X-Authentication-Warning: delorie.com: mailnull set sender to djgpp-workers-bounces using -f
Date: Wed, 16 Jan 2002 10:23:29 -0500
Message-Id: <200201161523.g0GFNTX11672@envy.delorie.com>
From: DJ Delorie
To: djgpp-workers AT delorie DOT com
Subject: [FlorinGhido AT yahoo DOT com: 12 files from >bnu2112b.zip< ARE INFECTED with a trojan virus!]
Reply-To: djgpp-workers AT delorie DOT com

Sure enough, there are two djgpp images there. Ideas?

------- Start of forwarded message -------
From: "Florin Ghido"
To:
Subject: 12 files from >bnu2112b.zip< ARE INFECTED with a trojan virus!
Date: Wed, 16 Jan 2002 17:11:29 +0200
Content-Type: text/plain; charset="iso-8859-2"
X-Priority: 1
X-MSMail-Priority: High
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700

Hi, DJ Delorie!

I found that 12 files from the archive bnu2112b.zip ARE INFECTED with a
trojan virus. The virus is also written in DJGPP, and it may be found
immediately by searching in the EXE files for 'stub.h generated', found
a second time at around 95% of the file. Being written in DJGPP, the
virus also has a stub. The image of these files is:
STUB+image+STUB+virus, that is, two executables concatenated.

The archive is:

15.07.2001  11:47  2.707.938  bnu2112b.zip

The INFECTED files are:

03.07.2001  05:51    271.872  size.exe
03.07.2001  05:51    525.312  objdump.exe
03.07.2001  05:51    291.328  ar.exe
03.07.2001  05:51    270.848  strings.exe
03.07.2001  05:51    291.328  ranlib.exe
03.07.2001  05:51    455.168  objcopy.exe
03.07.2001  05:51    321.024  addr2line.exe
03.07.2001  05:51    330.240  nm.exe
03.07.2001  05:51    455.168  strip.exe
03.07.2001  05:51    474.112  as.exe
03.07.2001  05:51    387.584  gprof.exe
03.07.2001  05:51    448.000  ld.exe

The virus is about 9024 bytes in size, but the size can vary slightly
because of the zero padding to make the file size a multiple of 512.

Please send me a response with some details you found, or at least
something to confirm you received this mail.

Best regards,
Florin Ghido
------- End of forwarded message -------
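
The check described in the forwarded report (search each EXE for 'stub.h generated' and see whether it occurs a second time near the end), as an added example that is not part of the original messages. The function names are hypothetical and the sample archive is constructed filler, not real DJGPP binaries.

```python
import io
import zipfile

MARKER = b"stub.h generated"   # string the report finds in each DJGPP stub

def marker_offsets(data: bytes) -> list:
    """Return every offset at which the stub marker occurs."""
    offsets, pos = [], data.find(MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(MARKER, pos + len(MARKER))
    return offsets

def assess(data: bytes) -> dict:
    """Summarise marker positions; two or more markers means two stubs."""
    offs = marker_offsets(data)
    report = {"size": len(data), "markers": offs, "suspicious": len(offs) >= 2}
    if report["suspicious"]:
        # Distance from the last marker to end of file approximates the
        # appended program's size (the marker sits a little inside its stub).
        report["tail_bytes"] = len(data) - offs[-1]
        report["tail_position"] = round(offs[-1] / len(data), 3)
    return report

def scan_zip(zip_bytes: bytes) -> dict:
    """Assess every .exe member of a zip archive held in memory."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".exe"):
                results[info.filename] = assess(zf.read(info))
    return results

def build_sample_zip() -> bytes:
    """Constructed test data: fake 512-byte 'stubs' plus filler bytes."""
    stub = b"MZ" + b"\0" * 30 + MARKER + b"\0" * 464
    clean = stub + b"\x90" * 8192
    doubled = clean + stub + b"\xcc" * 512      # STUB+image+STUB+extra
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("clean.exe", clean)
        zf.writestr("doubled.exe", doubled)
        zf.writestr("readme.txt", MARKER * 2)   # not an EXE, so skipped
    return buf.getvalue()

if __name__ == "__main__":
    for name, rep in scan_zip(build_sample_zip()).items():
        print(name, rep)
```

A program that legitimately embeds a second stub as data would also match, so a hit is a prompt to compare the file against a known-good build rather than a verdict.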