-----BEGIN PGP SIGNED MESSAGE-----

Written By:                       
Michael Paris (Cris)

                       
                       Cris Signatures
               How To Add Them To Your Scanner

Cris will be servicing you with the latest Anti-Virus Signatures.
As we get these new viruses in, we will be testing and extracting
signatures that you will be able to add to your Anti-Virus scanner.
This is providing you are using a good scanner that will allow you
to add these. In this Document we will explain how it is done and
what scanners we are aware of that allow you to update it as you go
along.

In the following Crisnews reports that come out, we will include
the signatures that will be importable into F-prot, and A ready
made file for importing into TBSCAN.

Our studies show that the TBSCAN is the better all around scanner.
If you are a virus collector or researcher, you are better off
using both F-Prot and TBAV. F-Prot is better for the Caro names,
where as the TBSCAN has more options, and is better for finding the
new viruses that usually do not scan.

Note: This is as of date (no telling what might happen).

These new signatures will be posted in the Fido virus conference
and in the crisnet. You will be able to screen capture them or
write then down and add them manually to your scanner. Each update
will have a PGP signature. If there is no PGP signature, it is not
a Cris virus signature update.

                        HOW THIS WORKS

First The problem, F-prot only allows you to add 10 virus
signatures. we plan on releasing more then ten unscannable strings,
unless F-prot opens this channel and allows for more user definable
strings, we suggest the use of TBSCAN for this purpose. It is true
that the TBSCAN will show more false positives (detect viruses that
are not there) but we feel this is safe. It is better to be safe
then sorry.

Note: The comment that TBSCAN shows more false positives is when it is in 
Heuristics mode. Heuristics looks at the contents inside of the file
and analyses the code, in this mode the signatures are secondary. 
Using heuristics TBSCAN can find more viruses and trojans then other
scanners. But there is always that program that has code in it that looks
like it could do dammage, and TBAV will warn you of this.


                   ADDING SIGNATURES TO F-PROTECT


To add a string to F-prot just go to the directory where f-prot.exe
is and type f-prot {enter}

1. The menu appears, choose "Viruses"
2. Choose "New Signatures"
3. Choose "Add New Signature"
4. Type in Virus Name
5. Type "Y" if the virus infects .COM files
6. Type "Y" if the virus infects .EXE files
7. Type "Y" if the virus infects the boot sector
8. Type in the string. (or paste it in from a screen capture.


Now make sure when you scan using F-prot to use the switch /USER
if you do not type /USER F-prot will not scan for the strings you
added.

In other words when you scan, type:  f-prot c: /user {enter}

This is all there is to it. but remember, at this time you can only
have 10 signatures at a time.

                 ADDING SIGNATURES TO TBAV

To add signatures to TBAV, all you need to do is make A simple
ASCII text file. You will name this file USERSIG.DAT

To make this text file you will use a regular dos editor. The file
you make should have no blank lines, if you want to make a space
between each virus you will put a ; in where the space is.

Each virus will consist of three lines. The first line will be the
description of the virus or virus name. The second line will be
what the virus does, if it infects .COM files type COM INF if it
infects .COM and .EXE files type COM EXE INF on the line. The third
line is the virus string that you find in the PGP signed message.

This is what your file should look like when you are done with it.
(ALSO look at the USERSIG.DAT file in this crisnews for excample)

;begin of file
;
Golgi_Testicles_1
COM INF
5D81ED03011E06B80342CD213D03
;
Golgi_Testicles_2
COM EXE INF
5D81ED0301061EB83D3DCD213D3D
;
Golgi_Testicles_3
COM EXE INF
5D81ED0301B83D4DCD213D3D0074
;
;End of file

After making this file, copy it into the same directory where TBAV
is, and type TBGENSIG {enter}

Now you have added the new viruses to TBSCAN.

If you are experienced in extracting virus strings, or have access
to new viruses and want to help, give us a call.

Michael Paris (Cris)
1:115/863 (708) 863-5285


-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLNc4EKM4CDusTF+9AQHh+AH+KF6Q0gewWhZXT9HBBkpYmgGPgD6uG349
5IjLY9LdKGqWqDZ3EchSQ6fwzLdH6keEHgMiWHX5aRZ6m4JI052nYQ==
=k5AD
-----END PGP SIGNATURE-----