T530083@UNIVSCVM.CSD.SCAROLINA.EDU (Dmitri Schoeman) (07/24/90)
If the anti virus programs would first perform a checksum, then couldn't a virus "outsmart" that program by just changing one (non executing) byte in its source?

-----Dmitri Schoeman
ewiles@netxcom.DHL.COM (Edwin Wiles) (07/26/90)
T530083@UNIVSCVM.CSD.SCAROLINA.EDU (Dmitri Schoeman) writes:
>If the anti virus programs would first perform a checksum, then
>couldn't a virus "outsmart" that program by just changing one (non
>executing) byte in its source?
>
>-----Dmitri Schoeman

The problem with this is that most viri must be fairly small in size to have a reasonable chance of going undetected. A virus capable of regenerating the checksum would have to A) know where the checksum was being stored, B) know how the checksum was calculated, C) have the same checksum calculating code within itself, and D) have a sufficient number of "non-executing" bytes imbedded within itself to make whatever adjustment was necessary to the checksum (I'm not sure one is sufficient).

Using something like "snefru" (a checksum calculator that apparently generates a very large and reliable checksum) would make this virtually impossible. The virus would be almost the same size as the "snefru" program itself! The "snefru" program that I have here is over 27K.

Don't ask me for SNEFRU, it was posted in either comp.sources.misc or comp.sources.unix within this year. Go check either those groups or your local archiving site(s). I WILL IGNORE ANY SNEFRU REQUESTS!

-- Edwin Wiles.
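
The difference between a small arithmetic checksum and a large cryptographic one, as discussed in the thread above, shown from the integrity checker's side. This is an added example, not code from either poster: the 16-bit byte-sum scheme, the function names and the sample data are assumptions, and SHA-256 stands in for snefru, which is not in the Python standard library.

```python
import hashlib

def sum16(data: bytes) -> int:
    """Weak checksum (assumed scheme): sum of all bytes modulo 2**16."""
    return sum(data) % 65536

def digest(data: bytes) -> str:
    """Cryptographic checksum; SHA-256 used here in place of snefru."""
    return hashlib.sha256(data).hexdigest()

def make_baseline(data: bytes) -> dict:
    """What the checker records while the file is known to be clean."""
    return {"size": len(data), "sum16": sum16(data), "sha256": digest(data)}

def check(baseline: dict, data: bytes) -> dict:
    """Per-field comparison; True means the field still matches."""
    return {"size": len(data) == baseline["size"],
            "sum16": sum16(data) == baseline["sum16"],
            "sha256": digest(data) == baseline["sha256"]}

def pad_to_match_sum(original: bytes, modified: bytes) -> bytes:
    """Append filler so the byte-sum matches again (point D in the reply).
    The filler is pure arithmetic: no search, no knowledge of the content."""
    deficit = (sum16(original) - sum16(modified)) % 65536
    full, rest = divmod(deficit, 255)
    return modified + b"\xff" * full + (bytes([rest]) if rest else b"")

# Constructed sample data: a stand-in "program" and a 4-byte change to it.
ORIGINAL = b"MZ" + bytes(range(64)) + b"original program body"
BASELINE = make_baseline(ORIGINAL)
TAMPERED = ORIGINAL[:40] + b"XXXX" + ORIGINAL[44:]
PADDED = pad_to_match_sum(ORIGINAL, TAMPERED)

if __name__ == "__main__":
    for name, image in (("original", ORIGINAL), ("tampered", TAMPERED),
                        ("padded", PADDED)):
        print(name, len(image), check(BASELINE, image))
```

With the byte-sum alone, the padded image passes; the recorded size and the cryptographic digest both still flag it, and the filler needed here is far more than one byte.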