File-Scan-1.43/0000755000175000007640000000000010236172426012405 5ustar wwwadminwebFile-Scan-1.43/examples/0000755000175000007640000000000010236172426014223 5ustar wwwadminwebFile-Scan-1.43/examples/procmail/0000755000175000007640000000000010236172426016031 5ustar wwwadminwebFile-Scan-1.43/examples/procmail/scanvirus.pl0000755000175000007640000002740107755471035020424 0ustar wwwadminweb#!/usr/bin/perl -w ########################################################################### # # ScanVirus for use with Procmail # # Copyright (c) 2003 Henrique Dias . All rights reserved. # This program is free software; you can redistribute it and/or modify # it under the same terms as Perl itself. # Last Change: Sat Nov 15 18:36:03 WET 2003 # ########################################################################### use strict; use locale; use MIME::Explode qw(rfc822_base64); use Digest::MD5 qw(md5_hex); use File::Scan; use Net::SMTP; use Fcntl qw(:flock); use vars qw($VERSION); $VERSION = '0.06'; if($ENV{HOME} =~ /^(.+)$/) { $ENV{HOME} = $1; } if($ENV{LOGNAME} =~ /^(.+)$/) { $ENV{LOGNAME} = $1; } #---begin_config---------------------------------------------------------- my $path = $ENV{'HOME'}; my $scandir = "$path/.scanvirus"; my $logsdir = "$scandir/logs"; my $quarantine = "$scandir/quarantine"; my $smtp_hosts = ["smtp1.myorgnization.com", "smtp2.myorgnization.com"]; my $hostname = "myhostname.myorgnization.com"; my $subject = ["Returned mail: Virus alert!", "Returned mail: Suspicious file alert!"]; my $unzip = "/usr/bin/unzip"; my $notify_sender = "yes", my $suspicious = "no"; my $timeout = 180; my $copyrg = "(c) 2003 Henrique Dias - ScanVirus for Mail"; #---end_config------------------------------------------------------------ use constant SEEK_END => 2; my $preserve = 0; my $pattern = '^[\t ]+(inflating|extracting): (.+)[\n\r]'; unless(@ARGV) { print STDERR "Empty args\n"; exit(0); } $SIG{ALRM} = sub { &logs("error.log", "Timeout"); }; &main(); 
#---main------------------------------------------------------------------ sub main { unless(-d $scandir) { mkdir($scandir, 0700) or exit_script("$!"); } my $id = (my $tmp_dir = ""); do { $id = &generate_id(); $tmp_dir = join("/", $scandir, $id); } until(!(-e $tmp_dir)); mkdir($tmp_dir, 0700) or exit_script("$!"); my $explode = MIME::Explode->new( output_dir => $tmp_dir, check_content_type => 1, decode_subject => 1, exclude_types => ["image/gif", "image/jpeg"], ); my $headers = {}; my $line_from = ; my ($from) = ($line_from =~ /^From +([^ ]+) +/o); eval { alarm($timeout); open(OUTPUT, ">$tmp_dir/$id.tmp") or exit_script("Can't open '$tmp_dir/$id.tmp': $!"); $headers = $explode->parse(\*STDIN, \*OUTPUT); close(OUTPUT); alarm(0); }; my %attachs = (); for my $msg (keys(%{$headers})) { if(exists($headers->{$msg}->{'content-disposition'}) && exists($headers->{$msg}->{'content-disposition'}->{'filepath'})) { my $file = $headers->{$msg}->{'content-disposition'}->{'filepath'}; $attachs{$file} = 0; } } my $result = scalar(keys(%attachs)) ? 
&init_scan($tmp_dir, \%attachs, $from, $ENV{LOGNAME}) : 0; if($result && $quarantine) { unless(-d $quarantine) { mkdir($quarantine, 0755) or exit_script("$!"); } &deliver_msg("$tmp_dir/$id.tmp", $line_from, $ENV{LOGNAME}, $quarantine); } unless($preserve) { if(my $res = &clean_dir($tmp_dir)) { &logs("error.log", "$res"); } } exit($result); } #---extract_file---------------------------------------------------------- sub extract_file { my $fh = shift; my $size = shift; my $buff = shift; my $file = shift; open(NEWFILE, ">$file") or return("Can't open $file: $!"); flock(NEWFILE, LOCK_EX); binmode(NEWFILE); print NEWFILE $buff; while(read($fh, $buff, $size)) { print NEWFILE $buff; } flock(NEWFILE, LOCK_UN); close(NEWFILE); return(""); } #---decode_b64_file--------------------------------------------------------- sub decode_b64_file { my $files = shift; my $tmp_dir = shift; my $file = shift; my ($filename) = ($file =~ /\/?([^\/]+)$/); my $decoded = join("/", $tmp_dir, "$filename\.eml"); open(ENCFILE, "<$file") or return("Can't open $file: $!\n"); open(DECFILE, join("", ">$decoded")) or return("Can't open $decoded: $!\n"); binmode(DECFILE); while() { print DECFILE rfc822_base64($_); } close(DECFILE); close(ENCFILE); $files->{$decoded} = ""; return(""); } #---mhtml_exploit--------------------------------------------------------- sub mhtml_exploit { my $files = shift; my $tmp_dir = shift; my $file = shift; my ($error, $buff, $filename, $size) = ("", "", "", 1024); open(FILE, "<$file") or return("Can't open $file: $!"); binmode(FILE); while(read(FILE, $buff, $size)) { $buff =~ s{^MIME-Version: 1.0\x0aContent-Location: *File://([^\x0a]+)\x0aContent-Transfer-Encoding: binary\x0a\x0a}{}o or last; if($filename = join("/", $tmp_dir, $1)) { unless($error = &extract_file(\*FILE, $size, $buff, $filename)) { $files->{$filename} = ""; } last; } } close(FILE); return($error); } #---unzip_file------------------------------------------------------------ sub unzip_file { my $files = 
shift; my $program = shift; my $tmp_dir = shift; my $file = shift; my $pid = open(UNZIP, "-|"); defined($pid) or return("Cannot fork: $!"); if($pid) { while() { if(my ($f) = (/$pattern/)[1]) { $f =~ s/ +$//g; $files->{$f} = ""; } } close(UNZIP) or return("Unzip error: kid exited $?"); } else { my @args = ("-P", "''", "-d", $tmp_dir, "-j", "-n"); exec($program, @args, $file) or return("Can't exec program: $!"); } return(""); } #---init_scan------------------------------------------------------------- sub init_scan { my $tmp_dir = shift; my $files = shift; my $from = shift || "unknown"; my $user = shift || "unknown"; my $to = join("\@", $user, $hostname); my %param = (max_txt_size => 2048); my $fs = File::Scan->new(%param); my %hash = (); $fs->set_callback( sub { my $file = shift; local $_ = shift; if(-e $unzip) { if(/^\x50\x4b\x03\x04/o) { my $error = &unzip_file(\%hash, $unzip, $tmp_dir, $file); &logs("error.log", $error) if($error); return("Zip Archive"); } } if(/^\x4d\x49\x4d\x45\x2d\x56\x65\x72\x73\x69\x6f\x6e\x3a\x20\x31\x2e\x30\x0a/o) { my $error = &mhtml_exploit(\%hash, $tmp_dir, $file); &logs("error.log", $error) if($error); return("MHTML exploit"); } if(/^[A-Za-z0-9\+\=\/]{76}\x0d?\x0a[A-Za-z0-9\+\=\/]{76}\x0d?\x0a/o) { my $error = &decode_b64_file(\%hash, $tmp_dir, $file); &logs("error.log", $error) if($error); return("Base64 encoded file"); } return(""); } ); my $status = 0; FILE: for my $file (keys(%{$files})) { my $virus = $fs->scan($file); if(scalar(keys(%hash))) { $status = &init_scan($tmp_dir, \%hash, $from, $user); $files = {%{$files}, %hash}; %hash = (); $status and return($status); } if(my $e = $fs->error) { $preserve = 1; &logs("error.log", "$e\n"); next FILE; } unless($status) { my ($shortfn) = ($file =~ /([^\/]+)$/o); if($virus) { $status = 1; delete($files->{$file}); my $string = join("", "\"$shortfn\" (", $virus, ")"); &logs("virus.log", "[$string] From: $from\n"); &virus_mail($string, $from, $to, $user); } else { &suspicious_mail($shortfn, 
$from, $to) if($suspicious eq "yes"); } } } return($status); } #---deliver_msg----------------------------------------------------------- sub deliver_msg { my $msg = shift; my $line_from = shift; my $user = shift; my $maildir = shift; my $mailbox = "$maildir/$user"; open(MSG, "<$msg") or &close_app("$!"); open(MAILBOX, ">>$mailbox") or &close_app("$!"); flock(MAILBOX, LOCK_EX); seek(MAILBOX, 0, SEEK_END); print MAILBOX $line_from; while() { print MAILBOX $_; } print MAILBOX "\n"; flock(MAILBOX, LOCK_UN); close(MAILBOX); close(MSG); chmod(0600, $mailbox); my ($uid, $gid) = (getpwnam($user))[2,3]; chown($uid, $gid, $mailbox) if($uid && $gid); return(); } #---clean_dir------------------------------------------------------------- sub clean_dir { my $dir = shift; my @files = (); opendir(DIRECTORY, $dir) or return("Can't opendir $dir: $!"); while(defined(my $file = readdir(DIRECTORY))) { next if($file =~ /^\.\.?$/); push(@files, "$dir/$file"); } closedir(DIRECTORY); for my $file (@files) { if($file =~ /^(.+)$/s) { unlink($1) or return("Could not delete $1: $!"); } } rmdir($dir) or return("Couldn't remove dir $dir: $!"); return(); } #---set_addr-------------------------------------------------------------- sub set_addr { my $user = shift || "unknown"; my $email = shift || "unknown"; my $name = &getusername($user); return("$name <$email>"); } #---getusername----------------------------------------------------------- sub getusername { my $user = shift || return("unknown"); my ($name) = split(/,/, (getpwnam($user))[6]); return($name || "unknown"); } #---suspicious_mail------------------------------------------------------- sub suspicious_mail { my $file = shift; my $from = shift; my $to = shift; my $data = < $to, to => $to, subject => $subject->[1], data => $data ); return(); } #---virus_mail------------------------------------------------------------ sub virus_mail { my $string = shift; my $from = shift; my $to = shift; my $user = shift; my $full_email = &set_addr($user, 
$to); my $data = < $to, subject => $subject->[0], data => $data ); if($notify_sender eq "yes") { $param{'to'} = $from; $param{'bcc'} = $to; } else { $param{'to'} = $to; } &send_mail(%param); return(); } #---send_mail------------------------------------------------------------- sub send_mail { my $param = { from => "", to => "", bcc => "", subject => "", data => "", @_ }; HOST: for my $host (@{$smtp_hosts}) { my $smtp = Net::SMTP->new($host); unless(defined($smtp)) { &logs("error.log", "Send mail failed for \"$host\"\n"); next HOST; } $smtp->mail($param->{from}); $smtp->to($param->{to}); $smtp->bcc(split(/ *\, */, $param->{bcc})) if($param->{bcc}); $smtp->data(); $smtp->datasend(join("", "From: ", $param->{from}, "\n")) if($param->{from}); $smtp->datasend(join("", "To: ", $param->{to}, "\n")); $smtp->datasend(join("", "Bcc: ", $param->{bcc}, "\n")) if($param->{bcc}); $smtp->datasend(join("", "Subject: ", $param->{subject}, "\n")) if($param->{subject}); $smtp->datasend("\n"); $smtp->datasend($param->{data}) if($param->{data}); $smtp->dataend(); $smtp->quit; return(); } return(); } #---exit_script----------------------------------------------------------- sub exit_script { my $string = shift; &logs("error.log", $string); exit(0); } #---generate_id----------------------------------------------------------- sub generate_id { return(substr(md5_hex(time(). {}. rand(). $$. 
'blah'), 0, 16)); } #---string_date----------------------------------------------------------- sub string_date { my ($sec,$min,$hour,$mday,$mon,$year) = localtime(); return sprintf("%04d/%02d/%02d %02d:%02d:%02d", $year + 1900, $mon + 1, $mday, $hour, $min, $sec); } #---logs------------------------------------------------------------------ sub logs { my $logfile = shift; my $string = shift; unless(-d $logsdir) { mkdir($logsdir, 0755) or exit(0); } my $today = &string_date(); $string .= "\n" unless($string =~ /\n+$/); open(LOG, ">>$logsdir/$logfile") or exit(0); print LOG "$today $string"; close(LOG); return(); } #---end------------------------------------------------------------------- File-Scan-1.43/examples/procmail/.procmailrc0000644000175000007640000000023707714701054020171 0ustar wwwadminwebSHELL=/bin/sh SCANNER=$HOME/bin/scanvirus.pl LOGFILE=$HOME/.procmail_log :0 * ^Content-Type.*(application|multipart) { :0 HB * !? ${SCANNER} 1 /dev/null } File-Scan-1.43/examples/procmail/README0000644000175000007640000000042207736250426016717 0ustar wwwadminwebInstallation: 1. Get "MIME::Explode" module from the CPAN and install it. 2. Create a "bin" directory in your home and copy scanvirus.pl to it. 3. Copy .procmailrc file to your home. 4. Edit the scanvirus.pl file with your favorite editor. 5. Change the configuration. File-Scan-1.43/examples/vscan.pl0000755000175000007640000000152707761344512015710 0ustar wwwadminweb#!/usr/bin/perl use File::Scan; use File::Find::Rule; use MIME::Parser; use strict; # Make sure we have an output directory... mkdir('/tmp/radioactive') unless ( -d '/tmp/radioactive' ); mkdir("/tmp/radioactive/$$") unless ( -d "/tmp/radioactive/$$" ); `rm -Rf /tmp/radioactive/$$/*`; # Read in the message my $parser = new MIME::Parser; $parser->output_under("/tmp/radioactive/$$"); $parser->parse( \*STDIN ) or die "Failed to parse message!"; # Grab all files... 
my @files = File::Find::Rule->file()->in( "/tmp/radioactive/$$/" ); for my $filename (@files) { my $nice_filename = $filename; $nice_filename =~ s!.+/!!; print "Scanning $nice_filename...\n"; my $scanner = File::Scan->new(); my $vname = $scanner->scan( $filename ); print "\tFOUND: $vname\n" if $vname; } # Cleanup END { `rm -Rf /tmp/radioactive/$$` } File-Scan-1.43/examples/scan.pl0000755000175000007640000002135710203454725015516 0ustar wwwadminweb#!/usr/bin/perl -w ############################################################################# # # Virus Scanner # Last Change: Tue Apr 27 16:08:18 WEST 2004 # # Copyright (c) 2005 Henrique Dias . All rights reserved. # This program is free software; you can redistribute it and/or modify # it under the same terms as Perl itself. # ############################################################################# use strict; use File::Scan; use MIME::Base64 qw(decode_base64); use Getopt::Long(); use Benchmark; my $VERSION = "0.17"; my $infected = 0; my $objects = 0; my $skipped = 0; my $suspicious = 0; my $EXTENSION = ""; my $CP_DIR = ""; my $MV_DIR = ""; my $MK_DIR = 0; my $DELETE = 0; my $FOLLOW = 0; my $QUIET = 0; my $MAXTXTSIZE = 0; my $MAXBINSIZE = 0; my $UNZIP_PROG = "/usr/bin/unzip"; my $TMP_DIR = "/tmp"; my $pattern = '^[\t ]+(inflating|extracting): (.+)[\n\r]'; my %skipcodes = ( 1 => "file not vulnerable", 2 => "file has zero size", 3 => "the size of file is small", 4 => "file size exceed the maximum text size", 5 => "file size exceed the maximum binary size", ); my $opt = {}; Getopt::Long::GetOptions($opt, "help" => \&usage, "version" => \&print_version, "ext=s" => \$EXTENSION, "cp=s" => \$CP_DIR, "mv=s" => \$MV_DIR, "mkdir=s" => \$MK_DIR, "unzip=s" => \$UNZIP_PROG, "tmp=s" => \$TMP_DIR, "del" => sub { $DELETE = 1; }, "follow" => sub { $FOLLOW = 1; }, "quiet" => sub { $QUIET = 1; }, "maxtxtsize=i" => \$MAXTXTSIZE, "maxbinsize=i" => \$MAXBINSIZE, ) or die(short_usage()); &main(); 
#---main--------------------------------------------------------------------- sub main { scalar(@ARGV) or die(short_usage()); my $start = new Benchmark; &check_path(\@ARGV); my $finish = new Benchmark; my $diff = timediff($finish, $start); my $strtime = timestr($diff); print <new( extension => $EXTENSION, copy => $CP_DIR, mkdir => oct($MK_DIR), move => $MV_DIR, delete => $DELETE, @args); $fs->set_callback( sub { my $file = shift; local $_ = shift; if($UNZIP_PROG) { if(/^\x50\x4b\x03\x04/o) { # Extract compressed files in a ZIP archive my $files = &unzip_file($UNZIP_PROG, $TMP_DIR, $file); for my $f (@{$files}) { &check($fs, $f); unlink($f); } return("ZIP archive"); } } if(/^MIME-Version: 1\.0\x0a/o) { # MHTML exploit if(my $insidefile = &mhtml_exploit($file)) { &check($fs, $insidefile); unlink($insidefile); } return("MHTML exploit"); } if(/^[A-Za-z0-9\+\=\/]{76}\x0d?\x0a[A-Za-z0-9\+\=\/]{76}\x0d?\x0a/o) { # Base64 encoded file if(my $decodedfile = &decode_b64_file($TMP_DIR, $file)) { &check($fs, $decodedfile); unlink($decodedfile); } return("Base64 encoded file"); } return(""); } ); for my $p (@{$argv}) { if(-d $p) { ($p eq "/") or $p =~ s{\/+$}{}g; &dir_handle($fs, $p); } elsif(-e $p) { &check($fs, $p); } else { print "No such file or directory: $p\n"; exit(0); } } return(); } #---extract_file------------------------------------------------------------ sub extract_file { my $fh = shift; my $size = shift; my $buff = shift; my $file = shift; my $total = length($buff); open(NEWFILE, ">$file") or die("Can't open $file: $!\n"); binmode(NEWFILE); print NEWFILE $buff; while(read($fh, $buff, $size)) { print NEWFILE $buff; if($MAXBINSIZE) { $total += $size; last if($total > $MAXBINSIZE*1024); } } close(NEWFILE); return(); } #---decode_b64_file--------------------------------------------------------- sub decode_b64_file { my $tmp = shift; my $file = shift; my ($filename) = ($file =~ /\/?([^\/]+)$/); my $decoded = join("/", $tmp, "$filename\.eml"); open(ENCFILE, "<$file") or 
die("Can't open $file to read: $!\n"); open(DECFILE, join("", ">$decoded")) or die("Can't open $decoded to write: $!\n"); binmode(DECFILE); while() { print DECFILE decode_base64($_); } close(DECFILE); close(ENCFILE); return($decoded); } #---mhtml_exploit----------------------------------------------------------- sub mhtml_exploit { my $file = shift; my ($buff, $filename) = ("", ""); my $size = 1024; open(FILE, "<$file") or die("Can't open $file: $!\n"); binmode(FILE); while(read(FILE, $buff, $size)) { $buff =~ s{^MIME-Version: 1.0\x0aContent-Location: *File://([^\x0a]+)\x0aContent-Transfer-Encoding: binary\x0a\x0a}{}o or last; if($filename = join("/", $TMP_DIR, $1)) { &extract_file(\*FILE, $size, $buff, $filename); last; } } close(FILE); return($filename); } #---unzip_file-------------------------------------------------------------- sub unzip_file { my $program = shift; my $tmp_dir = shift; my $file = shift; my $pid = open(UNZIP, "-|"); defined($pid) or die("Cannot fork: $!"); my @files = (); if($pid) { while() { if(my ($f) = (/$pattern/)[1]) { $f =~ s/ +$//g; push(@files, $f); } } close(UNZIP) or warn("unzip error: kid exited $?"); } else { my @args = ("-P", "''", "-d", $tmp_dir, "-j", "-n"); exec($program, @args, $file) or die("Can't exec program: $!"); } return(\@files); } #---dir_handle-------------------------------------------------------------- sub dir_handle { my $fs = shift; my $dir_path = shift; unless(-r $dir_path) { print "Permission denied at $dir_path\n"; return(); } opendir(DIRHANDLE, $dir_path) or die("can't opendir $dir_path: $!"); for my $item (readdir(DIRHANDLE)) { ($item =~ /^\.+$/o) and next; $dir_path eq "/" and $dir_path = ""; my $f = "$dir_path/$item"; next if(!$FOLLOW && (-l $f)); (-d $f) ? 
