- Path: sparky!uunet!gatech!darwin.sura.net!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: MC1980@mclink.it (Luca Parisi)
- Newsgroups: comp.virus
- Subject: CPAV leftovers: summary (PC)
- Message-ID: <0001.9212221358.AA03720@barnabas.cert.org>
- Date: 19 Dec 92 22:15:09 GMT
- Sender: virus-l@lehigh.edu
- Lines: 24
- Approved: news@netnews.cc.lehigh.edu
-
- Here is what I've found out about the "leftovers" I mentioned.
-
- The "CARMEL Software" string is indeed added to files by the
- "Immunize" option of Central Point Anti Virus 1.0 and 1.2 (at least; I
- could only find those versions, and the new Windows one that has no
- such option).
-
- It is not part of the integrity checking program, however. It seems to
- be used to pad the executable file to a multiple of 16 before adding
- the self-checker, but only under certain conditions (I was unable to
- replicate it except on NU.EXE, and I found another padding string
- elsewhere). It is not deleted by the "Remove Immunization" option,
- although the file is restored to its original size. The padding string
- and a copy of the first bytes of the original immunized program can be
- read in the slack space and will disappear as expected when the
- deimmunized file is copied.
-
- The user who originally faced the program had indeed used CPAV, not
- the original CARMEL product.
-
- Thanks to those who supported me with suggestions.
-
- Luca Parisi
- <MC1980@mclink.it>
-