echo: os2prog
to: All
from: Clemens Anhuth
date: 1994-12-30 20:33:00
subject: Virus Strategies

hello.

though i am concerned to talk about strategies that viruses could use, i  
write this mail because some of you, even the ones with a lot of technical  
understanding of os/2 and experience in programming, seem to have quite  
wrong ideas of how a virus would have to work under os/2 in order to do  
damage.

of course we (may (as i don't know and don't mind)) have this problem with  
direct writing to disk, which is (not) possible as some of you say. well:  
why should one go that way? i would leave it aside.

amiga users will certainly remember the virus (forgot its name) that only  
looked up the name of the first program executed in startup-sequence  
(startup.cmd in os/2) and simply copied the original program into a system  
subdirectory, giving it a name that could not be seen by a "dir". then it  
replaced the original file with itself and was started at boot time. i  
don't quite remember how it managed to start the original program  
afterwards though.

it renamed the original file to this "invisible" name because the amiga  
operating system was so straightforward and small that after a few  
months of close work with it a normal person could tell which is an  
original os file and which is not and thus the virus would have been  
detected much more easily. under os/2 though one would not have to mind  
too much about this as the os consists (on my machine) of about 1300 files  
and directories (!) which take up about 39mb (!) so that the chance of  
being visually detected is rather low.

imagine a guy like me: testing and having a look at ca. 2 programs per day  
(os/2 shareware, freeware, pd, etc. which arrives via mailbox and file-net).  
how about one of these files being a trojan horse which does a rather  
dummy task (which must be appealing to others as well, maybe a little  
tetris game...) but which copies a special device driver into one of os/2's  
directories and enters it into config.sys as well, maybe using a good  
sounding name like "KBDBASE2.SYS" and thus installing at next bootup the  
viral device driver.

this could be done for device drivers and programs. a "good" point would be  
to look up config.sys and startup.cmd for programs being started but not  
running at the moment. i have a program that changes the mouse tracking of  
os/2 (because via notebook no acceptable setting could be achieved) which  
could be infected or replaced easily because it is run only to set certain  
values and then leaves memory so that its original file is not locked.

additionally the trojan horse could look up the startup drawer.

thus you could have the virus being installed and sitting there for months  
and after a certain time it could trash the system via valid system  
commands like del etc. it could even overwrite files before it deletes  
them (why even delete them at all, simply fill them with zeroes) so that  
the files' original contents cannot be restored (except from a backup).

although the above is not a virus which is a stand-alone program that  
infects other programs in order to infect other computers it could still  
be rather successful, depending on its dummy/trojan horse part.

you see, it does not need deep level programming skills or whatever,  
simply use what is there and what is common.

of course the above would be wiped off very easily, once detected, but  
until that time many other computers could already have been infected.  
thus damage can be achieved, though with the above strategy only rather  
limited, but it can be done.

the user is the weakest point of a computer system, right? and os/2 users  
being rather used to shareware, freeware and pd could be a good target for  
such a strategy.

bye bye

ps: some of the amiga viruses did very amazing things, quite interesting  
if i think about it now...but most of them not being possible under os/2  
(hooking into the system and instead of showing the boot sector (via anti  
virus program), showing a sector which is clean and neat...overwriting the  
boot sector went the same: the "dummy" sector was overwritten only (which  
of course can be rather treacherous if the written bootsector contained a  
little bootup program which wouldn't be loaded at boot time...))

## anhuth{at}elbe.clipper.de ##

--- CrossPoint v3.0 R
* Origin: Warp: Schau es dir wenigstens einmal an. (2:240/5033.11)
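The two persistence points the post raises, a new DEVICE= line in config.sys and a program listed in startup.cmd being replaced on disk while it is not running, are exactly what a boot-entry baseline check catches. The following is an added example, not code from the original post: it parses both files for everything loaded at boot and compares each file's hash against a recorded clean baseline. The config.sys and startup.cmd text, the "disk" contents and the baseline hashes are all constructed inline so it runs offline; real use would read the actual files.

```python
import hashlib
import re

# CONFIG.SYS statements that load or run a file at boot.
CONFIG_RE = re.compile(r"^\s*(DEVICE|BASEDEV|IFS|RUN|CALL)\s*=\s*(\S+)", re.IGNORECASE)
# A program path opening a STARTUP.CMD line, optionally after "start [/opts]".
STARTUP_RE = re.compile(r"^\s*(?:start\s+(?:/\S+\s+)*)?([A-Za-z]:\\\S+)", re.IGNORECASE)

# Constructed sample files (not from the post): KBDBASE2.SYS is a driver the baseline never saw, MOUSEACC.EXE was swapped on disk.
SAMPLE_CONFIG_SYS = "DEVICE=C:\\OS2\\BOOT\\KBDBASE.SYS\nBASEDEV=IBM1S506.ADD\nDEVICE=C:\\OS2\\BOOT\\KBDBASE2.SYS\n"
SAMPLE_STARTUP_CMD = "@echo off\nC:\\TOOLS\\MOUSEACC.EXE /speed=3\nstart /min C:\\OS2\\CMD.EXE\n"
FAKE_DISK = {"C:\\OS2\\BOOT\\KBDBASE.SYS": b"clean keyboard driver",
             "IBM1S506.ADD": b"disk driver",
             "C:\\OS2\\BOOT\\KBDBASE2.SYS": b"dropped driver",
             "C:\\TOOLS\\MOUSEACC.EXE": b"replaced mouse tool",
             "C:\\OS2\\CMD.EXE": b"command processor"}

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hashes recorded on a known-clean system: the four entries the system originally had.
BASELINE = {"C:\\OS2\\BOOT\\KBDBASE.SYS": sha256_bytes(b"clean keyboard driver"),
            "IBM1S506.ADD": sha256_bytes(b"disk driver"),
            "C:\\TOOLS\\MOUSEACC.EXE": sha256_bytes(b"original mouse tool"),
            "C:\\OS2\\CMD.EXE": sha256_bytes(b"command processor")}

def boot_entries(config_sys: str, startup_cmd: str) -> list[str]:
    """Every file CONFIG.SYS or STARTUP.CMD would load or run, upper-cased for matching."""
    found = [m.group(2) for m in map(CONFIG_RE.match, config_sys.splitlines()) if m]
    found += [m.group(1) for m in map(STARTUP_RE.match, startup_cmd.splitlines()) if m]
    return [p.upper() for p in found]

def compare_to_baseline(entries: list[str], baseline: dict[str, str], read_file) -> dict[str, str]:
    """Classify each boot entry as NEW, MISSING, MODIFIED or OK; read_file(path) -> bytes or None."""
    report = {}
    for path in entries:
        data = read_file(path)
        if path not in baseline:
            report[path] = "NEW"        # entry added to CONFIG.SYS / STARTUP.CMD since the baseline
        elif data is None:
            report[path] = "MISSING"
        elif sha256_bytes(data) != baseline[path]:
            report[path] = "MODIFIED"   # the referenced file was replaced or infected on disk
        else:
            report[path] = "OK"
    return report

def audit() -> dict[str, str]:
    """Run the check over the constructed samples; real use would read the actual files."""
    return compare_to_baseline(boot_entries(SAMPLE_CONFIG_SYS, SAMPLE_STARTUP_CMD), BASELINE, FAKE_DISK.get)
```

The baseline must be taken from a system known to be clean and kept off the machine it guards, otherwise the same dropper that edits config.sys can rewrite the baseline too.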

SOURCE: echomail via fidonet.ozzmosis.com