&dir_handle($fs, $f) : &check($fs, $f); } closedir(DIRHANDLE); return(); } #---check------------------------------------------------------------------- sub check { my $fs = shift; my $file = shift; my $res = $fs->scan($file); if(my $e = $fs->error) { print"$e\n"; } elsif(my $c = $fs->skipped) { $skipped++; $QUIET or print "$file File Skipped (", $skipcodes{$c}, ")\n"; } elsif($fs->suspicious) { $suspicious++; print "$file Suspicious file\n"; } elsif(my $r = $fs->callback) { print "$file $r\n"; } else { &display_msg($file, $res); } return($res); } #---short_usage------------------------------------------------------------- sub short_usage { return(<<"EOUSAGE"); usage: $0 [options] file|directory --ext=string_extension --cp=/path/to/dir --mv=/path/to/dir --mkdir=octal_number --del --follow --quiet --maxtxtsize=size --maxbinsize=size --unzip=/path/to/program --tmp=/path/to/dir --version --help EOUSAGE } #---print_version----------------------------------------------------------- sub print_version { print STDERR <<"VERSION"; version $VERSION Copyright 2003, Henrique Dias VERSION exit 1; } #---usage------------------------------------------------------------------- sub usage { print STDERR <<"USAGE"; Usage: $0 [options] file|directory Possible options are: --ext= add the specified extension to the infected file --mv= move the infected file to the specified directory --cp= copy the infected file to the specified directory --mkdir=octal_number make the specified directories (ex: 0755) --del delete the infected file --follow follow symbolic links --quiet don't report files that are clean or skipped --maxtxtsize= scan only the text file if the file size is less then maxtxtsize (size in kbytes) --maxbinsize= scan only the binary file if the file size is less then maxbinsize (size in kbytes) --unzip= path to unzip program --tmp= path to temporary directory --version print version number --help print this message and exit USAGE exit 1; } 
#---end--------------------------------------------------------------------- File-Scan-1.43/examples/latest.pl0000755000175000007640000000240010203455011016037 0ustar wwwadminweb#!/usr/bin/perl ############################################################################# # # Get the most recent version of File::Scan module from CPAN # Last Change: Sat Jan 4 16:42:17 WET 2003 # Copyright (c) 2005 Henrique Dias # ############################################################################# use strict; use LWP::UserAgent; use HTTP::Request; use HTTP::Response; my $VERSION = "0.01"; my $module = "File::Scan"; my $dir = ""; my $cpan = "http://www.cpan.org/authors/id/H/HD/HDIAS"; my $url = "http://search.cpan.org/search?mode=module&format=xml&query=$module"; &main(); sub main { my $content = &get_content($url); $content =~ /(\d+\.\d+)<\/VERSION>/i; my $file = "File-Scan-$1.tar.gz"; &save($file, &get_content("$cpan/$file")); exit(0); } sub save { my $file = shift; my $content = shift; $file = "$dir/$file" if($dir); open(FILE, ">$file") or die("$!"); binmode(FILE); print FILE $content; close(FILE); return(); } sub get_content { my $url = shift; my $req = HTTP::Request->new(GET => $url); my $ua = LWP::UserAgent->new(); my $response = $ua->request($req); if($response->is_error()) { print $response->status_line . "\n"; exit(0); } my $content = $response->content(); return($content); } File-Scan-1.43/Scan.pm0000644000175000007640000017604210236172422013635 0ustar wwwadminweb# # Scan.pm # Last Modification: Wed May 4 16:31:36 WEST 2005 # # Copyright (c) 2005 Henrique Dias . All rights reserved. # This module is free software; you can redistribute it and/or modify # it under the same terms as Perl itself. 
# # package File::Scan; require 5; use strict; require Exporter; use File::Copy; use SelfLoader; use vars qw($VERSION @ISA @EXPORT $ERROR $SKIPPED $SUSPICIOUS $CALLBACK); @ISA = qw(Exporter); $VERSION = '1.43'; ($ERROR, $SKIPPED, $SUSPICIOUS, $CALLBACK) = ("", 0, 0, ""); SelfLoader->load_stubs(); sub new { my $proto = shift; my $class = ref($proto) || $proto; my $self = { extension => "", delete => 0, move => "", copy => "", mkdir => 0, max_txt_size => 5120, max_bin_size => 10240, @_, }; bless ($self, $class); return($self); } sub scan { my $self = shift; my $file = shift; &_set_error(); &_set_skip(); &_set_suspicious(); &ret_callback(); (-e $file) or return(&_set_error("No such file or directory: $file")); my $fsize = -s $file; $fsize or return(&_set_skip(2)); my $res = ""; if(-f $file && -T $file) { return(&_set_skip(3)) if($fsize < 23); return(&_set_skip(4)) if($self->{'max_txt_size'} && ($fsize > $self->{'max_txt_size'} * 1024)); $res = &scan_text($self, $file); } else { return(&_set_skip(5)) if($self->{'max_bin_size'} && ($fsize > $self->{'max_bin_size'} * 1024)); $res = &scan_binary($self, $file); } if($res) { if($self->{'extension'} && $file !~ /\.$self->{'extension'}$/o) { my $newname = join("\.", $file, $self->{'extension'}); if(move($file, $newname)) { $file = $newname; } else { &_set_error("Failed to move '$file' to '$newname'"); } } if($self->{'copy'}) { if(!(-d $self->{'copy'}) && $self->{'mkdir'}) { mkdir($self->{'copy'}, $self->{'mkdir'}) or &_set_error(join("", "Failed to create directory '", $self->{'copy'}, "' $!")); } my ($f) = ($file =~ /([^\/]+)$/o); my $cpdir = join("/", $self->{'copy'}, $f); copy($file, $cpdir) or &_set_error("Failed to copy '$file' to $cpdir"); } if($self->{'move'}) { if(!(-d $self->{'move'}) && $self->{'mkdir'}) { mkdir($self->{'move'}, $self->{'mkdir'}) or &_set_error(join("", "Failed to create directory '", $self->{'move'}, "' $!")); } my ($f) = ($file =~ /([^\/]+)$/o); my $mvfile = join("/", $self->{'move'}, $f); 
if(move($file, $mvfile)) { $file = $mvfile; } else { &_set_error("Failed to move '$file' to '$mvfile'"); } } if($self->{'delete'}) { if($file =~ /^(.+)$/s) { unlink($1) or &_set_error("Could not delete $1: $!"); } } } return($res); } sub set_callback { my $self = shift; my $subref = shift || undef; if(defined($subref) && ref($subref) eq "CODE") { $self->{'callback'} = $subref; } elsif(exists($self->{'callback'})) { delete($self->{'callback'}); } return(); } sub _set_error { $ERROR = shift || ""; return(); } sub _set_skip { $SKIPPED = shift || 0; return(); } sub _set_suspicious { $SUSPICIOUS = shift || 0; return(); } sub ret_callback { $CALLBACK = shift || ""; return(); } sub error { $ERROR; } sub skipped { $SKIPPED; } sub suspicious { $SUSPICIOUS; } sub callback { $CALLBACK; } 1; __DATA__ # generated in: 2005/05/04 17:15:14 sub get_app_sign { $_ = pop; /^\x7f\x45\x4c\x46/o and return($_[0] = 1); /^\x49\x54\x53\x46/o and return($_[0] = 2); /^\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1/o and return($_[0] = 3); /^\x4d\x5a/o and $_[0] = 4; /^\x4d\x5a\x00\x00\x00/o and return($_[1] = 1); /^\x4d\x5a\x00\x00\x01/o and return($_[1] = 2); /^\x4d\x5a\x00\x00\x02/o and return($_[1] = 3); /^\x4d\x5a\x42\x00\x02/o and return($_[1] = 4); /^\x4d\x5a\x50\x00\x02/o and return($_[1] = 5); /^\x4d\x5a\x90\x00\x03/o and return($_[1] = 6); /^\x4d\x5a\x93\x00\x01/o and return($_[1] = 7); /^\xe9/o and return($_[0] = 5); /^\x4d\x53\x46\x54/o and return($_[0] = 6); /^\x47\x45\x54/o and return($_[0] = 7); return(0); } sub exception { $_ = shift; return(/^%PDF-/o ? 
1 : 0); } sub scan_text { my $self = shift; my $file = shift; my ($buff, $save, $virus, $script) = ("", "", "", ""); my $skip = 0; my $size = 1024; open(FILE, "<", $file) or return(&_set_error("Can't open $file: $!")); LINE: while(read(FILE, $buff, $size)) { unless($save) { last LINE if($skip = &exception($buff)); if(exists($self->{'callback'})) { if(my $ret = $self->{'callback'}->($file, $buff) || "") { &ret_callback($ret); $ret and last LINE; } } } study; $_ = ($save .= $buff); unless($script) { TEST: { local $_ = lc($save); /< *script[^>]+language *=["' ]*vbscript["']*[^>]*>/os and $script = "HTMLVBS", last TEST; /< *script[^>]*(language *=["' ]*javascript["']*)*[^>]*>/os and $script = "HTMLJS", last TEST; } } if($script) { if($script eq "HTMLVBS") { /\x2c\x30\x2c\x31\x34\x2c\x33\x31\x2c\x31\x38\x36\x2c\x31\x34\x2c\x30\x2c\x31\x38\x30\x2c\x39\x2c\x32\x30\x35\x2c\x33\x33\x2c\x31\x38\x34\x2c\x31\x2c\x37\x36\x2c\x32\x30\x35\x2c\x33\x33\x2c\x38\x34\x2c\x31\x30\x34\x2c\x31\x30\x35\x2c\x31\x31\x35\x2c\x33\x32/s and $virus = "W32/Bagle.ab\@MM!hta", last LINE; /\x52\x65\x6d\x20\x49\x20\x61\x6d\x20\x73\x6f\x72\x72\x79\x21\x20\x68\x61\x70\x70\x79\x20\x74\x69\x6d\x65\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a/s and $virus = "VBS/Haptime.gen\@MM", last LINE; /\x31\x36\x44\x22\x0a\x73\x7a\x42\x69\x6e\x61\x72\x79\x20\x3d\x20\x73\x7a\x42\x69\x6e\x61\x72\x79\x20\x26\x20\x22\x32\x30\x36\x33\x36\x31\x36\x45\x36\x45\x36\x46/s and $virus = "VBS/Inor", last LINE; /\x39\x2c\x33\x38\x2c\x32\x32\x31\x2c\x31\x39\x2c\x32\x33\x37\x2c\x37\x31\x2c\x31\x37\x39\x2c\x36\x34\x2c\x32\x33\x37\x2c\x37\x31\x2c\x31\x37\x39\x2c\x36\x34\x2c\x32\x33\x37\x2c\x37\x31\x2c\x31\x37\x39\x2c\x36\x34\x2c\x32\x33\x37\x2c\x37\x31\x2c\x31\x37\x39/s and $virus = "W32/Bagle.aa\@MM!hta", last LINE; } if($script eq "HTMLJS") { /\x4b\x61\x67\x6f\x75\x2d\x41\x6e\x74\x69\x2d\x4b\x72\x6f\x24\x6f\x66\x74\x20\x73\x61\x79\x73\x20\x6e\x6f\x74\x20\x74\x6f\x64\x61\x79/s and 
$virus = "JS/Kak\@M", last LINE; /\x74\x72\x69\x67\x67\x65\x72\x2e\x53\x74\x61\x72\x74\x53\x6f\x66\x74\x77\x61\x72\x65\x55\x70\x64\x61\x74\x65\x28\x65\x78\x65\x70\x61\x74\x68\x2c\x20\x74\x72\x69\x67\x67\x65\x72\x2e\x44\x45\x46\x41\x55\x4c\x54\x5f\x4d\x4f\x44\x45\x29/s and $virus = "JS_IllWill", last LINE; } local $_ = lc($save); /<\/script[^>]*>/s and $script = ""; } else { /\x58\x35\x4f\x21\x50\x25\x40\x41\x50\x5b\x34\x5c\x50\x5a\x58\x35\x34\x28\x50\x5e\x29\x37\x43\x43\x29\x37\x7d\x24\x45\x49\x43\x41\x52\x2d\x53\x54\x41\x4e\x44\x41\x52\x44\x2d\x41\x4e\x54\x49\x56\x49\x52\x55\x53\x2d\x54\x45\x53\x54\x2d\x46\x49\x4c\x45\x21\x24\x48\x2b\x48\x2a/s and $virus = "EICAR-Test-File", last LINE; /\x63\x6f\x70\x79\x20\x53\x53\x2e\x62\x61\x74\x20\x5c\x5c\x25\x31\x5c\x61\x64\x6d\x69\x6e\x24\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x20\x2f\x79\x0d\x0a\x73\x74\x61\x72\x74\x20\x2f\x69\x20\x2f\x6d\x69\x6e\x20\x2f\x77\x61\x69\x74\x20\x2f\x42\x20\x70\x73\x65\x78\x65\x63\x20\x5c\x5c\x25\x31\x20\x2d\x75\x20\x25\x32\x20\x2d\x70\x20\x25\x33\x20\x2d\x64\x20\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x74\x73\x65\x72\x76\x69\x63\x65\x2e\x62\x61\x74/s and $virus = "BAT/Mumu.worm", last LINE; /[\x20\x5c]\x73\x65\x72\x76\x69\x63\x65\x73\x2e\x65\x78\x65.+[\x20\x5c].+\x73\x71\x6c\x65\x78\x65\x63\x2e\x6a\x73.+[\x20\x5c]\x63\x6c\x65\x6d\x61\x69\x6c\x2e\x65\x78\x65.+[\x20\x5c]\x73\x71\x6c\x70\x72\x6f\x63\x65\x73\x73\x2e\x6a\x73.+[\x20\x5c]\x73\x71\x6c\x69\x6e\x73\x74\x61\x6c\x6c\x2e\x62\x61\x74.+[\x20\x5c]\x73\x71\x6c\x64\x69\x72\x2e\x6a\x73.+\x72\x75\x6e\x2e\x6a\x73.+[\x20\x5c]\x74\x69\x6d\x65\x72\x2e\x64\x6c\x6c.+[\x20\x5c]\x73\x61\x6d\x64\x75\x6d\x70\x2e\x64\x6c\x6c.+[\x20\x5c]\x70\x77\x64\x75\x6d\x70\x32\x2e\x65\x78\x65/s and $virus = "JS/SQL.Spida.worm.b", last LINE; 
/\x65\x63\x68\x6f\x20\x2e\x42\x41\x54\x20\x76\x69\x72\x75\x73\x20\x27\x40\x40\x27\x20\x76\d+\x2e\d+.+\x4f\x52\x20\x43\x58\x2c\x43\x58.+\x4a\x5a\x20\x31\x30\x42.+\x4d\x4f\x56\x20\x44\x58\x2c\x31\x30\x43.+\x4d\x4f\x56\x20\x41\x48\x2c\x34\x31.+\x49\x4e\x54\x20\x32\x31.+\x49\x4e\x54\x20\x33.+\x44\x42.+\x66\x69\x6e\x64.+\x64\x65\x62\x75\x67.+\x65\x78\x69\x73\x74.+\x63\x6f\x70\x79.+\x66\x69\x6e\x64.+\x64\x6f\x20\x63\x61\x6c\x6c.+\x64\x65\x6c/s and $virus = "BAT/Double_At.B", last LINE; /\x4d\x61\x64\x6f\x6e\x6e\x61.+\x4a\x61\x64\x72\x61\x71\x75\x65\x72\x20\x4b\x69\x6c\x6c\x65\x72/s and $virus = "VBS/Madonna", last LINE; /\x46\x75\x6e\x63\x74\x69\x6f\x6e.+\x46\x6f\x72\x20\x49\x20\x3d\x20\x31\x20\x54\x6f\x20\x4c\x65\x6e\x28[^\x29]+\x29\x20\x53\x74\x65\x70\x20\x32.+\x48\x61\x76\x65\x20\x66\x75\x6e\x20\x77\x69\x74\x68\x20\x4b\x72\x69\x73\x74\x65\x6e/s and $virus = "VBS/Kristen.A\@MM", last LINE; /\x39\x2c\x33\x38\x2c\x32\x32\x31\x2c\x31\x39\x2c\x32\x33\x37\x2c\x37\x31\x2c\x31\x37\x39\x2c\x36\x34\x2c\x32\x33\x37\x2c\x37\x31\x2c\x31\x37\x39\x2c\x36\x34\x2c\x32\x33\x37\x2c\x37\x31\x2c\x31\x37\x39\x2c\x36\x34\x2c\x32\x33\x37\x2c\x37\x31\x2c\x31\x37\x39/s and $virus = "W32/Bagle.aa\@MM!vbs", last LINE; /\x57\x65\x62\x53\x65\x72\x76\x69\x63\x65\x2c\x76\x4c\x69\x73\x74\x2c\x69\x74\x65\x6d\x2c\x76\x46\x6f\x75\x6e\x64\x2c\x76\x53\x75\x62\x44\x61\x6e\x2c\x44\x61\x6e\x67\x65\x72\x2c\x76\x4e\x65\x77\x43\x6f\x75\x6e\x74\x2c\x46\x6f\x75\x6e\x64\x53\x74\x72\x69\x6e\x67.+\x46\x75\x6e\x63\x74\x69\x6f\x6e\x20\x46\x69\x6e\x64\x4d\x61\x70\x70\x65\x72.+\x46\x6f\x75\x6e\x64.+\x53\x74\x72\x31.+\x43\x68\x72.+\x44\x65\x6c\x4d\x61\x70\x70\x65\x72.+\x44\x61\x6e\x67\x65\x72.+\x41\x72\x72\x61\x79.+\x53\x63\x72\x69\x70\x74\x4d\x61\x70\x73/s and $virus = "W32/CodeBlue.worm", last LINE; 
