carroll1.cc.edu : mail______________ _______________________________|414-524-6809(dorm)/7343(work)______________