VIRUS-L Digest Tuesday, 31 Jan 1989 Volume 2 : Issue 32 Today's Topics: CP/M viruses? Re: "FRG Nazi virus" / relevance to computer virus discussions INIT 29 further information and corrections (Mac) --------------------------------------------------------------------------- Date: Tue, 31 Jan 89 05:03-0500 From: David.Slonosky@QueensU.CA Subject: CP/M viruses? This may seem like a ridiculous question, but I just recently received a CP/M based computer (for free), and am wondering if any CP/M viruses were ever reported. Was there a "Dirty Dozen" of CP/M software? (Yeah, ya can quit gigglin' any time now!) :-) __________________________________ | | David Slonosky/QueensU/CA,"",CA | Know thyself? | SLONOSKY@QUCDN | If I knew myself, I'd run away. | |__________________________________| ------------------------------ From: J.D. Abolins Date: 31 Jan 89 Subject: Re: "FRG Nazi virus" / relevance to computer virus discussions While I found the posting useful for an article I am writing about misuses and abuses of computer technology, the posting had little relevance to the VIRUS-L discussion list. A far better spot for it would be RISKS DIGEST; in fact this subject was brought up in recent issue of RISKS. The programs mentioned are not, repeat, are not computer viruses. (They are, so to say, the viruses of the soul, but not of computers.) These obnoxious programs are "free standing" programs. As for FRG laws restricting such materials, there are major reasons for it. If you would like to discuss this subject further, you're welcome to doit off-line by e-mail to me. [Ed. True, the actual programs had nothing to do with viruses. However, the article that was cited called them viruses, and I don't believe that a mention of that here was out of line. It points out the fact that the public is very confused over viruses, and that the media is (apparently inadvertantly) only making matters worse. Nonetheless, any discussions on FRG laws, etc., should be done elsewhere, as Mr. Abolins suggests. J.D., please include your network address on your From: line, if possible. Thanks.] ------------------------------ Date: Tue, 31 Jan 89 08:46:42 -0500 From: Joel B Levin Subject: INIT 29 further information and corrections (Mac) There have been a few misconceptions floating around about INIT29 and how it works. It is quite virulent, spreading at the drop of a hat, and I don't want to minimize it; but there is a slight bit of overstatement in what I have read and I want to try to correct it a bit. 1. If you have booted from a clean system (System file and INIT, cdev, and RDEV type files are all clean), then you are running clean. Nothing will happen if you put an infected disk in your drive, if you look at an infected file with ResEdit or copy a file. The ONLY thing which does damage while you are running clean is to run an infected application. Doing so will infect your CURRENT System file. That's all it will do (not that it isn't enough); you will still be running clean afterward. Rebooting with an infected system file is necessary before the serious damage starts. 2. Booting from an infected system disk (one or more of your System file and the INIT, cdev, and RDEV type files IN YOUR SYSTEM FOLDER are infected) will cause your system to run dirty, i.e. with OpenResFile patched to infect anything it opens. Now you are in a state when merely opening any file with a resource fork will infect it with either an INIT 29 resource (if there is no CODE 0 resource) or with a new CODE resource (if there is a CODE 0 resource). It is thus true that merely inserting a floppy disk (under Finder, not necessarily in applications, which might not cause the Desktop file to be opened) a copy of INIT29 "infects" the Desktop file on that disk. And any documents or other miscellaneous files which are opened for any reason are likely to have an INIT29 written into them. However, the only significant INIT29's are those written into the System file or into a type INIT, cdev, or RDEV file in the system folder. In other files the INIT29 resource is less like an infection than like a benign tumor - -- it takes up space, is neither useful nor harmful, and sometimes gets in the way of something and causes it to break. [This doesn't mean that some future virus couldn't activate it somehow.] 3. The only sure way to deal with INIT29 at this moment is to have a completely clean system on a hardware LOCKED diskette, complete with a detection tool like VirusDetective. All copies of INIT29 may be safely removed. All infected applications should be deleted and restored from locked master disks (you did keep those around, of course, and locked :-)). At this moment I know of no available programs capable of properly removing the infection from an application-like file (i.e. has a CODE 0 resource), including Virex; but I guarantee you there will be one or more available before long. /JBL ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253