/\x57\x53\x48\x53\x68\x65\x6c\x6c.+\x57\x53\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c.+\x48\x4b\x45\x59\x5f\x4c\x4f\x43\x41\x4c\x5f\x4d\x41\x43\x48\x49\x4e\x45.+\x65\x78\x65\x66\x69\x6c\x65.+\x5c\x63\x6f\x6e\x5c\x63\x6f\x6e.+\x57\x65\x6c\x63\x6f\x6d\x65.+\x69\x6e\x74\x44\x6f\x49\x74.+\x76\x62\x43\x61\x6e\x63\x65\x6c.+\x57\x53\x63\x72\x69\x70\x74\x2e\x51\x75\x69\x74/s and $virus = "VBS/Concon.gen", last LINE; /\x50\x72\x69\x6e\x7a\x20\x43\x68\x61\x72\x6c\x65\x73\x20\x41\x72\x65\x20\x44\x69\x65.+\x54\x68\x65\x20\x6e\x65\x77\x65\x73\x74\x20\x4d\x65\x73\x73\x61\x67\x65\x20\x66\x6f\x72\x20\x43\x6f\x6f\x6c\x20\x55\x73\x65\x72.+\x76\x62\x63\x72\x6c\x66.+\x4c\x75\x63\x6b\x79\x32\x30\x30\x30.+\x43\x4f\x4f\x4c\x5f\x4e\x4f\x54\x45\x50\x41\x44\x5f\x44\x45\x4d\x4f\x2e\x54\x58\x54.\x76\x62\x73/s and $virus = "VBS/CoolNote.worm", last LINE; /\x49\x52\x43\x2d\x57\x6f\x72\x6d\x2e\w+\x20+\x54\x68\x65\x6d\x65\x20\x57\x6f\x72\x6d\x20+\x42\x79/s and $virus = "IRC/Theme.worm.dr", last LINE; /\x53\x65\x74\x20\x63\d\x3d\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\x22\x26\x43\x28\d\d\x29\x26\x22\x4d\x53\x43\x6f\x6d\x6d\x4c\x69\x62\x2e\x4d\x53\x43\x6f\x6d\x6d\x22\x26\x43\x28\d\d\x29\x26\x22\x29\x22\x26\x43\x28\d\d\x29\x26\x43\x28\d\d\x29\x26\x22\x64\x63\x20\d\x2c\x63\d\x22\x26\x43\x28\d\d\x29\x26\x43\x28\d\d\x29\x26\x22/s and $virus = "VBS/Fourcourse", last LINE; /\x43\x68\x72\x28[^\x29]+\x29.+\x4e\x65\x78\x74.+\x45\x6e\x64.+\x46\x75\x6e\x63\x74\x69\x6f\x6e.+\x56\x62\x73\x77\x67\x20\d+\x2e\d+\x2e?\x20\x5b\x4b\x5d\x41\x6c\x61\x6d\x61\x72/s and $virus = "VBS/SST\@MM", last LINE; /\x45\x72\x61\x73\x65\x46\x69\x6c\x65\x73.+\x46\x75\x6e\x63\x74\x69\x6f\x6e.+\x46\x69\x6c\x65\x54\x6f\x45\x72\x61\x73\x65.+\x46\x69\x6c\x65\x54\x6f\x45\x72\x61\x73\x65\x2e\x70\x61\x74\x68.+\x45\x78\x74\x65\x6e\x73\x69\x6f\x6e.+\x54\x58\x54.+\x44\x4f\x43/s and $virus = "VBS/Eraser.A", last LINE; 
/\x23\x40\x7e\x5e\x2f\x77\x45\x41\x41\x41\x3d\x3d\x39\x62\x3a\x7e\x7e\x66\x40\x23\x40\x26\x66\x62\x3a\x2c\x61\x3a\x5e\x40\x23\x40\x26\x2f\x39\x4e\x43\x78\x72\x53\x43\x3a\x45\x40\x23\x40\x26\x3f\x2b\x44\x7e\x61\x3a\x5e\x50\x7b\x50\x2f\x44\x6e\x43\x44\x2b\x36/s and $virus = "VBS/Inor.encoded", last LINE; /\x42\x53\x2e\x53\x55\x50\x45\x52\x46\x4c\x55\x4f\x55\x53\x20\x76\d\x2e\d\x20\x62\x79\x20\x47\x6f\x62\x6c\x65\x65\x6e\x20\x57\x61\x72\x72\x69\x6f\x72\x2f\x2f\x53\x4d\x46/s and $virus = "VBS/Hatred.gen", last LINE; /\x4a\x53\x2e\x47\x65\x72\x6d\x69\x6e\x61\x6c\x20\x50\x61\x72\x20\x50\x65\x74\x69\x4b\x20\d\d\x2f\d\d\x2f\d\d\d\d/s and $virus = "JS/Germinal", last LINE; } unless($script eq "HTMLJS") { /\x73\x75\x62\x20\x73\x70\x72\x65\x61\x64\x74\x6f\x65\x6d\x61\x69\x6c\x28\x29.+\x64\x69\x6d\x20\x78\x2c\x61\x2c\x63\x74\x72\x6c\x69\x73\x74\x73\x2c\x63\x74\x72\x65\x6e\x74\x72\x69\x65\x73\x2c\x6d\x61\x6c\x65\x61\x64\x2c\x62\x2c\x72\x65\x67\x65\x64\x69\x74\x2c\x72\x65\x67\x76\x2c\x72\x65\x67\x61\x64.+\x72\x65\x67\x76\x3d\x72\x65\x67\x65\x64\x69\x74\x2e\x52\x65\x67\x52\x65\x61\x64\x28\x22\x48\x4b\x45\x59\x5f\x43\x55\x52\x52\x45\x4e\x54\x5f\x55\x53\x45\x52\x5c\x53\x6f\x66\x74\x77\x61\x72\x65\x5c\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x5c\x57\x41\x42\x5c\x22\x26\x61\x29/s and $virus = "VBS/LoveLetter\@MM", last LINE; } $save = substr($buff, (length($buff)/2)); } close(FILE); &_set_skip($skip) if($skip); return($virus); } sub scan_binary { my $self = shift; my $file = shift; my ($skip, $suspicious, $type, $subtype, $total) = (0, 0, 0, 0, 0); my ($virus, $buff, $save) = ("", "", ""); my $size = 1024; open(FILE, "<", $file) or return(&_set_error("Can't open $file: $!")); binmode(FILE); LINE: while(read(FILE, $buff, $size)) { $total += length($buff); unless($save) { my $begin = substr($buff, 0, 32, ""); unless(length($begin) >= 32) { $skip = 3; last LINE; } if(exists($self->{'callback'})) { if(my $ret = $self->{'callback'}->($file, $begin) || "") { &ret_callback($ret); $ret and last 
LINE; } } &get_app_sign($type, $subtype, $begin); unless($type) { $skip = 1; last LINE; } } study; $_ = ($save .= $buff); unless($suspicious) { local $_ = lc($save); $suspicious = 1 if(/\x77\x6f\x72\x6d/s || /\x76\x69\x72\x75\x73[^\x70]/s || /\x74\x72\x6f\x6a\x61\x6e/s || /\x5b[^\x5d]+\x5d\x20\x62\x79\x20\w+/s || /\x62\x61\x63\x6b\x64\x6f\x6f\x72/s || /\x70\x61\x72\x61\x73\x69\x74\x65/s || /\w+\x20\x63\x6f\x64\x65\x64\x20\x62\x79\x20\w+/s || /\x66\x75\x63\x6b/s); } if($type == 1) { if($total==4096) { /\x2f\x74\x6d\x70\x2f\x76\x69\x72\x75\x73\x2e\x63\x00\x2f\x74\x6d\x70\x2f\x76\x69\x63\x74\x75\x6d/s and $virus = "Linux/Manpage", last LINE; } if($total>1024) { /\x37\x33\x35\x30\x31\x38\x36\x37\x20\x2d\x20\x78\x38\x36\x2f\x6c\x69\x6e\x75\x78\x20\x6d\x6f\x64\x5f\x70\x68\x70\x20\x76\x34\x2e\x30\x2e\x32\x72\x63\x31\x2d\x76\x34\x2e\x30\x2e\x35\x20\x72\x65\x6d\x6f\x74\x65\x20\x65\x78\x70\x6c\x6f\x69\x74\x0a\x62\x79\x20\x6c\x6f\x72\x69\x61\x6e\x2e\x0a/s and $virus = "Linux.Osf.8759", last LINE; /\x72\x6d\x20\x2d\x72\x66\x20\x2f\x74\x6d\x70\x2f\x2e\x62\x75\x67\x74\x72\x61\x71\x2e\x63\x3b\x63\x61\x74\x20\x3e\x20\x2f\x74\x6d\x70\x2f\x2e\x75\x75\x62\x75\x67\x74\x72\x61\x71\x20\x3c\x3c\x20\x5f\x5f\x65\x6f\x66\x5f\x5f\x3b\x0a\x00\x5f\x5f\x65\x6f\x66\x5f/s and $virus = "Linux/Slapper.worm", last LINE; } if($total==44032) { /\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x75\x75\x64\x65\x63\x6f\x64\x65\x20\x2d\x70\x20\x2f\x74\x6d\x70\x2f\x2e\x75\x75\x61\x20\x3e\x20\x2f\x74\x6d\x70\x2f\x2e\x61\x3b\x6b\x69\x6c\x6c\x61\x6c\x6c\x20\x2d\x39\x20\x2e\x61\x3b\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x2e\x61\x3b\x6b\x69\x6c\x6c\x61\x6c\x6c\x20\x2d\x39\x20\x2e\x61\x3b\x2f\x74\x6d\x70\x2f\x2e\x61\x20\x25\x73\x3b\x65\x78\x69\x74\x3b/s and $virus = "BSD/Scalper.worm", last LINE; } } elsif($type == 2) { if($total==5120) { 
/\x48\x48\x41\x20\x56\x65\x72\x73\x69\x6f\x6e\x20\x34\x2e\x37\x34\x2e\x38\x37\x30\x32\x00\x04\x00\x24\x00\x09\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x80\x77\xb0\x86\x82\xfe\xc1\x01\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x12\x00\xef\x6c\xf8\x76\xea\x59\x6f\xfc\x6c\xc4\x75\x72\xe2\x2e\x68\x74\x6d\x00\x06\x00\x0b\x00\x69\x6c\x6f\x76\x65\x6c\x61\x75\x72\x61\x00\x05\x00\x04\x00\x77\x69\x6e\x00\x07\x00\x04\x00\x51\x7e\x95\x0f\x0c\x00\x04\x00\x00\x00\x00\x00\x0d\x00\x00\x10\x54\x23\x53\x4d\xda\x89\x3d/s and $virus = "VBS/Chick.e\@M", last LINE; /\x48\x48\x41\x20\x56\x65\x72\x73\x69\x6f\x6e\x20\d\x2e\d\d\x2e\d\d\d\d.+\x56\x42\x20\x42\x72\x69\x74\x6e\x65\x79\x20\x64\x2e\x68\x74\x6d\x6c.+\x6f\x63\x6f\x73\x6f\x66\x74/s and $virus = "VBS/Chick.d\@M", last LINE; /\x48\x48\x41\x20\x56\x65\x72\x73\x69\x6f\x6e\x20\d\x2e\d\d\x2e\d\d\d\d.+\x42\x72\x69\x74\x6e\x65\x79\x2e\x68\x74\x6d\x6c.+\x42\x72\x69\x74\x6e\x65\x79\x2d\x50\x69\x63.+\x62\x72\x69\x74\x6e\x65\x79\x2d\x70\x69\x63\x73/s and $virus = "VBS/Chick.a\@M", last LINE; /\x16\x00\x48\x48\x41\x20\x56\x65\x72\x73\x69\x6f\x6e\x20\x34\x2e\x37\x33\x2e\x38\x31\x39\x38\x00\x04\x00\x24\x00\x09\x04\x00+\x01\x00+[^\x00]+\xc1\x01\x00+\x02\x00\x11\x00\x74\x6f\x70\x69\x63\x73\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x00\x03\x00.\x00\w+\x20\x48\x65\x6c\x70\x00\x06\x00.\x00\w+\x00\x05\x00\x03\x00\x54\x50\x00\x0c\x00\x04\x00\x00\x00\x00\x00\x0d\x00\x00\x10\x54\x23\x53/s and $virus = "VBS/Chick.bc\@M", last LINE; } } elsif($type == 3) { /\x56\x4d\x50\x43\x4b\x20\x76\d+\x2e\d+\w*\x20\x5b[^\x5d]+\x5d/s and $virus = "W97/VMPCK1.gen", last LINE; /\x6b\x69\x6c\x6c\x65\x72\x00\x6b\x00\x69\x00\x6c\x00\x6c\x00\x65\x00\x72/s and $virus = "X97M/Oblivion", last LINE; /\x47\x75\x6f\x72\x6d\x28\x56\x62\x73\x29\x2e\x20\x4d\x69\x72\x63\x2f\x4f\x75\x74\x6c\x6f\x6f\x6b\x2f\x56\x62\x73\x2e\x20\x42\x79\x20\x42\x4d\x20\x26\x20\x4f\x57\x20\x26\x20\x4b\x61\x6c\x61\x6d\x61\x72\x00\x6c\x02\x42\x40\x6e/s and $virus = "W97M/Gorum", 
last LINE; /\x43\x41\x50.+\x41\x75\x74\x6f\x45\x78\x65\x63.+\x41\x75\x74\x6f\x4f\x70\x65\x6e.+\x46\x69\x6c\x65\x4f\x70\x65\x6e.+\x46\x69\x6c\x65\x53\x61\x76\x65.+\x41\x75\x74\x6f\x43\x6c\x6f\x73\x65.+\x46\x69\x6c\x65\x53\x61\x76\x65\x41\x73.+\x54\x6f\x6f\x6c\x73\x4d\x61\x63\x72\x6f/s and $virus = "WM/Cap", last LINE; /\x57\x4f\x52\x44\x2f\x4d\x65\x6c\x69\x73\x73\x61\x20\x77\x72\x69\x74\x74\x65\x6e\x20\x62\x79\x20\x4b\x77\x79\x6a\x69\x62\x6f/s and $virus = "W97M/Melissa.a\@MM", last LINE; /\x57\x39\x37\x2e\x4e\x69\x74\x72\x6f\x67\x65\x6e/s and $virus = "W97M/Nitrogen.intd", last LINE; /\x58\x39\x37\x4d\x2e\x4e\x69\x74\x72\x6f\x67\x65\x6e/s and $virus = "X97M/Generic", last LINE; /\x43\x41\x50\x75\x74\x21\x20\x20\x62\x79\x20\x2d\x2d\x3d\x7c\x7c\x20\x4e\x7c\x63\x30\x74\x7c\x4e\x20\x7c\x7c\x3d\x2d\x2d\x20\x28\x63\x29\x20(\x28\x63\x29)?\d\d\d\d/s and $virus = "W97M/VMPCK.dd", last LINE; /\x57\x6f\x72\x64\x32\x30\x30\x30\x2e\x47\x61\x72\x47\x6c\x65/s and $virus = "W97M/Hope.gen", last LINE; /\x54\x68\x65\x20((\x6d\x61\x6c\x65)|(\x66\x65\x6d\x61\x6c\x65))\x20\x73\x74\x61\x67\x65\x73\x20\x6f\x66\x20\x6c\x69\x66\x65/s and $virus = "IRC/Stages.worm", last LINE; /\x3c\x2d\x20\x74\x68\x69\x73\x20\x69\x73\x20[\w ]+\x20\x6d\x61\x72\x6b\x65\x72\x21/s and $virus = "W97/Marker.gen", last LINE; /\x28\x44\x80\x61\x79\x28\x4e\x6f\x77\x29\x51\x31\x90\x31\x29\x20\x41\x30\x64\x28\x4d\x10\x8b\x12\x68\x55\x01\x33\x29\xda\x47\x4d\x73\x67\x08\x42\x6f\x78\x50\x94\x61\x70\x70\x79\x00\x20\x42\x69\x72\x74\x68\x64\x61\x36\x79\x63\x60/s and $virus = "W97M/Thus.gen", last LINE; /\x57.*\x4d\x2e\x53\x70\x69\x72\x6f\x68\x65\x74\x61/s and $virus = "W97M/Generic", last LINE; /\x54\x68\x75\x73\x5f\d\d\d/s and $virus = "W97/Thus.gen", last LINE; if($total==7168) { /\x49\x52\x43\x2d\x57\x6f\x72\x6d\x2e\x48\x6f\x6b\x6f\x20\x62\x79\x20\x4b\x75\x61\x73\x61\x6e\x61\x67\x75\x69/s and $virus = "W32/Hokilo.worm", last LINE; } } elsif($type == 4) { if($subtype == 1) { if($total==10240) { 
/\x48\x45\x4c\x4f\x44\x1d\x4d\x41\x49\xec\xc8\x1e\x52\xbc\x6e\x5d\xc3\x43\x50\x54/s and $virus = "W32/Zafi.d\@MM", last LINE; } if($total==1024) { /\x0f\x4d\x61\x70\x56\x5f\xc5\x77\x4f\x66\x18\x10\x1e\x55\x6e\x56\x6d\x11\x90\x2f\x62\x08\x72\x73\xb3\x30\x0c\x99\x45\x6e\x76\x22\x6f\xdf\x52\xfc\x7b\x3c\x56\x61\xfb\xe6\x62\xac\x19\x67\x44\x1a\x76\xb1\x54\x79\x70\x4c\x0f\x53\xf5\xbf\x6c\x8e\x6d\x54\x69\x79/s and $virus = "W32/Mydoom.bb\@MM", last LINE; } } elsif($subtype == 2) { if($total==4096) { /\x60\xe8\x01\x00\x00\x00\xe8\x83\xc4\x04\xe8\x01\x00\x00\x00\xe9\x5d\x81\xed\xd9\x21\x40\x00\xe8\x1b\x02\x00\x00\xe8\xeb\x08\xeb\x02\xcd\x20\xff\x24\x24\x9a\x66\xbe\x47\x46\xe8\x01\x00\x00\x00\x9a\x59\x8d\x95\x2b\x22\x40\x00\xe8\x01\x00\x00\x00\x69\x58\x66/s and $virus = "W32/Bagle.dll.gen", last LINE; } if($total==3072) { /\x5c\x67\x64\x71\x66\x77\x2e\x65\x78\x65\x00\x4d\x5a\x90\x00\x03/s and $virus = "W32/Bagle.dll.dr", last LINE; } if($total>=10240 && $total<=12288) { /\x2d\x2d\x20\x42\x61\x67\x39\x20\x41\x75\x74\x68\x4f\x22\x32\x39\x61\xb7\x6f\xee\x2e\x30\x34\x02\x09\x47\x65\x72\x6d\x44\x79\x2e\x7d\x6f\xff/s and $virus = "W32/Bagle.aa\@MM", last LINE; } if($total<=3072) { /\x55\x50\x58\x30\x00{5}[\xa0\x90\xe0]\x00{3}\x10\x00{7}\x02\x00{14}\x80\x00\x00\xe0\x55\x50\x58\x31\x00{5}[\x30\x50\x90]\x00\x00\x00[\xb0\xf0\xa0]\x00\x00\x00[\x28\x48\x46\x8c]\x00\x00\x00\x02\x00{14}[\x80\x40\x60]\x00{1,2}[\x00\xf0]\xe0?\x2e\x72\x73\x72\x63\x00{3,4}[\x6e\x70\x10]\x19?\x00\x00\x00[\xe0\x40\xf0\x30][\x00\x01]\x00\x00[\x0c\x62\x06\x1a]\x00\x00\x00[\x2a\x4a\x48\x8e]\x00{14}\x40\x00\x00[\xc0\xf0]\x31\x2e\x32[\x30\x34]\x00\x55\x50\x58\x21\x0c\x09\x02[\x0a\x08]/s and $virus = "W32/Bagle.j\@MM", last LINE; } } elsif($subtype == 3) { if($total==1024) { /\x69\x77\x6f\x72\x6d\x2e\x61\x78\x6c\x38\x7a\x65/s and $virus = "W32/Aliz\@MM", last LINE; } } elsif($subtype == 4) { 
/\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x49\x2d\x57\x6f\x72\x6d\x20\x63\x6f\x64\x65\x64\x20\x62\x79\x20\x42\x75\x6d\x62\x6c\x65\x62\x65\x65\x5c\d+.\x21\x0a\x0a\x47\x72\x65\x74\x69\x6e\x67\x7a\x20\x74\x6f\x20\x61\x6c\x6c\x20\d+.\x20\x6d\x65\x6d\x62\x65\x72\x73\x20\x3b\x29/s and $virus = "W32/Gift.b\@MM", last LINE; /\x54\x68\x69\x73\x20\x69\x73\x20\x50\x6c\x61\x67\x65\x20\d{4}\x20\x63\x6f\x64\x65\x64\x20\x62\x79\x20\x42\x75\x6d\x62\x6c\x65\x62\x65\x65\x2f\d+.\x2e\x00\x50\x6c\x61\x67\x65\x20\d{4}\x20\x41\x63\x74\x69\x76\x61\x74\x69\x6f\x6e/s and $virus = "W32/Plage.gen\@M", last LINE; } elsif($subtype == 5) { if($total>1024) { /[^\x00]\x00\x00\x00\w{2,6}\x20\x2d\x20\x72\x6f\x79\x20\x67\x20\x62\x69\x76/s and $virus = "W32/Chiton.ab.dr", last LINE; /\x5b\x53\x61\x6e\x61\x74\x72\x61\x6c\x2e\d\d\d\d\x20\x62\x79\x20\x54\x68\x65\x72\x6d\x6f\x42\x69\x74\x2f\x49\x6b\x58\x2c\x79\x32\x4b\x5d/s and $virus = "W32/Sentral.dr", last LINE; /\x50\x2d\x61\x64\x69\x63\x20\x76\x69\x72\x75\x73\x20\x76\x65\x72\x73\x69\x6f\x6e\x20\d\x2e\d\x44\x6f\x78\x74\x6f\x72/s and $virus = "W32/Idele", last LINE; } /\x57\x69\x6e\x33\x32\x2e[^\x20]+\x20\x62\x79\x20\x42\x6c\x61\x63\x6b\x20\x4a\x61\x63\x6b\x00/s and $virus = "W32/Bika.gen", last LINE; if($total==53248) { /\x51\x2f\x1d\x35\x0d\x00\x20\x00\x00\x00\x73\x79\x73\x74\x72\x61\x79\x33\x32\x2e\x65\x78\x65\x14\x1d\x51/s and $virus = "PWS-Mob.dr", last LINE; } if($total==3072) { /\x56\x69\x72\x75\x73\x20\x2d\x20\x4f\x72\x65\x5a\x52\x61\x74\x53\x20\x5b\x49\x6b\x78\x5d\x20\x28\x43\x29\x20\d\d\d\d/s and $virus = "W32/Orez", last LINE; /\x42\x72\x61\x69\x6e\x4d\x75\x73\x63\x6c\x65\x20\x2b\x20\x4f\x6c\x64\x57\x61\x72\x79\x20\x2b\x20\x4b\x41\x4c\x41\x4d\x41\x52\x00\x47\x75\x6f\x72\x6d/s and $virus = "W32/Gorum.gen\@MM", last LINE; } if($total==335872) { /\x28\x63\x29\x20\x62\x79\x20\x45\x6e\x65\x72\x67\x79\x20\x47\x65\x72\x6d\x61\x6e\x79\x20\x53\x53\x54\x40\x48\x61\x62\x6c\x61\x73\x2e\x63\x6f\x6d/s and $virus = "W32/EnerKaz.worm.a", last LINE; } 
