p1@arkham.wimsey.bc.ca (Rob Slade) (04/17/91)
Since this got chopped up good, the first time ...

We've had various discussions on the merits of "archived" and "self-extracting" files for virus protection.  The following is from a local bulletin board:

Original message from: Rene Blais, to: All

RB> simple way to detect viruses without scan or any similar
RB> program, as long as the virus infects EXE files no
RB> self-extracting compressed files will work as the virus
RB> scrambles the code. just a friendly hint from your friendly
RB> neighborhood virus-hater

I'm afraid it isn't that simple, Rene.  If the virus is an "overwriting" type, then yes, this procedure should work.  However, if the virus is a "prepender" then it will execute *before* the code that decompresses the program.  The self-extraction module then may or may not fail to successfully run the program, depending upon how it deals with the additional code at the beginning of the file.  In any case, if the viral program is one that "goes resident", then the machine's memory is infected.

If the virus is an "appender", most of the same applies.  It will have a "jump" placed at the beginning of the file to the virus code at the end, and then a "jump" instruction to the beginning of the file and, again, executes the virus before the self-extraction module starts to work.  As with the prepender, the extraction of the program may or may not be affected by the presence of header and trailer information.

However, in the case of the newer "spawning" viral programs, this procedure does nothing at all for detection, because "spawning" viri never touch the original file, relying on MS-DOS's "execution order preference" for .COM files, and creating a separate virus file.  The separate file may be hidden from detection in various ways, and still be "infectious."

=============
Vancouver         p1@arkham.wimsey.bc.ca   | "Don't buy a
Institute for     Robert_Slade@mtsg.sfu.ca |  computer."
Research into     (SUZY) INtegrity         |       Richards' First
User              Canada V7K 2G6           |       Law of Data
Security                                   |       Security
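Added example, not part of Slade's post or the quoted BBS message: a toy Python model of the four infection strategies described above (overwriting, prepending, appending, spawning) applied to a stand-in for a self-extracting .EXE. It shows what the proposed "does the self-extractor still run?" check sees for each case, next to a plain hash-of-the-file comparison, and why neither inspects the spawned companion file that DOS runs first. The stub, payload, virus marker and "JMP:" encoding are constructed stand-ins; no real MZ/EXE header or x86 code is modelled.

```python
"""Toy model of overwriting, prepending, appending and spawning viruses
applied to a stand-in for a self-extracting .EXE.  Constructed example:
the byte layout below is invented for illustration, not a real format."""
import hashlib

STUB = b"STUB:decompress-and-run;"            # the self-extraction module
PAYLOAD = b"PAYLOAD:" + bytes(range(32))      # the compressed program
CLEAN_SFX = STUB + PAYLOAD                    # the uninfected file image
VIRUS = b"VIRUS:go-resident;"                 # stand-in for the virus body
JMP_LEN = 16                                  # width of the appender's jump patch


def infect_overwrite(image: bytes) -> bytes:
    """Overwriting virus: replaces the start of the host in place."""
    return VIRUS + image[len(VIRUS):]


def infect_prepend(image: bytes) -> bytes:
    """Prepender: virus body first, the intact host after it."""
    return VIRUS + image


def infect_append(image: bytes) -> bytes:
    """Appender: patches a jump at the start of the host pointing at the
    virus body at the end; the overwritten head bytes are kept after the
    body so the virus can restore them and jump back to offset 0."""
    saved = image[:JMP_LEN]
    jmp = (b"JMP:%06d;" % len(image)).ljust(JMP_LEN, b".")
    return jmp + image[JMP_LEN:] + VIRUS + saved


def run(image: bytes) -> dict:
    """Simulate loading the image: follow control from offset 0, record
    whether the virus body ran and whether the stub was reached intact.
    The prepender here hands control to the host after its body; the post
    notes that real ones may or may not manage that."""
    virus_ran, pc = False, 0
    if image.startswith(b"JMP:"):                 # appender
        target = int(image[4:10])
        body_end = target + len(VIRUS)
        virus_ran = image[target:body_end] == VIRUS
        # virus restores the saved head bytes and jumps back to the start
        image = image[body_end:body_end + JMP_LEN] + image[JMP_LEN:target]
    elif image.startswith(VIRUS):                 # prepender or overwriter
        virus_ran = True
        pc = len(VIRUS)                           # fall through to what follows
    extraction_ok = image[pc:pc + len(STUB)] == STUB
    return {"virus_ran": virus_ran, "extraction_ok": extraction_ok}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def infect_spawn(directory: dict) -> dict:
    """Spawning (companion) virus: PROG.EXE is never touched; a PROG.COM
    holding the virus is dropped beside it."""
    infected = dict(directory)
    for name in directory:
        if name.upper().endswith(".EXE"):
            infected[name[:-4] + ".COM"] = VIRUS
    return infected


def dos_resolves(directory: dict, command: str) -> str:
    """MS-DOS execution order preference: .COM is tried before .EXE."""
    for ext in (".COM", ".EXE"):
        if command.upper() + ext in directory:
            return command.upper() + ext
    raise FileNotFoundError(command)


def summary() -> dict:
    """Apply each strategy to the clean SFX and report what each check sees."""
    out = {}
    for name, fn in (("clean", lambda x: x), ("overwrite", infect_overwrite),
                     ("prepend", infect_prepend), ("append", infect_append)):
        image = fn(CLEAN_SFX)
        out[name] = {**run(image), "hash_changed": sha256(image) != sha256(CLEAN_SFX)}
    baseline = {"PROG.EXE": CLEAN_SFX}            # constructed one-file directory
    infected = infect_spawn(baseline)
    out["spawn"] = {
        "exe_hash_changed": sha256(infected["PROG.EXE"]) != sha256(CLEAN_SFX),
        "extraction_ok": run(infected["PROG.EXE"])["extraction_ok"],
        "dos_runs": dos_resolves(infected, "prog"),
        "new_files": sorted(set(infected) - set(baseline)),
    }
    return out


if __name__ == "__main__":
    for strategy, result in summary().items():
        print(f"{strategy:10s} {result}")
```

Only the overwriter breaks the self-extractor; the prepender and appender both run the virus body first and still unpack cleanly, so the "does it still extract?" test passes on an infected file. A hash of the file catches those three, but the spawned PROG.COM leaves PROG.EXE byte-for-byte identical, so the only signal is a new file in the directory that DOS will prefer when the user types PROG.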