Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!gem.mps.ohio-state.edu!ctrsol!ginosko!usc!sdsu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: CHRISTOPHER%GACVAX1.BITNET@VMA.CC.CMU.EDU
Newsgroups: comp.virus
Subject: Viruses in archives (PC)
Message-ID: <0006.8910241138.AA15306@ge.sei.cmu.edu>
Date: 23 Oct 89 20:25:00 GMT
Sender: Virus Discussion List
Lines: 25
Approved: krvw@sei.cmu.edu

Are there any programs currently available that will check for viruses within an archive file? I am familiar with the SHEZ program and how it can be used with VIRUSCAN to scan archives, but SHEZ un-arcs the archive file before running VIRUSCAN. My question is, does a program exist or could one be developed that searched for signs of an archived and infected program?

I can see two big problems with this immediately. First, each different archiving algorithm will archive a virus (call it X) differently. An ARCed X will be different from a ZIPed X will be different from a ZOOed X, etc. Secondly, say that virus X attaches itself to the end of COM files. Will the output (archived file) of an archiving algorithm translate virus X into the same byte sequence every time? For example, program A is infected and becomes AX. Is arc(AX) (archived AX) the same as arc(A) + arc(X) and is arc(BX) the same as arc(B) + arc(X)?

I inquire because I have archived programs/software, and I would like to know if programs in archives are infected without de-archiving them (at last count I had over 100 .ARC files) and then SCANing them as SHEZ does.

Christopher Kane
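The arc(AX) versus arc(A) + arc(X) question can be tested directly. The following is an added example, not part of the original post: it compares a signature search on the stored bytes with a search after unpacking. It assumes Python's zlib, bz2 and lzma codecs as stand-ins for ARC, ZIP and ZOO, and the marker and host programs are constructed, harmless byte strings.

```python
import bz2
import lzma
import zlib

# Constructed, harmless stand-in for the byte signature of "virus X".
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-not-a-real-virus"
# Constructed host programs A and B (compressible filler, not real COM files).
HOST_A = b"MOV AX,BX\r\nINT 21H\r\n" * 200
HOST_B = b"PUSH CX\r\nCALL 0100H\r\nRET\r\n" * 150

# Assumption: modern codecs standing in for the ARC/ZIP/ZOO compressors.
CODECS = {
    "zlib": (zlib.compress, zlib.decompress),
    "bz2": (bz2.compress, bz2.decompress),
    "lzma": (lzma.compress, lzma.decompress),
}

def infect(host):
    """Model 'AX': the marker appended to the end of the host."""
    return host + MARKER

def raw_scan(blob):
    """Signature search on the bytes as stored, without unpacking."""
    return MARKER in blob

def unpack_scan(blob, codec):
    """The SHEZ + VIRUSCAN approach: decompress first, then search."""
    return MARKER in CODECS[codec][1](blob)

def additive(codec, host):
    """Is arc(AX) == arc(A) + arc(X) for this codec and host?"""
    pack = CODECS[codec][0]
    return pack(infect(host)) == pack(host) + pack(MARKER)

def survey():
    """Per codec: (raw hit on AX, raw hit on BX, unpack hit on AX, additive?)."""
    out = {}
    for name, (pack, _) in CODECS.items():
        ax, bx = pack(infect(HOST_A)), pack(infect(HOST_B))
        out[name] = (raw_scan(ax), raw_scan(bx),
                     unpack_scan(ax, name), additive(name, HOST_A))
    return out

if __name__ == "__main__":
    for name, row in survey().items():
        print(name, row)
```

For these inputs the raw search misses the marker in every packed form, and the packed output is not the concatenation of separately packed pieces, because each codec encodes a byte in terms of the data that precedes it.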