Path: utzoo!attcan!uunet!lll-winken!ames!pasteur!ucbvax!moravian.EDU!nicholaA
From: nicholaA@moravian.EDU
Newsgroups: comp.sys.apple
Subject: Re: viruses
Message-ID: <8903032203.AA21531@batman.moravian.edu>
Date: 3 Mar 89 22:03:21 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 32

> As anyone knows, a checksum is only effective if the person who wrote the vir
> doesn't have the smarts to make the checksum add up after the virus has inser
> itself. Some really smart cookie would probably have the virus checksum the
> program itself before insertion, then rebalance the checksum...... Or they
> could corrupt the checksum program itself to produce the same result every ti
> no matter how the program looked.

Actually, a more precise method would be to calculate a CRC-16 or CRC-32 on
the image of the program. Of course, what should be done first is to read the
first 3 bytes off the disk (the first JMP in most cases), and to check the
length of the program against what it's _supposed_ to be. This is what
ShrinkIt does, and it works fairly well.

You mention that a virus program _might_ be able to look into an executable
file, find the code used to generate a checksum, and somehow change the way it
works. That, at best, at least on an Apple II, is laughable -- A virus would
have to be _very_ special case sensitive to work right since the routines used
by programs which protect themselves from virusii (?) vary tremendously.

> Ryan Lanctot
>
>
-------------
Andy Nicholas                CsNET: nicholaA@moravian.edu
Box 435                   InterNET: nicholaA%moravian.edu@relay.cs.net
Moravian College                    liberty!batman!nicholaA@sun.com
Bethlehem, PA 18018                 lafcol!lehi3b15!mc70!nicholaA@rutgers.edu
                              Bang: rutgers!lafcol!lehi3b15!mc70!nicholaA
AppleLink PE: ShrinkIt              rutgers!liberty!batman!nicholaA
-------------
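
The checks the reply describes (program length, first three bytes, then a CRC over the whole image), set beside the simple additive checksum from the quoted text. This is an added example, not part of the original post and not ShrinkIt's code; the record layout, the function names and the sample image are assumptions constructed for illustration.

```python
import zlib

def additive_checksum(image: bytes) -> int:
    """8-bit sum of all bytes: the kind of checksum the quoted text says can be rebalanced."""
    return sum(image) & 0xFF

def make_record(image: bytes) -> dict:
    """Reference values taken once from a known-good copy of the program image."""
    return {"length": len(image), "head": image[:3], "crc32": zlib.crc32(image)}

def verify(image: bytes, record: dict) -> list:
    """Return the names of the checks that fail, cheapest check first."""
    failed = []
    if len(image) != record["length"]:
        failed.append("length")
    if image[:3] != record["head"]:
        failed.append("head")
    if zlib.crc32(image) != record["crc32"]:
        failed.append("crc32")
    return failed

# Constructed sample image: 6502 "JMP $2003" (4C 03 20) followed by filler bytes.
GOOD = bytes([0x4C, 0x03, 0x20]) + bytes(range(0x10, 0x50))
RECORD = make_record(GOOD)

# Constructed change 1: entry JMP points elsewhere and the file grew by 16 bytes.
GROWN = bytes([0x4C, 0x43, 0x20]) + GOOD[3:] + bytes(16)

# Constructed change 2: same length, same first 3 bytes, two adjacent bytes
# changed by +1 and -1 so the 8-bit additive checksum comes out the same.
body = bytearray(GOOD)
body[10] += 1
body[11] -= 1
BALANCED = bytes(body)

if __name__ == "__main__":
    for name, img in (("good", GOOD), ("grown", GROWN), ("balanced", BALANCED)):
        print(name, hex(additive_checksum(img)), verify(img, RECORD))
```

CRC-32 is an error-detecting code rather than a cryptographic hash: it always detects a change confined to 32 contiguous bits or fewer, as in the second case, but it is not a guarantee against a deliberately computed collision.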