echo: os2prog
to: Clemens Anhuth
from: Pierre Vandevenne
date: 1995-01-04 10:13:54
subject: Virus Strategies

Hello Clemens,

 > Though I am concerned to talk about strategies that viruses
 > could use, I write this mail because some of you, even the
 > ones with a lot of technical understanding of OS/2 and
 > experience in programming, seem to have quite wrong ideas of
 > how a virus would have to work under OS/2 in order to do
 > damage.

You are quite right. OS/2 viruses actually do exist: about three or four
of them, I think. The source code for one of them was even published in the
40Hex electronic magazine (which used to be available on netcom.com). It was
a simple overwriting virus that corrupted the files it infected.

The biggest and only problem for an executable file infector under OS/2 is
to quickly find the entry point of a potential target. The so-called
security offered by the OS is very efficient in preventing infection at
execution time (like those DOS TSR viruses that hook int 21h fun 4bh and
infect files when they are executed) but is useless against direct-action
viruses (the virus is executed, searches for (unopened) targets, infects and
doesn't stay resident).

Also, under DOS, there is a kind of virus that's called
"companion" that takes advantage of the fact that COM files are
executed before EXE. All the virus has to do is to locate an xxxx.exe
file, put a copy of itself in the same directory, name it xxxx.com and make
it launch xxxx.exe. Under OS/2, the same could happen depending on the
execution order of the com, exe and cmd...
(which I am not aware of)

One last type of virus I can think of is the "path companion",
which uses the mechanism described above but takes advantage of the fact that the
OS will execute the first file with a certain name even if the actual
program is further down the path.

Pierre Vandevenne - F-PROT Technical Support BENELUX & France.

--- Squish v1.01
* Origin: DataRescue's BBS +32-41-720237 (2:293/2213)
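The two companion patterns described in the message (a same-name .COM/.CMD placed beside an .EXE, and a same-name program placed earlier in the PATH) can be checked for from the defender's side. This is an added example, not code from the original message or from F-PROT; the companion extension order and the directory layout it scans are constructed for the demonstration.

```python
"""Audit for companion-style file pairs and PATH shadowing.
Added example; the extension order below is an assumption, the
message itself says the real OS/2 search order is not known."""
import os
import tempfile

# Extensions a command shell is assumed to try before .EXE.
COMPANION_EXTS = (".com", ".cmd")


def find_directory_companions(directory):
    """Return sorted (exe, companion) pairs found in one directory
    where a .COM/.CMD shares the base name of an .EXE."""
    exts_by_stem = {}
    for name in os.listdir(directory):
        stem, ext = os.path.splitext(name.lower())
        exts_by_stem.setdefault(stem, set()).add(ext)
    pairs = []
    for stem, exts in exts_by_stem.items():
        if ".exe" in exts:
            for ext in COMPANION_EXTS:
                if ext in exts:
                    pairs.append((stem + ".exe", stem + ext))
    return sorted(pairs)


def find_path_shadows(path_dirs, program):
    """List every directory in path_dirs (searched in order) that holds
    a copy of `program` before the last one; each earlier copy is the
    one a shell would actually run ("path companion")."""
    hits = [d for d in path_dirs if os.path.isfile(os.path.join(d, program))]
    return hits[:-1]


def demo():
    """Constructed layout: EDIT.COM next to EDIT.EXE in dir a, and a
    FORMAT.EXE in dir a that shadows the one in dir b."""
    root = tempfile.mkdtemp()
    dir_a, dir_b = os.path.join(root, "a"), os.path.join(root, "b")
    os.mkdir(dir_a)
    os.mkdir(dir_b)
    for rel in ("a/EDIT.EXE", "a/EDIT.COM", "a/FORMAT.EXE",
                "b/FORMAT.EXE", "b/CLEAN.EXE"):
        open(os.path.join(root, rel), "w").close()
    return find_directory_companions(dir_a), find_path_shadows([dir_a, dir_b], "FORMAT.EXE")


if __name__ == "__main__":
    print(demo())
```

A real audit would walk every directory on the PATH and flag any companion pair whose .COM/.CMD is newer than its .EXE, since a legitimate pair rarely appears that way.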

SOURCE: echomail via fidonet.ozzmosis.com
