Maybe a Virus
I came to ask the programmers.
I got a .exe from a friend that was 900KB. My job was to hex edit a value in it, for which I knew the memory address etc.
I edited the program and it worked fine, then I re-uploaded it and sent it to him.
For some reason it was 400KB BIGGER and his e-mail service said it was infected.
I don't have any viruses on my comp. I run 2 virus programs (thanks to my college I get them free).
I use Yahoo Email. It didn't say it was infected, so I sent it to another email of his. He tried to run it and it didn't work. He tried to delete it and he had to shift+delete it.
I checked it again on my comp and it doesn't run. But I have no problem deleting it.
NOW, is it possible I could have sent him a NetBus/Sub7 type virus where I can view his screen or get what he's saying in MSN?
>I run 2 virus programs
Not sure this is a good idea. Virus checkers work at a low level and can interfere with each other.
I would run regedit and see what you have starting up under the 'HKLM/Software/Microsoft/Windows/CurrentVersion/Run' key. Do a Google on any exe names which look suspicious.
Virus checkers check the size of each section in an exe against its recorded size in the exe's PE file header. If there's a mismatch (which there probably would be if you simply hex edited at one point), then the checker knows the file has been edited and assumes it's a virus.
>Virus checkers check the size of each section in an exe against its recorded size in the exe's PE file header
WOW! Hang on a second!
I'm currently working on a program which tags on data to the end of an exe.
Are you saying that some virus checkers will report such legitimate files as virus infected? (The virus checker I use doesn't do this).
If so, I'll need to get into editing the PE file header. Where can I find info on this?
Yeah...at least they used to.
If you want some info on PE headers, try Iczelion's site...also Matt Pietrek wrote a series of articles a few years back.
Thanks Fordy. Have found the site.
Was wondering... if virus checkers examine the header for section sizes, what's stopping a virus from modifying these to match the modified file?
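
Added example (not code from any poster in this thread): a Python check of the comparison discussed above, measuring a file's actual length against what its PE section table accounts for, so that tagged-on data (an overlay) or truncation shows up. The sample image and the names `pe_sections`, `check_layout` and `build_sample` are constructed for illustration.

```python
import struct

def pe_sections(data: bytes):
    """Return [(name, raw_offset, raw_size)] read from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)    # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # first section header
    out = []
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size))
    return out

def check_layout(data: bytes):
    """Compare the real file length with the end of the last section's raw data."""
    end = max((off + size for _, off, size in pe_sections(data) if size), default=0)
    if len(data) < end:
        return ("truncated", end - len(data))
    if len(data) > end:
        return ("overlay", len(data) - end)
    return ("consistent", 0)

def build_sample(payload: bytes = b"\x90" * 512) -> bytes:
    """Constructed one-section PE skeleton (headers only, not a loadable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)   # no optional header
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       len(payload), 512, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + sect).ljust(512, b"\0") + payload

if __name__ == "__main__":
    img = build_sample()
    print(check_layout(img))                       # headers match file length
    print(check_layout(img + b"tagged-on data"))   # bytes past the last section
    print(check_layout(img[:-100]))                # file shorter than headers claim
```

A same-length in-place patch leaves this check at `consistent`; only growth or truncation of the file changes the result.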