echo: os2prog
to: Clemens Anhuth
from: David Noon
date: 1995-01-03 01:18:00
subject: Virus Strategies

On Friday, 12-30-1994  Clemens Anhuth wrote to All about "Virus
Strategies" as follows:

CA> amiga users will certainly remember the virus (forgot its name)
CA> that only looked up the name of the first program executed in
CA> startup-sequence (startup.cmd in os/2) and simply copied the

Hi Clemens,

The first files accessed during the bootstrap of OS/2 are OS2BOOT,
OS2LDR and OS2KRNL. These are locked by the file system while OS/2 is
active and cannot be modified. The STARTUP.CMD does not even have to
exist; if it does exist, the most sophisticated it can be is a REXX
exec. There is no way that a REXX exec can access the low-level
functions needed to create virus-like behaviour.

CA> it renamed the original file to this "invisible" name because the
CA> amiga operating system was that straightforward and small that
CA> after a few months of close work with it a normal person could
CA> tell which is an original os file and which is not and thus the
CA> virus would have been detected much more easily. under os/2 though
CA> one would not have to mind too much about this as the os consists
CA> (on my machine) of about 1300 files and directories (!) which take
CA> up about 39mb (!) thus that the chance of being visually detected
CA> is rather low.

The sheer size of OS/2 does make it a large haystack in which to
hide/find a needle. However, a decent virus scanner should be able to
maintain an inventory of the system directories, especially if it
assigns an extended attribute to valid system files; any "intruder"
would lack this EA (its name and content should be machine-specific)
and be readily identified. It should also checksum or CRC any text
files (such as CONFIG.SYS and STARTUP.CMD) so that any background
tampering with these can be detected.

These are not the only strategies that could be employed to protect
against viruses.

CA> imagine a guy like me: testing and having a look at ca. 2 programs
CA> per day (os/2 shareware, freeware, pd, etc. which arrives via
CA> mailbox and file-net). how about one of these files being a trojan
CA> horse which does a rather dummy task (which must be appealing to
CA> others as well, maybe a little tetris game...) but which copies a
CA> special device driver into one of os/2's directories and enters
CA> it into config.sys as well, maybe using a good-sounding name like
CA> "KBDBASE2.SYS", thus installing the viral device driver at next
CA> bootup.

See the previous paragraph about protecting CONFIG.SYS and device
driver executables.

[text deleted]

CA> additionally the trojan horse could look up the startup drawer.

The Startup folder requires SOM programming to access, since it is not
a folder like a directory, but a bunch of EA's attached to the
Desktop's OS/2 System folder and meaningful to the WorkPlace Shell. This
would make a virus the size of a whale. Also, people who use shells like
TSHELL, instead of the WorkPlace Shell, do not even have a Startup
folder.

What you have described here are strategies for damaging a user's
system, but not for further infecting other systems. This is not true
virus behaviour, since it doesn't spread.

I am not certain that it is totally impossible to code a virus for
OS/2. However, it is very difficult. Furthermore, I believe any code
that could implement virus-like behaviour under OS/2 would be so large
that the cost of downloading it would be sufficient to attract the
user's attention.

Regards

Dave

 * KWQ/2 1.2i * We now return to our regularly scheduled flame-throwing.
--- Maximus/2 2.02
* Origin: OS/2 Shareware BBS, Fairfax, VA: 703-385-4325 (1:109/347)
SEEN-BY: 12/2442 620/243 624/50 632/348 640/820 690/660 711/409 410 413 430
SEEN-BY: 711/807 808 809 934 942 949 712/353 515 713/888 800/1 7877/2809
@PATH: 109/347 2 7 3615/50 229/2 12/2442 711/409 808 809 934
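The inventory-and-checksum scheme Dave sketches above (a machine-specific mark on every known system file, so an intruder lacking the mark stands out, plus a content check on CONFIG.SYS and STARTUP.CMD) can be shown end to end. The Python below is an added example and is not code from this thread or from any OS/2 scanner. It assumes a per-machine secret key standing in for the machine-specific extended attribute, and it builds a constructed temporary directory tree whose file names and contents are invented for the demonstration; it then replays the trojan scenario from Clemens's message (dropping KBDBASE2.SYS and appending a DEVICE= line to CONFIG.SYS) and reports what the check catches.

```python
"""Baseline-and-verify integrity check modelled on the post's suggestion.
Added example, not from the original post. Assumptions: a per-machine
secret key plays the role of the machine-specific EA; the directory tree
and its file names are constructed for the demo."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def mark_for(relpath: str, digest: str, machine_key: bytes) -> str:
    # The post wants the EA's name and content to be machine-specific. Here the
    # mark is an HMAC keyed with a per-machine secret over the path and content
    # hash, so a mark copied from another machine or forged without the key
    # does not verify.
    msg = f"{relpath}\0{digest}".encode()
    return hmac.new(machine_key, msg, hashlib.sha256).hexdigest()


def build_baseline(root: Path, machine_key: bytes) -> dict:
    """Inventory every file under root and record its mark."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = mark_for(rel, file_digest(p), machine_key)
    return baseline


def check_tree(root: Path, baseline: dict, machine_key: bytes) -> dict:
    """Compare the tree against the baseline: new files have no mark on record
    (intruders), files whose mark no longer verifies were tampered with."""
    report = {"added": [], "modified": [], "missing": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        expected = baseline.get(rel)
        if expected is None:
            report["added"].append(rel)
            continue
        actual = mark_for(rel, file_digest(p), machine_key)
        if not hmac.compare_digest(expected, actual):
            report["modified"].append(rel)
    report["missing"] = sorted(set(baseline) - seen)
    return report


def demo() -> dict:
    """Constructed scenario: a clean tree is baselined, then a trojan drops
    KBDBASE2.SYS and appends a DEVICE= line to CONFIG.SYS."""
    machine_key = os.urandom(32)  # in practice kept where only the scanner can read it
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "OS2" / "BOOT").mkdir(parents=True)
        (root / "CONFIG.SYS").write_bytes(b"DEVICE=C:\\OS2\\BOOT\\KBDBASE.SYS\r\n")
        (root / "STARTUP.CMD").write_bytes(b"@echo off\r\n")
        (root / "OS2" / "BOOT" / "KBDBASE.SYS").write_bytes(b"MZ" + b"\x00" * 62)
        baseline = build_baseline(root, machine_key)

        # Trojan activity: new driver with a plausible name, CONFIG.SYS edited.
        (root / "OS2" / "BOOT" / "KBDBASE2.SYS").write_bytes(b"MZ" + b"\x90" * 62)
        with (root / "CONFIG.SYS").open("ab") as f:
            f.write(b"DEVICE=C:\\OS2\\BOOT\\KBDBASE2.SYS\r\n")

        return check_tree(root, baseline, machine_key)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where the checked system cannot rewrite it (or be signed with the same machine key), otherwise a trojan that edits CONFIG.SYS can re-baseline just as easily; that is the same reason the post wants the EA's name and content to be machine-specific rather than a fixed marker any program could copy.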

SOURCE: echomail via fidonet.ozzmosis.com
