Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wuarchive!cs.utexas.edu!uunet!mcsun!hafro!isgate!krafla!frisk
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.sys.ibm.pc
Subject: Re: .COM and .EXE files
Message-ID: <1283@krafla.rhi.hi.is>
Date: 30 Oct 89 11:14:56 GMT
References: <254A1CA0.5798@maccs.dcss.mcmaster.ca>
Reply-To: frisk@rhi.hi.is (Fridrik Skulason)
Organization: University of Iceland (RHI)
Lines: 70
Followup-To:

In article <254A1CA0.5798@maccs.dcss.mcmaster.ca> cs4g6ag@maccs.dcss.mcmaster.ca (Stephen M. Dunn) writes:
>
>   This is true ... does anyone know the rough proportion of viruses that
>search for files to infect against those which infect programs that you
>run?

Here is the list. Viruses marked with * can be considered "common".
Those marked with - are very rare.

Direct Action viruses:

  - DataCrime
  - DataCrime II
  - 405
  - Ghost
  - South African
  - SysLock
  * Vienna

Resident:

  - Agiplan
  - April 1st.
  * Cascade
  - Dbase
    Fu Manchu
  - Icelandic
  * Jerusalem
    Lehigh
    Mix1
  - Screen
    Vacsina

Both:

  - Oropax
    Traceback

I have not yet had time to look at the following four "new" viruses:

  - Aids
  - Alabama
  - Dark Avenger
  - Yankee

>a virus which tried to defeat all such
>mechanisms (or even many of them) would soon grow pretty big, and would then
>likely have to specialize in infecting only larger .COM or .EXE programs
>to decrease the likelihood of detection - if you suddenly found that the
>ASK utility you may use for asking questions in batch files grew from
>509 bytes to 8.3K, you'd become suspicious pretty quickly.

Well - the minimum size of a virus is around 400 bytes (assuming it is
written in assembly language, like most viruses are). Adding code to
remove read-only protection etc. can add 200-300 bytes to the code. The
rest of the virus code - the "damage" part - can be anything from 0-3000
bytes in the viruses that are known today.

Many of them use a number of tricks to bypass protection methods, but
they simply are not very large. Their size is from 405-3555 bytes, in
most cases around 1800 bytes.

The "Aids" virus, which is written in Turbo-Pascal is of course much
larger, around 12K.

-frisk

--
Fridrik Skulason          University of Iceland
frisk@rhi.hi.is
Guvf yvar vagragvbanyyl yrsg oynax .................