        
                    *Identifying Windows Executables*
                                       
                        by Opic [CodeBreakers '98]


	This is a small article to help the newbie who is graduating from 
.com infection to DOS .exe infection.  There are many new things to consider 
with .exe infection, and one of the more confusing is the difference between
Windows .exe files and DOS .exe files. Windows .exe files (such as NE-New 
Executable or PE-Portable Executable) are either 16 or 32 bit Windows .exe
files (Windows .exe files can somtimes be indentified from DOS .exe files due
to the fact that often they will have a "personalized" icon for the program,
whereas DOS .exe files will have the "generic" program icon). The important
difference here is that Windows executables have a different file format then
the DOS .exe file.  This is where the complications come: If my DOS .exe 
virus searchs for *.exe, wont it find some Windows executables along the way
and try to infect them (because they have the same .exe name even though they
are totally different file formats)? Damn straight it will, and it will make 
a mess of them and the infected computer! (corrupt the NE/PE file, crash the 
computer ect....) and your nice little DOS exe virus is found out almost 
immediatly.  The simple solution? If you are just working on DOS .exe 
infectors you are most likly not ready to attempt to actually infect windows
executables, so instead we should simply avoid them. You can use my 
ExeIdent program (found in the cbutil directory of cb4) to find out if a 
certain .exe file is a Windows executable or a DOS executable. You can also
utilize the source code to ExeIdent (found in the source code section of cb4)
to write a routine into your DOS .exe virus so it wont infect Windows 
executables. (Sidenote: the source code to IdentExe is also provided as a
demo of how to buffer keystrokes from ther keyboard as Ive had many requests
to this in assembly from newbies recently). Also you can see the same method
is used in my Odessa.B virus (also in the source code section of CodBrk4).
Ultimatly what it comes down to is adding small details and checks into
your viruses to make them as compatible as possible, because if your virus
corrupts a system it will NEVER spread, it will be found long before it has
a chance to...Today DOS viruses can still survive, replicate, and infect 
the majority of PCs out there, BUT making your viruses windows compatible
will by FAR make them more contagious.  Stay tuned for more tips and articles
from the CodeBreakers on windows compatible viruses and in the quite near 
future windows infection.