> Someone told me that infecting a file leaves
> some traces, as you have to start the original file, so that people
> don't notice the infection. But I am the wrong person to answer such
Recognizing that a file has been modified after compilation is not that
difficult. The problem is in determining whether those changes are
caused by a parasitic virus or some other program, for example a runtime
decompressor like UPX.
However, parasitic viruses are less of a problem than they used to be - what
people are seeing nowadays are backdoors and worms and they are structurally
just like any other application.
> Do you mean that I must search for viruses that are compressed by UPX,
> Petite and write some code to a segment to execute it then?
Many worms are UPX-compressed. However, the UPX compression code is (usually)
not a part of the worm and it is not variable, so all instances of the worm
will look identical. To detect those samples, you do not need UPX unpacking.
However, if somebody takes an existing virus or worm and UPX compresses
that, an anti-virus program will not recognize the compressed file unless
it can handle UPX compression, which can either be hardcoded or done by
emulating the decompression of the program itself.
Fridrik Skulason Frisk Software International phone: +354-540-7400
Author of F-PROT E-mail: frisk@... fax: +354-540-7401
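The two points above, that post-link modification of an executable is easy to spot but that the same header changes are produced by a runtime decompressor such as UPX, can be shown with a small PE header check. The following is an added example written for this page, not code from F-PROT or from the thread. It parses the section table of a PE32 image, finds which section holds the entry point, and then applies two heuristics: an entry point that is not in the first code section means the file was changed after the linker produced it; the characteristic UPX layout (an empty UPX0 section that is the decompression target, followed by a UPX1 section holding the stub and entry point) identifies that change as UPX packing rather than a parasitic infection. The three sample images (`CLEAN`, `UPX`, `INFECTED`) are constructed header-only byte strings, not real binaries, and the section layouts and flags they use are assumptions about typical output; the function names are my own.

```python
import struct

# IMAGE_SCN_* section characteristic flags from the PE format
SEC_CODE, SEC_INIT, SEC_UNINIT = 0x20, 0x40, 0x80
SEC_EXEC, SEC_READ, SEC_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def build_pe(sections, entry_point):
    """Build a minimal header-only PE32 image (constructed test input, not a real binary).

    sections: list of (name, virtual_address, virtual_size, raw_size, characteristics).
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_point)    # AddressOfEntryPoint (RVA)
    raw_ptr, table = 0x400, b""
    for name, va, vsize, rsize, chars in sections:
        table += struct.pack(SECTION_FMT, name.encode(), vsize, va, rsize,
                             raw_ptr if rsize else 0, 0, 0, 0, 0, chars)
        raw_ptr += rsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(image):
    """Return (entry_point_rva, [section dicts]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, image, opt + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                     "va": va, "vsize": vsize, "rsize": rsize, "chars": chars})
    return entry, secs


def classify(image):
    """Header heuristics only: 'clean', 'upx', 'infected' or 'modified'."""
    entry, secs = parse_sections(image)
    ep_idx = next((i for i, s in enumerate(secs)
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["rsize"])), None)
    if ep_idx is None:
        return "modified"                           # entry point outside every section
    ep = secs[ep_idx]
    # UPX layout: UPX0 has no raw data (it is filled by the stub), entry point sits in UPX1
    if (ep["name"].startswith("UPX") and ep_idx > 0
            and secs[0]["name"].startswith("UPX") and secs[0]["rsize"] == 0):
        return "upx"
    first_code = next((i for i, s in enumerate(secs) if s["chars"] & SEC_EXEC), None)
    if ep_idx == first_code:
        return "clean"                              # no sign of post-link modification
    # Classic parasitic pattern: last section made writable+executable, entry point moved there
    if ep_idx == len(secs) - 1 and ep["chars"] & SEC_WRITE and ep["chars"] & SEC_EXEC:
        return "infected"
    return "modified"                               # changed after link, packer unknown


# Constructed samples (assumed typical layouts; header-only, no code inside)
CLEAN = build_pe([
    (".text", 0x1000, 0x2000, 0x2000, SEC_CODE | SEC_EXEC | SEC_READ),
    (".data", 0x3000, 0x1000, 0x1000, SEC_INIT | SEC_READ | SEC_WRITE),
], entry_point=0x1100)

UPX = build_pe([
    ("UPX0", 0x1000, 0x8000, 0x0000, SEC_UNINIT | SEC_EXEC | SEC_READ | SEC_WRITE),
    ("UPX1", 0x9000, 0x3000, 0x3000, SEC_INIT | SEC_EXEC | SEC_READ | SEC_WRITE),
    (".rsrc", 0xC000, 0x1000, 0x1000, SEC_INIT | SEC_READ | SEC_WRITE),
], entry_point=0xBF00)

INFECTED = build_pe([
    (".text", 0x1000, 0x2000, 0x2000, SEC_CODE | SEC_EXEC | SEC_READ),
    (".data", 0x3000, 0x1800, 0x1800, SEC_INIT | SEC_EXEC | SEC_READ | SEC_WRITE),
], entry_point=0x4000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("upx", UPX), ("infected", INFECTED)):
        print(f"{label:9s} -> {classify(img)}")
```

Both the packed and the infected sample trip the same first test (entry point moved out of the original code section), which is the "not that difficult" part; only the section-name and raw-size pattern separates the UPX case, and a packer can rename its sections, so this stays a heuristic. It also says nothing about what is inside UPX1: to match a signature against the original program's body, a scanner still has to decompress it, either with a built-in UPX unpacker or by emulating the stub, as the reply above describes.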