Re: Possible Virus
Everett L. (Rett) Williams writes:
> files from RDS pdex.exe - 177,780
> ex.exe - 177,468
>
> quarantined files pdex.exe - 185,780
> ex.exe - 185,468
Thanks for sending me one of your quarantined files.
I compared the quarantined pdex.exe versus the
clean pdex.exe from our site. It took a bit of work
(using the tool below) but I can tell you that the
quarantined file is simply the clean file with an
extra 8000-byte block inserted at the front
*by Norton Antivirus itself*, plus Norton inverted
all the other bits in the file: 0 becomes 1,
1 becomes 0 in each byte.
Therefore, there is *no virus* in either the clean pdex.exe
or the "quarantined" version, unless you believe
that the clean pdex.exe on our site, which has been
downloaded and used for many months by many
thousands of people, is tainted.
Obviously what happened is that Norton
erroneously raised a warning flag against
ex.exe and pdex.exe, probably because they are
compressed executables. Norton then proceeded to
create the quarantined versions of ex.exe and pdex.exe
by adding an 8000-byte information block and
inverting all the bits. The information block contains
things such as your name "Rett Williams", the
name of the suspected virus, a whole bunch of 0's, etc.
Regards,
Rob Craig
Rapid Deployment Software
http://www.RapidEuphoria.com
---------------------------------------------------------------
-- determine frequency of byte-values in a file
-- usage:
--     ex analyse > junk
-- the frequencies were totally mismatched, until
-- I sorted them and saw the inversion of bits
-- (inverting every bit maps byte value v to 255-v, so the
--  set of frequencies is unchanged; only their order differs)
include sort.e

integer b, count

function analyse(sequence name, integer min, integer max)
    -- get frequencies for file "name" from min byte to max byte
    integer fn
    sequence freq

    freq = repeat(0, 256)
    fn = open(name, "rb")
    if fn = -1 then
        puts(2, "can't open " & name & '\n')
        abort(1)
    end if
    count = 0
    while 1 do
        b = getc(fn)
        if b = -1 then
            exit            -- end of file
        end if
        if count >= min then
            freq[b+1] += 1  -- byte values 0..255 map to indexes 1..256
        end if
        count += 1
        if count = max then
            exit
        end if
    end while
    close(fn)
    return freq
end function

function abs(atom x)
    if x < 0 then
        return -x
    else
        return x
    end if
end function

sequence f1, f2

-- clean file: all bytes
f1 = sort(analyse("pdex.exe", 0, 999999))
for i = 1 to length(f1) do
    printf(1, "%5d", f1[i])
    if remainder(i, 12) = 0 then
        puts(1, '\n')
    end if
end for
puts(1, "\n\n")

-- quarantined file: skip the 8000-byte block Norton added at the front
f2 = sort(analyse("pdex.vir", 8000, 999999))
for i = 1 to length(f2) do
    printf(1, "%5d", f2[i])
    if remainder(i, 12) = 0 then
        puts(1, '\n')
    end if
end for
puts(1, "\n\n")

-- sum of differences
atom ss
ss = 0
for i = 1 to length(f1) do
    ss += abs(f1[i] - f2[i])
end for
? ss / length(f1)  -- mean absolute difference per byte value; 0 means identical histograms
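The same comparison in Python, as an added example that is not part of the original post or of Rapid Deployment Software's code. It models the quarantine transform the post describes (an 8000-byte information block prepended, then every bit inverted), builds byte-value histograms the way the Euphoria analyse() does, and shows why the sorted histograms agree while the unsorted ones do not: inverting every bit maps byte value v to 255-v, so the frequency list is simply reversed. It then undoes the transform and checks the result against the clean file by hash, which is the check a practitioner wants before deciding a "quarantined" file ever contained anything the clean one did not. The file contents, owner string and file name are constructed stand-ins, not pdex.exe.

```python
"""Compare a clean executable with its antivirus 'quarantined' copy.

Added example. All data below is constructed; it is not pdex.exe.
"""
import hashlib
import random
from typing import List, Optional

HEADER_SIZE = 8000  # size of the information block the post says was prepended


def make_sample_clean(size: int = 20000, seed: int = 7) -> bytes:
    """Constructed stand-in for the clean file: a skewed byte distribution
    so that the unsorted histograms of clean and inverted data clearly differ."""
    rnd = random.Random(seed)
    alphabet = b"\x00\x00\x00\x01\x02\x90\xff\x20ABCD"
    body = bytes(rnd.choice(alphabet) for _ in range(size))
    return b"MZ" + body


def quarantine(clean: bytes,
               owner: bytes = b"constructed owner",
               name: bytes = b"constructed.name") -> bytes:
    """Constructed model of the transform described in the post: an
    information block (names, then zero padding) of HEADER_SIZE bytes,
    followed by the original file with every bit inverted."""
    info = (owner + b"\x00" + name).ljust(HEADER_SIZE, b"\x00")
    return info + bytes(b ^ 0xFF for b in clean)


def byte_histogram(data: bytes, start: int = 0, end: Optional[int] = None) -> List[int]:
    """Frequency of each byte value in data[start:end] (the post's analyse())."""
    freq = [0] * 256
    for b in data[start:end]:
        freq[b] += 1
    return freq


def mean_abs_diff(a: List[int], b: List[int]) -> float:
    """The post's final figure: mean absolute difference per byte value."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def unquarantine(q: bytes, header: int = HEADER_SIZE) -> bytes:
    """Undo the transform: drop the header block and invert the bits again."""
    return bytes(b ^ 0xFF for b in q[header:])


def analyse(clean: bytes, quarantined: bytes) -> dict:
    """Measure how the quarantined copy relates to the clean file."""
    # the prepended block accounts for the whole size difference
    header = len(quarantined) - len(clean)
    f_clean = byte_histogram(clean)
    f_q = byte_histogram(quarantined, header)
    recovered = unquarantine(quarantined, header)
    return {
        "header_size": header,
        # unsorted histograms disagree because value v became 255-v ...
        "unsorted_diff": mean_abs_diff(f_clean, f_q),
        # ... so the quarantined histogram is the clean one reversed ...
        "reversed_matches": f_q == f_clean[::-1],
        # ... and the sorted histograms are identical, as the post found
        "sorted_diff": mean_abs_diff(sorted(f_clean), sorted(f_q)),
        # the decisive check: undoing the transform gives back the clean file
        "recovered_sha256_matches":
            hashlib.sha256(recovered).digest() == hashlib.sha256(clean).digest(),
    }


if __name__ == "__main__":
    sample_clean = make_sample_clean()
    sample_q = quarantine(sample_clean)
    for key, value in analyse(sample_clean, sample_q).items():
        print(f"{key}: {value}")
```

The histogram trick is only a hint; the hash comparison after reversing the transform is what actually proves the quarantined copy contains nothing the clean file did not. Run it against a real pair by reading both files with `open(path, "rb").read()` in place of the constructed sample.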