Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!usc!apple!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: LZEXE - a possible anti virus application (PC)
Message-ID: <0010.9012171526.AA00375@ubu.cert.sei.cmu.edu>
Date: 14 Dec 90 19:27:25 GMT
Sender: Virus Discussion List
Lines: 20
Approved: krvw@sei.cmu.edu

davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr) writes:
>frisk@rhi.hi.is (Fridrik Skulason) writes:
>
>| On the other hand, if the program is first infected, and then LZEXEd,
>| the main effect will be that the majority of current anti-virus
>| programs will not detect the virus.
>
>  I'm not sure that's correct... the stealth virus will return an
>uncorrupted copy of the program when read by a checking program, and
>presumably this is what gets compressed by lzexe.

Ah - only if the virus is active when the program is LZEXEd - I am
assuming somebody might be using LZEXE on programs known to be
infected, in order to hide the virus. That person would be careful
not to have the virus active at the time.

If the virus is active, you are correct - the stealth virus will be
eliminated.

-frisk