August 18th, 2004, 05:35 AM
#1
Malware Sig Structure
I've got one thread rockin' over here:
http://www.antionline.com/showthread...112#post782112
I made this one to help fill in some of the holes. How are malware definitions built? They have to be more than just a checksum. Also, is it possible to hack a definition file, like the adaware reference file, or the Norton signatures to see how they identify a certain piece of malware?
I would guess that the scanner reads a file, and compares it to some sort of list of entries. But what would the entry contain? And if polymorphism is involved, what would the def look like?
Google doesn't know, but I was wondering if someone could mess around with the adaware reference file and possibly notice if it's possible at all to reverse engineer it.
AA Reference file attached
Thanks
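One way to see what a definition entry can contain beyond a bare checksum, as an added example that is not from the thread or from any real scanner's definition format: a toy scanner whose entries are either a whole-file hash or a hex byte pattern with `??` one-byte wildcards. The sample "files" are constructed, harmless byte strings, and the entry layout is an assumption for illustration; the one-byte variant shows why a hash entry breaks on trivial variation while a wildcard pattern still matches.

```python
import hashlib
import re

# Constructed, harmless sample "files" (not real malware): two variants of the
# same hypothetical program that differ by a single byte, plus a benign file.
SAMPLE_A = b"MZ\x90\x00" + b"pad" * 4 + b"\x55\x8b\xec\x83\xec\x10" + b"tail"
SAMPLE_A_VARIANT = SAMPLE_A.replace(b"\x83\xec\x10", b"\x83\x0a\x10")
BENIGN = b"MZ\x90\x00" + b"just a benign program" * 2

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a hex pattern such as '55 8b ?? 10' into a byte regex.
    '??' is a one-byte wildcard; every other token must match exactly."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches a newline byte (0x0a)
    return re.compile(b"".join(parts), re.DOTALL)

# Hypothetical definition entries: each carries a match type, the value to
# match, and the name reported on a hit. This layout is an assumption.
SIGNATURES = [
    {"name": "Sample.A (file hash)", "type": "sha256",
     "value": hashlib.sha256(SAMPLE_A).hexdigest()},
    {"name": "Sample.A (byte pattern)", "type": "pattern",
     "value": "55 8b ec 83 ?? 10"},
]

def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all definition entries that match `data`."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    for sig in signatures:
        if sig["type"] == "sha256" and sig["value"] == digest:
            hits.append(sig["name"])
        elif sig["type"] == "pattern" and pattern_to_regex(sig["value"]).search(data):
            hits.append(sig["name"])
    return hits

if __name__ == "__main__":
    for label, blob in [("original", SAMPLE_A),
                        ("one-byte variant", SAMPLE_A_VARIANT),
                        ("benign", BENIGN)]:
        print(f"{label}: {scan(blob) or 'clean'}")
```

Running it shows the original hitting both entries, the variant hitting only the byte pattern, and the benign file hitting nothing.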