It was thus said that the Great Tony Duell once stated:
>
> My guess (never having seen this virus, and certainly never having
> written a virus) is that the code is not 0 bytes long (for the obvious
> reason), but that it overwrites some bytes in the files it infects rather
> than addting itself to the file, so the file remains the same size.
>
> So the _change_ in file size is 0 bytes.
>
> Of course this there is real virus code in the infected file, NAV can
> detect that particular byte pattern.
>
> And maybe because it overwrites part of the file, information from the
> file is lost, which is why the file can't be disinfected
I used to do a lot of assembly programming under MS-DOS and I found that
if I did
;********************************************
segment para public 'DATA'
some_value dw 34
some_string db 'Hello there',0
some_buffer db 4096 dup(0)
end segment
;********************************************
That when that particular segment was assembled, the amount of space it
took up in the executable was 5,010 bytes---the large areas of 0 filled
space wouldn't be compressed at all! And in looking over other executables
(ones from Microsoft, others from elsewhere) revealed huge portions of
executable files nothing but zeros. There was no compression done of at
least the data segment. So it would be easy enough for a virus to scan the
executable for a portion that is nothing but zeros, and hide in there.
-spc (Figure this might be on topic since it's been 10 years or so since
I've done MS-DOS assembly programming 8-)
Received on Wed Jul 18 2001 - 18:52:39 BST
This archive was generated by hypermail 2.3.0
: Fri Oct 10 2014 - 23:33:53 BST