if($total>30720 && $total<32768) { /\x77\x61\x72\x67\x61\x6d\x65\x73\x2e\x65\x78\x65/s and $virus = "W32/Warga\@MM", last LINE; } if($total==129024) { /\x00\x00\x00\x00\x90\x60\xe9\x3d\x04\x00\x00\xdb\x95\xad\x0c\x33\x5a\xa9\xb7\x03\x88\xed\x0c\x30\x6c\x82\x91\xe3\x8e\xed\x0c\xb0\x0c\x55\x45\x77\xb1\xa9\x85\xae\x4d\xe0\x48\x33\xbe\x2c\x6a\x30\xb1\xa9\xcb\xb6\x82\x90\x48\x33\xb1\xa9\x0c\x33\x3c\x2c\x08\x79\xf5\xa9\x5c\xcc/s and $virus = "W32/Benjamin.worm", last LINE; } if($total==2048) { /\x48\x61\x69\x6b\x75\x20\x47\x65\x6e\x65\x72\x61\x74\x6f\x72/s and $virus = "W32/Haiku\@MM", last LINE; /\x20\x43\xbb\x2a\x99\x11\xaa\x80\x33\xc6\xb7\xbd\x6a\x49\xb2\x4d\xc9\xbd\xc0\xdc\x21\xe9\x00\x8a\x41\x48\xc0\x42\x10\x10\x86\xe4\x0d\x92\x04\x21\xe8\x86\xe4\x87\xa4\x90\x04\x56\x8c\x62\x2d\x52/s and $virus = "W32/Torvil\@MM", last LINE; } if($total>=78848 && $total<=135168) { /\x00\x68\x6f\x73\x74\x2e\x65\x78\x65\x00\x68\x6f\x73\x74\x2e\x73\x63\x72/s and $virus = "W32/Trilisa.gen\@MM", last LINE; } if($total==366592) { /\x54\x72\x6f\x6a\x61\x6e\x65\x72\x2d\x49\x6e\x66\x6f/s and $virus = "W32/Yarner.gen\@MM", last LINE; } if($total==159744) { /\x56\x74\x69\x70.+\x57\x69\x74\x7a.+\x62\x6c\x61\x67.+\x4a\x6f\x6b\x65.+\x5a\x61\x72\x74/s and $virus = "W32/Cervivec\@MM", last LINE; } if($total==24576) { /\x48\x4f\x57\x20\x54\x4f\x20\x53\x03\x50\x07\xbd\xf6\x6f\x8d\xf6\x8b\x49\x4f\x4c\x45\x4e\x43\x45\x62\x27\xa3\x25\xec\xd6\x69\x70\x03\x42\x52\x49\x80\x8c\xa5\xb7\x5c\x58\x47\x33\x2d\x3c\x05\xd8\x6c\xd8\xf6\x52\x41\x45\x4c/s and $virus = "W32/Stopin.b\@MM", last LINE; } if($total>=12288 && $total<=28672) { /\x4d\x41.?\x49\x4c\x20\x46\x52.?\x4f.\x3a.\x3c.{17,26}\x52\x43\x50.?\x54\x20.\x4f.{3,4}\x44\x41.{3,6}\x51\x55\x49.{4,9}\x59/s and $virus = "W32/Dumaru\@MM", last LINE; } if($total==106496) { 
/\x55\x8b\xec\xb9\x41\x00\x00\x00\x6a\x00\x6a\x00\x49\x75\xf9\x51\x53\x56\x57\xb8\xd4\xa8\x41\x00\xe8\xbf\xb0\xfe\xff\xbe\x10\xef\x41\x00\x33\xc0\x55\x68\xdd\xb4\x41\x00\x64\xff\x30\x64\x89\x20\x33\xc0\x55\x68\x8e\xb4\x41\x00\x64\xff\x30\x64\x89\x20\x6a\x20\xe8\xd3\xb1\xfe\xff\x50\xe8\xfd\xb2\xfe\xff\x6a\xff\xe8\xd6\xb1\xfe\xff\x50\xe8\xf8\xb2\xfe\xff\xe8\xeb\xfd\xff\xff\x8d\x4d\xf0\x33\xd2\xb8\xf4\xb4\x41\x00\xe8\x9c\xb5\xff\xff\x8b\x55\xf0\xb8\xfc\xee\x41\x00\xe8/s and $virus = "W32/SirCam\@MM", last LINE; } if($total==20480) { /\x43\x65\x63\x69\x6c\x65\x20\x63\x6f\x64\x65\x64\x20\x62\x79\x20\x53\x30\x2f\x42\x30\x5b\x69\x6b\x78\x5d\x2c\x20\x6d\x61\x64\x65\x20\x69\x6e\x20\x61\x73\x73\x65\x6d\x62\x6c\x79\x00\x68/s and $virus = "W32/Cecile.dr", last LINE; } if($total>184320) { /\x4b\x49\x4c\x54\x52\x4f\x20\x2a\x20\x4d\x53\x4e\x57\x48/s and $virus = "W32/Kitro\@MM", last LINE; } if($total==154624) { /\x52\x61\x5a\x13\x2f\x47\x45\x44\x5a\x41\x43\xaf\x0c\x2d\xa5\xfb\x37\x35\x37\x20\x31\x20\x34\x31\x34\x0f\x3c\xb3\xf1\xff\xa6\x2f\x54\x8d\x43\x4f\x4c\x4f\x4d\x42\x49\x41\x31\x5d/s and $virus = "W32/Blinkom", last LINE; } if($total>2048) { /\x04\x41\x40\x00\x0a\x41\x40\x00\x10\x41\x40\x00\x16\x41\x40\x00\x1c\x41\x40\x00\x24\x41\x40\x00\x2a\x2e\x6c\x6e\x6b\x00\x2a\x2e\x65\x78\x65\x00\x2a\x2e\x73\x63\x72\x00\x2a\x2e\x65\x6d\x6c\x00\x2a\x2e\x2a\x68\x74\x6d\x2a\x00\x2a\x2e\x64\x62\x78\x00\x3c\x73\x6b\x72\x61\x74\x74\x61\x68\x61\x68\x61\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3e/s and $virus = "W32/Ganda\@MM", last LINE; } if($total<=2048) { /\x49\x2d\x57\x6f\x72\x6d\x2e\x4a\x61\x70\x61\x6e\x69\x7a\x65/s and $virus = "W32/Fbound.c\@MM", last LINE; } if($total==70656) { /\x6c\x6f\x76\x65\x6c\x6f\x72\x6e\x40\x79\x61\x68\x6f\x6f\x2e\x63\x6f\x6d/s and $virus = "W32/Lovelorn\@MM", last LINE; } if($total==7168) { /\x62\x65\x67\x69\x6e\x20\x36\x34\x34\x20\x48\x61\x70\x70\x79\x39\x39\x2e\x65\x78\x65.+\x65\x6e\x64.+\x53\x6b\x61/s and $virus = "W32/Ska\@M", last LINE; 
/\xfd\xff\xff\xff\x4d\x41\x49\x4c\x20\x46\x52\x4f\x4d\x3a\x20\x3c\x61\x64\x6d\x69\x6e\x40\x64\x75\x6d\x61\x2e\x67\x6f\x76\x2e\x72\x75\x3e\x03\x78\xdd\xdf\x20\x52\x43\x50\x54\x20\x54\x4f/s and $virus = "W32/Pate.b", last LINE; } if($total==205824) { /\x7a\x65\x72\x6f\x2e\x65\x78\x65\x7f\x07\x32\xf2\x97\x06\x44\x6c\x44\x69\x72\x30\x18\x4b\xb5\x85\x58\xf8\x61\x7a\x61\x61\x5c\x27\x67\x31\x43\x56\x3a\xd7\x77\x84\x03\x17\xf1\x63\x70\x6c\x6f\x5c\x6b\x27\x0b\x7a\x10\x0f\x76\x31\x0a\xee\xa2\x19\x77\x09\x2e\x21\x60\x86\x4d\xc1\x5f\x2f\x17\x10\x08\x2c\x7b\x01\xa2\x2e\x68\x6f\x74\x0f\x86\x6f\x9c\x77\x32\x3e\x46\x6f\x6c\xc0\x96\x22\x07\x63\x36\x0c\x49\x6f\x73\xb4\xf5\x5f\x4a\x27\x73\x6b\x79\x4c\x61\x62/s and $virus = "W32/Duni.worm.b", last LINE; } } elsif($subtype == 6) { if($total==21504) { /\xb8\xc7\x64\x83\x71\xfe\xd2\x5c\x06\x38\x4a\xfc\x14\xa3\x98\x53\xd9\x1e\xf9\x69\x7f\x57\x52\x79\x65\x58\x40\x99\x7b\x36\xd6\x58\x06\x3e\xd3\xec\x24\xb4\xb9\x4b\x35\x19\x9a\x05\x3a\x1a\x6f/s and $virus = "W32/Sobig.e\@MM", last LINE; /\x53\x7f\xf3\xff\xff\x75\x6e\x4d\x6f\x6e\x54\x75\x65\x57\x65\x64\x54\x68\x75\x46\x72\x69\x53\x61\x74\x4a\x61\x6e\x46\x65\x62\x4d\xff\xb7\x76\xfb\x61\x72\x41\x70\x72\x05\x79\x4a\x26\x02\x6c\x41\x75\x67\x53\x65\x70\x4f\x63\x74\x5b\x81\xfa\xfd\x4e\x6f\x76\x44\x65\x63\x3f\x54\x5a\x1b\x1c\x74\x7b\xb7\xa9\xff\x69\x6d/s and $virus = "W32/Myparty.b\@MM", last LINE; } if($total>=30720 && $total<=43008) { /\x73\x72\x63\x3d\x33[^\x44]*\x44\x63\x69\x64\x3a\x57\x38\x64\x71\x77\x71\x38[^\x71]*\x71\x39\x31\x4f\x31\x33/s and $virus = "W32/Frethem.fl\@MM", last LINE; } if($total==3072 || $total==8192) { /\x50\x72\x6f\x6a\x65.{22,35}\x43.{13,28}\x4f\xad\x33\x99\x66\xcf\x11\xb7.{3}\xd3\x93.{6,7}\x3b.{3,25}\x46\x6f\x72\x6d/s and $virus = "W32/Sober.j\@MM", last LINE; } if($total==46080) { 
/\x50\xe8\xce\x86\x00\x00\x83\xc4\x04\xc7\x46\x44\x00\x00\x00\x00\x8b\xce\xe8\xf9\xf8\xff\xff\x5e\xc3\x90\x90\x90\x90\x90\x90\x90\x8b\x44\x24\x08\x8b\x54\x24\x04\x50\x52\xe8\x31\xf9\xff\xff\xc2/s and $virus = "BackDoor-ARG", last LINE; } if($total==43008) { /\x7a\x49\x4e\x47\x0e\x3b\x4f\x4d\x6b\xbe\xdd\xfe\xb2\x4e\x11\x52\x36\x30\x32\x38\x08\x2d\x20\x47\x61\x62\x6c\x65\xeb\x70\x34\x3a\x50\x20\x1f/s and $virus = "W32/Palyh\@MM", last LINE; } if($total==16384) { /\x0e\x41\x54\x54\x61\x0f\x52\x43\x50\x2e\x20\x4c\x4f\x6e\x3c\xcc\x18\x3e\x23\x4d\x1f\x41\x49\x4c\x07\x46\x52\x4f\x8a\x12\xb1\x02\x48\x45\xff\xe5\x1d\x6d\xfc\xd2\x08\x28\x5c\x04\x39\x2a\x2e\x50/s and $virus = "W32/Netsky.f\@MM", last LINE; } if($total==29696 || $total==71680) { /\x3a\x2f\x2f\x77\x77\x32\x2e\x66.{1,2}\x2e\x76.{64,93}\x45\x4c\x45.{18,21}\x4f\x4b.{1,5}\x53\x54\x41.{1,5}\x50\x41\x53\x53/s and $virus = "W32/Swen\@MM", last LINE; } if($total==8192) { /\x43.{3,4}\x42\xdc?\x0d.{4}\x48\x45\x4c\x4c?\x4f.{3,4}\x52\x53[\x6c\xb0]\x54\x0f\x4d\x07?\x41\x49\x1f?\x4c\x20\x46[\xd7\x5e]\x4f[\x82\x09]\x3a\x3c.{3}\x30\x43\x50\x54\x20[\xc9\x25]\x4f[\x58\x61]\x0f/s and $virus = "W32/Bagle.u\@MM", last LINE; /\x6a\x70\x67\x76\x69\x72/s and $virus = "W32/Perrun", last LINE; /\x03\x25\xf6\xbf\xc0\x43\x5c\x0a\x2b\x65\x69\x6e\x61\x68\x6e\x75\x6e\x67\x25\xd6\x1e\xb2\x39\x70\x17\x00\x00\x02\x04\x30\x15\x3e/s and $virus = "W32/Sober.p\@MM", last LINE; } if($total==3072) { /\x7a\x61\x72\x79\x32\x30+.+\x40\x65\x6d\x61\x69\x6c\x2e\x63\x6f\x6d/s and $virus = "W32/MyLife.e\@MM", last LINE; } if($total==6144 || $total==11264 || $total==13312) { /\x31\x35\x31\x2e.{0,4}\x32\x30[\x31\x03]?\x2e?\x30\x2e\x33/s and $virus = "W32/Bagle\@MM", last LINE; } if($total>=8192 && $total<=20480) { /\x51.{1,3}\x54.{14,36}\x41.{1,7}\x52.{0,4}\x43.{3,7}\x4f\x3a.{2,6}\x4d\x41.{0,4}\x49\x4c/s and $virus = "W32/Mimail\@MM", last LINE; } if($total==94208) { /\x39\x38\x47\x02\x2f\x27\x76\xd7\xf5\x50\x69\x4f\x76\x65\x72\xc9/s and $virus = 
"W32/Lovgate.ac\@MM", last LINE; } if($total==35840) { /\x73\x6d\x74\x70\x2e\x79\x65\x61\x68\x2e\x6e\x65.+\x2d\x20\x47\x45\x54\x20\x4f\x49\x43\x51/s and $virus = "W32/GOP\@MM", last LINE; } if($total==5120 || ($total>=10240 && $total<=15360) || $total==45056) { /[\xee\x95\x00\x95\x2d\x02][\x19\x51]\x55\x49\x54[\x8e\xfa\x0d\xa7\x83\xf3].{6,27}\x41.{6,35}\x20.{0,55}[\x54\x3e][\x4f\x6f\x7e]/s and $virus = "W32/Mydoom\@MM", last LINE; } if($total==102400) { /\x90\x60\xe9\x3d\x04\x00\x00\x87\xc3\xa3\x9f\x9f\x8a\x9f\x5a\xcf\xd8\xe3\x9f\xa2\x7c\xca\x3c\x6f\xde\xe3\x9f\x22\x5c\x9b\xe8\xe3\x9f\x9f\x28\x3c\x9b\xe8\xe3\x9f\xae\x24\x05\xa2\x9f\x9f\x66\x24\xd2\xd8\xe3\x9f\x9f\x9f\x9f\x9f\x2c\x24\xa3\xe9\xe3\x9f\xef\x9e/s and $virus = "W32/Lovgate.g\@M", last LINE; } if($total==15360) { /\x57\x00\x69\x00\x6e\x00\x33\x00\x32\x00\x2e\x00\x6d\x00\x65\x00\x72\x00\x63\x00\x75\x00\x72\x00\x79\x00\x20\x00\x43\x00\x6f\x00\x64\x00\x65\x00\x64\x00\x20\x00\x62\x00\x79\x00\x20\x00\x49\x00\x6e\x00\x64\x00\x75\x00\x73\x00\x74\x00\x72\x00\x79\x00\x20\x00\x40\x00\x20\x00\x41\x00\x4e\x00\x56\x00\x58\x00\x67\x00\x72\x00\x6f\x00\x75\x00\x70/s and $virus = "W32/Merkur\@MM", last LINE; } if($total==267264) { /\x7a\x68\x61\x6e\x67\x70\x6f\x00\x58\x2d\x4d\x61\x69\x6c\x65\x72/s and $virus = "W32/Zhangpo\@MM", last LINE; } if($total==9216) { /\x40\x00\x4c\x62\x42\x46\xfe\xff\x56\x42\x35\x21\xf0\x1f\x56\x42\x36\x45\x53\x2e\x44\x4c\x4c\x2a.{11,14}\x40/s and $virus = "W32/Darby\@MM", last LINE; /\x6d\x6f\x76\x20\x5b\x77\xf0\xb7\x56\xb8\x00\x2e\x70\x6c\x57\xb7\x76\x69\x72\x75\x73\x2e\x9f\x6b\x77\xbf\x4d\x6d\x5d\x20\x2a\x2f\x37\x52\x65\x67\xf8\xc2\xa0/s and $virus = "BackDoor-CAG", last LINE; /\x6e\x74\x70\x3a\x2f\x2f\x63\x05\xc5\x82\x6a\x79\x63\x2e\x6d\x2f\x61\x30\x62\x1b\xd5\x6c\x69\x2f\x69\x10\xb3\xa2\x7b\x66\x70\x68\x9e\x11\xba\x13\x70\x3f\x75\x69\x64\x3d\xc5\x81\xd3\xc9\x70\x3d\x37\x26\x76\x69\x88\x19\x50\x31\x3d\x74\x72\x79\x00/s and $virus = "W32/Downloader-PH", last LINE; } if($total<=4096) { 
/\x70\x65\x6e\x74\x61\x67\x6f\x6e\x65/s and $virus = "W32/Goner\@MM", last LINE; } if($total==6144 || ($total>=14336 && $total<=22528)) { /[\x7c\x4c\x02]\x05?[\x20\xfc\x77]\x46\x3c?\x52.{0,16}[\x4f\xaf][\x57\x4d][\x3a\x2b\x12\x11\xad\xb6].{12,49}\x54/s and $virus = "W32/Netsky\@MM", last LINE; } if($total==5120) { /\x6f\x70\x65\x6e\x13\x4d\x6f\x7a\x5f\x6c\x61\x5f\x70\x51\xc3\x2f\x34\xeb\x28\x5c\x02\x69\x62\x6c\x65\x5f\xa0\x70\x84\x29\xc7\x42\x43\xb6\xfb\x61\x53\x4c\x4f\xd1\x67\xfe\x5b\x92\x68\x74\x74\x70\x73\x65\x72\x76\x4c\x61\x7b\xae\xde\x75\xc7\x62\x23\x49\x43\x37/s and $virus = "W32/Mydoom.ba\@MM", last LINE; /\x71\x9d\xcc\x1e\x2e\x77\xaa\x7a\x4d\x28\xd4\xa4\x00\xcd\xe3\xcd\xe4\x03\x8d\x15\x18\xb3\xd2\x7b\x64\x51\x32\xf1\x27\xc1\x76\x92\xeb\xe0\xd8\x54\x26\x0e\xda\x13\x57\xf3\x3f\xde\x09\x49\x5c\x0a/s and $virus = "W32/Sobig\@MM", last LINE; /\x71\x32\x31\x36\x33\x30\x39\x00\x71\x32\x31\x36\x33\x30\x39\x00\x00\x71\x32\x31\x36\x33\x30\x39\x00\x00\x00\x00\xf4\x01\x00\x00\x34\x1c\x40/s and $virus = "W32/Gibe\@MM", last LINE; /\x02\xaa\x00\x02\x9a\x02\xa8\x00\x0a\xa4\x97\x1b\x6d\xb6\x2e\x36\xdc\xb8\xee\x36\xda\xe4\x6d\xb7\x27\x23\x6d\x5c\x6d\xb7\x71\xb6\xdb\x97\x17\x24\x99\x17\xbf\x9d\xfc\xee\x0d\xf6\x7f\xcf\xf8\xdf\xda\xd6\x11\xdd\x56\xea\x82\x0b\xe0\x7f\x02\xd5\xe5\xf4\x02\xf4/s and $virus = "W32/Lovgate.q\@MM", last LINE; /\x32\x83\x00\x02\x9a\x03\x2a\x80\x0b\x1c\x6d\xb6\xb2\x36\xdb\x73\x71\xb6\xd6\x43\x91\xb1\x91\xcd\xcc\x8d\xac\x8e\x4c\x93\x23\x6b\x71\xb1\x91\x6e\x36\xdb\x62\x8d\xe5\x09\xda\x13\x94\x27\x68\xce\x7f\x3e\xaf\x79\x42\x76\xff\xbe\x7b\xad\x52\x1e\x8f\x35\xe1\x91/s and $virus = "W32/Lovgate.af\@MM", last LINE; } if($total==14336) { /\x47\x00\x6f\x00\x62\x00\x6f\x00.+\x74\x00\x65\x00\x61\x00\x6d\x00\x76\x00\x69\x00\x72\x00\x75\x00\x73.+\x4b\x00\x61\x00\x72\x00\x65\x00\x6e/s and $virus = "W32/Gokar\@MM", last LINE; } if($total>8192 && $total<=20480) { 
