ūirogen's Thunderbyte Anti-Virus Signature File Reader version 3.0 02-05-95 for TBSCAN.SIG v6.22+ Last Tested On: v6.31 Coded by ūirogen [615.586.9515] ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Welcome to the latest VG-TBSIG version. It appears that X number of versions ago [I've not had luxury of a computer for some time now], the TBSCAN.SIG file exceeded VG-TBSIG's heap and would cause a lockup after you gut thru about 64k of the file. This is fixed, this version should be able to handle TBSCAN.SIG files of an infinite length. I've distributed the complete source code and format (as much as I know) of the TBSCAN.SIG file. Feel phree to make any enhancments you wish as long as you redistribute the source code and give credit to the original author [thatz me], and any authors of new mods. Usage ÄÄÄÄÄÄÄÄÄÄÄÄ Place VG-TBSIG.COM in the same directory as TBSCAN.SIG and run.. the output is via DOS, so you can redirect it to a file. eg: VG-TBSIG > TBSIGS.TXT You'll get a listing of all signatures for virii and other programs defined in the data file. XCEPT, there are a few polymorphic virii which I'm not sure on how to extract the algotihm/signature as of yet. The groups of two hex bytes (4 ascii bytes) surrounded by '_'s are wildcards, and are defined as shown below in the technical info. Optional Switches: "l" - Do not list virus signatures. e.g.: VG-TBSIG l Technical Info ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ WildCards/Variable Positions: UserDef Ex Description Signature String ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ?n = Skip n amount of bytes and continue. = 388n ?@nn = Skip nn amount of bytes and continue. = 38nn (see note 1) nn should not exceed 7F. *n = Skip up to n bytes. = 384n *@nn = Skip up to nn bytes and continue. = 38nn (see note 1) nn should not exceed 1F. nL = One of the values in the range n0-n7. = 382n nH = One of the values in the range n8-nF. = 383n žnote1: The highest bit is set to 1 provided nn is in the range suggested above. If it exceeds that range, then the highest bit is not set to 1. žnote2: I believe all 00 bytes in the signatures are interpreted as wildcards. Example: Virus : PC-Flu_II ĄÄSignature : 50_383B_2001_3882__383B__3884__383B__3848_2E30_384E_E2 Xlation : 50 Bh 2001 ?2 Bh ?4 Bh *8 2E30 *E 12 Format of TBSCAN.SIG: There are two types of blocks in the data phile; I didn't need all the info from them so I didn't goto the trouble of filling in the missing blanks. The data blocks start at offset 80h in the phile. 1) for virii which have multiple-scan strings defined, or some algorithmic approach (polymorphic): byte 0 = If 0 then no more entries 1 = 0FFh 2 = ? 3 = ? 4 = ? 5 = ? 6 = ? 7 = ? 8 = ? 9 = ? A = length of virus name B = ? C = index to virus name (from start of block) D = ? E = index to next data block (from start of block) ptr to next block calculation: oldptr+ byte Eh 2) for normal virii: byte 0 = if 0 then no more entries 1 = if 0Fh then non-virus entry or special entry 2 = ? 3 = ? 4 = if bit 6 = 1 then entry is user-defined 5 = ? 6 = ? 7 = length of signature 8 = length of virus name 9 = ? A = start of virus name ptr to next block calculation: oldptr+ 0Ah+ byte 7h+ byte 8h Encryption of Virus Names: The virus names are encrypted in the following technique, which is actually a form of compression; if you'll notice every encrypted word decrypts to three bytes. ž string XORed by A5h ž NULL appended at end for stop point of next loop ž string then processed thru the following loop: assume si=start of string, di=new location, bx=table [alphabet_. ,] start: lodsb ; get byte test al,al ; not all chars compressed/crypted.. js continue stosb ; store byte jnz start ; 0 designates end of string ret continue: mov ah,al ; save byte lodsb ; get next byte mov dx,ax ; save retrieved word mov al,ah ; process first byte retrieved shr al,1 ; shift-right .. [xtract nibble] shr al,1 call xlation ; xlat- stosb- ret:ax=dx shl ax,1 ; shift-left shl ax,1 shl ax,1 mov al,ah call xlation ; xlat- stosb- ret:ax=dx call xlation jmp start xlation: and al,1Fh dec ax xlat ; xlation table defined below - al=bx[al] stosb ; save byte mov ax,dx ; restore retrived word ret table db 'abcdefghijklmnopqrstuvwxyz_. ,' Encryption of Virus Signatures is a simple byte XOR by A5h. History ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 1.0 - Initial release - 07-04-94 1.01 - Minor bug fix - - 07-04-94 (yes the same damn day) If two wildcards were located in a sequence, the second would not be designated by the '_'s. 2.0 - Updated to read new TBSCAN.SIG - 07-19-94 format in version 6.22 3.0 - Updated to read TBSCAN.SIG files - 02-05-95 exceeding 60k+. Have phun! Live to die. ūirogen '95 -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAixt9g4AAAEEANN3KDJ5NjmN1bm5cQGs352wJsQH6FBtOgnHEpZczJBXBwU1 HiMIL0a4ST16h/flarD2Jsekk5KMz0XF0/+ZAy98Ng3AglsWT+9mXnYxlnUwMaIc 0QeCU8ECQzQSRzSznWidEKsemYLC179eOEfOqNeYR5NndCo3mVS0HwB6IcbpAAUR tAdWaXJvZ2Vu =Hvsw -----END PGP PUBLIC KEY BLOCK-----