On Sat, 28 Jun 2003, Antony Stone wrote:

> That does seem like a good idea. An obvious way to do it might be to have a
> specific (short) string of characters as the start or end of the virus name
> which classifies it in this way?
>
> As you say, providing this information as part of the signature and not
> needing a separate list seems like a good move.
Providing the start and end strings of a virus still does not provide enough to do anything except produce a useless mangled file. If a virus replaces part of an exe's init code with a jump instruction to the end of the exec, where the init code has been moved to and the virus code added, just removing the beginning and ending of the virus code just invalidates the jump instruction. To get back to having a runnable program, the jump instruction needs to be replaced with the init code that was originally there.

Rather than bloat the database with begin/end strings, I would prefer there was a field in the database to specify an optional inoculation program. So, for a Word DOC virus there may be in the database an entry for another program that does intelligent Word DOC virus removal. That external program might keep a database that uses begin/end strings or something else to accomplish removing the virus without garbling the file format.

Likewise, an IFrame exploit inoculator program could be specified in the database, and then it is up to the inoculator program to decide what additional data files it needs to intelligently modify the HTML.
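As an added illustration of the point above (this is not code from the thread or from any scanner), here is a toy Python model using an assumed, made-up file layout: the first 8 bytes of a "program" are its init code, and the infected copy has those bytes overwritten by a `JMP ` marker plus an offset pointing at the saved init code and the appended virus body. It contrasts cutting between begin/end strings, which leaves the jump dangling, with a format-aware inoculator that puts the original init code back.

```python
import struct

# Assumed toy layout (not a real executable format): the first 8 bytes are the
# program's init code. In an infected file those 8 bytes are replaced by the
# 4-byte marker b"JMP " plus a little-endian 32-bit offset pointing at the end
# of the file, where the saved init code sits just before the virus body.
INIT_LEN = 8
JMP_MARKER = b"JMP "
VIRUS_BEGIN = b"<VBEG>"  # the begin/end strings a signature-only database would carry
VIRUS_END = b"<VEND>"

# Constructed sample: a clean program, then the same program as an infected file.
CLEAN = b"INITCODE" + b"MAIN-BODY-OF-THE-PROGRAM"
INFECTED = (
    JMP_MARKER + struct.pack("<I", len(CLEAN))  # overwrites the 8 init bytes
    + CLEAN[INIT_LEN:]                           # rest of the program untouched
    + b"INITCODE"                                # init code moved to the end
    + VIRUS_BEGIN + b"payload" + VIRUS_END       # appended virus body
)


def naive_strip(data: bytes) -> bytes:
    """Cut out everything between the begin and end strings, which is all a
    begin/end-only database permits. The jump at offset 0 is left in place,
    so the result is not the original program and still does not start with
    real init code."""
    start = data.find(VIRUS_BEGIN)
    end = data.find(VIRUS_END, start)
    if start < 0 or end < 0:
        return data
    return data[:start] + data[end + len(VIRUS_END):]


def entry_is_valid(data: bytes) -> bool:
    """The file is runnable only if offset 0 holds init code, not a dangling jump."""
    return not data.startswith(JMP_MARKER)


def inoculate(data: bytes) -> bytes:
    """Format-aware removal: follow the jump, copy the saved init code back over
    it, and truncate everything the virus appended."""
    if not data.startswith(JMP_MARKER):
        return data  # not infected in this toy format; leave untouched
    target = struct.unpack("<I", data[4:8])[0]
    saved_init = data[target:target + INIT_LEN]
    if len(saved_init) != INIT_LEN:
        raise ValueError("jump target does not hold saved init code")
    return saved_init + data[INIT_LEN:target]
```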
