FTHSMULD%rulgl.LeidenUniv.nl@CUNYVM.CUNY.EDU (Jeroen W. Pluimers) (03/08/91)
Dear readers, A few digests agi, there was a question about standard formats of data files for virus signatures. VIRSCAN and TBSCAN/TBSCANX use the format below. It has been copied from the documentation that was with TBSCANX v 2.1. The format may be spread freely and is fully public domain. Jeroen W. Pluimers - Gorlaeus labs, Leiden University - -=-=-=-=-=-=-=-=- VIRSCAN.DAT / TBSCAN.DAT format -=-=-=-=-=-=-=-=-=- FORMAT OF THE DATA FILE - ----------------------- The data file (called TBSCAN.DAT or VIRSCAN.DAT) can be read and/or modified with every ASCII editor. All lines beginning with ";" are comment lines. TbScanX ignores these lines completely. When the ";" character is followed by a percent-sign the remaining part of the line will be displayed on the screen. A maximum of 15 lines can be printed on the screen. Nice for "HOT NEWS"... In the first line the name of a virus is expected. The second line contains one or more of the next words: BOOT SYS EXE COM HIGH LOW These words may be separated by spaces, tabs or commas. TbScanX will only scan for viruses with the keywords COM or EXE. The other keywords will be ignored, and are only used by the non-resident version: TBSCAN. Also note that TbScanX will not distinguish between COM and EXE files. All executable files will be scanned for both EXE and COM viruses. This saves some memory. BOOT means that the virus is a bootsector virus. SYS, EXE and COM indicate the virus can occur in files with these extensions. Also overlay files (with the extension OV?) will be searched for EXE viruses. HIGH shows that the virus can occur in the memory of your PC, namely in the memory located above the TBSCAN program itself. LOW means that the virus can occur in the memory of your PC, namely in the memory located under the TBSCAN program itself. In the third line the signature is expected in ASCII-HEX. Every virus character is described by means of two characters. Instead of two HEX characters, two question marks (the wild- card) may also occur. The latter means that every byte on that position matches the signature. Below you will find an example of a signature: A5E623CB??CD21??83FF3E You can also use the asterisk followed by an ASCII-HEX character to skip a variable amount of bytes in the signature. The ASCII-HEX character specifies the amount of bytes that should be skipped. The signature could be: A5E623CB*3CD2155??83FF3E The next sequence of bytes will be recognised as a virus: A5E623CB142434CD21554583FF3E Instead of a signature in ASCII-HEX you can also specify a normal text. This should be put between double quotation marks. A correct signature is for example: "I have got you!" This series of three lines should be repeated for every virus. Between all lines comment lines may occur.
mrs@netcom.COM (Morgan Schweers) (03/11/91)
Greetings, Hmmm... I'll point out that the VIRSCAN/TBSCAN file format is similar enough to the ViruScan external data file that a conversion utility SHOULD be relatively trivial. For reference, our strings are one line/one virus, no 'BOOT' or 'COM', etc. seperators. The string format is similar, but rather than have a single hex-digit after the '*' you put a number in parentheses. (I.E. "01020304 *(4) 050607?090a" <virus name> ) The '?' wildcard ignores that hex-byte, the '*' will detect the next byte if it is within (x) bytes. Now for another 'flame' from me... "Unreadable/non-clear update scan strings." This makes it difficult for a user to add their own strings. These products might as well not have user-updatability, in effect. Unless the user has access to documentation on creating a virus 'string' through that particular utility, they can't expand it. I've got an open mind on this subject, however. (Not so open that my brain falls out, but anyhow...) If someone who uses this method can explain the rationale to me, I'll respond. I can think of two products which do this, and MAYBE a third. -- Morgan Schweers +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | I *AM* mrs@netcom.com, and ms@albert.ai.mit.edu. I'd prefer you use | | the netcom.com address, since MIT is now a WEE bit further away from | | me than I like calling... <Grin> In any case, I don't represent my | | employers. They don't listen to what I say, and I return the | | compliment whenever possible. <Grin> | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+