Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Newsgroups: comp.virus
Subject: re: Odd 77-byte files (PC)
Message-ID: <0008.9105131358.AA08971@ubu.cert.sei.cmu.edu>
Date: 10 May 91 20:40:59 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 29
Approved: krvw@sei.cmu.edu

zlsiial@cs.man.ac.uk writes:

> Some utility on my PC (running MS DOS 3.3) has been creating several
> hundred hidden files.  All had a filename of an existing COM or EXE

If it was hidden .COM files for each .EXE, then it would indicate the
new type of viral programs which Patricia Hoffman refers to as
"spawning".  However, since the hidden files do not have executable
filenames, it might be similar to the Norton Antivirus change
detection scheme.

NAV does not store all the checksum information for "innoculated"
files in one file, but in one hidden file for each innoculated
program.  The checksum files have filenames related to the program
files, but one character in the extension is altered.

Sorry not to have more details, but I can't find the specifics in the
manual.  (Thinks: what are READ.ME files for?  Sure enough.)

Yes, in the READ.ME file, you will find (at about line 125) a
description of the checksum files it creates.  For .COM it is ._OM,
for .EXE, ._XE, for .SYS, ._YS etc.

=============
Vancouver          p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for      Robert_Slade@mtsg.sfu.ca |  computer, don't
Research into      (SUZY) INtegrity         |  turn it on."
User               Canada V7K 2G6           | Richards' 2nd Law
Security                                    | of Data Security