A brand new way to fool TBScan 
   +----------------------------+       by Automag/VLAD


   Today I worked on some features for Antipode:
   I wanted it to infect a file during a scan by AV software so I added
   the usual int 21h 3Dh (open) infection.  It already infected the files
   under McAfee's SCAN so I added the 21h 6Ch (extended open) infection and
   F-PROT became a vector but I was surprised that TBSCAN didn't infect my 
   test files (5 byte .COM just 3 NOPs and an int 20h).  I took SoftICE and
   traced some code and was really surprised as TBSCAN didn't open any file
   in my directory!

   I thought that Frans had found a brand new way to open files ?  Taking
   int 21h as a breakpoint I found that TBSCAN just used the Find-Next
   function.  I was dispirited, how would I use TBSCAN as a vector ?
   Scanning another directory I was suprised to find TBSCAN used Int 21h 3Dh!

   Rebooting, I tried to scan my directory again and now TBSCAN only opened
   two files, both were infected (627 bytes long) while the others were
   skipped (5 bytes long).

   So here is the trick:
   TBSCAN does not 'waste' any time with tiny files, it just skips them.
   Let's imagine an algorithm...

      Int 21 4Bh entry point:
	   if (file_to_be_executed='TBSCAN.EXE')
	   then TBSCAN_FLAG=1
      end

      int 21 4E entry point:
	   if (TBSCAN_FLAG=1)
	   then
	   {
	   if DTA.FILEEXT=COM
	   then DTA.SIZE=0
	   }
      end

      int 21 4C entry point:
	   TBSCAN_FLAG=0
      end

   with such an int 21h, TBSCAN won't scan any COM file :)

   That's done and tested and TBSCAN doesn't scan any file :)
   The scanning is just a bit too fast as it scanned 726 executables in six
   seconds :)  Now Frans can say that TBSCAN is the fastest scanner ever !

   But anyway TBAV is the best AV program I have ever used...
   So greets to Frans Veldman...