/\x44*\x65\x63.+\x4e*\x6f\x76.+\x4f*\x63\x74.+\x53*\x65\x70.+\x41*\x75\x67.+\x4a*\x75\x6c.+\x4d*\x61\x79.+\x46\x65\x62\x13\x61\x53\x61\x27\x46\x72\x69\x00\x54\x68\x75\x00.\x9d\x5b\xfe\x57\x65\x64\x00\x54\x75\x65\x6f\x17\x2f.+\x32\x75/s and $virus = "W32/BadTrans\@MM", last LINE; } if($total>=19456 && $total<=20480) { /\x3a\x2d\x29\x00\x21\x07\x21\x04[^\x5a]*\x5a\x4f\x4e\x45\x41\x4c\x41\x52\x4d.....\x41\x56\x50..\x4c*\x4f\x43\x4b\x44\x4f\x57\x4e\x32\x30/s and $virus = "W32/Yaha.gen\@MM", last LINE; } if($total==37888) { /\x91\xd9\x6f\x2d\x38\x38\x35\x39\x2d\xb9\x62\xb8\x44\x14\x4b\xe8\x07\xeb\xe9\xa7\x15\x25\x74\x2f\xad\x6d\x77\x77\x23\xe1\x35\x58\x2a\x8f\x27\x4d\x4b\x29\xa0\x21\xfa\x4d\x49\x4d\x45\x2d\x49\x3a\xca\xcd\x5a\x5a\xa1\x71\xaa\xfe\x2f\x5a\x58\x18\xee\x6d\x69\x78/s and $virus = "W32/Yaha.u\@MM", last LINE; /\x5c\x49\x6e\x74\x65\x72\x66\x61\x63\x65\x73\x00\x00\x00\x43\x6f\x6e\x63\x65\x70\x74\x20\x56\x69\x72\x75\x73\x28\x43\x56\x29\x20\x56\x2e\d\x2c\x20\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x28\x43\x29\d\d\d\d.{10,}\x4d\x49\x4d\x45\x2d\x56\x65\x72\x73\x69\x6f\x6e\x3a\x20\x31\x2e\x30/s and $virus = "W32/Nimda.gen\@MM", last LINE; } if($total==41984) { /\x40\x03\x2e\x33\x3b\x7e\x6f\xad\x92\x6f\x41\x54\x41\x44\x32\x35\x87\x43\x50\x7d\x84\x76\x07\x47\x4f\x3a\x3c\x27\x7d\x4d\x41\x49\x4c\xc2\x4b\xe6\x68\xe8\xa3\x11\x27\x0d\x8b\xd2\x4d\xfa\x48\x45\x4c\x4f\x12\x0f\x32\xb5\x2b\x10\x6f\x61\x2b\x17\x75\xbb\xc3\x03/s and $virus = "W32/Bugbear\@MM", last LINE; /\x4d\x00\x61\x00\x63\x00\x68\x00\x69\x00\x6e\x00\x65\x00\x64\x00\x72\x00\x61\x00\x6d\x00\x6f\x00\x6e\x00\x64\x00\x61\x00\x72\x00\x6b\x00\x40\x00\x6c\x00\x61\x00\x74\x00\x69\x00\x6e\x00\x6d\x00\x61\x00\x69\x00\x6c\x00\x2e\x00\x63\x00\x6f\x00\x6d\x00/s and $virus = "W32/Sachiel.worm", last LINE; } if($total==17408) { /\x60\xe8\xed\x10\x00\x00\xc3\x83\x98\x87\x50\x2c\x58\x04\x81\x7c\xdb\xb6\xdf\x38\x34\x30\x2c\xa2\x61\xf9\xce\x6d\x0c\x1d\x13\x33\x04\x00\x86\xc8\xef\xf0\xc3\xef\x8f\xca\x08\xaf\xdb\x93\xcc\xfa/s and 
$virus = "W32/Netsky.j\@MM", last LINE; /\x47\x65\x74\x4c\x61\x32\x41\x02\x76\x65\x50\xda\x76\x16\xbb\xae\x75\x70\x13\x0f\x57\x95\x64\x26\xd0\x10\xf1\xdf\x87\x65\x73\x73\x61\x67\x65\x42\x6f\xc4\x73\x79\x61\x35\xbe\x25\x33\x32\x2e\x64/s and $virus = "W32/Bagz.f\@MM", last LINE; } if($total==6144 || $total==3072 || $total==6144) { /\x60\xe8\x01\x00\x00\x00\xe8\x83\xc4\x04\xe8\x01\x00\x00\x00\xe9\x5d\x81\xed\xd9\x21\x40\x00\xe8[\x05\x04]\x02\x00\x00\xe8\xeb\x08\xeb\x02\xcd\x20\xff\x24\x24\x9a\x66\xbe[\x35\x52][\x53\x47\xe1]\xe8\x01\x00\x00\x00/s and $virus = "W32/Bagle.e\@MM", last LINE; } /\x47\x69\x72\x6c\x73\x00\x5a\x69\x70\x57\x6f\x72\x6d\x00\x00\x7a\x69\x70\x57\x6f\x72\x6d/s and $virus = "IRC/Girls.worm", last LINE; if($total==31744) { /\x4e\x00\x61\x00\x76\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x56\x00\x65\x00\x72\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x20\x00\d+.+\x43\x00\x6f\x00\x70\x00\x79\x00\x72\x00\x69\x00\x67\x00\x68\x00\x74\x00\x20\x00\x28\x00\x43\x00\x29\x00\x20\x00\d\x00\d\x00\d\x00\d\x00/s and $virus = "W32/Navidad.gen\@M", last LINE; } if($total==1024) { /\x2e\x74\x65\x78\x74\x00\x00\x00\x00.\x00\x00\x00\x10\x00\x00..\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\xe0\x2e\x72\x64\x61\x74\x61\x00\x00\x00\x10\x00\x00\x00.\x00\x00\x5a\x00\x00\x00\x00.\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\xc0/s and $virus = "W32/Hybrys.gen\@MM", last LINE; 
/\x00\x20\x00\x2e\x6c\x70\x61\x63\x6b\x00\x00\x00\x60\x00\x00\x00\x10\x00\x00\x00\x34\x00\x00\x00\x04\x00{14}\x40\x00\x00\xc0\x2e\x6c\x70\x61\x63\x6b\x00\x00\x00\x10\x00\x00\x00\x70\x00\x00\x00\x0c\x00\x00\x00\x38\x00{14}\x40\x00\x00\xc0\x2e\x6c\x70\x61\x63\x6b\x00\x00\x00\x90\x01\x00\x00\x80\x00\x00\x00\x1c\x00\x00\x00\x44\x00{14}\x40\x00\x00\xc0\x2e\x72\x73\x72\x63\x00\x00\x00\x00\x10\x00\x00\x00\x10\x02\x00\x00\x02\x00\x00\x00\x60\x00{14}\x40\x00\x00\xc0\x2e\x6c\x70\x61\x63\x6b\x00\x00\x00\x30\x00\x00\x00\x20\x02\x00\x00\x22\x00\x00\x00\x62\x00{14}\x40\x00\x00\xc0\x00/s and $virus = "W32/Netsky.n\@MM", last LINE; /\x55\x50\x58\x30\x00{5}\xd0\x01\x00\x00\x10\x00{7}\x02\x00{14}\x80\x00\x00\xe0\x55\x50\x58\x31\x00{5}\x60\x00{3}\xe0\x01\x00\x00\x58\x00{3}\x02\x00{14}\x40\x00\x00\xe0\x2e\x72\x73\x72\x63\x00{4}\x10\x00{3}\x40\x02\x00\x00\x04\x00{3}\x5a\x00{14}\x40\x00\x00\xc0\x31\x2e\x32\x34\x00\x55\x50\x58\x21\x0c\x09\x02\x09\xe0\x6e\xfd\xee\x9e\x70\xb4\xa8\x4e\x16\x02\x00\xde\x55\x00\x00\x00\x94\x00/s and $virus = "W32/Netsky.w\@MM", last LINE; /\x40\x00\x00\xc0\x2e\x72\x73\x72\x63\x00{4}\x10\x00{3}\x20\x03\x00\x00\x02\x00\x00\x00\x5e\x01\x00{13}\x40\x00\x00\xc0\x2e\x61\x73\x70\x61\x63\x6b\x00\x00\x20\x00\x00\x00\x30\x03\x00\x00\x1a\x00\x00\x00\x60\x01\x00{13}\x40\x00\x00\xc0\x2e\x64\x61\x74\x61\x00{4}\x10\x00\x00\x00\x50\x03\x00{6}\x7a\x01\x00{13}\x40\x00\x00\xc0\x2e\x6c\x69\x66\x06\x00\x00\x00\x01\x00{4}\x60\x03\x00{6}\x7c\x01\x00\xb3\xdf\xfd\xff\x6c\x5c\x03\x00{5}\x20\x00\x00\xe0/s and $virus = "W32/Lovgate.r\@MM", last LINE; 
/\x55\x50\x58\x30\x00\x00\x00\x00\x00\xe0\x06\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\xe0\x55\x50\x58\x31\x00\x00\x00\x00\x00\x20\x01\x00\x00\xf0\x06\x00\x00\x14\x01\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\xe0\x55\x50\x58\x32\x00\x00\x00\x00\x00\x10\x00\x00\x00\x10\x08\x00\x00\x02\x00\x00\x00\x18\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00\x00/s and $virus = "W32/Bugbear.b\@MM", last LINE; /\x55\x50\x58\x30\x00{5}[\xa0\x80\xd0\x70\x60][\x00\x02]\x00\x00\x10\x00{7}[\x04\x02]\x00{14}\x80\x00\x00\xe0\x55\x50\x58\x31\x00{5}[\x90\xc0\x60\x50]\x00\x00\x00[\xb0\xe0\x90\x80\x70][\x02\x00]\x00\x00[\x8a\xbc\x60\x42\x46]\x00\x00\x00[\x04\x02]\x00{14}\x40\x00\x00\xe0\x2e\x72\x73\x72\x63\x00{4}\x10\x00\x00\x00[\x40\xa0\xf0\xd0\xc0][\x01\x03\x00]\x00\x00[\x06\x04\x08]\x00\x00\x00[\x8e\x4a\xc0\x64\x44]\x00{14}\x40\x00\x00\xc0[\x00\x0a]/s and $virus = "W32/Mydoom.o\@MM", last LINE; /\x50\x01\x00\x00\x10\x00\x00\xc9\x81\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\x00\x00\xe0\x2e\x46\x72\x61\x6c\x69\x27\x00\x73\x03\x00\x00\x00\x60\x01\x00\x00\x04\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\x00\x00\xe2\x00\x00/s and $virus = "W32/Higuy\@MM", last LINE; /\x41\x6c\x65\x76\x69\x72\x75\x73\x21\x0c\x09\x02\x08\x33\x4f\x2f/s and $virus = "W32/Netsky.ag\@MM", last LINE; } if($total==2048) { /\x20\x03\x2b\x3a\x99\x12\x22\x80\x2b\x3e\xf7\x26\xe1\x36\x06\xc2\x40\x20\x91\x10\x58\xac\x14\x50\x54\x58\x0a\x0c\x05\x87\x48\x20\x84\x0d\xee\x40\x90\x10\x20\x2a\x23\xb6\x2a\x22\x1b\xda\x8b\x64\x10\x64\x8b\x37\x3f\x1b\x51\xb4\x1e\xc2\xa0\xa2\xa2\xa2\xa2\x22/s and $virus = "Exploit-DcomRpc.gen", last LINE; /\x42\x6c\x61[\x63\xbd].{0,4}\x6b\x57\x6f\x72\x6d/s and $virus = "W32/MyWife.b\@MM", last LINE; 
/\x83\x00\x7c\x24\x08\x01\x75\x0a\xff\x74\x00\x24\x04\xe8\x0a\x00\x01\x30\x59\x00\x6a\x01\x58\xc2\x0c\x00\x55\x8b\x00\xec\x8b\x4d\x0c\x33\xc0\x49\x83\x00\xf9\x08\x77\x66\xff\x24\x8d\x8f\x16\x10/s and $virus = "W32/Netsky.ac\@MM", last LINE; /\x4f\x54\x9a\xf6\xd9\xef\x93\xa0\x2a\xba\x53\x51\x93\xe5\x92\xb9\xc0\x2b\xa3\xf4\x1b\xd3\x6d\x80\x69\x91\xea\xec\x1b\x3d\xa3\x28\x02\x12\x0a\xc4\xa2\x2b\x13\x23\x7c\x82\xbf\xc7\x0c\xa4\x2e\xc1/s and $virus = "W32/Netsky.x\@MM", last LINE; /\xe8\x9b\x03\x00\x00\x85\xc0\x75\x01\xc3\xa1\x0c\x48\x00\x10\x53\x33\xdb\x3b\xc3\x75\x17\x68\x00\x14\x00\x10\x68\xe0\x93\x04\x00\x53\x53\xff\x15\x28\x20\x00\x10\xa3\x0c\x48\x00\x10\x6a\x1c\x68\x20\x30\x00\x10\xe8\x27\x04\x00\x00\x6a\x10\x68\x40\x30/s and $virus = "W32/Fizzer.dll", last LINE; /\xff\x01\x06\x00\x53\x48\x41\x52\x4f\x4e\x00\x19\x93\x42\x00\x22/s and $virus = "W32/MyLife.j\@MM", last LINE; /\x03\x3b\xb8\x39\x91\x23\x33\x00\x1a\x2f\xf9\x78\x49\x00\x85\x24\x21\x64\xb8\x89\x00\x83\x0b\xc8\x28\x2a\x53\x14\x06\x08\xa1\x21\x70\x4a\x42\x02\xa5\x24\x51\x58\x8c\x10\x8a\x43\xf9\x04\x71\x70\x41\x40\x68\x0a\x98\xa6\x38\x0a\x2e\x14\x51\x85\xc1\x04\xb3\x88/s and $virus = "W32/Netsky.z\@MM", last LINE; /\x9d\x7e\x58\xd8\x63\x2f\xb7.\xce\x8c\x24\xe8\x25.\x6c\x68\x23\x36\x94\x0b\x6e\x51\x52.{6,7}\x0c\x10\xe4\xbf..\x41\x68\xc9\xff....\x39\xf2\xae\xf7\xd1\x2b\xf9\x8b\xf7\x8b\xd9\x8b\xfa\x10\x0e\x8b\xcb\x4f\xc1\xe9......\xa5\xa1.\xd2\x03\xcb\x83\xe1\x03\x95\xf3\xa4\x8b\x57....\xfc\xb4\xab\x81\x52\x66\xb4........\x15\x2c\xce\x52......\x88\x50\x53\x78\xc7\x0d\x04\x03/s and $virus = "W32/Lirva.gen\@MM", last LINE; /\xe8\x51\x50\x00\x00\xc3\x52\x53\xb6\x59\xb2\x73\xf9\x66\xe4\x1d\x98\x07\xde\x15\xa5\x94\xd0\x1d\x54\x7b\xf9\x34\x6b\x97\x44\x8f\xc6\xb0\xb9\xaa\x11\x70\xb4\x97\x8c\xc3\x0b\x33\x15\xa1\x60\x05\x51\x89\x80\xf5\x25\xba\x89\xa9\xfc\x3d\x67\x74\x47\xee\x91\x19/s and $virus = "W32/Bobax.worm.c", last LINE; 
/\x43\x6f\x64\x65\x64\x20\x2e\x2e\x2e\x62\x79\x20\x42\x65\x67\x62\x69\x65\x2c\x20\x53\x6c\x6f\x76\x61\x6b\x69\x61/s and $virus = "W32/Gibe.b\@MM", last LINE; /\x31\x2e\x39\x30\x00\xb6\xd1\xa5\xc9\x0d\x09\x08\x0a\x70\x86\x2c\xdf\x13\x5b\x4d\x1b\x2b\xdc\x04\x00\x5b\xc9\x01\x00\x00\x00\x04\x00\x26\x13\xff\x89\x33\x32\x80\x03\x1a\x32\xb2\x80\x0a\x24\xa8\xdd\x46\xaa\x39\xec\x6d\x8a\x8e\x54\x6d\xb6\xdb\x6d\xb6\x2a\x36\xdb\x6d\xba\x8d\xb9/s and $virus = "W32/Lovgate.ai\@MM", last LINE; /\x1f\x64\x17\x07\x56\xaf\x85\x85\xdb\x8f\x0a\x53\xc9\xff\xdb\x11\xe2\x3f\x4f\x78\x43\x03\x30\x4c\x59\x20\xb1\x08\xc9\x0d\x42\x08\x04\x56\x74\x32\xe1\xe5\x8a\x91\x6c\x9a\x40\x10\x4c\x24\xc1\x7f/s and $virus = "W32/Netsky.ab\@MM", last LINE; /\x00\xad\x01\xff\x60\x65\x63\x68\x6f\x72\x20\x77\x70\x75\x6e\x33\x25\x73\x06\x64\xdb\x3e\xe9\x61\x0a\x53\x14\x6c\x47\x16\x0c\x21\x70\xe7\x67\x67\x74\xe1\x73\x75\x70\xc9\x2e\xf9\x78\xea\x96\x17\x0a\x71\x75\x69\x74\x0f/s and $virus = "MultiDropper-KR", last LINE; /\x00\x63\x3a\x5c\x74\x6d\xff\xbf\xfc\xff\x70\x2e\x65\x78\x65\x00\x68\x74\x74\x70\x3a\x2f\x2f\x77\x2e\x61\x71\x75\x61\x72\x69\x75\x6d\x2d\x66\x69\x73\x20\xab\x6f\xff\x68\x2e\x72\x75\x2f\x70\x70\x61\x02\x2e\x62/s and $virus = "Downloader-GN", last LINE; /\x2f\x29\x9f\x4f\x6f\x90\x61\x82\xb5\x46\xb1\x87\x12\x5e\x6f\xd1\xc8\x47\xec\x1e\x5f\xb3\x5b\x5a\x21\x22\x39\xae\x38\x6b\xdd\xd2\xe2\x5d\x37\xb7\xdd\x20\x4a\x76\xc7\xdc\x1d\xf4\xde\x0f\xf4\xd5\x5f\x20\x5b\xe8\x36\xfd\xdf\xaa\x53\x49\x84\x76\x74\x25\x58\xe7\x17\x29/s and $virus = "W32/Korgo.worm.aa", last LINE; } if($total==11264) { /\x49\x00\x20\x00\x63\x00\x6f\x00\x6d\x00\x65\x00\x20\x00\x69\x00\x6e\x00\x20\x00\x70\x00\x69\x00\x65\x00\x63\x00\x65\x00\x2e\x00\x20\x00\x20\x00\x20\x00\x4d\x00\x79\x00\x20\x00\x6e\x00\x61\x00\x6d\x00\x65\x00\x20\x00\x69\x00\x73\x00\x20\x00\x4a\x00\x65\x00\x72\x00\x72\x00\x79/s and $virus = "W32/Choke.c.worm", last LINE; 
/\xc1\x09\xf7\x28\x80\x72\xed\xf8\x3d\xcb\x14\x66\xa9\xfa\x63\x99\xe6\x17\x84\x07\x0c\x48\x45\x4c\x4f\x44\x4d\x3b\x41\x49\xf6\x3d\x46\x52\x78\xdd\x5d\x87\x43\x50\x54\xce\x5e\xf4\x15\xb8\x2b\x49/s and $virus = "W32/Zafi.b\@MM", last LINE; } if($total==25600) { /\x95\x2b\x66\x8a\xd1\xbd\xf0\xe1\x48\x8a\xd1\x97\x71\xc5\xff\x7b\xca\xe8\x0a\x48\x6f\x6f\x5d\xb6\x86\xe6\x3c\xcf\xcd\xae\xe4\x58\x31\x46\x54\x16\xef\xc3\xc1\xed\xc4\xcd\x52\xc6\x2e\xc6\xd0\x13\x58/s and $virus = "BackDoor-ARG.dr", last LINE; } if($total>=6144 && $total<=9216) { /\x2b\x0c\x01[\x94\x54\xcc\x2c].{2,7}\x6f\x6b\x75\x6d.{0,4}\x65\x6e\x74/s and $virus = "W32/Sober\@MM", last LINE; } if($total==12288) { /\x21\x73\x76\x68\x6f\x73\x74\x2e\x65\x78\x65\x27\x7b[^\x7d]{32,}\x7d\x53\x4f\x46/s and $virus = "Generic PWS.f", last LINE; /\x42\x72\x69\x64\x65\x00\x42\x72\x69\x64\x65\x00\x00\x42\x72\x69\x64\x65/s and $virus = "W32/Braid\@MM", last LINE; } if($total==44032) { /\xbd\xff\x57\x4f\x52\x4b\x2d\x53\x45\x58\x59\x33\x0f\x54\x55\x05\xa3\xde\x3b\x13\x4b\x61\x7a\x61\xd3\x5e\x07\x30\xe1\xef\x50\x9f\x76\x62\x73\x4b\x36\x94\x01\x68\x3a\x03/s and $virus = "W32/Oror.aa\@MM", last LINE; } if($total==22528) { /\x57\x00\x49\x00\x4e\x00\x4c\x00\x30\x00\x47\x00\x30\x00\x4e\x00\x2e\x00\x45\x00\x58\x00\x45/s and $virus = "W32/Shoho.gen\@MM", last LINE; /\x85\xff\x8a\xd9\x73\x5c\x04\xc7\x6f\x2e\x63\x6a\x64\x72\x61\xff\xcf\xfe\x6f\xc5\x47\x45\x54\x20\x68\x74\x74\x70\x3a\x2f\x2f\x66\x04\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x6c\xa4\x9d\x10\xc8\x2f/s and $virus = "Proxy-Cidra", last LINE; /\x68\x6f\x74\x6d\x61\x69\x6c\x5f\x68\x61\x63\x6b\x2e\x65\x78\x65\x46\x66\x72\x69\x65\x6e\x64\x73\x68\x69\x70\x2e\x5f\x68\xff\xef\x73\x63\x72\x1f\x77\x6f\x72\x6c\x64\x5f\x6f\x66\x5f\x31\x11\x61\x6b\xff\x61\xff\xb8\x65\x12\x0e\x77\x65\x65\x74\x17\x42\x65\x5f\x48\x61\x70\x70/s and $virus = "W32/Yaha.k", last LINE; } if($total==10240) { 
