csw76@seq1.keele.ac.uk (J.C. Kohler) (02/05/91)
Rob Slade writes: >>All versions of Word Perfect (at least since 4.2) have had a self >>testing module on them. Neither F-XLOCK nor SCAN /AV nor any other >>slef checker that adds code to the program can be used on it, since >>the added code invalidates the internal self test. Kip J Mussatt writes >If I am understanding you correctly, WP 4.2 and later versions should >be virus proof? If this is your assumption then why did we have an >epidemic of the Jeru II virus that infected almost every wp 4.2, 5.0, >and 5.1 at work? Again, if I am misunderstanding what you are saying >about WP product, then please clarify. If not, then could you please >shed some light on my question. Thanx Here comes the reply I got from Mr. Skulason himself >Date: 30 Jan 91 11:55:51 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) >Subject: Re: Problem with F-Prot 1.14 (PC) >This problem is a side-effect of the correction of another problem. >Here is what happened: >The "length" of EXE files can be defined in two ways - the actual (physical) >length of the file, and the length according to the header. Case in point: >Turbo C++ is an 800K file, but according to the header it is only 165K long. >When it is executed, only 165K are loaded into memory, but the program may >later load parts of itself as necessary. >Using F-XLOCK (to add automatic detection of infection of unknown viruses) >involves adding a small module to the end of the file. If Turbo C++ was >F-XLOCKed in this way, it would not run, as the resulting length of the file >was 800K (according to the header), and the file just could not be loaded >into memory. Altough I received two mail messages saying that it was because of the self checker in wp, I would say Mr. Skulason is right. I also heard of viri infecting wp, Jerusalem and PingPong. Isn't it easy to build a self-checker into a program ( as suggested WP has done )? I could imagine that you just check the .exe when it is running, you could play around with some XOR's to create a check. You could even put the value in a seperate file, as long as your checking algorithm is complexe enough. Christian [J.] Christian Kohler Keele university, United Kingdom JANET : csw76@uk.ac.keele.seq1 INTERNET : csw76%keele.ac.uk@nsfnet-relay.ac.uk BITNET : csw76%keele.ac.uk@ukacrl UUCP : ..!ukc!keele!csw76