Mail Archives: djgpp/1995/08/26/06:24:00
Chi Hoang <choang AT freenet DOT calgary DOT ab DOT ca> writes:
>well, this is what TBAV says on all djgpp2 programs:
> Heuristic flags: c!?ZK@i
> c No checksum / recovery information (Anti-Vir.Dat) available.
Well, that's for sure not our fault! :-)
> ! Invalid opcode (non-8088 instructions) or out-of-range branch.
We _need_ 386 instructions. Is that what it complains about?
> ? Inconsistent exe-header. Might be a virus but can also be a bug.
Hmm. DJ, Charles: any ideas?
> Z EXE/COM determination. The program tries to check whether a file
> is a COM or EXE file. Viruses need to do this to infect a program.
It's wrong here. However, there is code in there to add ".EXE" to a
file name. Is that what it complains about?
> K Unusual stack. The program has a suspicious stack or an odd stack.
The stack is not very big and occurs in the middle. I would think
that is what is detected.
> @ Encountered instructions which are not likely to be generated by
> an assembler, but by some code generator like a polymorphic virus.
Two things: djasm doesn't generate the same bit patterns as [mt]asm
would have done, and the code is optimized by hand for size.
> i Additional data found at end of file. Probably internal overlay.
Right, and what's wrong with that?
I say ship a compiled program and the source for the stub off to the
author of TBAV. Have him _fix_ his program, or tell us what to do
differently.
Morten
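
Added example (not part of the original message, and not TBAV's or DJGPP's code): the MZ header arithmetic that can show data past the end of the load image and an initial stack that sits inside it, in Python. The names `mz_layout` and `build_sample`, the sample file and the consistency rule are assumptions made for this illustration; how TBAV actually derives its flags is not stated on this page.

```python
import struct

PAGE = 512       # MZ header counts the file in 512-byte pages
PARAGRAPH = 16   # segment values and header size are in 16-byte paragraphs

def mz_layout(data: bytes) -> dict:
    """Derive load-image size, trailing bytes and stack position from an MZ header."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (cblp, cp, crlc, cparhdr, minalloc, maxalloc,
     ss, sp, csum, ip, cs, lfarlc, ovno) = struct.unpack_from("<13H", data, 2)
    # cp pages in total; if cblp != 0 the last page holds only cblp bytes
    image_end = cp * PAGE - ((PAGE - cblp) if cblp else 0)
    header_len = cparhdr * PARAGRAPH
    load_len = image_end - header_len
    stack_top = ss * PARAGRAPH + sp  # initial SS:SP as an offset into the load module
    return {
        "image_end": image_end,
        "load_len": load_len,
        # bytes in the file that DOS never loads (e.g. an appended image)
        "trailing": len(data) - image_end,
        # True when the initial stack lies within the loaded bytes, not past them
        "stack_inside_image": stack_top <= load_len,
        # assumed rule: header fits in the image, image fits in the file
        "header_consistent": 28 <= header_len <= image_end <= len(data),
    }

def build_sample(trailing: int) -> bytes:
    """Constructed sample: 512-byte header, 1536-byte load module, stack in the middle."""
    hdr = struct.pack("<2s13H", b"MZ",
                      0, 4, 0, 32,       # cblp, cp, crlc, cparhdr
                      0, 0xFFFF,         # minalloc, maxalloc
                      0x20, 0x0100,      # ss, sp -> offset 768 of 1536
                      0, 0, 0, 0x1C, 0)  # csum, ip, cs, lfarlc, ovno
    return hdr.ljust(512, b"\0") + b"\x90" * 1536 + b"\0" * trailing

if __name__ == "__main__":
    # 4096 trailing bytes stand in for whatever follows the stub in a real file
    print(mz_layout(build_sample(4096)))
```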