132 lines
4.6 KiB
Plaintext
132 lines
4.6 KiB
Plaintext
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
Written By:
|
|
Michael Paris (Cris)
|
|
|
|
|
|
Cris Signatures
|
|
How To Add Them To Your Scanner
|
|
|
|
Cris will be servicing you with the latest Anti-Virus Signatures.
|
|
As we get these new viruses in, we will be testing and extracting
|
|
signatures that you will be able to add to your Anti-Virus scanner.
|
|
This is providing you are using a good scanner that will allow you
|
|
to add these. In this Document we will explain how it is done and
|
|
what scanners we are aware of that allow you to update it as you go
|
|
along.
|
|
|
|
In the following Crisnews reports that come out, we will include
|
|
the signatures that will be importable into F-prot, and A ready
|
|
made file for importing into TBSCAN.
|
|
|
|
Our studies show that the TBSCAN is the better all around scanner.
|
|
If you are a virus collector or researcher, you are better off
|
|
using both F-Prot and TBAV. F-Prot is better for the Caro names,
|
|
where as the TBSCAN has more options, and is better for finding the
|
|
new viruses that usually do not scan.
|
|
|
|
Note: This is as of date (no telling what might happen).
|
|
|
|
These new signatures will be posted in the Fido virus conference
|
|
and in the crisnet. You will be able to screen capture them or
|
|
write then down and add them manually to your scanner. Each update
|
|
will have a PGP signature. If there is no PGP signature, it is not
|
|
a Cris virus signature update.
|
|
|
|
HOW THIS WORKS
|
|
|
|
First The problem, F-prot only allows you to add 10 virus
|
|
signatures. we plan on releasing more then ten unscannable strings,
|
|
unless F-prot opens this channel and allows for more user definable
|
|
strings, we suggest the use of TBSCAN for this purpose. It is true
|
|
that the TBSCAN will show more false positives (detect viruses that
|
|
are not there) but we feel this is safe. It is better to be safe
|
|
then sorry.
|
|
|
|
Note: The comment that TBSCAN shows more false positives is when it is in
|
|
Heuristics mode. Heuristics looks at the contents inside of the file
|
|
and analyses the code, in this mode the signatures are secondary.
|
|
Using heuristics TBSCAN can find more viruses and trojans then other
|
|
scanners. But there is always that program that has code in it that looks
|
|
like it could do dammage, and TBAV will warn you of this.
|
|
|
|
|
|
ADDING SIGNATURES TO F-PROTECT
|
|
|
|
|
|
To add a string to F-prot just go to the directory where f-prot.exe
|
|
is and type f-prot {enter}
|
|
|
|
1. The menu appears, choose "Viruses"
|
|
2. Choose "New Signatures"
|
|
3. Choose "Add New Signature"
|
|
4. Type in Virus Name
|
|
5. Type "Y" if the virus infects .COM files
|
|
6. Type "Y" if the virus infects .EXE files
|
|
7. Type "Y" if the virus infects the boot sector
|
|
8. Type in the string. (or paste it in from a screen capture.
|
|
|
|
|
|
Now make sure when you scan using F-prot to use the switch /USER
|
|
if you do not type /USER F-prot will not scan for the strings you
|
|
added.
|
|
|
|
In other words when you scan, type: f-prot c: /user {enter}
|
|
|
|
This is all there is to it. but remember, at this time you can only
|
|
have 10 signatures at a time.
|
|
|
|
ADDING SIGNATURES TO TBAV
|
|
|
|
To add signatures to TBAV, all you need to do is make A simple
|
|
ASCII text file. You will name this file USERSIG.DAT
|
|
|
|
To make this text file you will use a regular dos editor. The file
|
|
you make should have no blank lines, if you want to make a space
|
|
between each virus you will put a ; in where the space is.
|
|
|
|
Each virus will consist of three lines. The first line will be the
|
|
description of the virus or virus name. The second line will be
|
|
what the virus does, if it infects .COM files type COM INF if it
|
|
infects .COM and .EXE files type COM EXE INF on the line. The third
|
|
line is the virus string that you find in the PGP signed message.
|
|
|
|
This is what your file should look like when you are done with it.
|
|
(ALSO look at the USERSIG.DAT file in this crisnews for excample)
|
|
|
|
;begin of file
|
|
;
|
|
Golgi_Testicles_1
|
|
COM INF
|
|
5D81ED03011E06B80342CD213D03
|
|
;
|
|
Golgi_Testicles_2
|
|
COM EXE INF
|
|
5D81ED0301061EB83D3DCD213D3D
|
|
;
|
|
Golgi_Testicles_3
|
|
COM EXE INF
|
|
5D81ED0301B83D4DCD213D3D0074
|
|
;
|
|
;End of file
|
|
|
|
After making this file, copy it into the same directory where TBAV
|
|
is, and type TBGENSIG {enter}
|
|
|
|
Now you have added the new viruses to TBSCAN.
|
|
|
|
If you are experienced in extracting virus strings, or have access
|
|
to new viruses and want to help, give us a call.
|
|
|
|
Michael Paris (Cris)
|
|
1:115/863 (708) 863-5285
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.3a
|
|
|
|
iQBVAgUBLNc4EKM4CDusTF+9AQHh+AH+KF6Q0gewWhZXT9HBBkpYmgGPgD6uG349
|
|
5IjLY9LdKGqWqDZ3EchSQ6fwzLdH6keEHgMiWHX5aRZ6m4JI052nYQ==
|
|
=k5AD
|
|
-----END PGP SIGNATURE-----
|