[11951] in APO-L
Viruses in Data Files--how it's done...
daemon@ATHENA.MIT.EDU (packy)
Tue Apr 18 16:00:31 1995
Date: Tue, 18 Apr 1995 15:55:46 -0400
Reply-To: anderpa@rpi.edu
From: packy <anderpa@rpi.edu>
To: Multiple recipients of list APO-L <APO-L@VM.CC.PURDUE.EDU>
Ok, folks, I'm not an expert on viruses, but I'll take a crack at explaining
things. If you're not interested in an explanation of HOW, then delete
now and read your other messages. I'm hoping that an explanation of things
will provide insight, and avoid a lot of arguing on the list.
All e-mail is data, and that data is read and interpreted by a mailer
program, be that elm, Pine, mail, VMS Mail, Eudora or whatever you're
using. When you read a mail message, the mailer looks at the data and
presents it on the screen; it doesn't execute any portion of that data
as a program.
What about MIME, you ask? Well, MIME (or Multipurpose Internet Mail
Extensions) is a standard that allows mailers to encode graphical and
sound data in a standard manner that will allow all other MIME-compliant
mailers to interpret the data. Part of the deal is the MIME-compliant
mailer needs programs to be able to display the data: for instance, my
version of Pine that I use at Russell Sage can recognise that I've been
sent a .GIF file, but since I don't have a .GIF viewer I'm out of luck.
So, for all intents and purposes, mail messages cannot spread viruses.
"But I have a friend who..." I hear. OK, here's how it can happen.
For those of you who have never used a Macintosh, a very short introductory
discourse on Mac usage. The Macintosh uses a graphical user interface,
where both programs and data files appear as little pictures on the screen.
These pictures are called ICONS. Now, every Mac data file contains
information on what kind of application created it: graphical files know
that they're graphics files, word processing files know they're word
processing files, sound files know that they're sound files. Now one of
the ways to run a program and load a data file is to point to the icon that
denotes the program and click on it. The program will load, and ask you if
you want to load a data file. You then specify the data file, the program
loads it, and everyone's happy.
There is another, much quicker way, that the Apple people came up with.
Since every data file knows what kind of data file it is, why not allow it
to load the application itself? If you click on a data file's icon on a
Mac, the operating system will look at what kind of file it is, determine
what the proper application should be, load that application and then load
the data file into that application. Neat, eh?
Here's where the virus problem comes in. Some smart aleck discovered that
he could disguise a program _AS_ a data file. When somebody clicked on one
of these programs (thinking it was a cool graphic or a neato sound) the
operating system, seeing that it was a program, dutifully ran that program.
The program, which is in fact a virus, would run, infect the system, and
then, just so the person who unwittingly ran the virus wouldn't suspect
something, load up the graphics viewer or sound player and put a graphic or
sound into it. This way, all the data files on a system could be converted
from data files to data-carrying virus programs.
All this comes from the Mac's command for "run a program" being the same as
"run the application for this data file and load this into it": pointing at
an icon and clicking. Now in all mail readers, there isn't that option.
All data coming in over the net is treated as DATA; none of it is ever run
as a program. The worst thing that can happen while you're reading e-mail
is for you to read a message that contains data that makes your reader
choke up and die (or, if you're on a terminal, make your terminal go into
self-test mode). If that ever happens, kill your mail reader (or turn off
your machine), go back in and delete the message.
I hope that this has cleared up some confusion. If anybody has questions,
I would be happy to answer them via PERSONAL e-mail; I may not know the
answers, but I'll bet dollars to doughnuts that if I don't I know someone
who does. In any case, the question will be answered.
In Leadership, Friendship and Service,
Yours Fraternally,
-packy
+--------------------------------------------------------------------------+
| packy, EZ alum anderpa@rpi.edu |
| Nat#240135, Chap#797, Life#16015 1516 Jacob Street |
| Section 88 Staff Troy, NY 12180 |
| ABX Section Representative W: (518) 436-2754 |
| Russell Sage Contact Group H: (518) 274-5939 |
+--------------------------------------------------------------------------+
| APO at Sage via WWW! http://www.rpi.edu/~anderpa/aposage.html |
+--------------------------------------------------------------------------+
| RUSSELL SAGE: "Not a GIRLS' SCHOOL without MEN; |
| A WOMEN'S COLLEGE without BOYS." |
+--------------------------------------------------------------------------+
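The post's central point is that a file's claimed type (a "cool graphic or a neato sound") says nothing about what its bytes actually are. As an added illustration that is not part of packy's message, here is a small stdlib-only check that parses a MIME message and flags attachments whose leading bytes do not match the content type they declare; the message, the attachment names and the magic-byte table are constructed for the example.

```python
import email
from email.message import EmailMessage
from email.policy import default

# Leading bytes a file of each declared type should start with (constructed, partial table).
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "audio/basic": (b".snd",),  # Sun/NeXT .au, a common 1990s mail sound format
}


def mismatched_attachments(raw: bytes) -> list:
    """Return (filename, declared_type, reason) for every attachment whose bytes
    do not look like the type it claims. Treat anything flagged as opaque data."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        fname = part.get_filename()
        if fname is None:
            continue  # inline body text, not an attachment
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        expected = MAGIC.get(ctype)
        if expected is None:
            findings.append((fname, ctype, "no magic known; treat as opaque data"))
        elif not payload.startswith(expected):
            findings.append((fname, ctype, "header bytes do not match declared type"))
    return findings


def build_sample() -> bytes:
    """Construct a two-attachment message: one honest GIF and one file that only claims to be a GIF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed addresses
    msg["To"] = "list@example.invalid"
    msg["Subject"] = "cool graphic"
    msg.set_content("Check this out.")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image", subtype="gif", filename="real.gif")
    # Constructed bytes that are not a GIF header, sent under a GIF label.
    msg.add_attachment(b"\x00\x01\x02\x03" + b"\x00" * 16, maintype="image", subtype="gif", filename="neato.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in mismatched_attachments(build_sample()):
        print(finding)
```

The mailer in the post refuses to execute anything it receives; this check adds the second half of that defence, refusing to hand a part to a viewer unless its bytes agree with its label.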