26.Oct.2001
Jan Andersen (ML)
Virus Help Denmark: xvs.library V33.36
A new update of the "xvs.library" has been released today. This is a major update
and you should download it right away; just read about the changes.
And in what must be one of the best pieces of news in the anti-virus scene in 2001,
the 'man' himself is back on the Amiga scene. Georg Hoermann, the original programmer
of VirusZ III and xvs.library, is BACK. Georg Hoermann and Jan Erik Olausen will work
together on updates of xvs.library in the future.
Info about the new update of xvs.library:
Name: xvs.library v33.36
Archive name: xvslibrary.lha
Archive size: 82,452 bytes
Release date: 25 October 2001
Programmer: Jan Erik Olausen & Georg Hoermann
News for v33.36:
- After several years on a journey the sourcecodes finally came
back home;-) Yes, it's me (Georg Hörmann) again, still alive
and kicking virus asses... Thanks must go to Alex van Niel and
Jan Erik Olausen for keeping the project alive!
This update was done by me alone, but in the future, Jan Erik
and I will keep the library up-to-date together.
- Rearranged and enhanced the security stuff inside the library
for 100% detection of any (illegal) function patches. Programs
like 'ZeebsVS' will no longer work with this version. Thanks
must go to Zeeball for his demonstration of security gaps in
the older versions.
- Added support for 'IOZ (512 Bytes)' linkvirus. Thanks go to
Zeeball for sending it.
- Added support for 'Rexxfunc' trojan. Thanks must go to Zeeball
and Jan Andersen for sending it.
- Totally redesigned the scanner for virus tasks/processes. The
new code scans all tasks/processes for every known virus in just
one step and can even handle several running copies of one virus
correctly (thanks Zeeball for the hint).
- Checked ALL the stuff that has been added in my absence since
xvs.library 33.18. See below for what I have changed/fixed.
Thanks must go to Jan Andersen, Jan Erik Olausen and Zeeball
for sending me the missing viruses and lots of other stuff.
Special thanks to Zeeball for the ZeebsVS sourcecodes!
- Fixed file recognition for 'Bastard Installer 1'.
- Renamed 'Miami 4.0 Fake Installer' to 'MUI 4.0 Fake Installer',
because that's what it really is.
- Renamed 'CCCP Clone' bootvirus to 'Anal Rapes' (its real name),
fixed its memory recognition and added it to linkvirus brain.
- Removed recognition for 'Doubledensity' bootblock, this is just
an intro boot.
- Fixed longword access to odd address in 'Jode Capullos 2' file
recognition. This caused crashes on 68000 systems.
- Fixed memory removal code for 'Zakahackandpatch' and 'Zakapior'.
The processes of these viruses might stay in memory up to one
minute after they have been detected, that's not a bug, but
their own call to Delay() that we have to wait for.
- Fixed recognition for 'Hitch-Hiker 5.00 Installers' and added
the plain version created by xfdmaster.library 39.13.
- Renamed 'MadRoger Short' to 'NoName (248 Bytes)' to follow the
guidelines of VTC Hamburg (idea by Jan Andersen).
- Renamed '212 Bytes Link' linkvirus to 'NoName (212 Bytes)' and
fixed its memory removal code.
- Renamed 'Explode Trojan' linkvirus to 'Port 9876' and removed
the repair code, we can use 'Fungus' code instead.
- Renamed 'Explode Trigger' filevirus to 'Port 9876 Trigger'.
- Renamed 'Port 4097 Installer' to 'Port 4097' and added memory
removal code for the trojan's process. The process will stay
in memory for a while without doing any harm, see explanation
at 'Zaka...' above.
- Fixed 'Hitch-Hiker 5.00' memory removal code. The process gets
killed immediately, the patched stack addresses will disappear
one by one after a while without doing harm.
- Fixed memory and file recognition and the repair code for
'Motaba 3' linkvirus. Now it restores the correct library jumps
and can repair even files that have been damaged by the virus
(bad branch offsets!).
- Fixed memory and file recognition and the repair code for
'Bastard' linkvirus. Now restores all patched functions (inside
asl.library and VirusCheckerII) and repairs even big files with
bad branch offsets.
- File recognition for 'Bastard Installer 2' will now only detect
the plain, uncrunched virus as xfdmaster.library unpacks this
file correctly.
- Fixed brain entry of 'Port 2421' linkvirus (wrong virus length)
and added memory recognition. Moved 'Port 2421 Installer' from
linkvirus to filevirus brain as it cannot reproduce itself.
- Fixed 'Smeg 2a' and 'Smeg 2b' memory removal code. The processes
get killed immediately and the patched stack addresses disappear
one by one after a while without doing harm.
- Fixed repair code for 'Penetrator 2001' linkvirus to handle both
ways of infection and added memory removal code (removes the task
and 2 of 3 processes, the other one usually should already have
been run out or crashed because of bad coding!).
- Fixed memory recognition for 'Bobek 2' linkvirus and tuned the
file recognition/repair code. Thanks to Jan Erik Olausen for his
bug report about the beta-release of this code.
TO DO:
- Add some code to close TCP ports opened by several trojans.
- Add Neurotic Death 1-5 linkviruses. These are highly polymorphic, but
crash on my system if I try to infect some test files. I have received
several infected files already from other persons and will try to find
some solution for these viruses in the near future.
- Try to get and add GlobVec linkvirus. The only one who has it is Heiner
Schneegold (author of VT-Schutz) and VTC Hamburg, but Heiner doesn't
give his permission to the VTC to send me the virus :(
Authors:
Currently we are developing xvs.library together, so for bug reports, other
comments, new ideas etc. it's enough if you choose one of the following
addresses:
Georg Hörmann, Martinswinkelstr. 16c, 82467 Garmisch-Partenkirchen, Germany
email: ghoermann@gmx.de or ghoermann@epost.de
Jan Erik Olausen, Rødsveien 5, N-1671 Kråkerøy, Norway
email: virusexecutor@c2i.net
Download shortcut: http://home4.inet.tele.dk/vht-dk/amiga/xvs/xvs.htm
Remember: if you use VirusZ, VirusChecker, Safe and VirusExecutor, you
must update the xvs.library to have recognition for the latest viruses. (ps) (Translation: rh)
[News message: 26. Oct. 2001, 14:26]