Path: utzoo!attcan!uunet!portal!cup.portal.com!dan-hankins
From: dan-hankins@cup.portal.com (Daniel B Hankins)
Newsgroups: comp.sys.amiga
Subject: Re: IRQ virus
Message-ID: <13438@cup.portal.com>
Date: 12 Jan 89 06:45:52 GMT
References: <6434@louie.udel.EDU>
Organization: The Portal System (TM)
Lines: 18

In article <6434@louie.udel.EDU> gay%elde.epfl.ch@cunyvm.cuny.edu (David
Gay) writes:

>Instead of doing a checksum, why not check the size of the executable file
>? This would still allow you to "newzap" the file, but should detect any
>virus which prepends itself to the executable (though it could still
>search for a convenient block of nulls ...).

     It's worse than that.  The virus could compress the program (using
something as simple as Huffman or as complex as adaptive arithmetic
coding), and then prepend itself to the file.  Of course it would add some
noise in order to pad the file out to its original length (and possibly
checksum).
     Then, when the virus gets control, it does its stuff then decompresses
and loads the legitimate program.


Dan Hankins