From: Eli Zaretskii Newsgroups: comp.os.msdos.djgpp Subject: Re: DJGPP viruses (Re: HELP! "invalid page exception"??) Date: Thu, 16 Sep 1999 12:30:02 +0200 Organization: NetVision Israel Lines: 18 Message-ID: References: <37D534CD DOT 9FE72805 AT this DOT newsgroup> <37D6B63A DOT 68278B19 AT this DOT newsgroup> <37D7B0BD DOT DE998100 AT this DOT newsgroup> <7rmlv7$99s$1 AT solomon DOT cs DOT rose-hulman DOT edu> <7ro50d$e2b$1 AT solomon DOT cs DOT rose-hulman DOT edu> NNTP-Posting-Host: is.elta.co.il Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Trace: news.netvision.net.il 937477729 10037 199.203.121.2 (16 Sep 1999 10:28:49 GMT) X-Complaints-To: abuse AT netvision DOT net DOT il NNTP-Posting-Date: 16 Sep 1999 10:28:49 GMT X-Sender: eliz AT is In-Reply-To: <7ro50d$e2b$1@solomon.cs.rose-hulman.edu> To: djgpp AT delorie DOT com DJ-Gateway: from newsgroup comp.os.msdos.djgpp Reply-To: djgpp AT delorie DOT com X-Mailing-List: djgpp AT delorie DOT com X-Unsubscribes-To: listserv AT delorie DOT com Precedence: bulk On Wed, 15 Sep 1999, Damian Yerrick wrote: > > Not true. Every DJGPP program has a short real-mode stub prepended > > to it. As far as DOS (and DOS-based virus) is concerned, a DJGPP > > program is a very short real-mode program with lots of data attached > > to it. > > But wouldn't this appended data confuse most viruses to > high heck? No, viruses are programs, and programs cannot be confused ;-). Seriously, though: the stub usually confuses anti-virus software, not viruses. What viruses do is still infect the program, but when they do, they usually overwrite the beginning of the COFF image, and the program won't run anymore (the stub won't load it). See section 6.7 of the FAQ for more about this.