At 17:19 2003-08-21 +0000, John Conover wrote:
> I think everybody has their own favorite way of detecting Virii/Worms
> in e-mail attachments. Mine is at:
> http://www.johncon.com/john/receivedIP/howto-virus.txt
A heads up on your odds of false positives in the header: because the bytes
following the PC executable signature are specific fields (rather than
program code), they can show up on other apps which may still be radically
different:
exe signature (2 bytes)
length of image mod 512 (2 bytes)
size of file in 512 byte pages (2 bytes)
Number of relocation table items (2 bytes)
Quite a few EXE files don't actually have relocation entries (particularly
if they're executable compressed, so the actual relocations are within the
real header which needs to be decompressed), but even if they DO have
relocations, if you're checking just the first seven bytes, you're getting
the MSB of the word value - so in most cases, you're going to see *0* for
that value.
At offset 0x12, there's a word checksum for the file, though there's no
guarantee that it is accurate (and of course, a checksum isn't nearly as
useful as a CRC).
The bottom line: signature checking using the first 7 bytes really only
tells you two things, neither of which confirms that the file is a virus:
* it has an MS executable signature (which even non-viruses have)
* it's a specific length (which any number of valid programs could be)
The odds quoted in your page are seemingly astronomical, but are not
representative of the true distribution of values within those headers.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
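As an added illustration of the point made above (example code written for this page; it is not from the post, the procmail list, or the linked howto), the script below parses the four header fields listed in the post plus the word checksum at 0x12, then builds two constructed, clearly fake DOS executables of the same length and shows that a fixed 7-byte prefix cannot tell them apart, nor a file with a relocation count whose low byte is zero. The checksum convention used (all 16-bit words of the file summing to 0xFFFF) is an assumption stated in the code; real files usually leave e_csum at 0, which is the post's point about its unreliability.

```python
"""MZ header fields vs. a 7-byte 'signature' check (added example, not the post's code)."""
import struct

# The four fields the post lists, in file order, little-endian:
# e_magic (2), e_cblp = bytes on last page (2), e_cp = 512-byte pages (2),
# e_crlc = relocation count (2).
MZ_LAYOUT = struct.Struct("<2sHHH")
CSUM_OFFSET = 0x12      # e_csum, the word checksum mentioned in the post
HEADER_SIZE = 0x40      # header length used for the constructed samples


def parse_mz_header(data: bytes) -> dict:
    """Return the fields a 7-byte prefix touches, plus e_csum.

    Raises ValueError if the buffer is too short or lacks the MZ signature."""
    if len(data) < 0x1C:
        raise ValueError("buffer shorter than a DOS header")
    magic, cblp, cp, crlc = MZ_LAYOUT.unpack_from(data, 0)
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("no MZ signature")
    (csum,) = struct.unpack_from("<H", data, CSUM_OFFSET)
    return {
        "magic": magic,
        "bytes_on_last_page": cblp,
        "pages": cp,
        "relocations": crlc,
        # A 7-byte prefix covers only byte 6, the low byte of e_crlc.
        "relocations_lsb": data[6],
        "checksum": csum,
    }


def mz_word_checksum(data: bytes) -> int:
    """Sum of all 16-bit little-endian words of the file, mod 0x10000, e_csum included.

    Assumption: the file is 'checksum-valid' when this sum equals 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("<H", data):
        total = (total + word) & 0xFFFF
    return total


def fix_checksum(data: bytes) -> bytes:
    """Set e_csum so mz_word_checksum() returns 0xFFFF (same assumption as above)."""
    buf = bytearray(data)
    struct.pack_into("<H", buf, CSUM_OFFSET, 0)
    total = mz_word_checksum(bytes(buf))
    struct.pack_into("<H", buf, CSUM_OFFSET, (0xFFFF - total) & 0xFFFF)
    return bytes(buf)


def build_sample(payload: bytes, relocations: int = 0) -> bytes:
    """Construct a minimal, non-functional MZ file (test data, not a real program)."""
    total = HEADER_SIZE + len(payload)
    header = bytearray(HEADER_SIZE)
    MZ_LAYOUT.pack_into(header, 0, b"MZ", total % 512, (total + 511) // 512, relocations)
    struct.pack_into("<H", header, 0x08, HEADER_SIZE // 16)   # e_cparhdr: header paragraphs
    struct.pack_into("<H", header, 0x18, HEADER_SIZE)         # e_lfarlc: relocation table offset
    return bytes(header) + payload


def prefix_signature(data: bytes, length: int = 7) -> bytes:
    """The 'signature' a first-N-bytes check actually compares."""
    return data[:length]


def same_prefix(a: bytes, b: bytes, length: int = 7) -> bool:
    return prefix_signature(a, length) == prefix_signature(b, length)


if __name__ == "__main__":
    benign = build_sample(b"A" * 100)
    other = build_sample(b"B" * 100)               # same length, different body
    reloc = build_sample(b"A" * 100, relocations=0x0100)  # 256 relocations, low byte 0
    for name, sample in (("benign", benign), ("other", other), ("reloc", reloc)):
        print(name, prefix_signature(sample).hex(), parse_mz_header(sample))
    print("benign/other collide:", same_prefix(benign, other))
    print("benign/reloc collide:", same_prefix(benign, reloc))
    print("checksum valid after fix:", mz_word_checksum(fix_checksum(benign)) == 0xFFFF)
```

Running it shows all three constructed files sharing the same first seven bytes, which is the post's "MS signature plus a specific length" observation in concrete form; the only byte of the relocation count a 7-byte check sees is the low one, so a 256-entry table still reads as zero there.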