VIRx 1.9 Revisions
==============================
Date: 12/17/91

1. The licensing agreement for your usage of VIRx has been changed. Individual and educational users need not concern themselves with the change. For corporate and business users: VIRx may only be used within your institution for a 30 day evaluation period. If you wish to use VIRx after that period, please contact Microcom, Inc. at (919)-490-1277 for information on a site license. VIRx may not be bundled with other products without a written agreement: contact Microcom for details.

2. VIRx 1.9 now detects 85 newly discovered viruses, bringing the total count to 649, plus innumerable variants.

3. There is a known problem with occasional V2P6 false positives. If you encounter a file that VIRx indicates contains the V2P6 virus, please leave a message on Microcom's BBS at the number listed below with details immediately. If possible, please upload a copy of the file that is generating the V2P6 alert.

4. Our BBS is thriving and awaits your visit! It runs at up to V.32BIS speeds. Please upload suspect files to the BBS, where we'll examine them and let you know whether the file contains a virus. The latest copy of VIRx is always available on the BBS, and we welcome your suggestions and comments regarding our products. You can reach the BBS at (919)-419-1602

5. Finally, we are documenting our external signature file. This allows new viruses to be detected without having to wait for a new release of VIRx. You should be careful: if you use the external signature file and add a virus signature that we are already using within our internal virus signature database, VIRx will inform you that it has found a virus in memory. It is best to call our BBS on a regular basis and to get the external signature file that we make available thereon: the virus signatures in this file contain only tested strings which will not cause any of these problems.

Here is the format of the external virus signature file, which must be on your C: drive, must be in a directory called "\VIREX" and must be called "VIREX.VIR":

The represents whether the virus signature following is for a "Program" virus or a "Boot" virus. Use 'P' for program viruses and 'B' for boot sector viruses. You can also use a '#' as a comment line indicator, if you wish: such flagged lines will be ignored.

The is, obviously, the name of the virus. It may not contain any spaces or other whitespace, a limitation of the external signature file. You might want to use underscores or hyphens instead of spaces.

The is the translation of the hex signature string into an ASCII form. Each byte is represented by a zero-filled, right justified two place sequence: the proper representation of a hex "0xf" would be "0f"; to represent "0xff", use "ff".

For example, if a new virus called NewVirus, a program type virus, were to have a signature string of "1 2 3 4 5 6 7 8 9 a b c d e f", its entry in the external signature file (C:\VIREX\VIREX.VIR) would be:

    #A comment line for the NewVirus external signature file example
    P NewVirus 0102030405060708090a0b0c0d0e0f

Optionally, you could include both a checksum of these bytes (we use this to make sure that an end-user did not make a typing mistake) and a "nasty" indicator. A nasty indicator tells VIRx that the virus signature refers to a virus that can infect a clean file simply by VIRx examining that clean file: if such a virus is found in memory, VIRx will not scan further, and you should reboot with a clean, write-protected DOS floppy before scanning again.

The nasty indicator is simply an exclamation point, "!". The checksum is a two byte long unsigned checksum of the signature bytes. You can use a program such as Sidekick in its hex calculator mode to determine what this checksum should be if you can't do hex math in your head (we can't, either!).
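
An added example (not Microcom's code and not part of the original notes): a Python validator for entries in this layout, including the optional checksum and nasty indicator. It assumes fields are separated by whitespace and that the checksum is the 16-bit sum of the signature bytes, which agrees with the 04b2 value this document gives for the signature 1234567890aabbccdd; the function names and the Typo_Demo and BadType entries are constructed for illustration.

```python
import re

# Constructed input: NewVirus and NastyVirus are this document's examples, the last two are bad.
SAMPLE = """\
#A comment line for the NewVirus external signature file example
P NewVirus 0102030405060708090a0b0c0d0e0f
B NastyVirus 1234567890aabbccdd 04b2!
P Typo_Demo 0102030405060708090a0b0c0d0e0e 0078
X BadType 00ff
"""
TRAILER = re.compile(r"(!?)([0-9a-fA-F]{4})?(!?)")  # checksum and "!" in either order

def checksum(sig: bytes) -> int:
    """Assumed algorithm: sum of the signature bytes, truncated to 16 bits."""
    return sum(sig) & 0xFFFF

def parse_line(line: str):
    """Return None for blank/comment lines, a dict for an entry; raise ValueError if malformed."""
    fields = line.split()  # assumption: fields are separated by whitespace
    if not fields or fields[0].startswith("#"):
        return None
    if len(fields) not in (3, 4):
        raise ValueError("expected: type name hexsig [checksum/nasty]")
    kind, name, hexsig = fields[:3]
    if kind not in ("P", "B"):
        raise ValueError(f"type must be P or B, got {kind!r}")
    if len(hexsig) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexsig):
        raise ValueError("signature needs two hex digits per byte")
    sig, nasty = bytes.fromhex(hexsig), False
    if len(fields) == 4:
        m = TRAILER.fullmatch(fields[3])
        if not m or (m.group(1) and m.group(3)):
            raise ValueError(f"bad checksum/nasty field {fields[3]!r}")
        nasty = bool(m.group(1) or m.group(3))
        if m.group(2) and int(m.group(2), 16) != checksum(sig):
            raise ValueError(f"checksum {m.group(2)} != computed {checksum(sig):04x}")
    return {"type": kind, "name": name, "sig": sig, "nasty": nasty}

def load(text: str):
    """Parse every line; return (entries, [(line_number, error), ...])."""
    entries, errors = [], []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
            if entry:
                entries.append(entry)
        except ValueError as exc:
            errors.append((number, str(exc)))
    return entries, errors
```

Running load(SAMPLE) accepts the first two entries and reports line 4 (a one-digit typing mistake caught by the checksum) and line 5 (unknown type).
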

If you choose to use the checksum, and/or the nasty indicator, they should be placed following the hex signature, using a between the signature and the checksum/nasty pair. The order of the checksum/nasty pair is unimportant. For example:

    # Example ZeroCheckSum Virus, nasty, program virus
    P ZeroCheckSum 00000000000000000000 0000!
    # Alternate example ZeroCheckSum Virus, nasty, program virus
    P ZeroCheckSum 00000000000000000000 !0000
    # NonNastyZero, program virus
    P NonNastyZero 00000000000000000000 0000
    # NastyVirus, no checksum, boot sector virus
    B NastyVirus 1234567890aabbccdd !
    # NastyVirus, checksum, boot sector virus
    B NastyVirus 1234567890aabbccdd 04b2!

Please make sure not to use these examples: you might end up frightening yourself or those around you with a false positive!

Problems corrected from v1.8:

1. Some network scanning problems for non-Novell networks have been corrected.

2. The list of dis-infectors available in the full product can now be found by entering the -# option on the command line.

-------------------------------------------------------------------------

VIRx 1.8 Revisions
==============================
Date: 9/30/91

1. VIRx 1.8 now detects 21 newly discovered viruses, bringing the total count to 564. About 700 viruses, counting strains.

2. VIRx now utilizes an internal consistency check, and refuses to run if modified.

3. There is now a way to run VIRx silently when called from within a "check-out" type shell. Programmers interested in this should call Microcom for the details and very limited development assistance.

4. As part of the above, VIRx has a new option available for everyone, the -E switch. Use of this switch will direct VIRx to return an error level of 0 if and only if the system was completely tested and no viruses were detected. Otherwise, a non-zero error level will return. An error condition will return a non-zero error level as well.

5. Changes in certain areas of the code resulted in small speed increases.
Yes, it's faster again, just a bit, even with the new viruses.

Problems corrected from v1.7:

1. A V2P6 virus false positive was corrected. Our apologies to Cross Communications Co. - makers of the "In+Touch Remote Control System".

-------------------------------------------------------------------------

VIRx 1.7 Revisions
==============================
Date: 8/04/91

1. VIRx 1.7 now detects 41 newly discovered viruses, bringing the total count to 543.

2. The scanning inside PKLite and LZExe precompressed executables has been sped up by 20-25%, through determined use of a profiler. Additionally, the infection site is now correctly reported.

Problems Corrected from v1.6:

1. All the viruses that could sometimes escape detection, such as the "research" Virus-101, are now caught.

-------------------------------------------------------------------------

VIRx 1.6 Revisions
==============================
Date: 7/01/91

1. VIRx Version 1.6 now detects six newly discovered viruses, bringing the total count to just over 500.

2. VIRx now indicates whether an infected compressed program was infected before or after the compression (PKLITE and LZEXE). This was trivial to implement, but a useful addition.

3. Another few cycles were shaved off our decompression routines: experience pays. For those wondering, all decompression routines are completely internal and done in memory --- and always have been.

Problems Corrected from v1.5:

1. False positives for the "Sathanyc/Goblin/Necrop" viruses. VIRx Version 1.5 was incorrectly identifying "ICE'ed" programs as infected. An example of this was the well known TIMESET program: our apologies and gratitude to Peter Petrakis for being a good sport about our mistake.

2. Occasional false positives for "Scrnched" files: fixed.

3. The P1 Virus string was occasionally left in DOS buffers: another scanner program which apparently used the same string would make erroneous reports of an active P1 Virus in memory. This has been fixed.

4.
Due to similar templating of the V2P6 Virus, VIRx would find a possible infection in the VDEFEND program. This was rectified.

-------------------------------------------------------------------------

VIRx 1.5 Revisions
==============================
Date: 6/26/91

1. VIRx 1.5 detects over 80 additional newly discovered viruses, bringing the total to almost 500. This was accomplished without slowing down the scanner.

2. Wildcard string scanning is included for detecting viruses otherwise resistant to general scanner detection.

3. VIRx scans PKLite pre-compressed files internally about 10% faster than previous versions; probably not noticeable except on slower machines.

Problems Corrected from v1.4:

1. Another rare problem with scanning certain Novell Network server volumes has been corrected.

2. The technique used to clean our scanning search strings out of memory has been changed. This change will prevent certain other anti-virus scanners from erroneously reporting an assortment of viruses active in the computer's memory immediately after a VIRx scan has completed.

3. Certain rare situations would result in VIRx scanning extremely slowly. This has been fixed.

--------------------------------------------------------------------------

VIRx 1.4 Revisions
==============================
Date: 5/11/91

1. VIRx now scans memory above 640K through 1 Meg if the -X command line option is selected. This feature is added for detection of viruses like E.D.V. that search high memory for writable RAM, and for protection against possible infected device drivers that have been loaded high. Note: Many programs use that area of memory for special disk caching and this has been noted to have caused some problems with incorrect results for some machines.

2. If a batch mode is selected, the resulting screens will now time out if you do not hit a key and the scan will continue. This makes the batch mode fully useable for unattended operation.

3.
When this software becomes outdated, it will warn the user that scanning with outdated software can result in new viruses being missed. Then the user can elect to continue the scan anyway. Previous versions of VIRx would cease to function on the cut-off date; this is no longer the case, although you are advised to update your software before that date arrives. We consider VIRx 1.4 to be outdated by October, 1991, although we recommend obtaining each monthly update of VIRx in any case.

4. VIRx 1.4 detects over 50 newly discovered viruses, bringing the total to over 400. This was accomplished without slowing down the scanner.

5. VIRx 1.4 can now take multiple targets on the command line, allowing an entire set of file systems to be scanned:

    VIRx C:\ D: E:\thisdir F:\thatdir\thisfile

scans the entire C: disk, the current directory on the D: drive and its children, the specified directory on the E: drive and its children and the specified file on the F: drive. Any options you select on the command line are valid for each target you specify.

6. Both decompression routines, LZEXE and PKLITE, were optimized for speed of decompression and memory model independence. String selection of compressed file hits take about 50% as long as did VIRx 1.2.

Problems Corrected from v1.2:

1. Problem with scanning certain Novell Network server volumes has been corrected.

2. Execute-only files on Novell Networks are handled properly now on screen as well as in the log.

3. There was a bug when write-protected files were scanned and discovered to contain a virus. Fixed.

4. False positive on Marc Perkel's MARXMENU menu compiler Marxcomp.exe, version 2.27, for the KAMAKAZI virus has been corrected. Our apologies to Marc.

3. PKLite from PKWare uses a special compression method on unusually highly compressible files that version 1.2 of VIRx did not decompress properly every time.
This has been corrected, and VIRx 1.4 fully supports all compression methods used by PKLite as of version 1.05, still including the -e switch available in PKLite Professional.