Thread: Maybe a Virus

  1. #1
    Registered User
    Join Date
    Jul 2003
    Posts
    110

    Maybe a Virus

    Hello.

    I came to ask the programmers.


    I got a .exe from a friend that was 900 KB. My job was to hex edit a value in it, for which I knew the memory address, etc.

    I edited the program and it worked fine, then I re-uploaded it and sent it to him.

    For some reason it was 400KB BIGGER and his e-mail service said it was infected.

    I don't have any viruses on my comp. I run 2 virus programs (thanks to my college I get them free).

    I use Yahoo Email. It didn't say it was infected, so I sent it to another email of his. He tried to run it and it didn't work. He tried to delete it and he had to shift+delete it.

    I checked it again on my comp and it doesn't run. But I have no problem deleting it.

    NOW is it possible I could have sent him a NetBus/Sub7 type virus where I can view his screen or get what he's saying in MSN?

    Thank you.

  2. #2
    Code Monkey Davros's Avatar
    Join Date
    Jun 2002
    Posts
    812
    >I run 2 virus programs

    Not sure this is a good idea. Virus checkers work at a low level and can interfere with each other.

    I would run regedit and see what you have starting up under the 'HKLM/Software/Microsoft/Windows/CurrentVersion/Run' key. Do a Google on any exe names which look suspicious.
    OS: Windows XP
    Compilers: MinGW (Code::Blocks), BCB 5

    BigAngryDog.com

  3. #3
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,793
    Virus checkers check the size of each section in an exe against its recorded size in the exe's PE file header. If there's a mismatch (which there probably would be if you simply hex edited at one point) then the checker knows the file has been edited and assumes it's a virus.

  4. #4
    Code Monkey Davros's Avatar
    Join Date
    Jun 2002
    Posts
    812
    >Virus checkers check the size of each section in an exe against its recorded size in the exe's PE file header

    WOW! Hang on a second!

    I'm currently working on a program which tags on data to the end of an exe.

    Are you saying that some virus checkers will report such legitimate files as virus infected? (The virus checker I use doesn't do this).

    If so, I'll need to get into editing the PE file header. Where can I find info on this?
    OS: Windows XP
    Compilers: MinGW (Code::Blocks), BCB 5

    BigAngryDog.com
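
Added example (not written by any poster in this thread): a C routine for the comparison discussed in posts #3 and #4, measuring how many bytes of a file lie past the raw data described by its PE section table, which is where data tagged on to the end of an exe ends up. The names `pe_overlay_size` and `make_sample` and the in-memory sample image are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field readers for the raw file image. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns the number of bytes past the end of the last section's raw data
 * (0 = the file ends exactly where the section table says it should),
 * -1 if buf is not a well-formed PE, -2 if a section claims data past EOF. */
long pe_overlay_size(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    size_t pe = rd32(buf + 0x3C);                    /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    size_t nsec = rd16(buf + pe + 6);                /* NumberOfSections */
    size_t tbl = pe + 24 + rd16(buf + pe + 20);      /* skip the optional header */
    if (tbl > len || (len - tbl) / 40 < nsec) return -1;
    size_t end = tbl + nsec * 40;                    /* headers are accounted for too */
    for (size_t i = 0; i < nsec; i++) {
        const uint8_t *s = buf + tbl + i * 40;       /* one 40-byte section header */
        uint64_t raw_end = (uint64_t)rd32(s + 20) + rd32(s + 16); /* PointerToRawData + SizeOfRawData */
        if (raw_end > len) return -2;
        if (raw_end > end) end = (size_t)raw_end;
    }
    return (long)(len - end);
}

/* Constructed sample: a minimal PE skeleton with one section of 0x200 raw
 * bytes at file offset 0x200, followed by `extra` appended bytes. */
size_t make_sample(uint8_t *out, size_t cap, size_t extra)
{
    size_t len = 0x400 + extra;
    if (len > cap) return 0;
    memset(out, 0, len);
    out[0] = 'M'; out[1] = 'Z'; out[0x3C] = 0x40;    /* e_lfanew = 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x46] = 1;                                   /* NumberOfSections = 1 */
    uint8_t *s = out + 0x40 + 24;                    /* SizeOfOptionalHeader = 0 here */
    s[17] = 0x02; s[21] = 0x02;                      /* SizeOfRawData = PointerToRawData = 0x200 */
    return len;
}

int main(void) {
    static uint8_t img[0x500];
    printf("overlay: %ld bytes\n", pe_overlay_size(img, make_sample(img, sizeof img, 0x100)));
    return 0;
}
```

A nonzero result only means the file carries bytes the section table does not describe; installers and self-extracting archives do this legitimately.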

  5. #5
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,793
    Yeah...at least they used to.

    If you want some info on PE headers, try Iczelion's site. Matt Pietrek also wrote a series of articles a few years back.

  6. #6
    Code Monkey Davros's Avatar
    Join Date
    Jun 2002
    Posts
    812
    Thanks Fordy. Have found the site.

    Was wondering... if virus checkers examine the header for section sizes, what's stopping a virus from modifying these to match the modified file?
    OS: Windows XP
    Compilers: MinGW (Code::Blocks), BCB 5

    BigAngryDog.com
