From: Damian Yerrick <Bullshitd_yerrick AT hotmail DOT comRemoveBullshit>
Newsgroups: comp.os.msdos.djgpp
Subject: Re: self-mod code and DJGPP - writable code segment?
Organization: Pin Eight Software  http://pineight.8m.com/
Message-ID: <h7cvcs4ucael32pfin6a5nbdo0q1kliadj@4ax.com>
References: <INEPKJNPJEEIBAAA AT shared1-mail DOT whowhere DOT com> <Pine DOT SUN DOT 3 DOT 91 DOT 1000315105955 DOT 17230V-100000 AT is>
X-Newsreader: Forte Agent 1.7/32.534
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 37
X-Trace: /bGnt85RwdBbqme0X4rvwEczZe7IyLvEvzjw2ht8h9jlDBYmCH/dTifOyr1Vr66t1+LnxA+EARy2!OxiHQ+O4YKb/quZiW+4RX9MNkxa2jjmE4zwVnHxM9Tb5TCQmxYGKa5JmZ+hZhTZXL7at7SornO/N!ADW9hVI=
X-Complaints-To: abuse AT gte DOT net
X-Abuse-Info: Please be sure to forward a copy of ALL headers
X-Abuse-Info: Otherwise we will be unable to process your complaint properly
NNTP-Posting-Date: Wed, 15 Mar 2000 15:51:40 GMT
Distribution: world
Date: Wed, 15 Mar 2000 15:51:40 GMT
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

On Wed, 15 Mar 2000 11:04:21 +0200 (IST), Eli Zaretskii
<eliz AT is DOT elta DOT co DOT il> wrote:

>On Wed, 15 Mar 2000, nimrod a. abing wrote:
>
>> I was just curious about this. If the code 
>> segment is not writable, it seems to imply some 
>> sort of immunity to viruses for DJGPP programs.
>
>The viruses don't attach themselves to the protected-mode code produced 
>by DJGPP, they attach themselves to the short DOS stub prepended to DJGPP 
>programs.  And since the COFF header follows that short stub, the virus 
>has good chances overwriting the COFF magic signature, which will cause 
>the startup code refuse to run the infected program.
>
>...
>
>The above-mentioned features do allow an early detection of an 
>infection.  But more importantly, the viruses have
>all but abandoned DOS programs as their target.

Except the master boot record.

>They now concentrate on Windows programs, so 
>any DOS program is probably more safe.

Would the features allow early detection of an infected
RSXNTDJ program?

-- 
Damian Yerrick  http://yerricde.tripod.com/
Comment on story ideas: http://home1.gte.net/frodo/quickjot.html
AOL is sucks! Find out why: http://anti-aol.org/faqs/aas/
View full sig: http://www.rose-hulman.edu/~yerricde/sig.html

This is McAfee VirusScan. Add these two lines to your .sig to
prevent the spread of .sig viruses.  http://www.mcafee.com/