frisk@rhi.hi.is (Fridrik Skulason) (02/19/90)
I wonder if the readers of this group have considered the effects of viruses like "The Number of the Beast" (alias "512" or "666") on checksum programs. As Vesselin Bontchev has pointed out, if the virus is active in memory, no changes to the infected program will be seen, since the virus will redirect any attempts to read the file so the original, non-infected file will be read instead.

This means that with the virus active in memory no checksum program will be able to detect infection of files, NO MATTER HOW STRONG THE ALGORITHM used. All the discussion on which algorithm to use is therefore rather pointless...

This is not a problem if the computer is first booted from a non-infected diskette, but how can one be sure that COMMAND.COM on the diskette was not infected?

--
Fridrik Skulason, University of Iceland    E-Mail: frisk@rhi.hi.is
Technical Editor, Virus Bulletin (UK).     Fax: 354-1-28801
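
A toy model of the point made in the post above, added here as an illustration and not part of the original message: an integrity checker compares checksums through a read path that returns the original bytes, then through a trusted path (the clean-boot case). The class names, the file name `PROG.COM` and the sample bytes are all constructed for this example; nothing here touches a real file system.

```python
import hashlib
import zlib

# Constructed sample data: a tiny "program" and a modified copy of it.
CLEAN = b"MZ" + b"\x90" * 62
MODIFIED = CLEAN + b"<appended 512 bytes>"  # stands in for the changed file

# Checksums of very different strength, to compare their behaviour.
ALGORITHMS = {
    "sum8": lambda data: sum(data) % 256,
    "crc32": zlib.crc32,
    "sha256": lambda data: hashlib.sha256(data).hexdigest(),
}

class Disk:
    """Trusted read path: returns what is really stored on the media."""
    def __init__(self):
        self.files = {}
    def read(self, name):
        return self.files[name]

class RedirectedReads:
    """Models the behaviour described in the post: reads of a changed file
    are answered with the original, unmodified bytes."""
    def __init__(self, disk, originals):
        self.disk, self.originals = disk, originals
    def read(self, name):
        return self.originals.get(name, self.disk.read(name))

def baseline(reader, names):
    """Record every checksum for every file through the given read path."""
    return {n: {a: f(reader.read(n)) for a, f in ALGORITHMS.items()}
            for n in names}

def flagged(reader, base):
    """Return {file: [algorithms that report a change]} for this read path."""
    result = {}
    for name, sums in base.items():
        data = reader.read(name)
        result[name] = [a for a, f in ALGORITHMS.items() if f(data) != sums[a]]
    return result

def demo():
    disk = Disk()
    disk.files["PROG.COM"] = CLEAN
    base = baseline(disk, ["PROG.COM"])      # taken while the system is clean
    disk.files["PROG.COM"] = MODIFIED        # contents change on the media
    redirected = RedirectedReads(disk, {"PROG.COM": CLEAN})
    return flagged(redirected, base), flagged(disk, base)

if __name__ == "__main__":
    via_redirect, via_trusted = demo()
    print("redirected read path:", via_redirect)
    print("trusted read path:   ", via_trusted)
```

Through the redirected path every algorithm reports no change, while through the trusted path even the 8-bit sum flags the file: the outcome depends on which bytes the checker is given, not on the strength of the checksum.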