/\x43\x00\x68\x00\x6f\x00\x6b\x00\x65\x00\x20\x00\x2c\x00\x20\x00\x43\x00\x6f\x00\x70\x00\x79\x00\x72\x00\x69\x00\x67\x00\x68\x00\x74\x00\x20\x00\xae\x00\x20\x00\x31\x00\x38\x00\x38\x00\x36/s and $virus = "W32/Choke.gen.worm", last LINE; /\xdb\x0f\x84\xb5\x00\x00\x00\x8b\x3b\x3b\xfe\x73\xef\x52\x53\x56\x57\x51\x8b\x55\x18\x83\xe9\x02\x66\x8b\x04\x31\x66\x39\x04\x39\x0f\x85\x8c\x00\x00\x00\x8b\xd9\xc1\xf9\x02\x85\xc9\x74\x11\x8b\x06\x33\x07\x83\xc6\x04\x83\xc7\x04\x85\xc0\x75\x03\x49\x75\xef\x75\x16\x03\xcb\x83\xe1\x03\x85\xc9\x74\x0d\x8a\x06\x8a\x27\x46\x47\x38\xe0\x75\x03\x49\x75\xf3\x75\x58\x59\x5f\x5e\x56\x57\x03\xf9\x03\xf1\x83\xe9\x04\x83\xc1\x04\x8b\xc2\x83\xe8\x04\x78\x28\x3b\xc8/s and $virus = "W32/Fizzer.gen\@MM", last LINE; /\x3a\x00\x5c\x00\x76\x00\x69\x00\x72\x00\x75\x00\x73\x00\x5c\x00\x76\x00\x69\x00\x72\x00\x5c\x00\x63\x00\x75\x00\x72\x00\x72\x00\x5c\x00\x50\x00\x72\x00\x6f\x00\x6a\x00\x65\x00\x63\x00\x74\x00\x31\x00\x2e\x00\x76\x00\x62/s and $virus = "W32/ProLin\@MM", last LINE; } if($total==2048 || $total==4096) { /\x52\x55\x4e\x44.{0,4}\x4c\x4c\x33\x32\x2e\x45\x58\x45\x20\x25\x73\x2c\x5f\x6d\x61\x69\x6e\x52\x44\x00\x44\x6c\x6c\x52\x65\x67\x69\x73\x74\x65\x72\x53.{2,5}\x76.{0,3}\x00\x00\x64\x6c\x6c\x00\x65\x78\x65\x00\x43\x4c\x53\x49\x44\x5c\x7b.{34,38}\x30\x31\x7d\x00.{1,3}\x20\x6d\x75\x74.{0,2}\x31\x20/s and $virus = "W32/Mabutu.a\@MM", last LINE; } if($total==50176) { /\x34\x7b\x4d\x54\x50\xb4\x76\xc2\x11\xb7\x63\x70\xbb\x70\xb3\x26\x6f\x6f\x5d\x72\xc7\x4b\x2d\x38\x29\x39\x2d\x31\x0b\x51\x55\x49\x10\x86\xf0\x87\x54\x19\x45\x48\x4c\x4f\x24\x2b\x06\xe0\xc2\xf2\x50\x61\x77\x43\x64\x3a\xc6\xfd\xf7\x28\x15\xa7\xbb\x0b\x41\x55\x54\x48\x20\x7f\x03\x9a\xbd\x2e\x47\x49\x4e\x27\xbd\x4c\x20\x46\x52\x4f\x4d\xe3\xb1\x8a\x19\x58\xa3\x43\x50\x54\xc4\x5b\x31\x97/s and $virus = "W32/Sobig.c\@MM", last LINE; } if($total==18432) { /\x4d\x61\x64\x65\x20\x62\x79\x20\x41\x78\x69\x61\x6c\x69\x73\x20\x41\x58\x2d\x49\x63\x6f\x6e\x20\d\x2e\d/s and $virus = 
"BackDoor-AJH", last LINE; } if($total==29696) { /\x45\xf8\x79\x00\x2b\x6b\x23\x4c\x79\x6e\x61\x2e\x28\x63\x6d\xdb\x93\x6f\xd6\xed\x68\xa0/s and $virus = "W32/Sobig.f\@MM", last LINE; } if($total==66560) { /\x4e\x65\x74\x4d\x65\x65\x74\x69\x6e\x67\x20\x52\x65\x6d\x6f\x74\x65\x20\x44\x65\x73\x6b\x74\x6f\x70\x20\x28\x52\x50\x43\x29\x20\x53\x68\x61\x72\x69\x6e\x67\x00\x73\x6d\x74\x70\x2e\x31\x36\x33\x2e\x63\x6f\x6d\x00\x00\x00\x00/s and $virus = "BackDoor-AQJ", last LINE; } } elsif($subtype == 7) { if($total==162816) { /\xdb\x0f\x84\xb5\x00\x00\x00\x8b\x3b\x3b\xfe\x73\xef\x52\x53\x56\x57\x51\x8b\x55\x18\x83\xe9\x02\x66\x8b\x04\x31\x66\x39\x04\x39\x0f\x85\x8c\x00\x00\x00\x8b\xd9\xc1\xf9\x02\x85\xc9\x74\x11\x8b\x06\x33\x07\x83\xc6\x04\x83\xc7\x04\x85\xc0\x75\x03\x49\x75\xef\x75\x16\x03\xcb\x83\xe1\x03\x85\xc9\x74\x0d\x8a\x06\x8a\x27\x46\x47\x38\xe0\x75\x03\x49\x75\xf3\x75\x58\x59\x5f\x5e\x56\x57\x03\xf9\x03\xf1\x83\xe9\x04\x83\xc1\x04\x8b\xc2\x83\xe8\x04\x78\x28\x3b\xc8/s and $virus = "W32/Fizzer.gen\@MM", last LINE; } } if($total>1024) { /\x57\x69\x6e\x33\x32\x2e\x47\x69\x72\x69\x67\x61\x74\x20\x69\x73\x20\x6e\x6f\x77\x20\x61\x63\x74\x69\x76\x65\x21/s and $virus = "W32/Giri.dr", last LINE; /\x4e\x45\x54\x2e\x64\x6f\x74\x4e\x45\x54\x20\x62\x79\x20\x42\x65\x6e\x6e\x79\x2f\x32\x39\x41/s and $virus = "W32/Donut.dr", last LINE; } if($total>=7168 && $total<8192) { /\x4a\x54\x4d\x20\x2d\x20\x66\x72\x6f\x6d\x20\x65\x5b\x61\x78\x5d\x20\x74\x6f\x20\x48\x6f\x6d\x65\x72\x20\x54\x68\x61\x20\x50\x69\x6c\x65/s and $virus = "W32/HLL.ow.24590", last LINE; } if($total>=1024 && $total<=5120) { /\xed.{0,13}\xe8.{0,17}\xe9.{0,12}\xff\xff\xff.{0,19}\x83/s and $virus = "W32/Netsky.c\@MM", last LINE; } if($total==11264 || $total==13312) { /\x91\x04\x00\xa8\x60\x54\x58\x23\x23\x23\x23\x5c\x60\x64\x68\x23\x23\x23\x23\x6c\x70\x74\x78\x23\x23\x23\x23\x7c\x80\x84\x88\x23\x23\x23\x23\x8c\x90\x94\x98\x23\x23\x23\x23\x9c\xa0\xa4/s and $virus = "W32/Bagle.af\@MM", last LINE; } if(($total>=1024 && 
$total<=3072) || $total==25600) { /\xd0\x32\xc5\x32\xc2\x32\xc6\xd2\xc0\x02\xc1.{0,24}\xd3\xc2\x88\x07\x47\x49\x75\xd2\xe8\x01\x00\x00\x00/s and $virus = "W32/Bagle.ai\@MM", last LINE; } if($total>2048) { /\x7e\x46\x75\x6e\x20\x4c\x6f\x76\x69\x6e\x67\x20\x43\x72\x69\x6d\x69\x6e\x61\x6c\x7e/s and $virus = "W32/FunLove.4099", last LINE; } if($total>=8192 && $total<=15360) { /\x62.?\x61.?\x6c\x9f.{0,4}\xaf\x21.{0,4}\x3c.{0,5}\x31\x72\x6d.{0,5}\x20\x0d\x43.?\x70.?\x75.?\x74\x0f\x6e.{2,6}\x7b.{2,6}\x4a\x25\x2f\x34\x3e.{0,5}\xa1.?\x79.?\x70\x24.{0,4}\x50.{0,4}\x6f\x63.?\x45\x6d.?\x61.?\x69.{0,4}\x6c.\x72.\x35.{3,4}\x65.{1,5}\x6b.{4,9}\x0d.{0,4}\x75.{2}\x45.{0,4}\x4c\x2d\x6c.?\x43\x6f.?\x6e.{1,5}\x1f.{0,4}\xd9.{0,5}\x0d\x2f.{0,5}\x6d\xb8.{2,6}\x44\x69\x73.{2,3}\x6c.{1,5}\x3d.{8,9}\x47\xca.?\x3c.?\x0d\x6e.{1,6}\x65.{0,4}\x0a.{0,5}\x41.?\x4f\x53.?\x54\xc9.\x64\x61.{0,5}\x51/s and $virus = "PWS-Banker.k.gen", last LINE; } if($total<=6144) { /\x77\x6f\x72\x6d\x49\x77\x69\x6e\x67.+\x57\x69\x6e\x33\x32\x2e\x20\x49\x6d\x65\x6c\x64\x61\x20\x74\x68\x65\x20\x56\x42\x20\x56\x69\x72\x75\x73/s and $virus = "W32/Alcop.gen\@MM", last LINE; } if($total==13312 || ($total>=24576 && $total<=36864)) { /\x79.{3,81}[\x2a\x65\xb0\x45]\x72\x43[\x04\xa2\x9e\x1e][\xec\x8f\xf8\x62]/s and $virus = "W32/Mytob.gen\@MM", last LINE; } if($total==8192) { /\x96\xb4\x66\x55\xd6\xc5\xa3\xe2\x46\x4b\x4c\x54\x52\x61\x6d\x93\x14\x56\x81\xae\xc7\x17\xa2\x2f\x0c\x82\xff\xe8\x24\x2e\xb6\x6a/s and $virus = "W32/Lovgate.x\@MM", last LINE; } /\x53\x6f\x66\x74\x77\x61\x72\x65\x20\x70\x72\x6f\x76\x69\x64\x65\x20\x62\x79\x20\x5b\x4d\x41\x54\x52\x69\x58\x5d\x20\x56\x58\x20\x74\x65\x61\x6d/s and $virus = "W32/MTX.gen\@M", last LINE; /\x0d\x0a\x2e\x0d\x0a\x00\x00\x00\x44\x41\x54\x41\x20\x0d\x0a\x00\x48\x45\x4c\x4f\x20\x25\x73\x0d\x0a\x00\x00\x00\x3e\x0d\x0a\x00\x4d\x41\x49\x4c\x20\x46\x52\x4f\x4d\x3a\x20\x3c\x00\x00\x00\x00\x52\x43\x50\x54\x20\x54\x4f\x3a\x3c\x00\x00\x00\x25\x64\x00\x00/s and $virus = "W32/Klez.gen\@MM", 
last LINE; /\x5b\x57\x69\x6e\x32\x6b\x2e\x4a\x6f\x73\x73\x5d\x20\x62\x79\x20\x52\x61\x74\x74\x65\x72\x2f\d\d\x41/s and $virus = "W32/Joss.919", last LINE; /\x14\xff\x56\xb9\x36\xdc\x5a\xbd\x1b\x93\xeb\xea\x5f\x21\xb8\x35\x73\x1b\xfc\xa6\xdc\x6f\x01\x24\x8b\x14\x85\xb8\x6c\x28\x0d\x3b\xd1\x74\x09\x40\xb3\xbb\x95\x4a\x1a\x74\x15\x72\xe5\x1a\x89\x0c\x8b\x00\xcf\xb7\x90\x49\x24\xfe\x81\xc3\x22\x8d\xa5\x68\x7a\xb4/s and $virus = "BackDoor.arsd", last LINE; /\x43\x6f\x64\x65\x64\x20\x62\x79\x20\x47\x72\x69\x59\x6f.+\x32\x39\x41/s and $virus = "W32/GriYo.29A.by", last LINE; /\x2e\x41\x56\x58\x65\x6e\x63\x72/s and $virus = "W32/XTC\@MM", last LINE; /\x57\x49\x4e\x33\x32\x2e\x50\x49\x4c\x53\x45\x4e\x20\x56\x49\x52\x55\x53\x20\x62\x79\x20\x49\x6e\x74\x31\x33\x68\x2f\x49\x4b\x58\x00\x4d\x61\x44\x65\x20\x69\x4e\x20\x50\x61\x52\x61\x47\x75\x41\x79/s and $virus = "W32/Pilsen.cmp.4096", last LINE; /\x5b\x69\x4b\x78\x5d\x20\x28\x63\x29\x20\x31\x39\x39\x39\x20\x61\x6c\x6c\x20\x72\x69\x67\x68\x74\x20\x72\x65\x73\x65\x72\x76\x65\x64\x20\x2d\x20\x70\x72\x65\x73\x65\x6e\x74\x20\x41\x6c\x64\x65\x42\x61\x72\x61\x6e/s and $virus = "W32/Adebar.dr", last LINE; /\x76\x69\x72\x75\x73\x65\x73.+\x65\x78\x70\x6c\x6f\x69\x74.+\x70\x61\x74\x63\x68\x20\x68\x61\x73\x20\x62\x65\x65\x6e\x20\x73\x75\x70\x70\x6c\x69\x65\x64\x20\x77\x69\x74\x68\x20\x74\x68\x69\x73\x20\x65\x6d\x61\x69\x6c\x20\x61\x6e\x64\x20\x77\x69\x6c\x6c\x20\x66\x69\x78\x20\x74\x68\x65\x20\x73\x65\x63\x75\x72\x69\x74\x79\x20\x68\x6f\x6c\x65.+\x70\x61\x74\x63\x68\x2e\x65\x78\x65/s and $virus = "W32/Heidi\@MM", last LINE; /\x59\x61\x70\x21\x20\x57\x68\x61\x74\x20\x63\x6f\x75\x6c\x64\x20\x69\x74\x20\x42\x20\x3f\xa8\x20\x49\x74\x27\x73\x20\x59\x2e\x41\x2e\x50\x2e\x20\x28\x59\x65\x74\x20\x41\x6e\x6f\x74\x68\x65\x72\x20\x50\x61\x72\x61\x73\x69\x74\x65\x29/s and $virus = "HLLP.Yap.8421", last LINE; 
/\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x70\x2e\x69\x63\x71\x2e\x63\x6f\x6d\x2f\x73\x63\x72\x69\x70\x74\x73\x2f\x57\x57\x50\x4d\x73\x67\x2e\x64\x6c\x6c\x3f\x66\x72\x6f\x6d\x3d\w+\x26\x66\x72\x6f\x6d\x65\x6d\x61\x69\x6c\x3d\w+\x40\w+\x2e\w+\x26\x73\x75\x62\x6a\x65\x63\x74\x3d\x50\x72\x6f\x67\x72\x61\x6d\x2b\x65\x78\x65\x63\x75\x74\x69\x6f\x6e\x26\x62\x6f\x64\x79\x3d\x54\x68\x65\x2b\x70\x65\x72\x73\x6f\x6e\x2b\x74\x68\x61\x74\x2b\x73\x65\x6e\x74\x2b\x74\x68\x69\x73\x2b\x70\x61\x67\x65\x72\x2c\x2b\x69\x73\x2b\x77\x69\x74\x68\x2b\x61\x2b\x66\x69\x6c\x65\x2b\x67\x65\x6e\x65\x72\x61\x74\x65\x64\x2b\x62\x79\x2b\x4a\x75\x6e\x74\x61\x64\x6f\x72\x26\x74\x6f\x3d\d{6,}\x26\x73\x65\x6e\x64\x3d.+/s and $virus = "MultiDropper-BN", last LINE; /\x5b\x57\x69\x6e\x33\x32\x2e\x4f\x72\x61\x6e\x67\x65\x20\x62\x79\x20\x45\x62\x6f\x6c\x61\x5d\x00\x44\x65\x64\x69\x63\x61\x74\x65\x64\x20\x74\x6f\x20\x74\x68\x65\x20\x4e\x59\x46\x44\x20\x61\x6e\x64\x20\x4e\x59\x50\x44\x2e/s and $virus = "W32/Awfull", last LINE; /\x57\x69\x6e[\x32\x33\x35\x38\x39]{2}\x2e\w+\x2e*\w*\x20\x62\x79\x20\w+.+\x67\x65\x6e\x65\x72\x61*\x74\x69\x6f\x6e\x20\x76\x69\x72\x75\x73\x20/s and $virus = "W32/Blakan", last LINE; /\x5b\x57\x69\x6e\x33\x32\x2e[^\x5d]+\x5d\x20.+\x20\x47\x69\x67\x61\x62\x79\x74\x65\x2f\x4d\x65\x74\x61\x70\x68\x61\x73\x65/s and $virus = "W32/GMetaphase.by\@MM", last LINE; /\x5b\x57\x69\x6e[^\x5d]+\x5d\x20\x62\x79\x20\x52\x61\x74\x74\x65\x72\x2f\d+/s and $virus = "W32/Ratter.by", last LINE; /\x57\x69\x6e\x33\x32\x2f\x41\x73\x74\x72\x6f\x47\x69\x72\x6c\x20\x41\x73\x74\x72\x6f\x43\x6f\x64\x65\x64\x20\x62\x79\x20\x61\x20\x57\x61\x7a\x65\x78\x00\x59\x6f\x75\x72\x20\x73\x79\x73\x74\x65\x6d\x20\x69\x73\x20\x69\x6e\x66\x65\x63\x74\x65\x64\x20\x62\x79\x20\x57\x69\x6e\x33\x32\x2f\x41\x73\x74\x72\x6f\x47\x69\x72\x6c\x20\x76\d+\x2e\d+.+\x44\x65\x64\x69\x63\x61\x74\x65\x64\x20\x74\x6f\x20\x41\x6e\x69\x74\x61\x20\x61\x6e\x64\x20\x6f\x75\x72\x20\x70\x65\x6e\x67\x2d\x67\x75\x69\x6e\x20\x3b\x29\x0d/s and $virus = 
"Win32.Asorl", last LINE; /\x08\xb5\x6d\xea\x46\x82\x32\x67\x62\x42\x2b\x16\x59\x97\xcb\xdb\x40\x1c\x02\xd2\x43\x40\xa0\x99\x65\x20\x99\x2a\x9d\xa1\x21\xa1\xa1\x1d\x55\x05\x19\x01\x57\x55\x32\x8c\x41\xc5\x08\x01\x76\x0a\x43\x0f\x81\x87\xb0\xda\x18\x3d\x42\x28\x28\xa8\x80\xac\xd2\xe9/s and $virus = "W32/Navidad.e\@M", last LINE; if($total==2048 || $total==4096) { /\x06\x00\x42\x00\x49\x00\x4e\x00\x41\x00\x52\x00\x59\x00\x01\x00\x30\x00\x00\x00\x00\x00\x00\x00\x6b\x7d\x66\x85\x94\x15\xad\x1d\xd6\x94\xdd\xc4\x89\xe6\x39\x31\x49\xad\xb5\x58\xf0\x93\x97\x32\x59\x2b\xd1\xc0\xfd\x16\x8e\x4e/s and $virus = "W32/Netsky.p\@MM", last LINE; } if($total==1024) { /\x50\x45\x00\x00\x4c\x01.\x00....\x00\x00\x00\x00.\x00\x00\x00\xe0\x00..\x0b\x01..\x00..\x00\x00.\x00\x00\x00\x00\x00\x00...\x00\x00\x10\x00\x00\x00..\x00\x00\x00..\x00\x10\x00\x00\x00.\x00\x00.\x00\x00\x00.\x00\x00\x00.\x00.\x00\x70\x6c\x78\x72/s and $virus = "W32/Plex\@MM", last LINE; /\x00{2}..\x00{13}[^\x00]\x00\x00.\x2e.{5}\x00\x00\xec[^\x00\x04](\x00|\x01)\x00\x00..\x00\x00.(\x00|\x01)\x00\x00..\x00{13}.\x00\x00[^\x00][^\x2e]/s and $virus = "W32/Magistr.a\@MM", last LINE; /\x00{2}..\x00{13}[^\x00]\x00\x00.\x2e.{5}\x00\x00\xed[^\x00](\x00|\x01)\x00\x00..\x00\x00.(\x00|\x01)\x00\x00..\x00{13}.\x00\x00[^\x00][^\x2e]/s and $virus = "W32/Magistr.b\@MM", last LINE; } if($total>102400 && $total<=160000) { /\x49\x2d\x57\x6f\x72\x6d\x2e\x53\x75\x70\x65\x72\x4e\x6f\x76\x61/s and $virus = "W32/Sintesys\@MM", last LINE; } if($total<=4096) { /\x49\x2d\x57\x6f\x72\x6d\x2e\x46\x72\x69\x65\x6e\x64\x73\x00\x43\x6f\x64\x65\x64\x20\x62\x79\x20\x50\x65\x74\x69\x4b\x20\x28\x63\x29\x32\x30\x30\x31.+\x54\x6f\x20\x6d\x79\x20\x66\x72\x69\x65\x6e\x64\x73\x20\x4d\x61\x79\x61\x20\x61\x6e\x64\x20\x4c\x61\x75\x72\x65\x6e\x74/s and $virus = "W32/PetTick\@MM", last LINE; } } elsif($type == 5) { } elsif($type == 6) { if($total==1281) { 
/\x25\x53\x79\x73\x74\x65\x6d\x52\x6f\x6f\x74\x25\x5c\x53\x79\x73\x74\x65\x6d\x33\x32\x5c\x66\x75\x6e\x74\x69\x6d\x65\d\d\x2e\x68\x74\x61/s and $virus = "VBS/Funtime", last LINE; } } elsif($type == 7) { /.+\x43\x6f\x64\x65\x52\x65\x64\x49\x49.+/s and $virus = "W32/CodeRed.c.worm", last LINE; /\x48\x4f\x53\x54\x3a\x77\x77\x77\x2e\x77\x6f\x72\x6d\x2e\x63\x6f\x6d\x0a\x20\x41\x63\x63\x65\x70\x74\x3a\x20\x2a\x2f\x2a\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x6c\x65\x6e\x67\x74\x68\x3a/s and $virus = "W32/CodeRed.a.worm", last LINE; } $save = substr($buff, (length($buff)/2)); } close(FILE); &_set_skip($skip) if($skip); $suspicious = 0 if($virus); &_set_suspicious($suspicious) if($suspicious); return($virus); } __END__ =head1 NAME File::Scan - Perl extension for Scanning files for Viruses =head1 SYNOPSIS use File::Scan; $fs = File::Scan->new([, OPTION ...]); $fs->set_callback( sub { my $filename = shift; my $bytes = shift; ... return("Callback Value"); } ); $fs->scan([FILE]); if(my $e = $fs->error) { print "$e\n"; } if(my $c = $fs->skipped) { print "file skipped ($c)\n"; } if($fs->suspicious) { print "suspicious file\n"; } if(my $res = $fs->callback) { print "$res\n"; } =head1 DESCRIPTION This module is designed to allows users to scan files for known viruses. The purpose is to provide a perl module to make plataform independent virus scanners. =head1 METHODS =head2 new([, OPTION ...]) This method create a new File::Scan object. The following keys are available: =over 7 =item callback => 'subroutine reference' if the item is set then use a callback subroutine reference to provide extra information and functionalities. The callback subroutine have two arguments: filename and first 1024 bytes read from the file. This only work for binary files. 
