Newsgroups: comp.binaries.ibm.pc.d
Path: utzoo!utgpu!cunews!dfs
From: dfs@doe.carleton.ca (David F. Skoll)
Subject: Re: LHA212JP.EXE .lzh archiver at garbo.uwasa.fi
Message-ID:
Keywords: japan lha
Sender: news@ccs.carleton.ca (news)
Organization: Carleton University, Ottawa, Canada
References: <1991Apr21.074001.18243@uwasa.fi> <1991Apr22.032912.23254@agate.berkeley.edu> <1991Apr23.113026.2657@unlinfo.unl.edu>
Date: 24 Apr 91 18:40:50 GMT

In groot@idca.tds.philips.nl (Henk de Groot) writes:

>About SFX files:
>What is the problem with self-extracting files <-> viruses? You can scan the
>SFX file with a good virus scanner (like F-PROT) and then run it! The
>resulting files may be contaminated but you have the same result with
>running an unpacker on an arbitrary archive.

Not quite. Here's the problem:

Suppose a self-extracting archive "A" contains a file "F" which is contaminated with a known virus. When you first scan "A", you will not detect the virus, since "F" is compressed. So you innocently execute "A", which unpacks "F" and then...

Someone has modified "A" so that after unpacking "F", it immediately executes it. This is a seemingly innocent operation which most virus scanners will not catch!

If you make a scanner which catches all attempts to execute a file named "F", you might catch a lot of legitimate software.

The whole problem is that a self-extracting archive has the potential to execute unpacked files before you've had a chance to scan them.

--
David F. Skoll
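
One way to act on the point above, as an added example that is not part of the original post: treat the self-extracting file as data, find the .lzh member headers behind the executable stub, and list what would be unpacked without running anything. It assumes the level-0/level-1 LZH header layout (size byte, checksum byte, 5-byte method ID, sizes, name); the stub, member names and payloads are constructed, and all function names are hypothetical.

```python
import struct

RUNNABLE = (".EXE", ".COM", ".BAT")  # DOS types to scan before anything runs them

def build_member(name, data):
    """Constructed level-0 'stored' member for the demo (file CRC left as zero)."""
    body = b"-lh0-" + struct.pack("<IIIBB", len(data), len(data), 0, 0x20, 0)
    body += bytes([len(name)]) + name + b"\x00\x00"
    return bytes([len(body), sum(body) & 0xFF]) + body + data

def parse_header(buf, pos):
    """Return (name, method, packed, original, next_pos), or None if invalid."""
    if pos < 0 or pos + 24 > len(buf):
        return None
    hsize, end = buf[pos], pos + 2 + buf[pos]
    method = buf[pos + 2:pos + 7]
    if hsize < 22 or end > len(buf) or method[:2] != b"-l" or method[4:] != b"-":
        return None
    if sum(buf[pos + 2:end]) & 0xFF != buf[pos + 1]:   # header checksum
        return None
    packed, original = struct.unpack_from("<II", buf, pos + 7)
    level, nlen = buf[pos + 20], buf[pos + 21]
    if level > 1 or 22 + nlen > hsize:
        return None
    name = buf[pos + 22:pos + 22 + nlen].decode("latin-1")
    return name, method.decode("latin-1"), packed, original, end + packed

def list_members(buf):
    """Skip the executable stub, then walk the chain of member headers."""
    hit = buf.find(b"-l")
    while hit >= 0 and parse_header(buf, hit - 2) is None:
        hit = buf.find(b"-l", hit + 1)
    members, pos = [], hit - 2
    while hit >= 0 and (hdr := parse_header(buf, pos)):
        members.append(hdr[:4])
        pos = hdr[4]
    return members

def needs_scan(members):
    """Names of members DOS could execute straight after unpacking."""
    return [m[0] for m in members if m[0].upper().endswith(RUNNABLE)]

# Constructed sample: fake stub, two stored members, end-of-archive zero byte.
STUB = b"MZ" + b"\x90" * 64 + b"constructed stub, not a real SFX loader"
F_DATA = b"MZ placeholder, not a real program"
SAMPLE = STUB + build_member(b"README.TXT", b"hello") + build_member(b"F.EXE", F_DATA) + b"\x00"

if __name__ == "__main__":
    for name, method, packed, original in list_members(SAMPLE):
        print(f"{name:12} {method} packed={packed} original={original}")
    print("scan before running:", needs_scan(list_members(SAMPLE)))
```

Members listed this way can then be extracted with an ordinary unpacker and scanned, so the stub's own code never runs.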