$Id: pehead.txt,v 3.2 2010-10-26 21:21:14 Ralph Exp $
------------------------------------------------------------------------

PEHEAD - Heuristic virus scanner for Win32 link viruses (not trojans or malware).


Example output for the Win32.CIH virus:


----=[ Win95.CIH.1230 ]=------------------------------------------------------
DOS Filesize	1.759/000006DF
MZ stub length	1.168/00000490    	MZ image length	1.104/00000450
PE Headerpos	128/00000080		Signature	4550 0000
EP-RVA  	4.112/00001010 		PE-Headersize	512/00000200
Base of Code 	00001000		Base of Data 	00002000
Machine-ID	014C/i386		Subsystem 	4.0
File Alignment 	00000200		RAM Alignment 	00001000

Section    Name    VirtSize   RVA    PhysSize FileOfs  Flags   Segm Char.
   1    [.text   ] 00001000 00001000 00001000 00000200 60000020  XR CODE EP

File EP  = 00000210/528,  Remainder = 4.080/00000FF0,  Real = 1.231
Sig @ EP = 558D4424F833DB648703E8000000005B8D4B519090905150500F014C24FE5B83
Suspious Code, Type = Win32.CIH, Flags=1/PE/C+0/SEH/StackPop/Ring0_FileIO
Signature for RHBVS = 24448D554C0EB947EC6E24142C48C9D90DBFD8D1519723F7
------------------------------------------------------------------------