frisk@rhi.hi.is (Fridrik Skulason) (05/30/91)
David Chess wrote:

> Any sort of less-than-virus-length scan string is somewhat prone to false
> alarms, but ones with wildcards, if properly chosen, aren't necessarily
> any worse than ones without...

Ross Greenberg wrote:

> We'll have to agree to disagree on this one, Dave.

Well, I tend to agree with David - I use wildcards in 15% or so of my
search patterns - but only in the following cases:

1) When the pattern contains a reference to an address outside it.
   Example:

        MOV AX,CS:[some_address_elsewhere]

   or

        JNE a_fairly_long_distance

2) When the pattern contains an instruction which depends on the assembler
   used. Example:

        XOR AX,AX       ; 31 C0
        XOR AX,AX       ; 33 C0

   I have some variants of viruses where the only difference is due to this.

Variable-length wildcards are in my opinion an absolute no-no... I never use
them.

For the viruses using the most complex types of encryption (Whale, Tequila,
V2P2 and Adolph) I use an algorithmic approach, not a search string.

I also try to avoid search patterns for viruses written entirely in a
high-level language.

- -frisk
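As an added illustration (not frisk's code, nor any scanner's), a small Python matcher for fixed-length wildcard scan strings covering the two cases above: single-byte wildcards for the out-of-pattern address and the jump displacement, a two-way alternative for the assembler-dependent XOR AX,AX encoding, and a hard rejection of variable-length wildcards. The sample bytes are constructed for the example and are not real virus code.

```python
import re

# Token grammar: 'HH' exact byte, '??' any one byte, 'HH|HH' one of the
# listed bytes. Every token covers exactly one byte, so a pattern has a
# fixed length: there is deliberately no variable-length wildcard.
_TOKEN = re.compile(r"^(\?\?|[0-9A-Fa-f]{2}(\|[0-9A-Fa-f]{2})*)$")


def compile_pattern(pattern: str) -> list:
    """Compile a scan string into one entry per byte position:
    None for a wildcard byte, otherwise the set of acceptable values."""
    compiled = []
    for tok in pattern.split():
        if not _TOKEN.match(tok):
            raise ValueError(f"bad token {tok!r}: only fixed-length tokens allowed")
        if tok == "??":
            compiled.append(None)
        else:
            compiled.append(frozenset(int(alt, 16) for alt in tok.split("|")))
    return compiled


def scan(buf: bytes, compiled: list) -> list:
    """Return every offset in buf where the compiled pattern matches."""
    n = len(compiled)
    return [
        off
        for off in range(len(buf) - n + 1)
        if all(allowed is None or buf[off + i] in allowed
               for i, allowed in enumerate(compiled))
    ]


# Constructed sample bytes (not real virus code): one short routine in two
# "variants" that differ only in the address operand of MOV AX,CS:[addr]
# (2E A1 lo hi), the assembler's XOR AX,AX encoding (31 C0 vs 33 C0) and
# the JNE displacement (75 rel8). UNRELATED shares the layout but not the
# opcode, so it must not match.
VARIANT_A = bytes.fromhex("90 90 2E A1 34 12 33 C0 75 10 CD 21")
VARIANT_B = bytes.fromhex("2E A1 78 56 31 C0 75 20 CD 21 90")
UNRELATED = bytes.fromhex("2E A1 34 12 35 C0 75 10 CD 21")

# Wildcards only where frisk allows them: the out-of-pattern address and
# the jump displacement; a two-way alternative for the XOR opcode.
SIGNATURE = "2E A1 ?? ?? 31|33 C0 75 ?? CD 21"

if __name__ == "__main__":
    sig = compile_pattern(SIGNATURE)
    for name, sample in (("A", VARIANT_A), ("B", VARIANT_B), ("unrelated", UNRELATED)):
        print(name, scan(sample, sig))
```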