$Id: rhbvs.txt,v 1.82 2018/12/29 13:30:21 ralph Exp $
Format: UTF8/ISO-8859-15, Windows CR/LF, English (UK), Written in ASCII-DOC
Behaviour based detection mechanisms (also called "Dynamic Detection")
Introducing RHBVS
RHBVS is a DOS virus scanner for DOS file and hybrid viruses that uses only heuristic scan technologies! Thus RHBVS does not need to be updated daily like a normal virus scanner. RHBVS furthermore uses an intelligent code analyser. Detection modules for batch viruses, Trojans, malware, scripting viruses like Corel Draw script, VBS, HTML, Windows Batch (WBT), JavaScript, SHS (Windows Shell Scrap) and IRC (Mirc) script worms are also included!
This was (and may still be) a unique feature - no other scanner can scan e.g. IRC, HTML or VBS worms with heuristics! RHBVS gives you a detailed virus analysis based on the built-in scan engine.
Terms
Heuristic (computer science)
In computer science, a heuristic is a technique designed to solve a problem that ignores whether the solution can be proven to be correct, but which usually produces a good solution or solves a simpler problem that contains or intersects with the solution of the more complex problem.
Heuristics are intended to gain computational performance or conceptual simplicity potentially at the cost of accuracy or precision.
Computer Virus
In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents (for a complete definition: see below). Thus, a computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of the virus into a program is termed infection, and the infected file (or executable code that is not part of a file) is called a host. Viruses are one of the several types of malware or malicious software. In common parlance, the term virus is often extended to refer to computer worms and other sorts of malware. This can confuse computer users, since viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware such as worms. This confusion can have serious consequences, because it may lead to a focus on preventing one genre of malware over another, potentially leaving computers vulnerable to future damage. However, a basic rule is that computer viruses cannot directly damage hardware; only software is damaged directly. The software stored in hardware (firmware), however, may be damaged.
While viruses can be intentionally destructive (for example, by destroying data), many other viruses are fairly benign or merely annoying. Some viruses have a delayed payload, which is sometimes called a bomb. For example, a virus might display a message on a specific day or wait until it has infected a certain number of hosts. A time bomb occurs during a particular date or time, and a logic bomb occurs when the user of a computer takes an action that triggers the bomb. However, the predominant negative effect of viruses is their uncontrolled self reproduction, which wastes or overwhelms computer resources.
Today (the trend started around 2005), viruses are somewhat less common due to the popularity of the Internet - instead malware, ransomware and Trojans now dominate.
Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Malware is defined by its malicious intent, acting against the requirements of the computer user and so does not include software that causes unintentional harm due to some deficiency (e.g. bugs).
Why?
RHBVS was mainly written to be a test platform for the product VirScan Plus by ROSE SWE. All improvements done in VirScan Plus improve RHBVS and FindMirc, and vice versa. For this reason RHBVS is limited in flexibility (e.g. it does not check boot sectors, Windows system memory or the MBR).
Requirements
- IBM compatible PC with a 80386 CPU and co-processor!
- 620 KB of free memory and DOS version 5.0 or higher
- Windows 32 bit (RHBVS will not run under Windows 64 bit) or plain DOS
Options and Switches
Command line options are NOT case sensitive. You can use the slash "/" or the hyphen "-" to start an option. Options can also be set using the environment variable RHBVS:
    set RHBVS=...
To disable an option that was set via RHBVS=..., append a "-" to the end of the option. For example, when you set
    set RHBVS=/all
you can disable /all with
    rhbvs c: -all-
Command Line Options
Run RHBVS.EXE with /? to see the currently supported options.
Try also /?? or /UNDOC to see a list of the advanced options.
You can scan as many drives and directories as you want per run.
/vb Code Analyser (formerly the switches /ANALYZE or /ANALYSE)
With this switch RHBVS gives you a detailed description of all the flags the heuristic scan engines have found.
With the option /vbk RHBVS waits for a key stroke after every analysis.
Use the additional option /log to save the analysis into a log file.
The Option /virsort
A special note about this option.
This is one of those "undocumented" switches RHBVS supports. With this switch you can sort viruses that AVP/FProt/VSP/DrSolly etc. miss. With this option RHBVS creates a log file suitable for Virsort or Zoo-Sort (utilities meanwhile deprecated). Take a look at the batch file RZOOSORT.BAT which is included in the package!
For more "undocumented" switches try also: rhbvs -??
User documentation
This text file; it is written in AsciiDoc and rendered to a nice HTML file. German users should download the virus scanner "VirScan Plus" (VSPxxxx.*) and read the documentation there for further understanding.
Virus classification
RHBVS classifies the different virus types, their code size and the behaviour.
The classification has the following scheme:
{Virkit:}[Main Class]{.Length}{.Minor Class}{.Germs} (Flags)
-=[ Virkit ]=----------------------------------------------
Viruses created with a virus kit just like
+ Biological Warfare (BW)
+ DReg
+ Father_Mac
+ GOTH
+ IVP
+ NRLG, Nuke
+ PS-MPC, MPC, G2
+ TPE, MtE, GCAE, RTFM etc.
+ VCC
+ VCL
+ VLAD
-=[ Main Class ]=------------------------------------------
+ Backdoor- Backdoor (Trojan)
+ Bat - DOS Batch file virus or Trojan
+ Boot - Boot virus and EXE header infector
+ CSC - Corel script virus
+ Companion - small companion viruses
+ Crypt - encrypted virus
+ Fast - fast infector, like Dark Avenger
+ File - appending file infector
+ HLLx - High level language viruses (x stands for C=companion, O=overwriting and P=parasitic)
+ IIS - MS Internet Information Server Worm
+ Joke - Joke/Fun program. This is not a virus.
+ JS - Java script virus
+ Mini - larger overwriting file infector
+ MIRC - MIRC script worm
+ Multi - Hybrid (multipartite) files and boot infector
+ Poly - Polymorphic encrypted virus
+ PIRC - PIRC script worm
+ SillyR - trivial memory resident file infector
+ Stealth - virus with stealth capabilities (size or file stealth)
+ TSR - virus stays resident in memory
+ Tiny - trivial appending file infector (e.g. Danish)
+ Trivial - overwriting file infector (e.g. Trivial.45)
+ WBT - Windows Batch virus
+ VBS - Visual Basic Scripting virus
+ VBS+VBS - multiple VBS infections of one host - yes, RHBVS can detect multiple infections!
+ Win32, Win95,98 - Windows platform specific virus or Trojan
+ exact virus name, when using the switch /TROJ
+ exact virus name if found by the polymorph decryption engine (Hare, MtE, BW, Grief, TPE, Lucky.Gott etc.)
-=[ Length ]=----------------------------------------------
If possible the virus size. If there is a question mark (e.g. Virusname.438?) the code analyser assumes this as the virus size!
-=[ Germs ]=-----------------------------------------------
If it is a Generation-1 sample.
-=[ Flags ]=-----------------------------------------------
RHBVS uses the following flags as short cuts:
A - Anti debugging or anti heuristic code is used
B - can overwrite the boot sector/MBR (used by the payload or by a boot sector infector)
D - found a decryption routine (virus seems to be encrypted)
E - Infects EXE headers like Headerbug or Pure
F - suspicious file access
H - uses hardware related instructions - common for boot viruses
I - uses INT 21h calls in a suspicious way
M - memory resident. Code will remain resident or will control some of the DOS functions. Typical for resident file infectors
O - opens files for writing code into it
R - suspicious relocation code, typical for file infector
T - checks the date or time (usually used for a payload etc.)
U - Virus tries to stay resident in UMB (upper memory blocks)
W - Windows malware or windows shell code
! - uses at least FCB and/or directory stealth methods
# - is encrypted or uses code to confuse a code analyser
Flags will be "compressed" if more than three flags were found.
RHBVS will show them as "flag: number of occurrence", e.g.: R:4
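As an added example (not part of the RHBVS package), the following Python parser splits RHBVS report lines of the form {Virkit:}[Main Class]{.Length}{.Minor Class} (Flags) into their components, expands compressed flags such as R:4, and maps each flag character to the meaning listed above. It assumes that several compressed flag entries are separated by blanks, which the text does not state; the sample report is constructed, apart from the TBSCANX line quoted in the Known False Positives section.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Flag characters exactly as documented in the "Flags" section of this text.
FLAG_MEANING = {
    "A": "anti-debugging or anti-heuristic code",
    "B": "can overwrite the boot sector/MBR",
    "D": "decryption routine found (virus seems to be encrypted)",
    "E": "infects EXE headers",
    "F": "suspicious file access",
    "H": "hardware related instructions",
    "I": "suspicious INT 21h calls",
    "M": "memory resident",
    "O": "opens files for writing code into them",
    "R": "suspicious relocation code",
    "T": "checks the date or time",
    "U": "tries to stay resident in UMB",
    "W": "Windows malware or Windows shell code",
    "!": "FCB and/or directory stealth methods",
    "#": "encrypted or confuses a code analyser",
}

# One report line: "<path> <classification> (<flags>)"; the flag field is optional.
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<cls>\S+)(?:\s+\((?P<flags>[^)]*)\))?\s*$")
LENGTH_RE = re.compile(r"^(?P<n>\d+)(?P<q>\??)$")   # .Length; "?" = size assumed by the analyser

@dataclass
class Classification:
    path: str
    virkit: Optional[str]     # {Virkit:} prefix, e.g. "VCL"
    classes: List[str]        # main class followed by the minor classes
    length: Optional[int]     # .Length component, if present
    length_estimated: bool    # True when the length carried a "?"
    flags: Dict[str, int]     # flag character -> number of occurrences

def parse_flags(text: str) -> Dict[str, int]:
    """Expand the flag field into {flag: count}: plain flags are one character each
    ("MBIBBMFR"), a compressed flag is written "R:4" as in the text above.
    Assumption (not stated in the text): compressed entries are separated by blanks."""
    counts: Dict[str, int] = {}
    i = 0
    while i < len(text):
        ch = text[i]
        i += 1
        if ch.isspace():
            continue
        if ch not in FLAG_MEANING:
            raise ValueError(f"unknown RHBVS flag {ch!r}")
        n = 1
        if i < len(text) and text[i] == ":":       # compressed form "R:4"
            m = re.match(r"\d+", text[i + 1:])
            if not m:
                raise ValueError(f"missing count after {ch}:")
            n = int(m.group())
            i += 1 + m.end()
        counts[ch] = counts.get(ch, 0) + n
    return counts

def parse_report_line(line: str) -> Classification:
    """Split one line into {Virkit:}[Main Class]{.Length}{.Minor Class} (Flags).
    The {.Germs} marker is not recognised separately (the text does not show its
    literal spelling); it simply stays in the minor class list."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an RHBVS report line: {line!r}")
    cls = m.group("cls")
    virkit = None
    if ":" in cls:
        virkit, cls = cls.split(":", 1)
    classes: List[str] = []
    length = None
    estimated = False
    for part in cls.split("."):
        lm = LENGTH_RE.match(part)
        if lm and length is None:                  # first numeric part is the size
            length = int(lm.group("n"))
            estimated = lm.group("q") == "?"
        else:
            classes.append(part)
    flags = parse_flags(m.group("flags") or "")
    return Classification(m.group("path"), virkit, classes, length, estimated, flags)

def parse_report(text: str) -> List[Classification]:
    """Parse every non-empty line of a screen report or /LOG file."""
    return [parse_report_line(ln) for ln in text.splitlines() if ln.strip()]

def describe_flags(c: Classification) -> List[str]:
    """Flag descriptions, most frequent flag first."""
    return [f"{f} x{n}: {FLAG_MEANING[f]}"
            for f, n in sorted(c.flags.items(), key=lambda kv: -kv[1])]

# Constructed sample report: line 1 is the TBSCANX example from the "Known False
# Positives" section below, the other two lines are made up for this example.
SAMPLE_REPORT = """\
D:\\WINDOWS\\TBAV_WIN\\TBSCANX.EXE Fast.TSR.File (MBIBBMFR)
C:\\SAMPLES\\SAMPLE1.COM VCL:Trivial.45 (O)
C:\\SAMPLES\\SAMPLE2.EXE File.438? (R:4 DM)
"""
```

Calling parse_report(SAMPLE_REPORT) returns one Classification record per line; describe_flags() turns a record's flag counts into readable text, e.g. "B x3: can overwrite the boot sector/MBR" for the TBSCANX line.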
Some terms
In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact.
Polymorphic code was invented in 1992 by the Bulgarian cracker Dark Avenger (a pseudonym) as a means of avoiding pattern recognition from anti virus software. This technique is sometimes used by computer viruses, shell code exploits and computer worms to hide their presence. Most anti virus software and intrusion detection systems attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to locate the offending code as it constantly mutates.
Encryption is the most commonly used method of achieving polymorphism in code. However, not all of the code can be encrypted, as it would then be completely unusable. A small portion of it is left unencrypted and used to initially start the encrypted software. Anti virus software targets this small unencrypted portion of code.
Malicious programmers have sought to protect their polymorphic code from this strategy by rewriting the unencrypted decryption engine each time the virus or worm is propagated. Sophisticated pattern analysis is used by anti virus software to find underlying patterns within the different mutations of the decryption engine in hopes of reliably detecting such malware.
Stealth: Some viruses try to fool anti virus software by intercepting its requests to the operating system. A virus can hide itself by ensuring that a request of anti virus software to read an infected file is passed to the virus, instead of to the operating system. The virus can then return an uninfected version of the file to the antivirus software, so that it seems that the file is "clean". Modern anti virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.
False Positives
A false positive, also called false alarm, exists when a test reports, incorrectly, that it has found a signal where none exists in reality. Detection algorithms of all kinds have the tendency to create such false alarms. For example, optical character recognition (OCR) may detect an a where there are only some dots that look like an a to the algorithm being used.
When developing such software there is always a trade-off between false positives and false negatives (in which an actual match is not detected). In the language of statistical hypothesis testing, this is a question of balancing the risk of Type I errors (false positives which reject the null hypothesis when it is true) against Type II errors (false negatives which fail to reject the null hypothesis when it is false).
Usually there is some trigger value of how close a match to a given sample must be achieved before the algorithm reports a match. The higher this trigger value is, the more similar an object has to be to be detected and the fewer false positives will be created.
Because RHBVS is a rule based virus scanner, false positives are normal. Just send me the executable to verify the false alarm and to improve the scanner. With standard installations RHBVS triggers no false positives!
Known False Positives
Currently RHBVS flags some hacker tools like unHS etc. But no normal user has such stuff on their drive - so no action is taken to fix it. Other well known false positives are the memory resident TBAV and FProt anti virus programs.
RHBVS flags them as:
"D:\WINDOWS\TBAV_WIN\TBSCANX.EXE Fast.TSR.File (MBIBBMFR)"
This means code to stay resident and to intercept file operations like opening or executing executable files. Looking at the output of the RHBVS code analyser we see that TBSCANX stays memory resident (M flags + TSR), uses INT 21h sub functions 3D, 3E & 6C, which is typical for a fast infector (Fast), and INT 13h sub function 02, which is typical for boot viruses (B flags). Because TBSCANX stays resident it relocates (R flags) to get its address.
THAT’S ABSOLUTELY RIGHT - SO RHBVS ONLY REPORTS A PROGRAM LOOKING LIKE A STANDARD FILE VIRUS…. :))
False positives caused by third party software
Ralf Borgmann reported that the DSAV.VxD intercepts the "Live Bait Test" and reports an unknown virus. This is a bug and false positive of the DSAV.VxD - it can be reproduced only on the first start of RHBVS :-))
>>>>>>> Please send me also viruses RHBVS misses. <<<<<<<<<<
Error Codes
RHBVS uses the following DOS return codes when terminating. You can use them in batch files or tools like Skull Check etc.
Error level | Meaning
------------+-------------------------------------------------
0 | RHBVS completed without any error and without
| finding any suspicious program!
1 | Misc. errors, like video mode or DOS version!
2 | The help screen was invoked.
3 | A virus was found in memory (by Quick Memory Scan)
4 | One of the signatures files (RHBVS.SIG or
| VIRSCAN.TRJ) is damaged or the access is denied!
5 | An error occurred creating the log file (/LOG=).
6 | Not used
7 | Path specified to scan: Access denied
8 | Insufficient memory/not enough memory
9 | VirScan.IRC|VirScan.VBS is missing or corrupt
10 | One or more suspicious files have been found!
11..18 | DOS error, please report it to ROSE SWE!
xx | Internal error, please report it to ROSE SWE!
Technology
RHBVS currently uses more than 350 modules to detect the different kinds of computer viruses. RHBVS can also emulate and follow a polymorphic hidden jump to the virus body, as used for example in the Nostradamus.3584 (a.k.a. Grief) viruses. All software modules have been taken from the virus scanner VirScan Plus from ROSE SWE. RHBVS will skip files smaller than 32 bytes.
The scanner can even detect and emulate anti-heuristic programmed code! RHBVS detects Trivial and Mini viruses with a detection rate above 98%, and boot (image files) and hybrid viruses at approx. 80% or better.
The overall detection is (tested on my virus collection):

Version [Samples]        0.01                0.10                1.00 /TROJ
--[Percent]---------------------------------------------------------------
ITW-Test set Germany     30.1 [412]          36.9 [412]          39.3 [412]
Classified viruses(1)    N/A                 64.1 [6037]         66.7 [6119]
Unclassified viruses     22.4 [1867]         27.5 [1867]         29.5 [2020]
--------------------------------------------------------------------------
Version [Samples]        1.03 (1)            1.05 (1)            1.07 (1)
--[Percent]---------------------------------------------------------------
ITW                      60.4 [379]          60.4 [379]          66.8 [373]
Classified(1)            77.7 [????]         77.3 [6808]         77.9 [8122]
Unclassified(2)          44.1 [2007]         45.6 [2371]         41.0 [1289]
--------------------------------------------------------------------------
Version [Samples]        2.00 (1)            2.02 (1)            2.03 (1)
--[Percent]---------------------------------------------------------------
ITW                      75.3 [402]          80.8 [647]          80.9 [649]
Classified(1)            82.1 [8122]         84.0 [9284]         84.4 [9215]
Unclassified(2)          45.3 [1289]         48.8 [1296]         49.6 [1203]
--------------------------------------------------------------------------
Version [Samples]        2.04 (1)            2.05 (1)            2.10 (1)
--[Percent]---------------------------------------------------------------
ITW(3)                   81.2 [649]          84.8 [649]          76.3 [2503]
Classified(1)            84.6 [9301]         85.9 [9408]         85.1 [9553]
Unclassified(2)          48.2 [1480]         50.1 [2532]         49.4 [1042]
--------------------------------------------------------------------------
Version [Samples]        2.11 (1)            2.20 (1)            2.22 (1)
--[Percent]---------------------------------------------------------------
ITW(3)                   84.1 [649]          76.3 [2503]         85.8 [649]
Classified(1)            84.6 [9301]         85.3 [10181]        79.2 [12409]
Unclassified(2)          42.8 [998]          42.4 [1962]         55.3 [978]
--------------------------------------------------------------------------
Version [Samples]        2.30 (4)            2.35
--[Percent]---------------------------------------------------------------
ITW(3)                   86.2 [1718]
Classified(1)            76.4 [18329]
Unclassified(2)          84.5 [1438]         86.8 [795]
MIRC scripts             100.0 [1018]        100.0 [1082]
--------------------------------------------------------------------------
Version [Samples]        2.50 (July 1999)    3.01 (Jan 2000)
--[Percent]---------------------------------------------------------------
FProt, unique(1)         75.8 [19236/25393]
Unclassified(2)          72.1 [546/757]      88.2 [1871/2122]
AVP, unique              70.2 [10392/14801]  65.1 [9789/15057]
Scripts (IRC, VBS, JS)   100.0 [1233/1233]
--------------------------------------------------------------------------
(1) Detectable by F-Prot (includes more than 700 HLL viruses & Trojans!). All viruses are unique (Virsort)!
(2) These are REAL viruses in my incoming directories, which are not scannable by the newest KAV and F-Prot versions!!!
(3) ITW test set based on Joe Wells' ITW lists. Included are all ITW file and boot infectors. Some viruses used by the VTC ITW test bed have been added to the RHBVS ITW test bed, as well as some RIMC viruses.
(4) With switches /TROJ and /HIGH
Main goal is to increase the overall detection rate as well as reduce the false positives.
Bugs & Limits
This program can only handle file names with a maximum length of 67+12 characters (including paths) because of the MS-DOS box of NT. If you have longer file names (Win95/98/NT support IMHO 252 chars) then you have to map your paths. Detection has been added for LAN-Manager, Netware based networks and Microsoft compatible networks.
RHBVS is currently not able to scan inside archives (ARJ, ZIP, LHA etc.), nor does it scan for macro and boot viruses!
RHBVS cannot run under some debuggers like Soft Ice due to the HackStop security envelope.
RHBVS is limited in scanning MS Office documents, boot viruses as well as Win32 executable (PE/NE).
Usage & Testing
Testing a virus scanner is not an easy task and should be only done by experts on a large virus collection!
Suggested Options for Testing
- File viruses
    rhbvs <path> /all /high /log=c:\temp\vtc.log
  (/trj is the default)
- Boot viruses (on disks)
  RHBVS is not designed to scan for boot viruses. Use for that task VirScan Plus or the heuristic boot virus checker ChkPc.
License
RHBVS is distributed as AnyWare. That means the author (ROSE SWE) holds the full copyright on the program and documentation. The usage of the program is free (just like Freeware).
If you find this program useful and you want to see it improved, just send me anything you think could be helpful, that means email, viruses, bug reports or even money …. :-)
History
Version 5
29.12.2018 5.04 Added new viruses. Documentation update.
20.09.2018 5.03 Added 22.000 viruses.
28.03.2018 5.02 This documentation was ported to AsciiDoc.
06.12.2017 5.01 Small enhancements. Major reprogramming
of the signature based detection.
29.11.2017 5.00 Trojan detection is not compatible with pre
5.00 releases. New viruses detection added.
Version 4
27.11.2017 4.98 Public release with new viruses detection.
09.09.2017 4.97 Public release. Enhancements and new viruses.
15.02.2017 4.96 Enhancements and new viruses.
22.04.2016 4.93 Public release. Enhancements and new viruses.
20.04.2015 4.92 Public release. Enhancements and new viruses.
10.11.2014 4.91 Public release. Enhancements and new viruses.
30.12.2013 4.90 Generic encrypted script detection added.
Enhancements and new viruses.
30.10.2013 4.84 Enhancements for better detecting Win32 and
Win64 viruses. Added new viruses.
03.03.2013 4.83 5000 viruses added, changed home page URL
30.09.2012 4.81 Small enhancements, new viruses.
16.10.2011 4.80 New viruses added, esp. the German
"Staatstrojaner" (file+live test).
07.06.2011 4.79 New viruses added. Enhancements for Win32,
Dos32 and Linux console output.
03.02.2011 4.78 New virus detection added. Fixed a
run-time error bug.
13.08.2010 4.77 Added a lot of windows malware and
windows shellcode detection stuff.
New viruses added.
18.06.2010 4.76 Win32.Shellcode handler improved.
VBS encrypted detection improved.
13.04.2010 4.75 New viruses added. New icon for RHBVS.
Dox updated.
19.03.2010 Major update/enhancements added to PeHead.
14.03.2010 4.73/4.74 Small enhancements and new viruses added.
19.02.2010 4.70-4.72 Small bug fixes and enhancements. New
viruses added.
30.03.2009 4.68/4.69 Massive enhancements around the /rename
function. Bug fixes and new viruses added.
06.02.2009 4.67 Small enhancements for Windows Vista.
New viruses added.
16.11.2008 4.66 Small bug fixes and enhancements. New
viruses added.
11.01.2007 4.65 Changes on the /Rename functions.
30.09.2006 4.64 Enhancements, new viruses. Changed
virus database.
09.08.2006 4.63 Small enhancements (e.g. .PNG detection).
25.04.2005 4.62 Enhanced the docs. Added new signatures
to the heuristic scan engines.
10.03.2005 4.60 Changed and enhanced the internal database.
Added new scan engines and viruses.
06.01.2005 4.51 Enhanced VBS engine. New viruses added.
13.11.2004 4.50 Added new viruses.
19.08.2004 4.50-RC2 Added ~600 new viruses. Fixed a few
false positives.
17.08.2004 4.50-RC1 Complete redesign of the script scanning
engines (VBS, Script, IRC, Batch etc.).
A lot of new viruses added.
The signature files (virscan.*) are not
compatible with the 4.1x and below
releases!
16.06.2004 4.13 Small fixes, 400 viruses added.
14.04.2004 4.12 Added QWTC - "Quick Windows Trojan Check"
21.01.2004 4.11 Bug fixing of the command line handling
engine. New viruses added.
09.09.2003 4.10 Bug fixing, RHBVS now requires a
coprocessor.
07.09.2003 4.05 Added and enhanced some scan engines
and added tons of new viruses. Bug fixes.
(EXE file is therefore 20 KB bigger!).
06.09.2003 4.02 Ported and enhanced some of the scan
engines to Linux. New viruses added.
16.07.2003 4.00 New viruses. Changed the internal Trojan
and malware engine to run on Linux too.
Version 3
13.05.2003 3.96 Added tons of new viruses.
25.03.2003 3.95 New and enhanced engines for VBS viruses.
27.02.2003 3.94 Fixes for HMA/A20 gate check. Added tons
of new viruses.
07.11.2002 3.93 Added tons of new viruses.
05.11.2002 3.92 Added new viruses, therefore internal hash
tables had to be adjusted.
03.11.2002 3.91 Build 433
20.08.2002 3.91 Build 423
18.06.2002 3.91 Documented the switch /OnlyFull. Added
new viruses.
05.05.2002 3.90 New viruses added. Changed the format of
Virscan.trj
25.04.2002 3.81 Added new viruses. Fixed a false positive.
23.04.2002 3.80 Fixed a bug with Win2000/NT. Changed the
signature files.
19.04.2002 3.73 Added 120 viruses.
11.04.2002 3.72 Added 300 viruses.
17.03.2002 3.71 Changed documentation (also renamed from
*.DOC to *.TXT). Added new viruses.
22.01.2002 3.70 New viruses. DOCS changed. Bundled with Win32
installer.
09.01.2002 3.64 New viruses. Added .PIF file for Win9x.
10.12.2001 3.63 New viruses added. New option -delYN added.
08.10.2001 3.62 New viruses added.
15.08.2001 3.61 New viruses. New generic scan engine for
IIS-Worms added. Should find every worm
that uses the IIS Backdoor. To scan for
such worms, you currently need the option
-ALL
30.07.2001 3.60 Added 300 new batch and script viruses
using the new designed scan engines from
RHBVS 3.55. Those signatures are stored
in the new file "VIRSCAN.IRC".
26.07.2001 3.55 Added tons of new viruses. Added .LNK as
default extension. Introduced a version
numbering to VIRSCAN.VBS (needed for new
generic script detection). Added generic
script detection engine. Added new engines.
08.06.2001 3.51 New viruses added. Better detection of
anti heuristic programmed VBS viruses.
03.05.2001 3.50 Depending on your machine (386, 486 etc.)
and operating system, RHBVS is now up to
20 percent faster. New viruses.
16.03.2001 3.45 Added more than 100 new VBS viruses. Added
.JSE, .VBE, .WSH as a default extension.
Included on the fly decryption of MS VBS
encrypted files (.VBE). New signatures
added. VBS scan engine updated.
17.02.2001 3.41 Update of the VBS scan engine to find
VBS.NeueTarife/AnnaKov. New viruses.
19.01.2001 3.40 New viruses added (of course :). Option
-ShowErr added. Statistic enhanced
(+ time, + total errors). Some false
positives fixed. We have ported parts of
the scan engines to win32. As a benefit
the scanning is now much faster
due to the enhancements we had to do for
the porting.
04.01.2001 3.32 Added four new scan engines, VBS engine
was enhanced. 70 new viruses added.
27.11.2000 3.31 New viruses added.
14.09.2000 3.30 Added Win32 Stealth Bait test. New
viruses added.
25.07.2000 3.21 Added .VBA as default extension. /RenPE
enhanced. New viruses added.
05.07.2000 3.20 Faster scanning due to rewrite of the VBS
and MIRC analyser. Added option /NoScript
(same as /NoVBS). New viruses. Added 180
Trojans. Added MS Mail scanning (MSFT).
Added generic VBS detection (construction
kits etc.). Added generic Batch file
detection.
22.06.2000 3.11 Added detection for 680 Backdoors. 20 new
VBS viruses added. Added .VXD and .SHS as
default extensions. Added 70 Trojans. SHS
will now be scanned too (VBS.Life_Stages).
26.05.2000 3.10 Added detection for 250 Win/Win32 Trojans,
Backdoor and password stealing programs.
Added detection for 20 new VBS viruses.
Added .DLL extension as default. New viruses.
07.05.2000 3.03 Due to the various VBS.Love-Letter variants
we added to the virus name additionally the
length. When you use RZOOSORT.BAT to sort
your Love-Letter variants, they go now in
separate directories.
28.04.2000 3.02 Added MIRC detection in .PIF files. Added
option /NoVBS. /NoVBS is also set if
VIRSCAN.VBS was not found! New viruses :)
Added options /NoTrj and /NoTroj
29.01.2000 3.01 Added HLP, AVI, CHM, FTS, CNT detection.
Added Joke class to RHBVS. New viruses :)
Changed the VBS detection engine for the
first anti RHBVS specific viruses.
03.12.1999 3.00 Added ACE and (WAV) Wave detection. Added
"T" flag (time/date). Added 750 new viruses.
Added new scan engines. Added the options
/VB, /VBK (code analyser) and /REPORT.
Better Java script detection added. Nicer
screen output. The switch /stdout is now
obsolete and not supported any longer!
Version 2
01.09.99 2.56 Added ARJ and LZH archive detection.
Renamed /ANALYSE to /WHOLE (planned to
add switch /ANALYSE[=language.dat]).
RHBVS can now handle multiple infections of
VBS viruses.
11.08.99 2.54 New viruses. Tested RHBVS under Win2000b3
Server and fixed all bugs.
24.07.99 2.52 Added new VBS, JS and MIRC viruses using a
new detection engine.
18.07.99 2.51 WBT (Windows Batch) virus class added.
New viruses added.
10.07.99 2.50 HTML, JS, CS and VBS detection added. New
viruses and other malware added.
24.05.99 2.35 Approx. 500 viruses added. Basic PIRC, INF
and VBS detection added. Option /COMP
(generic companion detection) added.
17.02.99 2.34 Option /NOMEM added. New viruses.
Added detection of HTML, PDF (Adobe Acrobat)
and MDB (MS Access) file format.
15.01.99 2.33 Option /RAW added. Bug with long directories
under Win-NT fixed. Tons of new viruses and
Trojans added. Added Natas decryption engine
from VSP. Enhanced the rhbvscum.awk script.
02.01.99 2.32 Command line handling improved. Mirc detection
improved. Code analyser and option /Virsort
enhanced. New viruses and Trojans added.
File sharing handling for Windows enhanced.
29.12.98 2.31 Fixed some bugs and false positives.
Enhanced the Mirc classification. Added
the rhbvscum.awk script to the package.
29.11.98 2.30 Added Mirc script worm detection and
heuristics. Improved file handling.
Improved /RENAME capabilities. New viruses
and Trojans. If VIRSCAN.TRJ is found
automatically option /TROJ is added!
20.10.98 2.24/2.25 Non public releases!
24.08.98 2.23 New viruses and Trojans. Added a new
Trojan detection. Added new entry point
detection. Bug fixes. RHBVS uses now the
same "smart renaming" engine like RFW.
SYS virus detection added.
17.05.98 2.22 New viruses. Added new scan engines (VCL,
Mini, Trivial etc.).
07.04.98 2.21 Fixed a lot of minor bugs in the /Rename
section. Better Live Bait Test. RZOOSort
changed. Added a new internal scan engine.
Tons of new viruses added :)
18.03.98 2.20 /Rename, /Renumber now support more Excel
formats (.XLA, .XLS etc.), credits: A. Marx
Added advanced check for resident stealth
viruses (Stealth Live Bait Test). Added
more than 40 boot viruses and more than
70 file infectors. Improved the boot
heuristics. Minor bug fixes.
Currently I am working on a neural network
for RHBVS so it may take some time for the
next release :-))
15.02.98 2.11 Added or fixed the following features:
+ Added more than 50 new viruses.
+ Fixed some false positives (R. Borgmann)
+ More compatible file access. Credits
(Christian Ghisler & Ralf Borgmann).
+ Added new search engines and flags.
+ RHBVS can now only be aborted with the
Escape key (SR by R. Borgmann).
+ Heuristic flag compression/sorting
+ /Renumber=Value switch now works
correctly (one of those undocumented
features :-))
29.01.98 2.10 Enhanced check for stealth viruses and
fast infector added. Added 350 new
viruses. Enhanced companion detection.
Enhanced boot virus detection. Added new
search engines. Improved the statistics.
Enhanced code analyser. Fixed some false
positives. Added the batch file
RZOOSORT.BAT to the package. RHBVS does
now a much better classification of the
virus using its new code analyser.
Changed the heuristic to produce less
false positives than the 2.05 release.
28.12.97 2.04 Now the /LOG switch supports file names,
e.g. /LOG=C:\TMP\RHBVS.NEW etc. Changed
the error level (DOS return codes) and
documented them in RHBVS.DOC. New viruses
added, fixed some false positives and
bugs. New flag "A" added. Added the new
virus group "Poly". Added an entry point
resolver for the _310 virus. AVR for
boot viruses enhanced and improved.
Sanity (integrity) self check added!
13.12.97 2.03 Fixed again some false positives received
from Ralf Borgmann. About 230 new viruses
added. Now the signatures file RHBVS.SIG
also contains flags. Added new search
engines. Modified the live bait test to
fool the DSAV.VxD.
21.11.97 2.02 Fixed about 10 false positives (credits
Ralf Borgmann). Added new search engines
and new viruses. Overall detection ratio
is now 84 percent!
08.11.97 2.01 Fixed two false positives. Added more than
20 new scan engines. Enhanced the Mini
and Trivial scan engine. Added more than
200 viruses! RHBVS now scans also files
with the extensions .IMG, .BOT and .BIN.
01.11.97 2.00 Added the option /LOG to generate a
simple log file.
Added more than 80 new scan engines -
they are the compressed and optimized
search strings from VirScan Plus.
Version 1
12.10.97 1.07 Added new viruses. Added a new entry
point detection for the _1015 virus.
20.09.97 1.06 Windows NT compatibility enhanced. Added
new viruses.
09.08.97 1.05 Added some viruses and a new entry point
detection engine for the Demo Fraud virus.
Windows-NT compatibility enhanced. Added
a PIF file for Windows NT 4.0.
13.07.97 1.04 Added the switch /FILETYPE. Added a check
for corrupted files. Added a few new
viruses. Fixed some false positives.
06.07.97 1.03 Enhanced the Mini-AVR module. Added new
viruses. Fixed some minor bugs. Added
option /HEUR. Release for SAC ftp etc.
28.06.97 1.02 Fixed two false positives. Added a few
viruses. Changed the help screen.
Added one search engine for EXE-Header
viruses. Changed access mode for faster
accessing write protected discs. Added
the 'E'-Flag.
11.06.97 1.01virnet Changed some DOCS. Release for Virnet.
09.06.97 1.01 Added the Option /CONT and /HIGH.
Enhanced one search engine to find the
Make2 virus.
07.06.97 1.00 Added the option /TROJ.
Improved the Tiny code analyser, added the
flags 'H' and '#'.
First official release
Beta Versions
29.05.97 0.10 Improved the detection rate by more than 5%!
27.05.97 0.02 Added the option /AUTO and /BEEP.
Added RHBVSGER.FAQ, enhanced the DOC.
Fixed a bug when redirecting the output
using the stdout option (rhbvs -stdout>file).
Detection of EXE packers added.
22.05.97 0.01 Initial release
Credits
People who helped to improve this product or have given feedback.
In alphabetical order:
Andreas Haak code analyser & more
Andreas Marx technical consultant :)
Axel Pettinger Mirc stuff
Bert De Rijck Fam_????
Carsten Kruse Mr. "enhancements"
Christian Ghisler technical consultant :)
Claus Vogt
Frank Ziemann Backdoor, Trojan and Worm testing
Hanno Boeck Mr. "false positives" :)
Jerry Hodges CRC32
Joe Hartmann Mirc, false positives, RIMC project
Joerg Abdinghoff initial idea for /ANALYZE, now /vb or /vbk
Lukas-Fabian Moser
Laurent Gerard new virus
Mano Schwarz
Mathias Brunner
Masterball/codeBreaker HMA/A20 testing
Michael Hering checksum, FP, RHBVS.DOC, easily switches
Nobert Kirch stdout bug
Peter Kosinar FP, missed viruses
Ralf Borgmann Mr. RHBVS beta tester :)
Robert Flogaus-Faust
Sebastian Boehm
Stonehead Mr. "false positives" :)
Tjark Auerbach DOX
Toralv Dirro RIMC project
Valentino Tosatti Mr. "false positives" :)
Veit Kannegieser
You? ..
Files
CRCHECK.TXT checksum file of the whole distribution
ROSEBBS.TXT the author's address and ROSE support BBS, WWW etc.
FILE_ID.DIZ short description of the package
RHBVS.XXX checksum file for integrity check
RHBVS.MSG Message/language file for switch /vb
RHBVS.DOC this documentation
RHBVS.EXE the main executable
RHBVS.PIF Win 3.1/9x/NT/2000 program interface file :-))
RHBVS.SIG some heuristic scan engines and flags
VIRSCAN.TRJ signature file for HLL viruses and Trojans
VIRSCAN.IRC signature file for script and batch viruses (IRC, BAT...)
VIRSCAN.WSM signature file for script viruses (IRC, VBS, JS, CSC...) [windows script malware]
RHBVSCUM.AWK AWK script to create statistics reports from RHBVS.LOG
RZOOSORT.BAT handy batch file to sort your unknown viruses!
Miscellaneous
Why is RHBVS.EXE such a small program? Well, it is compressed using a so-called online compressor (a run-time executable packer). Here are the results of the search for the best compressor for RHBVS.EXE:
Original size (10.06.2000) = 342.560 bytes **
(17.07.2003) = 385.120 bytes
(09.09.2003) = 396.928 bytes
(25.04.2005) = 407.344 bytes
(10.02.2007) = 410.944 bytes
(13.08.2010) = 413.280 bytes
(28.11.2017) = 415.664 bytes (147kb compressed)
(28.03.2018) = 416.832 bytes (132kb compressed)
Compressors (always newest versions, used on the 342 KB executable **)
UPX --lzma 1????? (used)
UPX -9 114964
UPX 116349
wwpack 3.05 133588
Compack 5.1 140330
Ainexe 142627
AVPack 145527
Diet 147731
Pklite 2.01 150024
LzEXE 152456
Computer Viruses and Malware - A Short Overview
A computer virus is a piece of code (software) that is installed on a computer either by a hacker, by another compromised computer (replication), by malicious attachments/mails or by a website (drive-by infection). It performs functions that the computer owner does not authorize and does not want.
Viruses are sometimes also referred to as malware. This is usually where they have adverse effects on the computer user, such as logging each keystroke (through a keylogger), audio recording or snapshots of each screen.
Such infection can lead to identity theft, endangerment of bank or purchase card data or loss of confidential data. It is more likely to occur on home computers that are normally not as security managed as corporate computers.
Malware
Malware, or malicious software, is a generic term for a variety of malicious or intrusive software, including computer viruses, worms, Trojans, ransomware, spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software. Malware is defined by its malicious intent, which acts against the interests of the computer user - and therefore does not include software that causes unintentional damage due to a defect.
Programs officially delivered by companies can be considered malware if they secretly violate the interests of the computer user.
(Computer) Virus
A computer virus is a type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and appending or inserting its own code. When this replication succeeds, the affected programs are then said to be "infected" with a computer virus.
The term "virus" is also commonly, but erroneously, used to refer to other types of malware. "Malware" encompasses computer viruses along with many other forms of malicious software, such as computer "worms", ransomware, spyware, adware, Trojan horses, keyloggers, rootkits, bootkits, malicious Browser Helper Objects (BHOs) and other malicious software. The majority of active malware threats are actually Trojan horse programs or computer worms rather than classic computer viruses.
(Computer) Boot Virus
Boot viruses are the oldest known computer viruses. These viruses were the most common form of viruses until 1995, but are now extinct. Nowadays there are almost no boot sector viruses any more, because BIOSes and operating systems usually provide well-functioning software or hardware protection.
A boot virus is a computer virus that becomes active when the computer starts (boots), before the operating system (DOS, Linux or Windows) is fully loaded. Boot sector viruses exploit the fact that the boot sector is always loaded first. On floppy disks, the virus is at least partially in the boot sector, so that even floppy disks that do not contain any files can be infected. On hard disks, the virus infects the master boot record (MBR) or the logical boot sector.
A boot sector virus infects the boot sector of floppy disks and the master boot record (MBR) of a hard disk. The boot sector is the first physical sector of a floppy disk (one sector, 512 bytes). The boot sector is used by boot floppies to boot from the floppy disk. If a user wants to boot from an infected boot floppy, or forgets an infected floppy disk in the floppy drive when the computer starts, the BIOS accesses this sector and executes it (given the appropriate BIOS boot setting). The virus then attempts to infect the MBR of the hard disk each time the computer starts. When an infected computer starts, the MBR, which is normally responsible for recognizing the different partitions on the hard disk, is loaded. The now loaded virus remains in memory and monitors access to floppies. When a diskette is inserted into a computer infected with a boot sector virus, the virus infects the boot sector of the diskette.
Known boot viruses are the Form virus, Parity Boot and Boot-437.
Multipartite Virus
A multipartite virus is a computer virus that infects and spreads in multiple ways. The term was introduced to describe the first viruses that included DOS executable files and PC BIOS boot sector virus code, where both parts are viral themselves. Prior to the discovery of the first of these, viruses were categorized as either file infectors or boot infectors. Because of the multiple vectors for the spread of infection, these viruses could spread faster than a boot or file infector alone.
Trojan horses
A Trojan horse is a program that does something undocumented which the programmer intended, but that users would not accept if they knew about it. By some definitions, a virus is a particular case of a Trojan horse, namely, one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a non-replicating malicious program.
Ransomware
Ransomware is a particularly invasive form of malware that takes a victim's data or device and holds it hostage (or displays bogus claims of illegal activity or porn usage, or suggests that a system is already infected with viruses) until a sum of money is handed over in order to secure its release. Ransomware has existed since around 1989, in the form of the "DOS-AIDS" Trojan (aka PC Cyborg), which encrypted files on a hard drive and then demanded a payment of $189 to unlock them again. In the last few years ransomware has become a significant, global threat.
Malicious Mining Software (Crypto-Miner)
Starting in 2018, malware authors are increasingly relying on malicious mining software. This year, for the first time, there have been more infections of this type than with ransomware. More and more online criminals seem to turn their backs on ransomware and rely on crypto-miners instead. They secretly mine cryptocurrency on infected computers - Monero is particularly popular. This is obviously extremely lucrative, as the latest figures show.
Reasons for the turnaround? If ransomware strikes and encrypts a victim's data, the victim usually has to pay a ransom in the form of bitcoins. This is an obstacle that not every victim can or will take. A crypto-miner, on the other hand, only needs to infect computers. Afterwards it mines in secret, requires nothing from the victim, and silently earns the authors large profits - all the more so given the exploding prices of the various cryptocurrencies.
Scam
Any means of cheating or misleading a person and gaining their trust or receiving information to which the cheater is not entitled.
Spyware
Spyware is a type of computer virus that hides on your computer or mobile device, records your private data and sends that information back to whoever created it or monitors it. The tricky thing about spyware, and what separates it from the growing threat of ransomware, is that spyware is designed both to install discreetly and to operate silently in the background.
Backdoors
A hidden point of access to a program/system. Backdoors are usually intentionally created by a programmer for debugging or maintenance purposes, but if discovered by unauthorized users or software they pose a security risk, allowing access and causing damage. Malware often installs backdoors on compromised systems!
Botnets
A bot is a program that runs automated tasks over the Internet. Botnets are collections of bots that run autonomously and automatically. Typically they perform repetitive tasks at a much higher rate than a human is capable of. They can be used for malicious purposes, such as denial of service attacks or infecting other computers. An infected computer is called a bot or zombie.
Macro viruses
A macro is a piece of code that can be embedded in a data file. A macro virus is thus a virus that exists as a macro attached to a data file. In most respects, macro viruses are like all other viruses. The main difference is that they are attached to data files (i.e., documents) rather than executable programs. Document-based viruses are, and will likely continue to be, more prevalent than any other type of virus.
Worms
Worms are very similar to viruses in that they are computer programs that replicate functional copies of themselves (usually to other computer systems via network connections) and often, but not always, contain some functionality that will interfere with the normal use of a computer or a program. Unlike viruses, however, worms exist as separate entities; they do not attach themselves to other files or programs. Because of their similarity to viruses, worms also are often referred to as viruses.
Stealth viruses
What is a stealth virus? A stealth virus is one that, while active, hides the modifications it has made to files or boot records. It usually achieves this by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means that programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Thus the virus’s modifications may go undetected by antivirus programs. However, in order to do this, the virus must be resident in memory when the antivirus program is executed, and the antivirus program may be able to detect its presence.
The very first DOS virus, Brain, a boot-sector infector, for example monitored physical disk input/output and redirected any attempt to read a Brain-infected boot sector to the disk area where the original boot sector was stored.
File stealth viruses
In addition to hiding the boot information, DOS file stealth viruses attack .com and .exe files when opened or copied, and hide the file size changes from the DIR command. The major problem arises when you try to use the CHKDSK/F command and there appears to be a difference between the reported file size and the apparent size. CHKDSK assumes this is the result of some cross-linked files and attempts to repair the damage. The result is the destruction of the files involved.
Full stealth viruses
With a full stealth virus, all normal calls to file locations are cached, while the virus subtracts its own length so that the system appears clean.
Countermeasures against Stealth Viruses?
You need a clean system so that no virus is present to distort the results of system status checks. Thus you should start the system from a trusted, clean, bootable diskette before you attempt any virus checking.
Encryption
One method of evading malware detection is to use simple encryption to encipher (encode) the body of the malware, leaving only the encryption module and a static cryptographic key in cleartext which does not change from one infection to the next.
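The weakness of a static key, as an added example (this is illustration code written for this page, not RHBVS's scan engine): because the decryptor stub and its key are identical in every infection, a scanner can read the key straight out of the stub, or simply try all 256 single-byte XOR keys and look for plaintext scan strings. Every byte sequence below is constructed for the demonstration; the stub pattern `80 37 ib` (xor byte ptr [bx], imm8), the INT 21h bytes and the marker string are assumed signature components, not anything RHBVS uses.

```python
# Added example, not part of RHBVS. Detecting a body enciphered with a
# single static XOR key. All byte strings here are constructed.

# Scan strings looked for in the decrypted body (constructed). CD 21 is
# INT 21h, the DOS service call; on its own it is far too common to be a
# signature, so a second, longer string is required as well.
SCAN_STRINGS = [
    b"\xcd\x21",             # INT 21h (hypothetical signature component)
    b"CONSTRUCTED-MARKER",   # constructed stand-in for a real scan string
]

# Hypothetical decryptor stub pattern: "xor byte ptr [bx], imm8" encodes as
# 80 37 ib, so the static key is the byte right after 80 37.
STUB_PREFIX = b"\x80\x37"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole buffer; encrypt and decrypt are the same."""
    return bytes(b ^ key for b in data)


def extract_key_from_stub(sample: bytes):
    """Recover the key directly from the cleartext decryptor stub, if present."""
    pos = sample.find(STUB_PREFIX)
    if pos < 0 or pos + 2 >= len(sample):
        return None
    return sample[pos + 2]


def find_static_xor_key(sample: bytes, scan_strings=SCAN_STRINGS, min_hits: int = 2):
    """
    Brute-force all 256 keys. Return (key, matched_strings) for the key that
    exposes the most scan strings, or None if no key reaches min_hits.
    Requiring several independent hits keeps chance matches of short
    strings (CD 21 will appear under some key by accident) from alerting.
    """
    best = None
    for key in range(256):
        plain = xor_bytes(sample, key)
        hits = [s for s in scan_strings if s in plain]
        if len(hits) >= min_hits and (best is None or len(hits) > len(best[1])):
            best = (key, hits)
    return best


def build_sample(key: int) -> bytes:
    """
    Construct a fake infected body for the demonstration: a cleartext stub
    (xor byte ptr [bx],key / inc bx / loop back) followed by the enciphered
    body. The body is harmless filler around the two scan strings.
    """
    stub = STUB_PREFIX + bytes([key]) + b"\x43" + b"\xe2\xfa"   # xor / inc bx / loop
    body = (b"\xb4\x09\xba\x00\x01"      # mov ah,9 / mov dx,0100h (filler)
            + b"\xcd\x21"                 # int 21h
            + b"\x00" * 8
            + b"CONSTRUCTED-MARKER"
            + b"\xc3")                    # ret
    return stub + xor_bytes(body, key)


if __name__ == "__main__":
    sample = build_sample(0x5A)
    print("key from stub :", hex(extract_key_from_stub(sample)))
    print("key by search :", find_static_xor_key(sample))
    print("clean buffer  :", find_static_xor_key(b"\x00" * 64))
```

Both routes find the same key for the constructed sample, and an all-zero buffer yields no key at all, which is the point of demanding more than one hit: a scanner that alerted on any key revealing CD 21 would be the kind of false positive the changelog above keeps fixing.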
What is a polymorphic virus?
A polymorphic virus is one that produces varied but operational copies of itself. This strategy assumes that virus scanners will not be able to detect all instances of the virus. One method of evading scan-string driven virus detectors is self-encryption with a variable key. Polymorphic code was the first technique that posed a serious threat to virus scanners.
More sophisticated polymorphic viruses (e.g., V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with "noise" instructions (e.g., a No OPeration instruction (NOP), or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g., Subtract A from A, and Move 0 to A). A simple-minded, scan-string based virus scanner would not be able to reliably identify all variants of this sort of virus; in this case, a sophisticated scanning engine has to be constructed after thorough research into the particular virus.
One of the most sophisticated forms of polymorphism used so far is the Mutation Engine (MtE) or the Trident Polymorph Engine (TPE), which comes in the form of an object module. With such mutation engines, any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation-engine and random-number generator modules.
The advent of polymorphic viruses has rendered virus scanning an increasingly difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.
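Why "more search strings" cannot keep up, as an added example (illustration code written for this page, not RHBVS's analyser): a plain scan-string comparison fails on every variant, while an engine that first normalises the code (drops NOPs and noise loads, rewrites equivalent zeroing idioms, orders independent neighbours canonically) matches them all. Instructions are symbolic tuples; the instruction subset, its read/write model, and the reference loop with its two variants are all constructed and much simpler than real x86.

```python
# Added example, not part of RHBVS. "Normalise then compare" for the
# polymorphic tricks named in the text. Instructions are tuples such as
# ("mov", "ax", 0): registers are strings, "[bx]" is a memory operand,
# immediates are ints. Everything below is a constructed simplification.

REGS = {"ax", "bx", "cx", "dx", "si", "di"}
BARRIERS = {"int", "loop"}      # never reordered across (side effects / control flow)


def _operand_reads(opnd):
    """Resources read when an operand is used as a source."""
    if isinstance(opnd, str) and opnd.startswith("["):
        return {opnd[1:-1], "mem"}          # base register and memory
    if isinstance(opnd, str) and opnd in REGS:
        return {opnd}
    return set()                            # immediate or label


def reads(ins):
    """Resources an instruction reads (simplified model)."""
    op = ins[0]
    if op == "nop":
        return set()
    if op == "int":
        return REGS | {"mem"}
    if op == "loop":
        return {"cx"}
    dst, src = ins[1], (ins[2] if len(ins) > 2 else None)
    r = _operand_reads(src)
    if dst.startswith("["):
        r.add(dst[1:-1])                    # the address register is always read
        if op != "mov":
            r.add("mem")                    # read-modify-write on memory
    elif op != "mov":
        r.add(dst)                          # xor/sub/add/inc read their destination
    return r


def writes(ins):
    """Resources an instruction writes (simplified model)."""
    op = ins[0]
    if op == "nop":
        return set()
    if op == "int":
        return REGS | {"mem"}
    if op == "loop":
        return {"cx"}
    return {"mem"} if ins[1].startswith("[") else {ins[1]}


def independent(a, b):
    """True if a and b may be swapped without changing the result."""
    if a[0] in BARRIERS or b[0] in BARRIERS:
        return False
    return not (writes(a) & (reads(b) | writes(b))) and not (writes(b) & reads(a))


def _is_dead_load(seq, i):
    """A register load that nothing reads before the register is overwritten."""
    reg = seq[i][1]
    for later in seq[i + 1:]:
        if reg in reads(later):
            return False
        if reg in writes(later):
            return True
    return True       # simplification: code after the snippet is not considered


def normalize(seq):
    out = [ins for ins in seq if ins[0] != "nop"]                      # 1. drop NOPs
    out = [("mov", i[1], 0) if i[0] in ("xor", "sub") and i[1] == i[2] else i
           for i in out]                                               # 2. xor r,r / sub r,r -> mov r,0
    i = 0                                                              # 3. drop dead register loads
    while i < len(out):
        if out[i][0] == "mov" and out[i][1] in REGS and _is_dead_load(out, i):
            del out[i]
        else:
            i += 1
    changed = True                                                     # 4. canonical order of
    while changed:                                                     #    adjacent independent pairs
        changed = False
        for j in range(len(out) - 1):
            if independent(out[j], out[j + 1]) and repr(out[j + 1]) < repr(out[j]):
                out[j], out[j + 1] = out[j + 1], out[j]
                changed = True
    return tuple(out)


# Constructed reference decryptor loop and two "mutated" variants of it.
REFERENCE = [("mov", "bx", 0x100), ("mov", "cx", 0x200),
             ("xor", "[bx]", 0x5A), ("inc", "bx"), ("loop", "top")]
VARIANT_A = [("mov", "cx", 0x200), ("nop",), ("mov", "bx", 0x100),     # swapped + NOPs
             ("mov", "dx", 0x1234),                                    # load into unused register
             ("xor", "[bx]", 0x5A), ("nop",), ("inc", "bx"), ("loop", "top")]
VARIANT_B = [("mov", "bx", 0x100), ("sub", "dx", "dx"),                # equivalent zeroing as noise
             ("mov", "cx", 0x200), ("xor", "[bx]", 0x5A), ("inc", "bx"), ("loop", "top")]


def scan_string_match(candidate, reference):
    """What a plain scan-string scanner does: exact comparison."""
    return list(candidate) == list(reference)


def normalized_match(candidate, reference):
    """What an analysing engine does: compare canonical forms."""
    return normalize(candidate) == normalize(reference)
```

The dead-load rule is deliberately local (it only looks to the end of the snippet), and the reordering only canonicalises adjacent pairs; a real engine works on decoded machine code and has to reason about the whole routine, which is the "thorough research into the particular virus" the text refers to.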
What is an armored virus?
Armored viruses use special tricks to make the tracing, disassembling, and understanding of their code more difficult. A good example is the Whale virus.
What is Phishing/Vishing?
Phishing is when a third party tricks a user into giving away information by e-mail, or by phone call (vishing).
Links / Pointers
Some viruses that were very widespread
Cascade
The Cascade virus (also known as Herbstlaub in Germany) is a prominent DOS computer virus that is a memory resident virus written in assembly language. Cascade was widespread in the 1980s and early 1990s. It infected DOS .COM files and had the effect of making text on the screen cascade down and form a heap at the bottom of the screen. It was notable for using an encryption algorithm to avoid being detected. However, one could see that infected files had their size increased by 1701 or 1704 bytes. In response, IBM developed its own antivirus software.
The virus has a number of variants. Cascade-17Y4, which is reported to have originated in Yugoslavia, is almost identical to the most common 1704 byte variant. One byte has been changed, probably due to a random "mutation". This, however, has resulted in a "bug" in the virus. Another mutated variant is also known - it infects the same file over and over.
Jerusalem
Jerusalem is a DOS virus first detected in Jerusalem, in October 1987. On infection, the Jerusalem virus becomes memory resident (using 2kb of memory), and then infects every executable file run, except for COMMAND.COM. COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. .EXE files grow by 1,808 to 1,823 bytes each time they are infected. The virus re-infects .EXE files each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.
The virus code itself hooks into interrupt processing and other low level DOS services. For example, code in the virus suppresses the printing of console messages if, for example, the virus is not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".
The program contains one destructive payload that is set to go off on Friday the 13th, all years but not in 1987. On that date, the virus deletes every program file that was executed. Jerusalem is also known as BlackBox because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem creates a small black rectangle from row 5, column 5 to row 16, column 16. The rectangle is scrolled up by two lines.
As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself. The slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop each time the processor’s timer tick is activated.
Symptoms also include spontaneous disconnection of workstations from networks and creation of large printer spooling files. Disconnections occur since Jerusalem uses the interrupt 21h low-level DOS functions that Novell Netware and other networking implementations required to hook into the file system.
Jerusalem was initially very common (for a virus of the day) and spawned a large number of variants. However, since the advent of Windows, these DOS interrupts are no longer used, so Jerusalem and its variants have become obsolete.
/* End of Document */
Copyright
©opyright by
__________ ________ ____________________ ___________ _____________
\______ \\_____ \ / _____/\_ _____/ / _____/ \ / \_ _____/
| _/ / | \ \_____ \ | __)_ \_____ \\ \/\/ /| __)_
| | \/ | \/ \ | \ / \\ / | \
|____|_ /\_______ /_______ //_______ / /_______ / \__/\ / /_______ /
\/ \/ \/ \/ \/ \/ \/
-------------------------------------=-----------------------------------
ROSE SWE See ROSEBBS.TXT for
Dipl.-Ing. Ralph Roth full address, FAX and PGP keys.
http://rose.rult.at
rose_swe@hotmail.com All Rights Reserved!
-------------------------------------=-----------------------------------
End
End of the documentation! Thank you for reading it. Bye!