The heuristic scan examines the target object for code fragments characteristic of viruses.
Flags and explanations:
| ID | Name | Explanation |
|---|---|---|
| # | DECODER | The file contains self-decoding code. This can be present in copy-protection programs. |
| ! | INVALID CODE | Illegal operation or jump to an unreachable memory area. Probably a defective program. |
| ? | INVALID EXEHDR | The program has an invalid EXE header. Some viruses corrupt the EXE header during infection. |
| h | HIDDEN OR SYSTEM | Hidden (or system) file. |
| p | PACKED | Compressed file. Needs to be extracted for scanning. |
| w | WIN OR OS/2 HEADER | The program can only be run under Windows or OS/2. |
| x | SUSP. EXEHDR | The entry point in the EXE header points after the last relocation item. The most visible sign of viruses. |
| A | SUSP. MEM. ALLOC | Unusual memory allocation or handling mechanism. |
| B | BACK TO ENTRY | After execution the program jumps back to the original entry point. Usual behaviour of viruses. |
| D | DISK WRITE | Direct disk access. Normal programs (apart from disk utilities) do not use this method. |
| E | FLEXIBLE ENTRY | The code attempts to determine its own entry address. |
| F | SUSP. FILE ACCESS | Code fragment for creating or modifying files, as used by virus infection routines. |
| G | GARBAGE CODE | The program contains garbage code. Characteristic of polymorphic viruses or poorly written programs. |
| J | SUSP. JUMP | The code contains consecutive jumps. Unusual for normal programs. |
| K | UNUSUAL STACK | The EXE program uses an unusual stack. |
| L | LOADING TRAP | The code attempts to trap other programs. |
| M | RESIDENT | The program hooks several critical interrupts. |
| N | SUSP. EXTENSION | EXE file with COM structure, or COM file with EXE structure. |
| O | CODE OVERWRITE | The code is self-modifying but not self-decoding. |
| R | RELOCATOR | The code directly modifies the CS:IP registers to relocate execution. Not used in normal programs. |
| S | SEARCH EXEC | The program searches the disk for EXE/COM files. |
| T | INVALID TIMESTAMP | Bad time/date. Many viruses use unusual file dates as an infection indicator. |
| U | UNDOCUMENTED INT | The code uses undocumented interrupt calls. |
| Y | INVALID BOOT | The boot sector is not in IBM format. |
| Z | EXE COM DETERMINATE | The program attempts to determine whether a file is EXE or COM. Used by viruses, but also by several utility programs. |
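As an added illustration (not VirusBuster's own code), the following Python checks three of the file-structure flags above on raw bytes: `?` (INVALID EXEHDR), `N` (SUSP. EXTENSION) and `T` (INVALID TIMESTAMP). The exact consistency checks for the MZ header are assumptions, since the page does not document VirusBuster's internal rules; the sample EXE and timestamps are constructed here.

```python
import struct

def has_mz_header(data: bytes) -> bool:
    """DOS accepts either 'MZ' or 'ZM' as the EXE signature."""
    return len(data) >= 2 and data[:2] in (b"MZ", b"ZM")

def invalid_exe_header(data: bytes) -> bool:
    """'?' flag: MZ header whose size fields cannot be right (assumed checks)."""
    if len(data) < 0x1C:
        return True
    e_cblp, e_cp, e_crlc, e_cparhdr = struct.unpack_from("<HHHH", data, 2)
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]
    header_size = e_cparhdr * 16                    # header length in bytes
    image_size = (e_cp - 1) * 512 + (e_cblp or 512) # declared load-image length
    reloc_end = e_lfarlc + 4 * e_crlc               # end of relocation table
    if e_cp == 0 or e_cblp > 511 or header_size > image_size:
        return True
    return e_crlc > 0 and reloc_end > header_size   # relocations outside header

def susp_extension(name: str, data: bytes) -> bool:
    """'N' flag: the file's structure disagrees with its extension."""
    ext = name.rsplit(".", 1)[-1].upper()
    mz = has_mz_header(data)
    return (ext == "EXE" and not mz) or (ext == "COM" and mz)

def invalid_timestamp(dos_time: int, dos_date: int) -> bool:
    """'T' flag: packed DOS time/date with an out-of-range field."""
    sec2, minute, hour = dos_time & 0x1F, (dos_time >> 5) & 0x3F, dos_time >> 11
    day, month = dos_date & 0x1F, (dos_date >> 5) & 0x0F
    return (sec2 > 29 or minute > 59 or hour > 23 or
            day == 0 or day > 31 or month == 0 or month > 12)

def heuristic_flags(name: str, data: bytes, dos_time: int, dos_date: int) -> str:
    """Return the flag letters raised for one file, in the table's order."""
    flags = ""
    if has_mz_header(data) and invalid_exe_header(data):
        flags += "?"
    if susp_extension(name, data):
        flags += "N"
    if invalid_timestamp(dos_time, dos_date):
        flags += "T"
    return flags

# Constructed sample: a 32-byte MZ header followed by a 2-byte body (INT 20h).
GOOD_EXE = struct.pack("<2s13H", b"MZ", 0x22, 1, 0, 2, 0, 0xFFFF, 0, 0xFFFE,
                       0, 0, 0, 0x40, 0).ljust(32, b"\0") + b"\xcd\x20"
# Same header, but claiming a 4096-byte header inside a 34-byte image.
BAD_HDR_EXE = GOOD_EXE[:8] + struct.pack("<H", 0x100) + GOOD_EXE[10:]
NOON_2001 = (0x6000, 0x2A21)   # 12:00:00, 2001-01-01 (constructed)
ODD_SECONDS = 0x601F           # 12:00 with a "62 second" field (constructed)
```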
© VirusBuster Kft., 1988-2001