Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!stanford.edu!agate!e260-1e.berkeley.edu!c60b-1eq
From: c60b-1eq@e260-1e.berkeley.edu (Noam Mendelson)
Newsgroups: comp.binaries.ibm.pc.d
Subject: Re: Self-test of LHA (was Re: LHA212JP.EXE .lzh archiver)
Keywords: japan lha self-test virus
Message-ID: <1991Apr24.192453.10511@agate.berkeley.edu>
Date: 24 Apr 91 19:24:53 GMT
References: <1991Apr23.113026.2657@unlinfo.unl.edu> <1991Apr24.030220.15637@agate.berkeley.edu> <625@uitecgw.uitec.ac.jp>
Sender: root@agate.berkeley.edu (Charlie Root)
Organization: University of California, Berkeley
Lines: 25

In article <625@uitecgw.uitec.ac.jp> nemossan@uitec.ac.jp (Sakurao NEMOTO) writes:
>Further you can *test* newly arrived LHA-selfextracted file using older
>LHA.EXE program.
>Try C:>LHA T lha212.exe
>       |   | |
>       |   | +--------- Newly arrived selfextract file
>       |   +-------------- specify to TEST
>       +----------------- older executable file of LHA
>
>If the newly arrived selfextract-LHA is from Yoshi, you will see
>   "This is original from Yoshi."-message.

You shouldn't count on this type of check.  The source code for LHa is out,
and any determined hacker could make an EXE file look as if it came from
Yoshi.
This is sort of like doing a CRC test and comparing it to the CRC listed
in the documentation (LHa is a bad example, unless you read Kana).  I've seen
people claim that source files were genuine because the CRCs of the EXE files
matched those in the docs ...

-- 
+==========================================================================+
| Noam Mendelson   ..!ucbvax!web!c60b-1eq      | "I haven't lost my mind,  |
| c60b-1eq@web.Berkeley.EDU                    |  it's backed up on tape   |
| University of California at Berkeley         |  somewhere."              |
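
The point made in the post above, as an added example that is not part of the original article: a CRC shipped alongside the file catches accidental damage but passes any bundle whose docs were regenerated, while a reference value obtained separately does not. The bundle layout, function names and byte strings are constructed for illustration, and SHA-256 stands in here for whatever independently obtained reference value is available.

```python
import hashlib
import hmac
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def make_bundle(exe: bytes) -> dict:
    """Constructed stand-in for a distribution: program bytes plus docs listing its CRC."""
    return {"exe": exe, "doc_crc32": crc32(exe)}


def in_band_check(bundle: dict) -> bool:
    """The check the post warns about: the reference value ships with the file."""
    return crc32(bundle["exe"]) == bundle["doc_crc32"]


def out_of_band_check(bundle: dict, trusted_sha256: str) -> bool:
    """Compare against a digest obtained separately from the download itself."""
    actual = hashlib.sha256(bundle["exe"]).hexdigest()
    return hmac.compare_digest(actual, trusted_sha256)


def evaluate() -> dict:
    original = make_bundle(b"constructed original program bytes")
    # Assumption: the author published this digest through a separate channel.
    trusted = hashlib.sha256(original["exe"]).hexdigest()

    # Damaged in transit: program bytes changed, docs untouched.
    damaged = dict(original, exe=original["exe"][:-1] + b"X")
    # Rebuilt by a third party: whoever changes the program also rewrites the docs.
    rebuilt = make_bundle(b"constructed modified program bytes")

    bundles = (("original", original), ("damaged", damaged), ("rebuilt", rebuilt))
    return {
        name: (in_band_check(b), out_of_band_check(b, trusted))
        for name, b in bundles
    }


if __name__ == "__main__":
    for name, (in_band, out_of_band) in evaluate().items():
        print(f"{name:9} in-band={in_band!s:5} out-of-band={out_of_band}")
```

Only the rebuilt bundle separates the two checks: it is internally consistent, so the in-band comparison accepts it, and it is rejected only by the value that did not travel with the file.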