-=> Mocking Tom Wasson to Stephen Shoesmith <=-
TW> The reason that my simple virus protection scheme was limited to
TW> *.COM files is that *.EXE files are actually modified by the loader.
TW> For example, the segment addresses must be installed by the *.EXE
TW> loader when the *.EXE file is loaded into RAM. This same program
TW> could easily be corrupted and used to infect the executable code with
TW> a virus. I could see no simple means of detecting that such
TW> happened.
TW> A CRC or checksum routine that verified the integrity of the
TW> executable code before that code executes could not be used in general
TW> purpose *.EXE programs since the CRC and checksum routines do not know
TW> what legal values would be assigned to instructions accessing Segment
TW> Registers.
in general, integrity checking can be used for ANYTHING so long as it's
reading it off the disk instead of in memory... and it's much more
secure as a separate entity...
a self-checking program only alerts you when it's been infected and then
only after you've executed it and thus the virus along with it... it
does not protect you from the virus... it won't even stop overwriting
infectors.. now you may notice that a program infected by an overwriting
infector no longer does what it's supposed to, but only after you've
executed it and by then it's too late because it's just overwritten
something else... and then there's companion viruses, they don't even
touch the original program...
self-checking, otherwise known as "immune" or "immunized", code is next
to useless from an anti-viral point of view...
... "where's polonius?"-"he's at supp'... with the worms"...
--- TGWave v1.20.b09
---------------
* Origin: fks Online! * Mississauga, ON Canada (1:259/423)
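
The separate, disk-based integrity check argued for in the reply above, as an added example that is not part of the original message: it hashes files as stored on disk (so the segment fix-ups the *.EXE loader makes in RAM never enter into it) and also flags a new .COM appearing beside a known .EXE. The file names, contents and finding labels are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map relative path -> SHA-256 of each file's bytes as stored on disk."""
    digests = {}
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Return sorted (finding, path) pairs for changes since the baseline."""
    known_exe = {os.path.splitext(p)[0].lower() for p in baseline
                 if p.lower().endswith(".exe")}
    findings = []
    for path, digest in current.items():
        stem, ext = os.path.splitext(path)
        if path not in baseline:
            # DOS runs NAME.COM in preference to NAME.EXE, so a new .COM beside
            # a known .EXE is the companion pattern: the .EXE itself is untouched.
            is_companion = ext.lower() == ".com" and stem.lower() in known_exe
            findings.append(("companion" if is_companion else "new", path))
        elif baseline[path] != digest:
            findings.append(("modified", path))
    findings += [("missing", p) for p in baseline if p not in current]
    return sorted(findings)

def demo():
    """Constructed sample: one overwritten .COM and one planted companion."""
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        put("EDIT.EXE", b"MZ constructed sample program")
        put("TOOL.COM", b"constructed sample program")
        baseline = snapshot(root)          # taken while the files are known good
        put("TOOL.COM", b"constructed replacement bytes")   # overwritten in place
        put("EDIT.COM", b"constructed companion stand-in")  # EDIT.EXE unchanged
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for finding, path in demo():
        print(finding, path)
```

The check reports both changes without executing any of the files it examines, and the baseline has to be stored where the checked programs cannot rewrite it.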