=item extension => 'string' add the specified extension to the infected file =item move => 'directory' move the infected file to the specified directory =item copy => 'directory' copy the infected file to the specified directory =item mkdir => octal_number if the value is set to an octal number then make the specified directories (example: mkdir => 0755). =item delete => 0 or 1 if the value is set to 1 delete the infected file =item max_txt_size => 'size in kbytes' scan a text file only if the file size is less than max_txt_size; larger text files are not scanned and are reported by skipped() with code 4. The default value is 5120 kbytes. Set to 0 for no limit. =item max_bin_size => 'size in kbytes' scan a binary file only if the file size is less than max_bin_size; larger binary files are not scanned and are reported by skipped() with code 5. The default value is 10240 kbytes. Set to 0 for no limit. =back =head2 scan([FILE]) This method scans a file for viruses and returns the name of the virus if a virus is found. =head2 set_callback([SUBREF]) This method is another way to install a callback subroutine reference. Take a look at the callback key above. =head2 skipped() This method returns a code number if the file was skipped and 0 if not. The following skipped codes are available: =over 6 =item 0 file not skipped =item 1 file is not vulnerable =item 2 file has zero size =item 3 the size of the file is small =item 4 the text file size is greater than the 'max_txt_size' argument =item 5 the binary file size is greater than the 'max_bin_size' argument =back =head2 suspicious() This method returns 1 if the file is suspicious and 0 if not. =head2 callback() This method returns the result from the callback subroutine. =head2 error() This method returns an error message if an error happens. =head1 AUTHOR Henrique Dias =head1 CREDITS Thanks to Rui de Castro, Sergio Castro, Ricardo Oliveira, Antonio Campelo, Branca Silveira, Helena Gomes and Anita Afonso for the help. Thanks to Fernando Martins for the personal collection of viruses. =head1 SEE ALSO perl(1). 
=cut File-Scan-1.43/Changes0000644000175000007640000005667510236172252013720 0ustar wwwadminwebRevision history for Perl extension File::Scan. 1.43 Wed May 4 17:07:43 WEST 2005 - a new word has been added to suspicious.txt file. - minor feature enhancements in Makefile.PL. - added two new virus signatures (W32/Sober.p@MM and W32/Mytob.gen@MM). - the W32/Bagle.ai@MM virus signature has been updated again to detect W32/Bagle.bb@MM variant. 1.42 Mon Mar 7 18:14:52 WET 2005 - added three new virus signatures (Downloader-PH, PWS-Banker.k.gen and W32_Mydoom.ba_MM). - the W32/MyWife.b@MM, W32/Sober.j@MM and W32/Bagle.ai@MM virus signatures hash also been updated to detect W32/MyWife.c@MM, W32/Sober.I@MM and W32/Bagle.dldr.gen variants. 1.41 Sat Feb 19 17:57:40 WET 2005 - added W32/Mydoom.bb@MM virus signature. 1.40 Sat Feb 12 19:28:36 WET 2005 - added W32/MyWife.b@MM virus signature. 1.39 Tue Dec 21 18:38:04 WET 2004 - added two new virus signatures (W32/Netsky.z@MM and W32/Zafi.d@MM). - added '4d5a000000' new application signature to Makefile.PL 1.38 Mon Nov 22 19:51:18 WET 2004 - added three new virus signatures (W32/Lovgate.af@MM, W32/Lovgate.q@MM and W32/Sober.j@MM). 1.37 Sat Nov 6 16:59:30 WET 2004 - added three new virus signatures (VBS/Inor.encoded, W32/Netsky.ab@MM and W32/Bagz.f@MM). 1.36 Sat Oct 30 19:03:30 WEST 2004 - added Generic PWS.f virus signature. - the W32/Bagle.ai@MM virus signature has been updated to detect W32/Bagle.bb@MM variant. 1.35 Mon Oct 18 14:14:10 WEST 2004 - added W32/Korgo.worm.aa virus signature. - the following virus signatures has been commented Ginger.mp, ARCV.Anna.742 and W32/HLLP.32767.a because in the last two years I didn't find any occurrences 1.34 Fri Oct 15 16:17:49 WEST 2004 - the W32/Darby@MM virus signature has been updated. - added W32/Netsky.ag@MM virus signature. 1.33 Tue Oct 12 13:45:27 WEST 2004 - the W32/Mabutu.b@MM virus signature has been updated. 
1.32 Thu Oct 7 14:50:08 WEST 2004 - the W32/Lovgate.x@MM virus signature has been updated. 1.31 Wed Oct 6 16:56:40 WEST 2004 - the W32/Mydoom.o@MM virus signature has been updated to detect W32/Mydoom.n@MM and W32/Mydoom.f@MM variants. - added W32/Lovgate.r@MM virus signature. 1.30 Sat Sep 18 19:06:46 WEST 2004 - the W32/Bagle.aa@MM virus signature has been updated. - added MultiDropper-KR virus signature. 1.29 Wed Sep 15 15:24:08 WEST 2004 - added W32/Bagle.aa@MM virus signature. 1.28 Sat Sep 11 17:47:30 WEST 2004 - the W32/Mydoom.o@MM virus signature has been updated. - added three new virus signatures (W32/Bagle.dll.dr, W32/Lovgate.ai@MM and W32/Mabutu.a@MM). 1.27 Tue Aug 17 14:30:00 WEST 2004 - the W32/Mydoom.o@MM and W32/Netsky.p@MM virus signatures were updated. - added JS_IllWill virus signature. 1.26 Tue Jul 27 14:01:13 WEST 2004 - added W32/Mydoom.o@MM virus signature. 1.25 Wed Jul 21 14:46:25 WEST 2004 - the W32/Bagle.ai@MM virus signature has been updated. 1.24 Wed Jul 21 13:38:17 WEST 2004 - added two new virus signatures (W32/Netsky.ac@MM and W32/Bagle.ai@MM). 1.23 Sat Jul 17 17:14:05 WEST 2004 - added W32/Bagle.af@MM virus signature. 1.22 Sat Jul 10 16:42:02 WEST 2004 - added W32/Bagle.dll.gen virus signature. 1.21 Tue Jul 6 14:12:28 WEST 2004 - added two new virus signatures (W32/Lovgate.ac@MM and W32/Bagle.ab@MM!hta). 1.20 Sat Jul 3 19:23:32 WEST 2004 - added W32/Netsky.w@MM virus signature. - the W95/Elkern.cav.c virus signature has been commented. 1.19 Mon Jun 28 12:19:52 WEST 2004 - the W32/Magistr.a@MM and W32/Netsky.c@MM virus signatures were updated. - added W32/Netsky.f@MM virus signature. 1.18 Sat Jun 19 20:00:25 WEST 2004 - the W32/Bagle.j@MM virus signature has been updated. 1.17 Mon Jun 14 13:49:07 WEST 2004 - added W32/Zafi.b@MM virus signature. 1.16 Sat Jun 12 15:38:52 WEST 2004 - the W32/Bagle.j@MM and W32/Netsky.c@MM virus signatures had been updated to detect W32/Bagle.aa@MM and W32/Netsky.f@MM variants. 
1.15 Sat May 29 17:01:23 WEST 2004 - the W32/Mydoom@MM virus signature has been updated to detect W32/Mydoom.g@MM variant. 1.14 Sat May 22 18:10:47 WEST 2004 - the W32/Netsky@MM virus signature has been updated. 1.13 Wed May 19 14:31:56 WEST 2004 - added W32/Bobax.worm.c virus signature. - the W32/Netsky.p@MM virus signature has been updated. 1.12 Mon May 17 15:02:37 WEST 2004 - the W32/Sober@MM virus signature has been updated. 1.11 Fri May 7 14:55:02 WEST 2004 - the W32/Mydoom@MM virus signature has been updated to detect W32/Mydoom.h@MM variant. 1.10 Wed May 5 14:39:48 WEST 2004 - added W32/Netsky.n@MM virus signature. 1.09 Mon May 3 13:56:53 WEST 2004 - the W32/Bagle.j@MM virus signature has been updated again 1.08 Fri Apr 30 19:53:10 WEST 2004 - the W32/Bagle.j@MM virus signature was updated. 1.07 Wed Apr 28 19:51:56 WEST 2004 - the W32/Netsky@MM virus signature has been updated to detect W32/Netsky.ab@MM variant. 1.06 Wed Apr 28 18:54:42 WEST 2004 - added two new virus signatures (W32/Bagle.aa@MM!vbs and W32/Bagle.aa@MM!hta). - the W32/Bagle.j@MM virus signature has been updated to detect W32/Bagle.aa@MM variant. 1.05 Tue Apr 27 16:14:29 WEST 2004 - the following virus signatures has been commented W32/Borges.cmp, W95/Puma, W95/Rekoj.GR, W95/Miam.dr, W32/Enviar.gen@M and W32/Javel.512 because in the two last years there hasn't been any occurrences. - minor feature enhancements in Makefile.PL. - added W32/Netsky.x@MM virus signature. - the New Malware.b signature has been removed because it is the W32/Mydoom.j@MM virus. - the W32/Mydoom@MM virus signature has been updated to detect W32/Mydoom.j@MM variant. - the W32/Netsky@MM virus signature has been updated to detect W32/Netsky.m@MM, W32/Netsky.w@MM and W32/Netsky.z@MM variant. - the W32/Netsky.c@MM virus signature has been updated to detect W32/Netsky.d@MM (Petite packed) variant. - examples/scan.pl: the version was updated to 0.17. - examples/scan.pl: the report now show the File::Scan module version. 
1.04 Mon Apr 26 20:43:05 WEST 2004 - added W32/Torvil@MM virus signature - the W32/Bagle.j@MM virus signature has been updated to detect W32/Bagle.z@MM variant 1.03 Thu Apr 22 17:55:53 WEST 2004 - added two new virus signatures (Exploit-DcomRpc.gen New Malware.b). - the W32/Netsky@MM virus signature has been updated 1.02 Wed Apr 14 19:52:42 WEST 2004 - added W32/Lovgate.x@MM virus signature - the W32/Netsky.p@MM virus signature has been updated to detect W32/Netsky.r@MM variant 1.01 Mon Apr 5 15:33:00 WEST 2004 - the W32/Sober@MM virus signature has been updated to detect W32/Sober.f@MM variant 1.00 Fri Apr 2 16:16:45 WEST 2004 - the W32/Bagle.u@MM virus signature has been updated 0.99 Fri Mar 26 15:25:19 WET 2004 - added W32/Bagle.u@MM virus signature 0.98 Tue Mar 23 14:13:33 WET 2004 - added W32/Netsky.p@MM virus signature 0.97 Mon Mar 22 15:14:43 WET 2004 - the W32/Netsky.c@MM virus signature has been updated again to detect W32/Netsky.d@MM (Petite packed) variant 0.96 Fri Mar 19 16:01:22 WET 2004 - the W32/Netsky.c@MM virus signature has been updated to detect W32/Netsky.c@MM (Petite packed), W32/Netsky.c@MM (UPX packed) and W32/Netsky.d@MM variant - the W32/Bagle.j@MM virus signature has been updated to detect W32/Bagle.n@MM and W32/Bagle.p@MM variants 0.95 Thu Mar 18 13:16:37 WET 2004 - the W32/Netsky.c@MM, W32/Bagle.e@MM and W32/Bagle.j@MM virus signatures were updated. 
0.94 Thu Mar 11 17:43:13 WET 2004 - added Proxy-Cidra virus signature Thanks to Michal Jankowski 0.93 Tue Mar 9 16:27:05 WET 2004 - added W32/Netsky.j@MM virus signature 0.92 Mon Mar 8 15:59:22 WET 2004 - the W32/Sober@MM virus signature has been updated to detect W32/Sober.d@MM variant - the virus W32/Bagle.k@MM is detected as W32/Bagle.j@MM 0.91 Wed Mar 3 20:27:26 WET 2004 - the W32/Netsky.c@MM virus signature has been updated to detect detect correctly W32/Netsky.d@MM variant 0.90 Wed Mar 3 13:36:02 WET 2004 - added '4d5a000001' new application signature to Makefile.PL - added W32/Bagle.j@MM virus signature 0.89 Tue Mar 2 19:30:53 WET 2004 - the W32/Bagle.e@MM virus signature has been updated to detect also W32/Bagle.h@MM virus variant - the W32/Netsky.c virus signature has been updated in previous version to detect W32/Netsky.d variant 0.88 Mon Mar 1 15:34:03 WET 2004 - added W32/Bagle.e@MM virus signature - the W32/Netsky.c@MM virus signature has been updated 0.87 Sun Feb 29 19:13:23 WET 2004 - the W32/Bagle@MM virus signature has been updated to detect W32/Bagle.c@MM variant 0.86 Thu Feb 26 13:47:02 WET 2004 - added W32/Netsky.c@MM virus signature - the W32/Mimail@MM virus signature has been updated to detect W32/Mimail.h@MM variant 0.85 Wed Feb 25 15:25:30 WET 2004 - the W32/Mydoom@MM virus signature has been updated to detect W32/Mydoom.f@MM variant 0.84 Wed Feb 18 14:13:02 WET 2004 - added W32/Netsky@MM virus signature. 
0.83 Tue Feb 17 17:07:49 WET 2004 - the W32/Bagle@MM virus signature has been updated to detect W32/Bagle.b@MM variant 0.82 Tue Feb 10 19:14:04 WET 2004 - the W32/Mimail@MM and W32/Mydoom@MM virus signatures have been updated to detect W32/Mimail.s@MM and W32/Mydoom.b@MM variants 0.81 Fri Jan 30 11:33:15 WET 2004 - the W32/Dumaru@MM virus signature has been updated to detect W32/Dumaru.y@MM variant 0.80 Tue Jan 27 15:30:19 WET 2004 - added three new virus signatures (W32/Mydoom@MM, W32_Darby@MM and VBS/Inor) - the W32/Dumaru@MM virus signature has been updated to detect W32/Dumaru.z@MM variant 0.79 Mon Jan 19 14:37:41 WET 2004 - added W32/Bagle@MM and Downloader-GN virus signatures. - the W32/Mimail@MM virus signature has been updated to detect W32/Mimail.p@MM variant 0.78 Tue Jan 6 15:30:38 WET 2004 - the W32/Sober@MM virus signature has been updated to detect W32/Sober.c@MM variant 0.77 Mon Dec 22 15:20:26 WET 2003 - added BackDoor-CAG virus signature - the W32/Mimail@MM virus signature has been updated to detect W32/Mimail.m@MM variant 0.76 Fri Nov 28 14:18:15 WET 2003 - added W32/Dumaru.gen@MM virus signature - a new example script (examples/vscan.pl) has also been added Thanks to Peter Sergeant 0.75 Wed Nov 19 11:50:01 WET 2003 - the W32/Mimail@MM virus signature has been updated to detect W32/Mimail.j@MM variant 0.74 Sat Nov 15 18:47:00 WET 2003 - added PWS-Mob.dr virus signature - the W32/Mimail@MM virus signature has been updated to detect W32/Mimail.g@MM and W32/Mimail.i@MM variants - examples/scan.pl: the version was updated to 0.16 - examples/scan.pl: a bug has been fixed in function to check Base64 files - examples/procmail/scanvirus.pl: the version was updated to 0.06 - examples/procmail/scanvirus.pl: a bug has been fixed in function to check Base64 files 0.73 Tue Nov 4 18:22:14 WET 2003 - added callback functionality to scan_text - examples/scan.pl: the version was updated to 0.15 - examples/scan.pl: function to check Base64 files has been added - 
examples/procmail/scanvirus.pl: the version was updated to 0.05 - examples/procmail/scanvirus.pl: function to check Base64 files has been added 0.72 Tue Nov 4 11:36:56 WET 2003 - the W32/Mimail@MM virus signature has been updated again 0.71 Mon Nov 3 15:16:42 WET 2003 - the W32/Mimail@MM virus signature was updated 0.70 Mon Nov 3 11:59:01 WET 2003 - added W32/Sober@MM virus signature 0.69 Fri Oct 10 15:06:36 WEST 2003 - the W32/Swen@MM virus signature was updated 0.68 Tue Sep 30 11:27:18 WEST 2003 - examples/procmail/scanvirus.pl: the version was updated to 0.04 - examples/procmail/scanvirus.pl: the problem with "die" in "unzip_file" function was fixed 0.67 Mon Sep 29 17:47:24 WEST 2003 - examples/procmail/scanvirus.pl: the version was updated to 0.03 - examples/procmail/scanvirus.pl: unsafe execution of unzip command was fixed - examples/scan.pl: the version was updated to 0.15 - examples/scan.pl: the "--quiet" option has been added Thanks to Pacman - examples/scan.pl: unsafe execution of unzip command was fixed Thanks to Pacman 0.66 Fri Sep 19 10:52:10 WEST 2003 - added W32/Swen@MM virus signature 0.65 Tue Sep 9 16:34:23 WEST 2003 - added W32/Pate.b virus signature 0.64 Tue Sep 2 15:43:27 WEST 2003 - the VBS/Haptime.gen@MM and W32/Sobig.f@MM virus signatures had been updated. - minor bug fix in Makefile.PL 0.63 Tue Aug 19 23:08:06 WEST 2003 - added W32/Sobig.f@MM virus signature (from Clam AntiVirus database) 0.62 Sat Aug 9 19:09:07 WEST 2003 - several documentation updates have been made. - examples/scan.pl: the version was updated to 0.14 - examples/scan.pl: minor bug fix - examples/procmail/scanvirus.pl: the version was updated to 0.02 - examples/procmail/scanvirus.pl: the scanner has been rewritten 0.61 Mon Aug 4 20:10:14 WEST 2003 - added W32/Mimail@MM virus signature. - examples/scan.pl: the version was updated to 0.13 - examples/scan.pl: check MHTML exploit function has been added 0.60 Mon Jul 28 15:05:22 WEST 2003 - added W32/Yaha.u@MM virus signature. 
Thanks to Jacky Hui Chun Kit 0.59 Tue Jul 1 14:15:24 WEST 2003 - added W32/Lovelorn@MM virus signature. - added set_callback method to provide extra information and functionalities. - added callback argument to the constructor - updated the documentation - examples/scan.pl: the version was updated to 0.12 - examples/scan.pl: added support to zip compressed files 0.58 Thu Jun 26 16:56:58 WEST 2003 - added W32/Sobig.e@MM virus signature. 0.57 Fri Jun 20 12:11:16 WEST 2003 - added BAT/Mumu.worm virus signature. Thanks to Anita Dias - cleans up the code in a number of places. 0.56 Thu Jun 5 14:22:14 WEST 2003 - added W32/Bugbear.b@MM virus signature. 0.55 Mon Jun 2 18:25:14 WEST 2003 - added two new virus signatures (W32/Sobig.c@MM and W32/Ganda@MM). 0.54 Tue May 20 14:04:25 WEST 2003 - added W32/Palyh@MM virus signature. - BackDoor-ARG.dr virus signatures was updated. 0.53 Fri May 16 14:07:36 WEST 2003 - added BackDoor-AQJ virus signature. - Fixed a typo in POD. Thanks to Kevin C. Krinke 0.52 Wed May 14 18:14:48 WEST 2003 - added two new virus signatures (W32/Fizzer.gen@MM and W32/Fizzer.dll). 0.51 Sat Apr 26 19:04:21 WEST 2003 - added W32/Lovgate.g@M virus signature. Thanks to Anita Dias 0.50 Wed Apr 23 15:12:58 WEST 2003 - added two new virus signatures (BackDoor-ARG and BackDoor-ARG.dr). 0.49 Tue Apr 22 16:09:11 WEST 2003 - examples/scan.pl: the version was updated to 0.11 - examples/scan.pl: fixed scan directory problem when the path is equal a "/". 0.48 Fri Apr 11 12:34:21 WEST 2003 - added W32/Oror.aa@MM virus signature. Thanks to Emil Yakimov 0.47 Wed Apr 9 15:16:24 WEST 2003 - W32/Gibe.b@MM virus signatures was updated. 0.46 Tue Apr 8 14:59:15 WEST 2003 - added W32/Gibe.b@MM virus signature. - W32/Gibe@MM virus signatures was updated. 0.45 Sat Mar 29 18:37:28 WET 2003 - the problems with open function have been fixed. In perl version 5.6 or greater, now open function has three argument. In other versions the sysopen function is used. 
