textfiles/virus/DOCUMENTATION/vg-tbsig.nfo

         <20>irogen's Thunderbyte Anti-Virus Signature File Reader
                          version 3.0 02-05-95
                          for TBSCAN.SIG v6.22+
                          Last Tested On: v6.31
                            Coded by <20>irogen
                             [615.586.9515]

  <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>

    Welcome to the latest VG-TBSIG version. It appears that X number of
    versions ago [I've not had luxury of a computer for some time now],
    the TBSCAN.SIG file exceeded VG-TBSIG's heap and would cause a lockup
    after you gut thru about 64k of the file. This is fixed, this version
    should be able to handle TBSCAN.SIG files of an infinite length.

    I've distributed the complete source code and format (as much as I
    know) of the TBSCAN.SIG file. Feel phree to make any enhancments
    you wish as long as you redistribute the source code and give credit
    to the original author [thatz me], and any authors of new mods.

  Usage
  <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
    Place VG-TBSIG.COM in the same directory as TBSCAN.SIG and run.. the
    output is via DOS, so you can redirect it to a file.
     eg: VG-TBSIG > TBSIGS.TXT

    You'll get a listing of all signatures for virii and other programs
    defined in the data file. XCEPT, there are a few polymorphic virii
    which I'm not sure on how to extract the algotihm/signature as of yet.

    The groups of two hex bytes (4 ascii bytes) surrounded by '_'s are
    wildcards, and are defined as shown below in the technical info.

    Optional Switches:
     "l" - Do not list virus signatures.
      e.g.: VG-TBSIG l


  Technical Info
  <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>

  WildCards/Variable Positions:
   UserDef Ex     Description                     Signature String
   <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
      ?n     =  Skip n amount of bytes and continue.   = 388n
      ?@nn   =  Skip nn amount of bytes and continue.  = 38nn (see note 1)
                nn should not exceed 7F.
      *n     =  Skip up to n bytes.                    = 384n
      *@nn   =  Skip up to nn bytes and continue.      = 38nn (see note 1)
                nn should not exceed 1F.
      nL     =  One of the values in the range n0-n7.  = 382n
      nH     =  One of the values in the range n8-nF.  = 383n

  <20>note1: The highest bit is set to 1 provided nn is in the range suggested
          above. If it exceeds that range, then the highest bit is not set
          to 1.
  <20>note2: I believe all 00 bytes in the signatures are interpreted as
          wildcards.


   Example:
Virus : PC-Flu_II
<EFBFBD><EFBFBD>Signature : 50_383B_2001_3882__383B__3884__383B__3848_2E30_384E_E2
    Xlation : 50 Bh 2001 ?2 Bh ?4 Bh *8 2E30 *E 12




  Format of TBSCAN.SIG:
    There are two types of blocks in the data phile; I didn't need all
    the info from them so I didn't goto the trouble of filling in the missing
    blanks.

    The data blocks start at offset 80h in the phile.

      1) for virii which have multiple-scan strings defined, or some
         algorithmic approach (polymorphic):
            byte 0 = If 0 then no more entries
                 1 = 0FFh
                 2 = ?
                 3 = ?
                 4 = ?
                 5 = ?
                 6 = ?
                 7 = ?
                 8 = ?
                 9 = ?
                 A = length of virus name
                 B = ?
                 C = index to virus name (from start of block)
                 D = ?
                 E = index to next data block (from start of block)

         ptr to next block calculation: oldptr+ byte Eh


     2) for normal virii:
            byte 0 = if 0 then no more entries
                 1 = if 0Fh then non-virus entry or special entry
                 2 = ?
                 3 = ?
                 4 = if bit 6 = 1 then entry is user-defined
                 5 = ?
                 6 = ?
                 7 = length of signature
                 8 = length of virus name
                 9 = ?
                 A = start of virus name

         ptr to next block calculation: oldptr+ 0Ah+ byte 7h+ byte 8h


     Encryption of Virus Names:

       The virus names are encrypted in the following technique, which
       is actually a form of compression; if you'll notice every encrypted
       word decrypts to three bytes.

        <20> string XORed by A5h
        <20> NULL appended at end for stop point of next loop
        <20> string then processed thru the following loop:

         assume si=start of string, di=new location, bx=table [alphabet_. ,]
         start:
           lodsb           ; get byte
           test al,al      ; not all chars compressed/crypted..
           js continue
           stosb           ; store byte
           jnz start       ; 0 designates end of string
           ret
         continue:
           mov ah,al       ; save byte
           lodsb           ; get next byte
           mov dx,ax       ; save retrieved word
           mov al,ah       ; process first byte retrieved
           shr al,1        ; shift-right .. [xtract nibble]
           shr al,1
           call xlation    ; xlat- stosb- ret:ax=dx
           shl ax,1        ; shift-left
           shl ax,1
           shl ax,1
           mov al,ah
           call xlation    ; xlat- stosb- ret:ax=dx
           call xlation
           jmp start

         xlation:
           and al,1Fh
           dec ax
           xlat            ; xlation table defined below - al=bx[al]
           stosb           ; save byte
           mov ax,dx       ; restore retrived word
           ret

  table db 'abcdefghijklmnopqrstuvwxyz_. ,'




    Encryption of Virus Signatures is a simple byte XOR by A5h.



    History
  <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
  1.0   - Initial release                -  07-04-94
  1.01  - Minor bug fix -                -  07-04-94 (yes the same damn day)
          If two wildcards were located
          in a sequence, the second would
          not be designated by the '_'s.
  2.0   - Updated to read new TBSCAN.SIG -  07-19-94
          format in version 6.22
  3.0   - Updated to read TBSCAN.SIG files - 02-05-95
          exceeding 60k+.

                                     Have phun!
                                     Live to die.
                                     <20>irogen '95


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6

mQCNAixt9g4AAAEEANN3KDJ5NjmN1bm5cQGs352wJsQH6FBtOgnHEpZczJBXBwU1
HiMIL0a4ST16h/flarD2Jsekk5KMz0XF0/+ZAy98Ng3AglsWT+9mXnYxlnUwMaIc
0QeCU8ECQzQSRzSznWidEKsemYLC179eOEfOqNeYR5NndCo3mVS0HwB6IcbpAAUR
tAdWaXJvZ2Vu
=Hvsw
-----END PGP PUBLIC KEY BLOCK-----