Xref: news-dnh.mv.net comp.os.msdos.djgpp:1750
Path: news-dnh.mv.net!mv!news.sprintlink.net!sunic!sunic.sunet.se!news.uni-c.dk!diku.dk!terra
From: terra AT diku DOT dk (Morten Welinder)
Newsgroups: comp.os.msdos.djgpp
Subject: Re: djgpp2 and TBAV
Date: 26 Aug 1995 05:12:58 GMT
Organization: Department of Computer Science, U of Copenhagen
Lines: 55
Sender: terra AT tyr DOT diku DOT dk
References: <303e5067 DOT sandmann AT praline DOT no DOT NeoSoft DOT com>
Nntp-Posting-Host: odin.diku.dk
To: djgpp AT sun DOT soe DOT clarkson DOT edu
Dj-Gateway: from newsgroup comp.os.msdos.djgpp

Chi Hoang writes:

>well, this is what TBAV says on all djgpp2 programs:
> Heuristic flags: c!?ZK@i
>  c  No checksum / recovery information (Anti-Vir.Dat) available.

Well, that's for sure not our fault! :-)

>  !  Invalid opcode (non-8088 instructions) or out-of-range branch.

We _need_ 386 instructions. Is that what it complains about?

>  ?  Inconsistent exe-header. Might be a virus but can also be a bug.

Hmm. DJ, Charles: any ideas?

>  Z  EXE/COM determination. The program tries to check whether a file
>     is a COM or EXE file. Viruses need to do this to infect a program.

It's wrong here. However, there is code in there to add ".EXE" to a
file name. Is that what it complains about?

>  K  Unusual stack. The program has a suspicious stack or an odd stack.

The stack is not very big and occurs in the middle. I would think that
is what is detected.

>  @  Encountered instructions which are not likely to be generated by
>     an assembler, but by some code generator like a polymorphic virus.

Two things: djasm doesn't generate the same bit patterns as [mt]asm would
have done, and the code is optimized by hand for size.

>  i  Additional data found at end of file. Probably internal overlay.

Right, and what's wrong with that?

I say ship a compiled program and the source for the stub off to the
author of TBAV. Have him _fix_ his program, or tell us what to do
differently.

Morten
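
For the "i" flag discussed in the post above (data past the end of the image that the MZ header declares), here is an added example that is not part of the original post and is not TBAV's or DJGPP's code. It compares the size declared in a DOS MZ header with the real file size; the function names and the sample bytes are constructed for illustration, and what TBAV itself checks for the "?" and "K" flags is not documented on this page.

```python
import struct

def mz_overlay_info(data: bytes) -> dict:
    """Compare the load-image size declared by a DOS MZ header with the file size."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not a DOS MZ executable")
    # e_cblp: bytes used in the last 512-byte page (0 means the page is full)
    # e_cp:   number of 512-byte pages, counting a partial last page
    # e_cparhdr: header size in 16-byte paragraphs
    e_cblp, e_cp, _e_crlc, e_cparhdr = struct.unpack_from("<4H", data, 2)
    e_ss, e_sp = struct.unpack_from("<2H", data, 14)  # initial SS:SP
    if e_cp == 0:
        raise ValueError("page count is zero")
    declared = e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp
    header_bytes = e_cparhdr * 16
    return {
        "declared_size": declared,           # what DOS would load
        "file_size": len(data),
        "header_bytes": header_bytes,
        "overlay_bytes": max(len(data) - declared, 0),  # data appended after the image
        "truncated": len(data) < declared,              # header claims more than exists
        "header_exceeds_image": header_bytes > declared,
        "initial_ss_sp": (e_ss, e_sp),
    }

def build_sample(stub_size: int = 2048, payload: bytes = b"\x4c\x01" + b"\0" * 998) -> bytes:
    """Constructed sample: a real-mode stub of stub_size bytes followed by an
    appended payload, the layout the post describes for stubbed programs."""
    header = struct.pack(
        "<2s13H", b"MZ",
        stub_size % 512, (stub_size + 511) // 512,  # e_cblp, e_cp
        0, 32, 0, 0xFFFF,                           # e_crlc, e_cparhdr, min/max alloc
        0, 0x400, 0, 0, 0, 0x1C, 0,                 # e_ss, e_sp, csum, ip, cs, lfarlc, ovno
    )
    return header.ljust(stub_size, b"\0") + payload

if __name__ == "__main__":
    for key, value in mz_overlay_info(build_sample()).items():
        print(f"{key:22} {value}")
```

A non-zero `overlay_bytes` only says that the file continues past the declared image; self-extracting archives, DOS extenders and stubbed protected-mode programs all look like this, so the value is a triage input rather than a verdict.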