Heuristics

See also: Macro virus heuristics

The heuristic scan examines the target object for code fragments characteristic of viruses.

Flags and explanations:

| ID | Name | Explanation |
|----|------|-------------|
| # | DECODER | The file contains self-decoding code. This can be present in copy-protection programs. |
| ! | INVALID CODE | Illegal operation or jump to an unreachable memory area. Probably a defective program. |
| ? | INVALID EXEHDR | The program has an invalid EXE header. Some viruses corrupt the EXE header during infection. |
| h | HIDDEN OR SYSTEM | Hidden file. |
| p | PACKED | Compressed file. Needs to be extracted for scanning. |
| w | WIN OR OS/2 HEADER | The program can only be run under a Windows or OS/2 environment. |
| x | SUSP. EXEHDR | The entry point of the EXE header points after the last relocation item. The most visible sign of viruses. |
| A | SUSP. MEM. ALLOC | Unusual memory allocation or handling mechanism. |
| B | BACK TO ENTRY | After execution the program jumps back to the original entry point. Usual behaviour of viruses. |
| D | DISK WRITE | Direct disk access. Normal programs (apart from disk utilities) do not use this method. |
| E | FLEXIBLE ENTRY | The code attempts to determine its own entry address. |
| F | SUSP. FILE ACCESS | Code fragment for creating or modifying files. Used by virus infection routines. |
| G | GARBAGE CODE | The program contains garbage code. Characteristic of polymorphic viruses or poorly written programs. |
| J | SUSP. JUMP | The code contains consecutive jumps. Unusual for normal programs. |
| K | UNUSUAL STACK | The EXE program uses an unusual stack. |
| L | LOADING TRAP | The code attempts to trap other programs. |
| M | RESIDENT | The program hooks several critical interrupts. |
| N | SUSP. EXTENSION | EXE file with COM structure, or COM file with EXE structure. |
| O | CODE OVERWRITE | The code is self-modifying but not self-decoding. |
| R | RELOCATOR | The code directly modifies the CS:IP registers to relocate execution. Not used in normal programs. |
| S | SEARCH EXEC | The program searches the disk for EXE/COM files. |
| T | INVALID TIMESTAMP | Bad time/date. Many viruses use unusual file dates as an infection marker. |
| U | UNDOCUMENTED INT | The code uses undocumented interrupt calls. |
| Y | INVALID BOOT | The boot sector is not in IBM format. |
| Z | EXE COM DETERMINATE | The program attempts to determine whether a file is EXE or COM. Used in viruses but also in several utility programs. |
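Several of the header-level flags above (`?`, `N`, `w` and `T`) can be evaluated from the DOS MZ header and the directory timestamp alone, without looking at the code. The following is an added example written for this page; it is not VirusBuster's scanner code and the exact rules the product applied are not documented here. It parses the MZ header fields, checks the structure against the file extension, looks for a Windows/OS/2 secondary header, and validates the packed DOS time and date. The sample images are constructed inline (they are synthetic headers, not real programs), and the specific plausibility rules, such as treating a zero-paragraph header or a relocation table that runs past the header as invalid, are this example's own choices, not the page's.

```python
import struct

# MZ header words following the "MZ" magic, in on-disk order
MZ_FIELDS = ("cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
             "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")
NEW_HEADER_MAGICS = (b"NE", b"PE", b"LE", b"LX")  # Windows / OS/2 secondary headers


def build_mz(total_size, **fields):
    """Construct a synthetic MZ image for the samples (not a real program)."""
    hdr = dict.fromkeys(MZ_FIELDS, 0)
    hdr.update(fields)
    data = bytearray(total_size)
    data[0:2] = b"MZ"
    struct.pack_into("<13H", data, 2, *(hdr[n] for n in MZ_FIELDS))
    return data


# Constructed samples:
# plain DOS EXE: 3 pages, 144 bytes on the last page, 64-byte header, no relocations
SAMPLE_CLEAN_EXE = bytes(build_mz(1168, cblp=144, cp=3, cparhdr=4,
                                  maxalloc=0xFFFF, sp=0x100, lfarlc=0x1C))
# MZ stub carrying a "PE\0\0" secondary header at offset 0x40
_pe = build_mz(72, cblp=72, cp=1, cparhdr=4, lfarlc=0x40)
struct.pack_into("<I", _pe, 0x3C, 0x40)
_pe[0x40:0x44] = b"PE\0\0"
SAMPLE_WIN_EXE = bytes(_pe)
# header that declares itself zero paragraphs long: nothing can be loaded from it
SAMPLE_BAD_EXE = bytes(build_mz(64, cblp=64, cp=1, cparhdr=0))
# raw COM-style body with no header at all (byte values are arbitrary)
SAMPLE_COM_BODY = bytes([0xB4, 0x4C, 0xCD, 0x21])


def parse_mz_header(data):
    """Return the MZ header fields as a dict, or None if there is no MZ header."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    hdr = dict(zip(MZ_FIELDS, struct.unpack_from("<13H", data, 2)))
    # e_lfanew (offset of a NE/PE/LE/LX header) exists only when the
    # relocation table starts at or beyond 0x40
    if hdr["lfarlc"] >= 0x40 and len(data) >= 0x40:
        hdr["lfanew"] = struct.unpack_from("<I", data, 0x3C)[0]
    return hdr


def dos_timestamp_is_valid(dos_time, dos_date):
    """Check the packed DOS time/date fields for out-of-range components."""
    seconds = (dos_time & 0x1F) * 2          # 2-second resolution, 0..58 is legal
    minutes = (dos_time >> 5) & 0x3F
    hours = dos_time >> 11
    day = dos_date & 0x1F
    month = (dos_date >> 5) & 0x0F
    return (seconds <= 59 and minutes <= 59 and hours <= 23
            and 1 <= day <= 31 and 1 <= month <= 12)


def heuristic_flags(filename, data, dos_time=None, dos_date=None):
    """Return the header-level flags (?, N, w, T) raised for one file, sorted."""
    flags = set()
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    hdr = parse_mz_header(data)

    # N: the on-disk structure disagrees with the extension
    if (ext == "exe" and hdr is None) or (ext == "com" and hdr is not None):
        flags.add("N")

    if hdr is not None:
        header_size = hdr["cparhdr"] * 16
        image_size = (hdr["cp"] * 512 if hdr["cblp"] == 0
                      else (hdr["cp"] - 1) * 512 + hdr["cblp"])
        reloc_end = hdr["lfarlc"] + hdr["crlc"] * 4
        # ?: header values that no loader could act on (example's own rules)
        if (hdr["cp"] == 0 or header_size == 0 or header_size > image_size
                or image_size > len(data)
                or (hdr["crlc"] and reloc_end > header_size)):
            flags.add("?")
        # w: a secondary header means a Windows or OS/2 executable
        new = hdr.get("lfanew")
        if new is not None and data[new:new + 2] in NEW_HEADER_MAGICS:
            flags.add("w")

    # T: directory timestamp with impossible components
    if (dos_time is not None and dos_date is not None
            and not dos_timestamp_is_valid(dos_time, dos_date)):
        flags.add("T")
    return "".join(sorted(flags))


if __name__ == "__main__":
    date_2001 = ((2001 - 1980) << 9) | (6 << 5) | 15
    for name, data, t in (("game.exe", SAMPLE_CLEAN_EXE, (12 << 11) | (30 << 5)),
                          ("game.exe", SAMPLE_CLEAN_EXE, (12 << 11) | (30 << 5) | 31),
                          ("win.exe", SAMPLE_WIN_EXE, None),
                          ("bad.exe", SAMPLE_BAD_EXE, None),
                          ("tool.exe", SAMPLE_COM_BODY, None),
                          ("tool.com", SAMPLE_CLEAN_EXE, None)):
        print(name, repr(heuristic_flags(name, data, t, date_2001 if t else None)))
```

The seconds field in a DOS timestamp has 2-second resolution, so a stored value of 31 decodes to 62 seconds, which is exactly the kind of "impossible" stamp the `T` flag is meant to surface; the same parser also distinguishes a renamed COM body from a real EXE (`N`) and a Windows program from a plain DOS one (`w`) before any code is examined.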

© VirusBuster Kft., 1988-2001