Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RADAI@HUJIVMS.BITNET (Y. Radai)
Newsgroups: comp.virus
Subject: Re: LZEXE - a possible anti virus application (PC)
Message-ID: <0007.9012061747.AA16948@ubu.cert.sei.cmu.edu>
Date: 6 Dec 90 12:45:00 GMT
Sender: Virus Discussion List
Lines: 28
Approved: krvw@sei.cmu.edu

Tom Farrell writes:
>I use a program on my hard drive called LZEXE.  It is a shareware
>program from France, used to compress EXE files so that they take up
>less disk space.  It often achieves approximately 50% savings, and
>still allows you to run the program.  ....
>                  ....                         The really neat part,
>though, is that it includes a self-check into every file compressed
>with the utility, so that if the file has been changed it will notify
>you.  This would detect the presence of a virus in the software.

LZEXE really is a nice program, but the part about virus detection is
misleading at best.  If a virus infects an executable *after* it has
been LZEXE-compressed, then this should get detected by LZEXE's CRC
check.  (Actually, even this part is no longer correct since this
check was apparently removed in Ver. 0.91 of LZEXE.)

But the CRC check doesn't help in the least if the file was infected
*before* compression.  In fact, compression makes matters *worse* in
this case since most programs which scan files for known viruses will
not detect them within a compressed file.  (A few anti-viral programs,
such as McAfee's SCAN and Skulason's F-FCHK have been modified to
recognize known viruses within LZEXE-compressed files.  Unfortunately,
this doesn't help against other methods of executable compression,
e.g. Microsoft's EXEPACK.)

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
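
The distinction drawn in the post between modification after and before compression, as an added example that is not part of the original post. Assumptions: zlib stands in for LZEXE's compressor, a trailing CRC-32 stands in for its self-check, and `SIGNATURE` and the sample image are constructed test data, not a real virus pattern or program.

```python
import zlib

# Constructed stand-in for a scanner pattern; not a real virus signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

def pack(image: bytes) -> bytes:
    """Compress the image and append a CRC-32 of the packed bytes."""
    body = zlib.compress(image, 9)
    return body + zlib.crc32(body).to_bytes(4, "little")

def self_check(packed: bytes) -> bool:
    """The packer's integrity check: it only covers the bytes as packed."""
    body, stored = packed[:-4], int.from_bytes(packed[-4:], "little")
    return zlib.crc32(body) == stored

def scan_raw(data: bytes) -> bool:
    """Signature scanner that looks only at the bytes on disk."""
    return SIGNATURE in data

def scan_unpacking(packed: bytes) -> bool:
    """Scanner that knows this one packer and scans the unpacked image too."""
    try:
        image = zlib.decompress(packed[:-4])
    except zlib.error:
        image = b""  # unknown format: only the raw scan applies
    return scan_raw(packed) or scan_raw(image)

def demo() -> dict:
    clean = b"MZ" + bytes(64) + b"\x90" * 2048   # constructed sample image
    infected = clean + SIGNATURE                 # modified BEFORE packing
    packed_infected = pack(infected)
    patched = bytearray(pack(clean))             # modified AFTER packing
    patched[len(patched) // 2] ^= 0xFF
    return {
        "after_packing_self_check": self_check(bytes(patched)),
        "before_packing_self_check": self_check(packed_infected),
        "before_packing_raw_scan": scan_raw(packed_infected),
        "before_packing_unpacking_scan": scan_unpacking(packed_infected),
        "clean_unpacking_scan": scan_unpacking(pack(clean)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A scanner written this way still sees nothing in a file packed by a compressor it does not know how to unpack, which is the EXEPACK case mentioned in the post.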