Path: utzoo!attcan!uunet!tut.cis.ohio-state.edu!zaphod.mps.ohio-state.edu!uwm.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: lexw@idca.tds.PHILIPS.nl (Lex Wassenberg)
Newsgroups: comp.virus
Subject: Re: new virus 1022 (PC)
Message-ID: <0010.9007121452.AA11310@ubu.cert.sei.cmu.edu>
Date: 12 Jul 90 13:01:13 GMT
Sender: Virus Discussion List
Lines: 45
Approved: krvw@sei.cmu.edu

>>Is the text you mentioned contained in straight ASCII in the virus
>>itself? In that case, if you own a virus scanner which is modifiable
>>(that is, it works with a .dat file that contains the fingerprints of
>>viruses) you could easily adapt the scanner so that it will recognize
>>the virus. For example, use as fingerprint the first line: "This
>>message is dedicated to". That would be:
>>
>>54686973206D6573736167652069732064656469636174656420746F
>>
>>But you could just as easily pick one of the other lines (or all of them).

To which the moderator added:

>
>[Ed. The danger in looking for ASCII strings, of course, is that you
>could get a lot of false alarms. This digest, for example, would be
>identified as containing the virus, since it contains the string "This
>message is dedicated to". Perhaps searching for the string _and_ some
>identifiable code would be more robust? Just a thought...]

That would of course be true if you scan ANYTHING on your disk. However,
since viruses are only dangerous when they are executed, most scanners
only scan boot sectors, .COM files and .EXE files. By doing so, this
digest would NOT be marked infected; in fact it wouldn't be marked at all
since it's a plain text file. The same holds for .DAT files or any file
that contains no executable code.

Of course there could be such clever viruses that hide part of themselves
in other files than the ones which they are invoked from. In that case
scanning a file for ASCII text makes no sense.
You would have to scan for the part that will initially be executed, the
first few instructions of the virus. Otherwise you'll not be able to tell
WHICH file causes the malfunctioning of your system.

{ By the way, I wouldn't feel very comfortable if I knew there was a virus on }
{ my disk, even if I knew it would be in a file that's never executed :-)     }

            ________________
           /              /     ___ _____/   Lex Wassenberg, Philips TDS
          /              /     /__ \/ ___/   Apeldoorn, The Netherlands
         /              /      ___/ /__      lexw@idca.tds.philips.nl
        /              /      /____/\___/
       /              /
      /______________/   It's said that only 10 people on the whole world understood
     /_______________/   Einstein. I'm so brilliant that nobody understands me at all.

Disclaimer: Since nobody understands me, I speak only for myself.
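As an added illustration (not code from the post or from any scanner of the time) of the two points argued above: a scanner that looks only inside .COM/.EXE files never flags a text digest that happens to contain the fingerprint, and requiring "the string _and_ some code" further cuts false alarms on executables that merely embed the text. The hex fingerprint is the one quoted in the thread; the code-byte pattern and the sample files are constructed placeholders, not taken from the real virus.

```python
"""Minimal fingerprint scanner in the style discussed in the thread."""
from dataclasses import dataclass
from os.path import splitext


@dataclass(frozen=True)
class Signature:
    name: str
    text: bytes        # ASCII fingerprint, as proposed in the quoted post
    code: bytes = b""  # optional code bytes: the moderator's "string _and_ code"


# Hex fingerprint quoted in the thread; decodes to b"This message is dedicated to".
TEXT_1022 = bytes.fromhex("54686973206D6573736167652069732064656469636174656420746F")
# Constructed placeholder (MOV AH,09h / INT 21h, the DOS print-string call);
# it is NOT the real virus's code, only an example of "identifiable code".
CODE_PLACEHOLDER = bytes.fromhex("B409CD21")
SIGNATURES = [Signature("1022", TEXT_1022, CODE_PLACEHOLDER)]

# Only executable containers are examined, as the reply describes.
EXECUTABLE_SUFFIXES = {".com", ".exe"}


def is_scan_target(filename: str) -> bool:
    """True for files a DOS-era scanner would look inside (.COM / .EXE)."""
    return splitext(filename)[1].lower() in EXECUTABLE_SUFFIXES


def scan_bytes(data: bytes, signatures, require_code: bool = False) -> list:
    """Names of signatures found in data; with require_code, text alone is not a hit."""
    hits = []
    for sig in signatures:
        if sig.text not in data:
            continue
        if require_code and sig.code and sig.code not in data:
            continue
        hits.append(sig.name)
    return hits


def scan_file(filename: str, data: bytes, signatures, require_code: bool = False):
    """None means the file type was skipped entirely; otherwise the list of hits."""
    if not is_scan_target(filename):
        return None
    return scan_bytes(data, signatures, require_code)


# Constructed sample inputs (not real files): the digest itself, an executable
# carrying the string next to the code pattern, and one carrying the string only.
DIGEST_TXT = b"Subject: Re: new virus 1022\nThis message is dedicated to ...\n"
SAMPLE_COM = b"\xE9\x10\x00" + b"\x90" * 16 + CODE_PLACEHOLDER + TEXT_1022 + b" you$"
TEXT_ONLY_COM = b"\xB8\x00\x4C\xCD\x21" + TEXT_1022 + b"..."
```

Running `scan_file` over the three samples shows the digest returning None (never examined), the executable with both patterns flagged either way, and the text-only executable flagged only when `require_code` is False.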