[comp.virus] Viruses in archives

CHRISTOPHER%GACVAX1.BITNET@VMA.CC.CMU.EDU (10/24/89)

     Are there any programs currently available that will check for
viruses within an archive file?  I am familiar with the SHEZ program
and how it can be used with VIRUSCAN to scan archives, but SHEZ
un-arcs the archive file before running VIRUSCAN.  My question is,
does a program exist or could one be developed that searched for signs
of an archived and infected program?

     I can see two big problems with this immediately.  First, each
different archiving algorithm will archive a virus (call it X)
differently.  An ARCed X will be different from a ZIPed X will be
different from a ZOOed X, etc.  Secondly, say that virus X attaches
itself to the end of COM files.  Will the output (archived file) of an
archiving algorithm translate virus X into the same byte sequence
every time?  For example, program A is infected and becomes AX.  Is
arc(AX) (archived AX) the same as arc(A) + arc(X) and is arc(BX) the
same as arc(B) + arc(X)?

     I inquire because I have archived programs/software, and I would
like to know if programs in archives are infected without de-archiving
them (at last count I had over 100 .ARC files) and then SCANing them
as SHEZ does.

Christopher Kane
 <CHRISTOP@GACVAX1.BITNET>
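
The two problems raised in the post can be checked directly. The example below is added here and is not part of the original post. It tests whether arc(AX) equals arc(A) + arc(X), and whether a byte signature survives compression, then scans archive members in memory without extracting them to disk. Assumptions: ZIP/DEFLATE from the Python standard library stands in for ARC, MARKER is a harmless constructed stand-in for "virus X", and the programs and file names are constructed samples.

```python
import io
import zipfile
import zlib

# Constructed, harmless stand-ins: MARKER plays the role of "virus X".
MARKER = b"HARMLESS-TEST-MARKER-X-0123456789"
PROGRAM_A = b"program A: " + bytes(range(256)) * 4
PROGRAM_B = b"program B: " + b"MOV AX,BX; INT 21h; " * 60


def build_archive(members, method):
    """Build a ZIP archive in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_raw(archive_bytes):
    """Naive scan: look for the marker in the archive file as it sits on disk."""
    return MARKER in archive_bytes


def scan_members(archive_bytes):
    """Decompress each member in memory (nothing is written to disk) and scan it."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if MARKER in zf.read(info):
                hits.append(info.filename)
    return hits


def is_additive(host):
    """Does arc(host + X) equal arc(host) + arc(X)? (zlib stands in for arc.)"""
    return zlib.compress(host + MARKER) == zlib.compress(host) + zlib.compress(MARKER)


SAMPLES = {"A.COM": PROGRAM_A + MARKER, "B.COM": PROGRAM_B + MARKER, "CLEAN.COM": PROGRAM_A}
DEFLATED = build_archive(SAMPLES, zipfile.ZIP_DEFLATED)
STORED = build_archive(SAMPLES, zipfile.ZIP_STORED)

if __name__ == "__main__":
    print("additive for A, B:", is_additive(PROGRAM_A), is_additive(PROGRAM_B))
    print("raw scan, deflated archive:", scan_raw(DEFLATED))
    print("raw scan, stored archive:  ", scan_raw(STORED))
    print("member scan, deflated:     ", scan_members(DEFLATED))
```

The raw scan only finds the marker when members are stored uncompressed. For compressed members the encoding of X depends on the host data before it, so the scanner has to decompress each member, which it can do in memory.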