May 7th, 2002, 06:41 AM
Virus Free Software
Hi there all you genius guys!!
Well, I was working on how viruses work and the cause of their spreading. I found somewhere that a virus attaches to an exe like this: it rips up the exe into three parts: the header, the body and the footer. Now in the header it calls the code of the worm or virus, whatever you call it, and forwards the execution to the footer, which is the virus exec. Now once this code is executed, it throws the execution back to the body, which is the main program, and then the original program runs.
First question: Is this true??
Second question: Is there any way to make sure that your executables are not vulnerable to any worm/virus to get into it??
May 9th, 2002, 10:34 PM
First Question: Sounds completely plausible to me.
Unfortunately this is not the only way a virus can add itself to an executable, nor is even this method reliably detectable.
An executable file that changes size is often a sign of a virus (or at least it was under DOS), but these days with so many patches out for *everything* many programs are patched frequently by users and/or the OS so they change size a lot.
Second Question: An executable program you've written can run a checksum or other kind of check on its own binary to detect modification, however this is not useful because:
1. You make it difficult to modify the program as you have to change the checksum each time the program is modified.
2. The technique can easily be defeated by several types of virus, notably "Companion" viruses which don't even modify the exe files, just sit alongside them (possibly copying the original file back again before executing it).
3. You're closing the stable door after the horse has bolted, because by the time your code gets run, the virus has already started (and in some cases finished) its dirty work.
Finally, "worms" are not viruses, they don't infect programs and instead spread by themselves, so no program is in fact vulnerable (unless you make a server program with a security hole and a worm exploits that, but that's only likely to happen these days if you're Microsoft or Sun).
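Added example, not part of either post: the integrity check from the thread, run from outside the programs against a stored baseline. It flags modified executables, including same-size changes that a size check misses, and new files placed alongside a known program. The file names, the sample contents and the `.com`/`.exe`/`.bat` lookup order are assumptions made for this sketch.

```python
import hashlib
import tempfile
from pathlib import Path

# DOS/Windows command lookup order, highest precedence first (assumed here).
EXEC_EXTS = (".com", ".exe", ".bat")

def _rank(name):
    return EXEC_EXTS.index(Path(name).suffix.lower())
def _stem(name):
    return Path(name).with_suffix("").as_posix().lower()

def snapshot(root):
    """Map relative path -> (size, sha256) for each executable under root."""
    snap = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in EXEC_EXTS:
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap

def compare(baseline, current):
    """Return sorted (finding, path) pairs for every difference from the baseline."""
    findings = [("missing", n) for n in baseline if n not in current]
    for name, (size, digest) in current.items():
        if name in baseline:
            old_size, old_digest = baseline[name]
            if digest != old_digest:
                kind = "modified-size-changed" if size != old_size else "modified-same-size"
                findings.append((kind, name))
        else:
            # New file that outranks a baseline program of the same stem: companion pattern.
            shadows = any(_stem(b) == _stem(name) and _rank(b) > _rank(name) for b in baseline)
            findings.append(("companion" if shadows else "new", name))
    return sorted(findings)

def demo():
    """Constructed sample: three dummy programs, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for n in ("edit.exe", "calc.exe", "tool.exe"):
            (root / n).write_bytes(b"MZ" + n.encode() * 8)
        baseline = snapshot(root)  # in practice, kept off the monitored machine
        (root / "edit.exe").write_bytes((root / "edit.exe").read_bytes() + b"APPENDED")
        (root / "calc.exe").write_bytes(b"MZ" + b"X" * 64)  # same length, new content
        (root / "tool.com").write_bytes(b"constructed companion stub")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The baseline has to be refreshed after every legitimate patch, which is the maintenance cost the reply's first point describes.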