Central Point Anti-Virus immunized file
(Created page with "{{FormatInfo |formattype=electronic |subcat=Executable envelopes |released=≤1991 }} Some versions of Central Point Anti-Virus have an "immunize file" feature that can modify...") |
Line 4: | Line 4: | ||
|released=≤1991 | |released=≤1991 | ||
}} | }} | ||
− | Some versions of Central Point Anti-Virus have an "immunize file" feature that can modify [[MS-DOS EXE|DOS EXE]] and [[DOS executable (.com)|COM]] executable files, to insert a tamper-detection feature. This article describes these modified files. | + | Some versions of Central Point Anti-Virus, and Turbo Anti-Virus by Carmel Software (from which Central Point Anti-Virus was derived), have an "immunize file" feature that can modify [[MS-DOS EXE|DOS EXE]] and [[DOS executable (.com)|COM]] executable files, to insert a tamper-detection feature. This article describes these modified files. |
− | + | ||
− | + | ||
== Identification == | == Identification == | ||
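Review bot: The parenthetical added to the lead sentence, "(from which Central Point Anti-Virus was derived)", states a product lineage with no reference. Cite a source or link a page for Turbo Anti-Virus so the claim can be checked. The vendor is also named "Carmel Software" here but "CARMEL Software Engineering" in the string added under Identification, so pick one form for the prose.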
Line 13: | Line 11: | ||
Immunized EXE files have a certain byte pattern starting at the ''entry point'' (refer to [[MS-DOS_EXE#Special file positions]]): {{magic|e8 20 00}}, then 32 bytes copied from the original file, then {{magic|5b 81 eb 03 01 50 51 52 ...}}. | Immunized EXE files have a certain byte pattern starting at the ''entry point'' (refer to [[MS-DOS_EXE#Special file positions]]): {{magic|e8 20 00}}, then 32 bytes copied from the original file, then {{magic|5b 81 eb 03 01 50 51 52 ...}}. | ||
− | All files contain text strings such as "{{magic|Central Point Anti-Virus (c) 1991 CPS}}" and "{{magic|Self Integrity Check warning}}", but they | + | All files contain text strings such as "{{magic|Central Point Anti-Virus (c) 1991 CPS}}" or "{{magic|CARMEL Software Engineering - Turbo Anti-Virus(tm)"}}, and "{{magic|Self Integrity Check warning}}", but they differ by version. |
== Software == | == Software == | ||
* [https://winworldpc.com/product/central-point-anti-virus/1x Central Point Anti-Virus 1.x], at WinWorld | * [https://winworldpc.com/product/central-point-anti-virus/1x Central Point Anti-Virus 1.x], at WinWorld | ||
+ | * [{{SACFTPURL|avmuseum|tnt814.zip}} Turbo Anti-Virus v8.14] | ||
== Sample files == | == Sample files == | ||
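Review bot: In the added "CARMEL Software Engineering - Turbo Anti-Virus(tm)" string, the closing double quote sits inside the template, before the closing }}. In the neighbouring {{magic|...}} strings the quote follows the closing braces. Move it outside so the quote character is not rendered as part of the magic string.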
Line 22: | Line 21: | ||
* {{CdTextfiles|640swstudio/BASIC/PBPOPSI.ZIP|PBPOPSI.ZIP}} → *.EXE | * {{CdTextfiles|640swstudio/BASIC/PBPOPSI.ZIP|PBPOPSI.ZIP}} → *.EXE | ||
* {{CdTextfiles|smsharew/MUSIC/MUSICS.ZIP|MUSICS.ZIP}} → *.EXE, *.COM | * {{CdTextfiles|smsharew/MUSIC/MUSICS.ZIP|MUSICS.ZIP}} → *.EXE, *.COM | ||
+ | * [{{SACFTPURL|avmuseum|tnt814.zip}} tnt814.zip] → *.COM, *.EXE (Turbo Anti-Virus) |
Latest revision as of 14:15, 16 February 2025
Some versions of Central Point Anti-Virus, and Turbo Anti-Virus by Carmel Software (from which Central Point Anti-Virus was derived), have an "immunize file" feature that can modify DOS EXE and COM executable files, to insert a tamper-detection feature. This article describes these modified files.
Identification
Immunized COM files are observed to start with 14 bytes having the following pattern: e9 ?? ?? 00 ?? ?? 22 19 35 93 59 57 54 80.
Immunized EXE files have a certain byte pattern starting at the entry point (refer to MS-DOS_EXE#Special file positions): e8 20 00, then 32 bytes copied from the original file, then 5b 81 eb 03 01 50 51 52 ...
All files contain text strings such as "Central Point Anti-Virus (c) 1991 CPS" or "CARMEL Software Engineering - Turbo Anti-Virus(tm)", and "Self Integrity Check warning", but they differ by version.
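The identification rules above can be checked mechanically. The following Python is an added example, not code from this wiki or from either anti-virus product. The function names are hypothetical, the sample file is constructed, and the entry-point calculation assumes the standard MZ header fields (header size in paragraphs at 0x08, initial IP at 0x14, initial CS at 0x16).

```python
import struct

# COM signature from the page; None marks a wildcard ("??") byte.
COM_SIG = [0xE9, None, None, 0x00, None, None,
           0x22, 0x19, 0x35, 0x93, 0x59, 0x57, 0x54, 0x80]
EXE_HEAD = bytes.fromhex("e82000")            # precedes the 32 copied bytes
EXE_TAIL = bytes.fromhex("5b81eb0301505152")  # follows the 32 copied bytes


def matches(data, offset, sig):
    """True if data at offset matches sig (None entries match any byte)."""
    chunk = data[offset:offset + len(sig)]
    return len(chunk) == len(sig) and all(
        s is None or s == b for s, b in zip(sig, chunk))


def exe_entry_offset(data):
    """File offset of the MZ entry point, or None if there is no MZ header."""
    if len(data) < 0x18 or data[:2] not in (b"MZ", b"ZM"):
        return None
    hdr_paras, = struct.unpack_from("<H", data, 0x08)
    ip, cs = struct.unpack_from("<HH", data, 0x14)
    # CS:IP is relative to the load image, which starts after the header.
    return hdr_paras * 16 + ((cs * 16 + ip) & 0xFFFFF)


def classify(data):
    """Return 'immunized-exe', 'immunized-com' or None."""
    entry = exe_entry_offset(data)
    if entry is not None:
        if (matches(data, entry, list(EXE_HEAD))
                and matches(data, entry + 3 + 32, list(EXE_TAIL))):
            return "immunized-exe"
        return None
    return "immunized-com" if matches(data, 0, COM_SIG) else None


def constructed_exe():
    """Constructed input (not a real sample): 32-byte header, entry at CS:IP 0:0."""
    hdr = bytearray(32)
    hdr[:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, 2)  # header size: 2 paragraphs
    return bytes(hdr) + EXE_HEAD + bytes(32) + EXE_TAIL
```

A match only identifies the envelope. The text strings mentioned above differ by version, so they are not used as a signature here.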
Software
- Central Point Anti-Virus 1.x, at WinWorld
- Turbo Anti-Virus v8.14
Sample files
- IDEID.ZIP → *.COM
- PBPOPSI.ZIP → *.EXE
- MUSICS.ZIP → *.EXE, *.COM
- tnt814.zip → *.COM, *.EXE (Turbo Anti-Virus)