From: Damian Yerrick
Newsgroups: comp.os.msdos.djgpp
Subject: Re: self-mod code and DJGPP - writable code segment?
Organization: Pin Eight Software http://pineight.8m.com/
Message-ID:
References:
X-Newsreader: Forte Agent 1.7/32.534
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 37
X-Trace: /bGnt85RwdBbqme0X4rvwEczZe7IyLvEvzjw2ht8h9jlDBYmCH/dTifOyr1Vr66t1+LnxA+EARy2!OxiHQ+O4YKb/quZiW+4RX9MNkxa2jjmE4zwVnHxM9Tb5TCQmxYGKa5JmZ+hZhTZXL7at7SornO/N!ADW9hVI=
X-Complaints-To: abuse AT gte DOT net
X-Abuse-Info: Please be sure to forward a copy of ALL headers
X-Abuse-Info: Otherwise we will be unable to process your complaint properly
NNTP-Posting-Date: Wed, 15 Mar 2000 15:51:40 GMT
Distribution: world
Date: Wed, 15 Mar 2000 15:51:40 GMT
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

On Wed, 15 Mar 2000 11:04:21 +0200 (IST), Eli Zaretskii wrote:

>On Wed, 15 Mar 2000, nimrod a. abing wrote:
>
>> I was just curious about this. If the code
>> segment is not writable, it seems to imply some
>> sort of immunity to viruses for DJGPP programs.
>
>The viruses don't attach themselves to the protected-mode code produced
>by DJGPP, they attach themselves to the short DOS stub prepended to DJGPP
>programs. And since the COFF header follows that short stub, the virus
>has good chances of overwriting the COFF magic signature, which will cause
>the startup code to refuse to run the infected program.
>
>...
>
>The above-mentioned features do allow an early detection of an
>infection. But more importantly, the viruses have
>all but abandoned DOS programs as their target.

Except the master boot record.

>They now concentrate on Windows programs, so
>any DOS program is probably more safe.

Would the features allow early detection of an infected RSXNTDJ
program?

--
Damian Yerrick http://yerricde.tripod.com/
Comment on story ideas: http://home1.gte.net/frodo/quickjot.html
AOL is sucks! Find out why: http://anti-aol.org/faqs/aas/
View full sig: http://www.rose-hulman.edu/~yerricde/sig.html

This is McAfee VirusScan. Add these two lines to your .sig to
prevent the spread of .sig viruses. http://www.mcafee.com/
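
The COFF-magic check described in the quoted reply can also be run from outside the program, as an integrity check on the file. The following is an added example, not part of the original post and not DJGPP's own startup code. It assumes the COFF image begins where the MZ header's size fields say the stub ends; `check_stubbed_coff`, `make_sample` and the 2048-byte sample stub are hypothetical names and values constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MZ_MAGIC  0x5A4Du /* "MZ", first two bytes of the DOS stub */
#define I386MAGIC 0x014Cu /* COFF f_magic value for i386 */
#define STUB_LEN  2048    /* stub length of the constructed sample only */

enum coff_check { COFF_OK, NOT_MZ, TRUNCATED, BAD_COFF_MAGIC };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Length of the MZ image (the stub) from its header, or -1 if not MZ. */
static long stub_size(const uint8_t *img, size_t len) {
    if (len < 6 || rd16(img) != MZ_MAGIC) return -1;
    uint16_t last = rd16(img + 2);  /* bytes used in the last 512-byte page */
    uint16_t pages = rd16(img + 4); /* number of 512-byte pages */
    if (pages == 0 || last > 511) return -1;
    return (long)pages * 512 - (last ? 512 - last : 0);
}

/* Verify that a COFF header with the i386 magic follows the stub. */
enum coff_check check_stubbed_coff(const uint8_t *img, size_t len) {
    long off = stub_size(img, len);
    if (off < 0) return NOT_MZ;
    if ((size_t)off + 2 > len) return TRUNCATED;
    return rd16(img + off) == I386MAGIC ? COFF_OK : BAD_COFF_MAGIC;
}

/* Constructed sample: stub + start of a COFF header; buf holds STUB_LEN+20.
   damaged != 0 simulates bytes written across the stub/COFF boundary. */
size_t make_sample(uint8_t *buf, int damaged) {
    memset(buf, 0, STUB_LEN + 20);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[4] = STUB_LEN / 512;               /* page count; last-page field = 0 */
    buf[STUB_LEN] = 0x4C; buf[STUB_LEN + 1] = 0x01; /* f_magic, little-endian */
    if (damaged) memset(buf + STUB_LEN - 8, 0xEE, 16);
    return STUB_LEN + 20;
}

int main(void) {
    uint8_t buf[STUB_LEN + 20];
    for (int d = 0; d < 2; d++) {
        size_t n = make_sample(buf, d);
        printf("damaged=%d -> result %d\n", d, check_stubbed_coff(buf, n));
    }
    return 0;
}
```

A result of `BAD_COFF_MAGIC` only shows that the bytes after the stub were altered; a modification confined to the stub itself would pass this check.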