
Am I infected

 
 
Bart Bailey
Guest
Posts: n/a
 
      20th Jul 2003
Want to know if there are any exe or com infectors active on your
system?
Virus Trap 1.0 creates a set of two test files (exe & com) with known
crc values then executes them and compares the integrity before and
after to see if anything has attacked them.
The company that produced it (Diamond CS) no longer offers it on their
site for whatever reason, but it's available here:
http://teknoweb.asia-links.com/download/vtrap.exe
Put it in a folder in your program files and create a link to it so you
can find it whenever you suspect something.

Another trick the miscreants use is to hijack your shell open command
for executables and have a seemingly innocent file be in fact an
executable.
There's an application that lists all file types that are registered
with executable extensions on your system, so you can see if there are
any "new" ones besides the usual ones (exe, scr, com, bat, pif).
It's called "List exe" and is available here:
http://www.misec.net/products/LExE.zip
Same as above, create folder and link.

Good luck

Bart
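
The shell open check described in the post above, as an added example that is not part of the original post and not List exe's own code: it reads a `.reg` export of HKEY_CLASSES_ROOT, flags a changed open command on the usual executable types, and lists other types registered to run the file itself. The export text and the `helper.exe` path are constructed, and the expected `"%1" %*` values are assumed stock defaults.

```python
import re

# Assumed stock open commands for types that run the file itself; confirm
# against a known-clean machine running the same Windows version.
EXPECTED = {p: '"%1" %*' for p in ("exefile", "comfile", "batfile", "piffile")}

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed sample export (not taken from a real system).
SAMPLE = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\helper.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="NOTEPAD.EXE %1"
[HKEY_CLASSES_ROOT\xyzfile\shell\open\command]
@="\"%1\" %*"
'''

def parse_open_commands(reg_text):
    """Return {progid: default open command} from .reg export text."""
    commands, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if line.startswith("["):
            current = key.group(1).lower() if key else None
            continue
        value = DEFAULT_RE.match(line)
        if value and current:
            # .reg exports escape quotes and backslashes with a backslash
            commands[current] = re.sub(r'\\(.)', lambda m: m.group(1), value.group(1))
    return commands

def audit(commands):
    """Flag changed commands on known types and unknown types that run '%1'."""
    findings = []
    for progid, cmd in sorted(commands.items()):
        if progid in EXPECTED:
            if cmd != EXPECTED[progid]:
                findings.append((progid, "changed", cmd))
        elif cmd.lstrip().startswith(('"%1"', '%1')):
            findings.append((progid, "runs-itself", cmd))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_open_commands(SAMPLE)):
        print(*finding, sep="\t")
```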
 
 
 
 
 
Zvi Netiv
Guest
Posts: n/a
 
      20th Jul 2003
Bart Bailey <(E-Mail Removed)> wrote:

> Want to know if there are any exe or com infectors active on your
> system?
> Virus Trap 1.0 creates a set of two test files (exe & com) with known
> crc values then executes them and compares the integrity before and
> after to see if anything has attacked them.


The concept is well known and was implemented in many AV products, Iris' and
Eliashim's eSafe, to mention two. One of the weak points of the above
implementation is the use of a static file and name, which makes it easy for
viruses to avoid. Many viruses now have a list of files to avoid.

> The company that produced it (Diamond CS) no longer offers it on their
> site for whatever reason, but it's available here:
> http://teknoweb.asia-links.com/download/vtrap.exe


The program isn't self-contained. It requires the presence of a DLL
(MSVBVM60.DLL) not found on all systems.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL http://invircible.com (E-Mail Removed)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
E-mail sent in reply to this post will not be considered private and
will be answered in the newsgroup. Top posting is not appreciated!
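
The point about static file names, as an added example that is not part of the original post and not Virus Trap's code: bait files get random names and sizes, and the baseline is held in memory for the later comparison. It uses SHA-256 rather than a CRC, writes only `.com` baits, and does not execute them; the function names are assumptions.

```python
import hashlib
import os
import secrets

# Harmless DOS .com body: NOP padding, then "mov ax,4C00h / int 21h" (exit).
EXIT_STUB = bytes.fromhex("b8004ccd21")

def plant_baits(directory, count=2):
    """Write .com baits with random names and sizes; return {path: sha256}."""
    baseline = {}
    while len(baseline) < count:
        path = os.path.join(directory, secrets.token_hex(4) + ".com")
        if os.path.exists(path):
            continue  # never reuse or overwrite an existing file
        body = b"\x90" * (512 + secrets.randbelow(4096)) + EXIT_STUB
        with open(path, "wb") as handle:
            handle.write(body)
        baseline[path] = hashlib.sha256(body).hexdigest()
    return baseline

def check_baits(baseline):
    """Return {path: 'modified' | 'missing'} for baits that no longer match."""
    changed = {}
    for path, digest in baseline.items():
        try:
            with open(path, "rb") as handle:
                current = hashlib.sha256(handle.read()).hexdigest()
        except FileNotFoundError:
            changed[path] = "missing"
            continue
        if current != digest:
            changed[path] = "modified"
    return changed

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as workdir:
        baits = plant_baits(workdir)
        # The original tool runs its test files at this point; this sketch
        # only simulates a change by appending bytes to one bait.
        victim = next(iter(baits))
        with open(victim, "ab") as handle:
            handle.write(b"\x00" * 16)
        for path, state in check_baits(baits).items():
            print(state, os.path.basename(path))
```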
 
 
Zvi Netiv
Guest
Posts: n/a
 
      20th Jul 2003
Frederic Bonroy <(E-Mail Removed)> wrote:

> Bart Bailey wrote:
>
> > Want to know if there are any exe or com infectors active on your
> > system?
> > Virus Trap 1.0 creates a set of two test files (exe & com) with known
> > crc values then executes them and compares the integrity before and
> > after to see if anything has attacked them.
> > The company that produced it (Diamond CS) no longer offers it on their
> > site for whatever reason [...]

>
> The reason could be that it's not particularly useful against stealth
> viruses,


Full stealth viruses, as we knew them for 16-bit DOS executables (e.g. Frodo),
do not exist for the more complex executable structures, such as NE (used
under 16-bit Windows) and PE. It's impossible to conceal all the changes made
to a PE when infecting it. At the time, CIH was claimed to use "stealth" as it
doesn't affect file size (it resides in the PE header, filling empty space), but
it isn't stealth at all and discloses its presence if you know where to look.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL http://invircible.com (E-Mail Removed)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
E-mail sent in reply to this post will not be considered private and
will be answered in the newsgroup. Top posting is not appreciated!
 
 
Bart Bailey
Guest
Posts: n/a
 
      20th Jul 2003
In Message-ID:<(E-Mail Removed)> posted on
Sun, 20 Jul 2003 17:57:48 +0300, Zvi Netiv wrote:

>Many viruses now have a list of files to avoid


Maybe that's why it always comes up negative ;-)

Bart
 
 
Bart Bailey
Guest
Posts: n/a
 
      20th Jul 2003
In Message-ID:<bfdor9$dhc7t$(E-Mail Removed)> posted on
Sun, 20 Jul 2003 11:53:54 +0200, Frederic Bonroy wrote:

>If you suspect a virus, use a virus scanner...


Of course!

Bart
 
 
Bart Bailey
Guest
Posts: n/a
 
      20th Jul 2003
In Message-ID:<bfdor9$dhc7t$(E-Mail Removed)> posted on
Sun, 20 Jul 2003 11:53:54 +0200, Frederic Bonroy wrote:

>> The company that produced it (Diamond CS) no longer offers it on their
>> site for whatever reason [...]

>
>The reason could be that it's not particularly useful against stealth
>viruses, viruses that avoid infecting goat files (I didn't look at these
>particular goat files, I'm just stating that such viruses exist),
>viruses that are not memory-resident and infect files only in the
>current directory or viruses that infect neither DOS .exe nor .com files...


Maybe that's why they no longer offer it,
gives a false sense of sterility?

Bart
 
 
 
 