Central Point Anti-Virus immunized file
(→Software) |
|||
| Line 16: | Line 16: | ||
* [https://winworldpc.com/product/central-point-anti-virus/1x Central Point Anti-Virus 1.x], at WinWorld | * [https://winworldpc.com/product/central-point-anti-virus/1x Central Point Anti-Virus 1.x], at WinWorld | ||
* [{{SACFTPURL|avmuseum|tnt814.zip}} Turbo Anti-Virus v8.14] | * [{{SACFTPURL|avmuseum|tnt814.zip}} Turbo Anti-Virus v8.14] | ||
| + | * [https://bencastricum.nl/unp/ UNP] - An example of a DOS utility that can de-immunize files | ||
== Sample files == | == Sample files == | ||
Latest revision as of 14:03, 27 March 2025
Some versions of Central Point Anti-Virus, and Turbo Anti-Virus by Carmel Software (from which Central Point Anti-Virus was derived), have an "immunize file" feature that can modify DOS EXE and COM executable files, to insert a tamper-detection feature. This article describes these modified files.
[edit] Identification
Immunized COM files are observed to start with 14 bytes having the following pattern: e9 ?? ?? 00 ?? ?? 22 19 35 93 59 57 54 80.
Immunized EXE files have a certain byte pattern starting at the entry point (refer to MS-DOS_EXE#Special file positions): e8 20 00, then 32 bytes copied from the original file, then 5b 81 eb 03 01 50 51 52 ....
All files contain text strings such as "Central Point Anti-Virus (c) 1991 CPS" or "CARMEL Software Engineering - Turbo Anti-Virus(tm)", and "Self Integrity Check warning", but they differ by version.
[edit] Software
- Central Point Anti-Virus 1.x, at WinWorld
- Turbo Anti-Virus v8.14
- UNP - An example of a DOS utility that can de-immunize files
[edit] Sample files
- IDEID.ZIP → *.COM
- PBPOPSI.ZIP → *.EXE
- MUSICS.ZIP → *.EXE, *.COM
- tnt814.zip → *.COM, *.EXE (Turbo Anti-Virus)
