Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: David.M..Chess.CHESS@YKTVMV
Newsgroups: comp.virus
Subject: re: Future AV software (PC)
Message-ID: <0002.8910031107.AA02205@ge.sei.cmu.edu>
Date: 2 Oct 89 00:00:00 GMT
Sender: Virus Discussion List 
Lines: 12
Approved: krvw@sei.cmu.edu

Unfortunately, it's just about impossible to scan for new viruses by
examining the on-disk image of programs, and looking for things like
INTs.  Three (at least) of the families of PC viruses out in the world
today store themselves on disk in "garbled" form, with only a little
"degarbler" stored in clear.  That degarbler doesn't contain any INTs
or other suspicious instructions, and the garbled part of the virus
appears to be random data.  The nasty instructions don't appear until
the virus executes, and the degarbler converts the garbled stuff to
code.  So it's really only possible to catch these things at runtime
(as Flushot+ and similar programs try to do), not on disk...

DC
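An added example, not part of the post: a small Python model of the situation described above. It builds a constructed program body containing INT 21h instructions, stores it once in the clear and once XOR-"garbled" behind a tiny 8086 degarbler loop that itself contains no INT, and shows that a naive on-disk scan for the INT opcode (0xCD) finds the clear copy but not the garbled one. The `runtime_image` function stands in for the in-memory view a runtime monitor gets once the degarbler has executed; it is an assumption of this example, not a description of Flushot+ or of any particular virus, and every byte value here is constructed for illustration.

```python
"""Why a naive on-disk INT scan misses a "garbled" program body.

Constructed for illustration; nothing here is a real virus. The "body" is
ordinary DOS boilerplate (print string via INT 21h, then exit via INT 21h),
and the "degarbler" is a plain 8086 XOR loop.
"""
from typing import List, Tuple

INT_OPCODE = 0xCD  # 8086 'INT imm8'

# Constructed body as it would appear in the clear:
#   mov ah,09h / int 21h / mov ax,4C00h / int 21h
BODY_CLEAR = bytes([0xB4, 0x09, 0xCD, 0x21, 0xB8, 0x00, 0x4C, 0xCD, 0x21])
KEY = 0x5A  # constructed single-byte XOR key

# Constructed degarbler stub (12 bytes). It contains no INT instruction:
#   mov si, 000Ch          ; body starts right after this stub
#   mov cx, <body length>
#   xor byte ptr [si], KEY
#   inc si
#   loop back to the xor
DEGARBLER = bytes([0xBE, 0x0C, 0x00,
                   0xB9, len(BODY_CLEAR), 0x00,
                   0x80, 0x34, KEY,
                   0x46,
                   0xE2, 0xFA])
assert len(DEGARBLER) == 12  # the 'mov si, 000Ch' operand above assumes this


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply the same XOR the degarbler loop applies (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_ints(image: bytes) -> List[Tuple[int, int]]:
    """Naive on-disk scan: (offset, interrupt number) for every INT opcode seen."""
    return [(i, image[i + 1]) for i in range(len(image) - 1) if image[i] == INT_OPCODE]


def on_disk_clear() -> bytes:
    """The body stored in the clear: the INT scan works on this."""
    return BODY_CLEAR


def on_disk_garbled() -> bytes:
    """Degarbler in the clear followed by the XOR-garbled body, as stored on disk."""
    return DEGARBLER + xor_bytes(BODY_CLEAR, KEY)


def runtime_image(image: bytes) -> bytes:
    """Model of the program once its degarbler loop has run (assumption of this example).

    Reads the stub's own operands (body offset at bytes 1-2, length at bytes 4-5,
    key at byte 8) and applies the loop's effect to the body. This is the view a
    runtime monitor can get and an on-disk scanner cannot.
    """
    start = int.from_bytes(image[1:3], "little")
    length = int.from_bytes(image[4:6], "little")
    key = image[8]
    decoded = xor_bytes(image[start:start + length], key)
    return image[:start] + decoded + image[start + length:]


if __name__ == "__main__":
    print("clear on disk   :", find_ints(on_disk_clear()))
    print("garbled on disk :", find_ints(on_disk_garbled()))
    print("after degarbling:", find_ints(runtime_image(on_disk_garbled())))
```

Running it shows two INT 21h hits for the clear image, none for the garbled on-disk image (the stub has no 0xCD and the XORed body bytes are EE 53 97 7B E2 5A 16 97 7B), and the two hits again, shifted by the 12-byte stub, once the degarbler's effect has been applied. A static signature for the body fails for the same reason: the bytes on disk are not the bytes that execute.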