Detection of the file infector.
File infectors may be of two type residential and non-residential infectors. Non-residential file infectors are less harmless unlike residential. They don't have a residential part that is set at some sectors of disks in order to block operating system request for one or another file or program. Non-residential infector activates by launching of certain software, performs its functions and stops its activity. After this work is done such virus pass administration to program and don't fail its operating. To detect infector like that it's enough to compare length of files on hard disk and of distributive copies. In case you see no differences try to make byte-after-byte comparison of distributive copies and programs that are in use.
One may also check up the dump of executable files. Sometimes it helps to detect virus at one thanks to present in its code of text rows. Some of the viruses leave the ".COM", "*.COM", ".EXE", "*.EXE", "*.*", "MZ", "COMMAND" text lines at the beginning of end of the file. There's another way of detecting of infected DOS-file, it's based on the peculiarities of structure of executable files, which is written on high-level programming language. Typical structure looks like this: segment of program code takes first place, then follows data segment, and at head-line of this segment the compiler's producer copy write line is placed. So, if at the dump of such file you find another code segment following the data segment you may summaries that file is infected.
The same is true for Windows; for this operating system standard scheme of segments distributing at executable files is: code segment, data segment, so if you see the data segment followed by another code segment you may consider your computer infected. We recommend you to launch residential blocker antivirus and watch after the messages it displays during tasting, those messages, which concern of the suspicious operating of programs. Some types of blockers not only block virus's signals but also determine address of source of these signals. As blocker detects the software with suspicious signals you should perform analyze of codes of suspicious program with the help of residential disassemble.
We should say that residential antivirus DOS-blockers usually appears to be helpless in case of performing operations in DOS-window of Winows'95, as because of peculiarities of this operating system virus is able to work round the blocker. The ways of detecting we have described are good for detecting both residential and non-residential file infectors, but theses methods are useless in case of stealth virus penetration. There's no such residential blocker that is able to detect stealth virus. Methods of file comparison and sectors reading are also of no use in this case.