Path: utzoo!utgpu!watserv1!watmath!att!rutgers!ucsd!ucbvax!bloom-beacon!eru!luth!sunic!tut!funic!uwasa.fi!ts
From: ts@uwasa.fi (Timo Salmi LASK)
Newsgroups: comp.sys.ibm.pc.programmer
Subject: Re: How dows LZEXE work ???
Message-ID: <1990Jul10.154136.27605@uwasa.fi>
Date: 10 Jul 90 15:41:36 GMT
References: <9857@cs.utexas.edu> <4263@jato.Jpl.Nasa.Gov> <1990Jul9.232906.8904@Solbourne.COM> <1835@krafla.rhi.hi.is>
Organization: University of Vaasa
Lines: 26

In article <1835@krafla.rhi.hi.is> frisk@rhi.hi.is (Fridrik Skulason) writes:
>In article <1990Jul9.232906.8904@Solbourne.COM> imp@dancer.Solbourne.COM (Warner Losh) writes:
>>One last warning about LZEXE, it seems that most virus detection
>>programs can't find a virus inside an LZEXEed program.
>
>Well, as far as I know, there are two programs able to scan LZEXE-packed
>files. One is the SCAN program from McAfee, but the other is F-PROT 1.11
>which I wrote.
>I think no other virus scanning program has implemented LZEXE-scanning yet.

One obvious, but less sophisticated way is to decompress the lzexe'd
program first, and then scan it. This process can even be automated
using a batch file. There is one in /pc/ts/tsbat21.arc to show the
principle. Available by anonymous ftp from chyde.uwasa.fi, Vaasa,
Finland. (Note that I'm not saying that direct lzexe scanning
weren't preferable (it is the better alternative), but just giving
information.)

Oh yes, and since someone is probably going to ask how to decompress
an lzexe'd file, there is a utility called /pc/pd2/unlzexe5.zip
available at the same site.

...................................................................
Prof. Timo Salmi        (Moderating at anon. ftp site 128.214.12.3)
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi Funet: gado::salmi Bitnet: salmi@finfun
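The decompress-then-scan workflow described in the post above, as an added Python sketch (not part of the original post and not the batch file in tsbat21.arc). It recognizes LZEXE-packed files by the "LZ09"/"LZ91" tag LZEXE leaves at offset 0x1C of the MZ header; `unpack` and `scan` are hypothetical caller-supplied callables standing in for an unpacker and a virus scanner.

```python
from pathlib import Path

# Version tag LZEXE 0.90 / 0.91 leaves at offset 0x1C of the packed MZ header.
LZEXE_TAGS = {b"LZ09": "0.90", b"LZ91": "0.91"}


def lzexe_version(header: bytes):
    """Return the LZEXE version string for a packed EXE header, else None."""
    if len(header) < 0x20 or header[:2] != b"MZ":
        return None  # too short, or not a DOS executable at all
    return LZEXE_TAGS.get(header[0x1C:0x20])


def constructed_header(tag: bytes = b"\0\0\0\0") -> bytes:
    """Constructed 32-byte sample header for testing (not a real program)."""
    return b"MZ" + bytes(0x1A) + tag


def scan_tree(root, unpack, scan):
    """Scan every file under root, unpacking LZEXE-packed ones first.

    unpack(path) -> path of the decompressed copy   (hypothetical hook)
    scan(path)   -> scanner verdict for that file   (hypothetical hook)
    Returns {relative path: (lzexe version or None, verdict)}.
    """
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            version = lzexe_version(fh.read(0x20))
        # Packed files are scanned as their decompressed image, so the
        # scanner sees the original program code rather than LZ data.
        target = unpack(path) if version else path
        report[path.relative_to(root).as_posix()] = (version, scan(target))
    return report
```

A missing tag does not prove a file is unpacked; the check only recognizes unmodified LZEXE 0.90/0.91 output.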