0.44 Sat Mar 15 16:08:24 WET 2003 - added VBS/Fourcourse virus signature. 0.43 Mon Jan 13 12:22:16 WET 2003 - added W32/Sobig@MM virus signature. - added new question/answer to FAQ. 0.42 Fri Jan 10 15:34:57 WET 2003 - rename W32/Lirva.a@MM virus signature to W32/Lirva.gen@MM - W32/Lirva.a@MM virus signatures was updated. 0.41 Thu Jan 9 14:38:38 WET 2003 - added W32/Lirva.a@MM virus signature. 0.40 Sat Jan 4 16:45:32 WET 2003 - added W32/Yaha.k virus signature. 0.39 Sat Dec 28 19:47:47 WET 2002 - added W32/Merkur@MM virus signature. - my email address has changed to hdias@aesbuc.pt. 0.38 Tue Nov 12 16:55:02 WET 2002 - added W32/Braid@MM virus signature. - spec-files directory was added. - fixed a small 'bug' in SuSE spec-file. Thanks to Pascal Bleser 0.37 Wed Oct 2 12:06:57 WEST 2002 - the README file was updated - the spec-file was changed to work with SuSE distribution Thanks to Pascal Bleser . - added FAQ file - added three new virus signatures (W32/Bugbear@MM, Linux/Slapper.worm and W32/Sachiel.worm). 0.36 Thu Sep 12 13:01:48 WEST 2002 - added four new virus signatures (W32/Blinkom, W32/ProLin@MM, W97M/Thus.gen and Linux.Osf.8759). 0.35 Fri Aug 30 12:19:17 WEST 2002 - added seven new virus signatures (BackDoor-AJH, W32/Stopin.b@MM, W32/Cecile.dr, W32/Bika.gen, VBS/Hatred.gen, W32/EnerKaz.worm.a and W32/Hokilo.worm). 0.34 Mon Jul 22 12:23:16 WEST 2002 - added new application signature to Makefile.PL - added four new virus signatures (W32/Sentral.dr, VBS/Funtime, W32/Idele, JS/Germinal) and W32/Plex@MM, W32/Yaha.gen@MM and W32/Chiton.ab.dr virus signatures was updated. 
0.33 Mon Jul 15 11:26:24 GMT 2002 - rename W32/Frethem.f@MM virus signature to W32/Frethem.fl@MM - added two new virus signatures (W32/Duni.worm.b and W32/Plex@MM) and W32/Frethem.f@MM virus signature was updated 0.32 Mon Jul 8 11:52:39 WEST 2002 - added five new virus signatures (JS/Kak@M, W97M/Gorum, W32/Gorum.gen@MM, BSD/Scalper.worm and W97M/VMPCK.dd) and W32/SirCam@MM virus signature was updated - minor feature enhancements in Makefile.PL - Thanks to Teguh Kurniawan for provide JS/Kak@M virus 0.31 Tue Jun 25 11:10:58 WEST 2002 - added four new virus signatures (W32/Yaha.gen@MM, W32/Perrun, VBS/Chick.e@M and W32/Higuy@MM) 0.30 Mon Jun 17 11:44:33 WEST 2002 - rename W32/Trilisa@MM virus signature to W32/Trilisa.gen@MM - added two new virus signatures (W32/Frethem.f@MM and X97M/Generic) and W32/Trilisa.gen@MM virus signature was updated - examples/scan.pl: the version was updated to 0.10 - examples/scan.pl: fixed scan directory problem when the name start with "." 0.29 Mon Jun 3 12:05:25 WEST 2002 - removed the VBS/Chick.c@M virus signature - added three new virus signatures (VBS/Chick.bc@M, W32/Navidad.gen@M and W32/Ska@M). Thanks to Philipp W. for provide W32/Ska@M virus 0.28 Mon May 27 12:11:14 WEST 2002 - added three new virus signatures (W32/GOP@MM, JS/SQL.Spida.worm.b and W32/Benjamin.worm) 0.27 Mon May 20 12:24:41 WEST 2002 - added two new virus signatures (VBS/Chick.d@M and W32/Choke.c.worm) - changed the VBS/BritneyPic@MM virus name to VBS/Chick.a@M and signature was updated - the perl-File-Scan.spec file was updated 0.26 Tue May 14 11:29:26 WEST 2002 - added four new virus signatures (W32/Trilisa@MM, IRC/Theme.worm.dr, W32/Haiku@MM and W32/Zhangpo) - procmail recipe example for scan incoming mail was added - provide perl-File-Scan.spec to build .rpm for RedHat 7.2. 
Thanks to Michael McLagan 0.25 Sat May 4 19:41:19 WEST 2002 - added two new virus signatures - the README file was updated 0.24 Sat Apr 27 19:13:28 WEST 2002 - added "latest.pl" script to get the most recent version of File::Scan module from CPAN - added three new virus signatures 0.23 Mon Apr 22 12:29:50 WEST 2002 - the Makefile.PL was changed, the code has been optimized - added six new application signatures - added new virus signatures and others have been updated. Thanks to Risko Gergely and Nels Lindquist - added url to the README file of the SuSE Linux RPM package. Thanks to Pascal Bleser 0.22 Mon Apr 15 13:48:36 WEST 2002 - added two new virus signatures 0.21 Sat Apr 13 18:36:08 WEST 2002 - added new virus signatures and one have been updated 0.20 Fri Apr 5 12:25:52 WEST 2002 - added new virus signatures - added new word to suspicious file - the problems resulting from running with the Perl warning flag "on" (perl -w) was resolved. Thanks to Hilko Bengen - examples/scan.pl: the version was updated to 0.09 - examples/scan.pl: added the Perl warning flag (-w) to script to turn warnings 'on' 0.19 Thu Apr 4 12:04:53 WEST 2002 - added new virus signatures and Magistr virus signature was updated again 0.18 Wed Apr 3 12:00:17 WEST 2002 - added new virus signatures and others have been updated 0.17 Thu Mar 28 12:42:20 WET 2002 - added new virus signatures and Magistr virus signature was updated - minor feature enhancements in Makefile.PL 0.16 Sat Mar 23 18:21:13 WET 2002 - added more three new virus signatures - improved the speed - all suspicious words was changed to lowercase - minor bugfixes 0.15 Sat Mar 23 10:11:29 WET 2002 - added new virus signatures and PetTick virus signature was updated - added suspicious() method to test if the file is suspicious - suspicious.txt file was added to files directory - the Makefile.PL was changed - examples/scan.pl: minor feature enhancements - examples/scan.pl: the version was updated to 0.08 - documentation updates 0.14 Tue 
Mar 19 14:01:57 WET 2002 - added new virus signature and LoveLetter virus signature was updated - minor bugfixes in scan_text method - the Makefile.PL was changed 0.13 Sat Mar 16 17:08:08 WET 2002 - added more three new virus signatures - minor bugfixes 0.12 Mon Mar 11 10:56:36 WET 2002 - added three new virus signatures - added new type 0.11 Sat Mar 9 17:30:07 WET 2002 - added new virus signatures 0.10 Tue Mar 5 09:51:15 WET 2002 - added new signatures - the text signatures was changed to hex 0.09 Sat Mar 2 18:01:25 WET 2002 - added new signatures and updated text signatures - added the signature for EICAR-Test-File - the scan_text function was rewritten again - fixed the problem whith pdf files. now the pdf files are skipped - a few code style changes - the method 'skipped' now return code numbers - examples/scan.pl: it display a message when the file is skipped - examples/scan.pl: the version was updated to 0.07 - documentation updates 0.08 Wed Feb 27 13:12:32 WET 2002 - added new signatures - the value of mkdir argument was changed - fixed a 'bug' in scan_binary function - removed '%filetypes' from Makefile.PL, is not necessary - examples/scan.pl: the value of option mkdir was changed to octal - updated the documentation 0.07 Tue Feb 26 10:06:06 WET 2002 - test file was moved to test directory - added new signatures - added mkdir argument to the constructor - examples/scan.pl: fixed a 'bug' in options - examples/scan.pl: new option were added 0.06 Fri Feb 22 11:26:43 WET 2002 - added new signatures and updated others - added max_txt_size and max_bin_size arguments to the constructor - added skipped() method to test if file was skipped - updated the documentation - examples/scan.pl: new features were added 0.05 Thu Feb 21 12:04:17 WET 2002 - added new signatures and updated others - changed the file types and the signatures of text files - scan_text function has changed - updated the documentation 0.04 Sat Feb 16 17:25:32 WET 2002 - added docs directory for 
specific documentation and file write_sign_bin.txt - added new signatures - examples/scan.pl: add --version and --follow options 0.03 Fri Feb 15 13:28:34 WET 2002 - improved the speed of scan_text function in 24% - examples/scan.pl: fixed the problem with symbolic links in dir_handle function - examples/scan.pl: changed the report section to use Benchmark module 0.02 Thu Feb 14 13:24:19 2002 - fixed a 'bug' in scan_text function 0.01 Mon Feb 11 15:32:08 2002 - original version; created by h2xs 1.20 with options -A -X -n File::Scan File-Scan-1.43/spec-files/0000755000175000007640000000000010236172426014437 5ustar wwwadminwebFile-Scan-1.43/spec-files/SuSE/0000755000175000007640000000000010236172426015256 5ustar wwwadminwebFile-Scan-1.43/spec-files/SuSE/perl-File-Scan.spec0000644000175000007640000003350310236172075020637 0ustar wwwadminweb%define class File %define subclass Scan %define _version 1.43 %define _release 1 # Derived values %define module %{class}-%{subclass} %define perlver %(rpm -q perl --queryformat '%%{version}' 2>/dev/null) %define suse %(test -f /etc/SuSE-release && echo 1 || echo 0) %define perlarchlib %(%{__perl} -V:installarchlib|%{__sed} "s/^.*='//;s/';$//") %define perlprivlib %(%{__perl} -V:installprivlib|%{__sed} "s/^.*='//;s/';$//") %if suse %define suse_version %(grep VERSION /etc/SuSE-release|cut -f3 -d " ") %define suse_version_short %(echo %{suse_version}|tr -d '.') %define distro_release %{_release}suse%{suse_version_short} %define distro_group Development/Languages/Perl %else %define distro_release %{_release} %define distro_group Development/Perl %endif Summary: Perl module %{class}::%{subclass} for scanning files for viruses Summary(fr): Module Perl %{class}::%{subclass} - détecteur de virus Summary(de): Perl-Modul %{class}::%{subclass} - Virus-Scanner Name: perl-%{module} Version: %{_version} Release: %{distro_release} Group: %{distro_group} License: GPL/Artistic License - see documentation Vendor: Henrique Dias Packager: Pascal 
Bleser Source: http://www.cpan.org/modules/by-module/%{module}-%{version}.tar.gz Url: http://www.cpan.org/modules/by-module/%{class} BuildRequires: perl, make BuildArch: noarch BuildRoot: %{_tmppath}/build-%{name}-%{_version}-root/ Requires: perl = %{perlver} Provides: %{module} = %{_version} %if suse Distribution: SuSE Linux %{_suse_version} %endif %description Perl module which implements the %{class}::%{subclass} class. %{class}::%{subclass} provides its own virus signature database. You can use the "virusscan" script to scan files or directories for viruses. You can use the script "virus-procmail" to scan for infected e-mails using procmail rules - have a look at %{_docdir}/README.procmail for further details. The script "virus-update" can be used to download and install the latest version of the %{class}::%{subclass} perl module (must be root to do that). Note that it won't update the RPM package but install the module from the sources. %description -l fr Module Perl %{class}::%{subclass} pour détecter des virus. Il dispose de sa propre base de données de signatures de virus. Vous pouvez utiliser le script "virusscan" pour vérifier que des fichiers ou des répertoires ne sont pas infectés. Le script "virus-procmail" permet de vérifier si des e-mails sont infectés à partir de règles procmail - lisez le fichier %{_docdir}/README.procmail pour plus de détails. Le script "virus-update" peut être utilisé pour télécharger et installer la dernière version du module Perl %{class}::%{subclass} (vous devez être root). Notez que ce script ne va pas effectuer une mise à jour du paquetage RPM mais installer le module à partir des sources. %description -l de Diese Paket enthält das Perl-Modul %{class}::%{subclass} zum Scannen nach Viren. Es verfügt über eine eigene Virus-Signaturen-Datenbank. Das Skript "virusscan" kann zum Suchen nach Viren in Dateien oder Verzeichnissen verwendet werden. 
Das "virus-procmail"-Skript kann aus procmail-Regeln heraus nach Viren in E-Mails suchen - lesen Sie bitte die Datei %{_docdir}/README.procmail für nähere Informationen. Das "virus-update"-Skript kann zum herunterladen und installieren der letzten Version des Perl-Moduls %{class}::%{subclass} verwendet werden (Sie müssen diese Skript als root aufrufen). Es wird nicht dieses RPM-Paket aktualisieren sondern das Modul anhand des Quellcodes installieren. %prep %setup -q -n %{module}-%{version} %{__perl} Makefile.PL INSTALLDIRS=perl %build %{__make} OPTIMIZE="$RPM_OPT_FLAGS" %install %{__rm} -rf "${RPM_BUILD_ROOT}" %{__mkdir_p} "${RPM_BUILD_ROOT}%{perlprivlib}" %{__mkdir_p} "${RPM_BUILD_ROOT}%{perlarchlib}" %{__make} install PREFIX="${RPM_BUILD_ROOT}%{_prefix}" %if suse # # SuSE-specific handling of Perl modules # %{__mkdir_p} "${RPM_BUILD_ROOT}/var/adm/perl-modules" %{__sed} "s@${RPM_BUILD_ROOT}@@g" \ < "${RPM_BUILD_ROOT}%{perlarchlib}/perllocal.pod" \ > "${RPM_BUILD_ROOT}/var/adm/perl-modules/%{_name}" %endif # # Remove ${RPM_BUILD_ROOT} from .packlist file # packlist=`find "${RPM_BUILD_ROOT}%{perlarchlib}/" -name '.packlist' -type f` if [ ! 
-f "$packlist" ]; then echo "*** ERROR: could not find .packlist :(" exit 1 fi %{__cp} "$packlist" "${packlist}.old" %{__sed} "s@${RPM_BUILD_ROOT}@@g" < "${packlist}.old" \ | sort -u > "$packlist" %{__rm} -f "${packlist}.old" # # Install additional example scripts # %{__mkdir_p} "${RPM_BUILD_ROOT}%{_bindir}" %{__install} -m 755 examples/scan.pl "${RPM_BUILD_ROOT}%{_bindir}/virusscan" %{__install} -m 755 examples/latest.pl "${RPM_BUILD_ROOT}%{_bindir}/virusupdate" %{__install} -m 755 examples/procmail/scanvirus.pl "${RPM_BUILD_ROOT}%{_bindir}/virus-procmail" # rename procmail-README to include it into the %doc section %{__mv} examples/procmail/README README.procmail %clean %{__rm} -rf "${RPM_BUILD_ROOT}" %files %defattr(-,root,root) %doc Changes README TODO docs/* README.procmail %{_bindir}/* %doc %{_mandir}/man*/* %{perlprivlib}/%{class}/%{subclass}.pm %dir %{perlarchlib}/auto/File/Scan %{perlarchlib}/auto/File/Scan/.packlist %if suse /var/adm/perl-modules/%{_name} %endif %post %if suse /sbin/SuSEconfig --quick --module perl %endif %changelog * Wed May 04 2005 Henrique Dias - Updated to 1.43 * Mon Mar 07 2005 Henrique Dias - Updated to 1.42 * Sat Feb 19 2005 Henrique Dias - Updated to 1.41 * Sat Feb 12 2005 Henrique Dias - Updated to 1.40 * Tue Dec 21 2004 Henrique Dias - Updated to 1.39 * Mon Nov 22 2004 Henrique Dias - Updated to 1.38 * Sat Nov 06 2004 Henrique Dias - Updated to 1.37 * Sat Oct 30 2004 Henrique Dias - Updated to 1.36 * Mon Oct 18 2004 Henrique Dias - Updated to 1.35 * Fri Oct 15 2004 Henrique Dias - Updated to 1.34 * Tue Oct 12 2004 Henrique Dias - Updated to 1.33 * Thu Oct 07 2004 Henrique Dias - Updated to 1.32 * Wed Oct 06 2004 Henrique Dias - Updated to 1.31 * Sat Sep 18 2004 Henrique Dias - Updated to 1.30 * Wed Sep 15 2004 Henrique Dias - Updated to 1.29 * Sat Sep 11 2004 Henrique Dias - Updated to 1.28 * Tue Aug 17 2004 Henrique Dias - Updated to 1.27 * Tue Jul 27 2004 Henrique Dias - Updated to 1.26 * Wed Jul 21 2004 Henrique Dias - 
Updated to 1.25 * Wed Jul 21 2004 Henrique Dias - Updated to 1.24 * Sat Jul 17 2004 Henrique Dias - Updated to 1.23 * Sat Jul 10 2004 Henrique Dias - Updated to 1.22 * Tue Jul 06 2004 Henrique Dias - Updated to 1.21 * Sat Jul 03 2004 Henrique Dias - Updated to 1.20 * Mon Jun 28 2004 Henrique Dias - Updated to 1.19 * Sat Jun 19 2004 Henrique Dias - Updated to 1.18 * Mon Jun 14 2004 Henrique Dias - Updated to 1.17 * Sat Jun 12 2004 Henrique Dias - Updated to 1.16 * Sat May 29 2004 Henrique Dias - Updated to 1.15 * Sat May 22 2004 Henrique Dias - Updated to 1.14 * Wed May 19 2004 Henrique Dias - Updated to 1.13 * Mon May 17 2004 Henrique Dias - Updated to 1.12 * Fri May 07 2004 Henrique Dias - Updated to 1.11 * Wed May 05 2004 Henrique Dias - Updated to 1.10 * Mon May 03 2004 Henrique Dias - Updated to 1.09 * Fri Apr 30 2004 Henrique Dias - Updated to 1.08 * Wed Apr 28 2004 Henrique Dias - Updated to 1.07 * Wed Apr 28 2004 Henrique Dias - Updated to 1.06 * Tue Apr 27 2004 Henrique Dias - Updated to 1.05 * Mon Apr 26 2004 Henrique Dias - Updated to 1.04 * Thu Apr 22 2004 Henrique Dias - Updated to 1.03 * Wed Apr 14 2004 Henrique Dias - Updated to 1.02 * Mon Apr 05 2004 Henrique Dias - Updated to 1.01 * Fri Apr 02 2004 Henrique Dias - Updated to 1.00 * Fri Mar 26 2004 Henrique Dias - Updated to 0.99 * Tue Mar 23 2004 Henrique Dias - Updated to 0.98 * Mon Mar 22 2004 Henrique Dias - Updated to 0.97 * Fri Mar 19 2004 Henrique Dias - Updated to 0.96 * Thu Mar 18 2004 Henrique Dias - Updated to 0.95 * Thu Mar 11 2004 Henrique Dias - Updated to 0.94 * Tue Mar 09 2004 Henrique Dias - Updated to 0.93 * Mon Mar 08 2004 Henrique Dias - Updated to 0.92 * Wed Mar 03 2004 Henrique Dias - Updated to 0.91 * Wed Mar 03 2004 Henrique Dias - Updated to 0.90 * Tue Mar 02 2004 Henrique Dias - Updated to 0.89 * Mon Mar 01 2004 Henrique Dias - Updated to 0.88 * Sun Feb 29 2004 Henrique Dias - Updated to 0.87 * Thu Feb 26 2004 Henrique Dias - Updated to 0.86 * Wed Feb 25 2004 Henrique Dias - 
Updated to 0.85 * Wed Feb 18 2004 Henrique Dias - Updated to 0.84 * Tue Feb 17 2004 Henrique Dias - Updated to 0.83 * Fri Feb 10 2004 Henrique Dias - Updated to 0.82 * Fri Jan 30 2004 Henrique Dias - Updated to 0.81 * Tue Jan 27 2004 Henrique Dias - Updated to 0.80 * Mon Jan 19 2004 Henrique Dias - Updated to 0.79 * Tue Jan 06 2004 Henrique Dias - Updated to 0.78 * Mon Dec 22 2003 Henrique Dias - Updated to 0.77 * Fri Nov 28 2003 Henrique Dias - Updated to 0.76 * Wed Nov 19 2003 Henrique Dias - Updated to 0.75 * Sat Nov 15 2003 Henrique Dias - Updated to 0.74 * Tue Nov 04 2003 Henrique Dias - Updated to 0.73 * Tue Nov 04 2003 Henrique Dias - Updated to 0.72 * Mon Nov 03 2003 Henrique Dias - Updated to 0.71 * Mon Nov 03 2003 Henrique Dias - Updated to 0.70 * Fri Oct 10 2003 Henrique Dias - Updated to 0.69 * Tue Sep 30 2003 Henrique Dias - Updated to 0.68 * Mon Sep 29 2003 Henrique Dias - Updated to 0.67 * Fri Sep 19 2003 Henrique Dias - Updated to 0.66 * Tue Sep 09 2003 Henrique Dias - Updated to 0.65 * Tue Sep 02 2003 Henrique Dias - Updated to 0.64 * Tue Aug 19 2003 Henrique Dias - Updated to 0.63 * Mon Aug 09 2003 Henrique Dias - Updated to 0.62 * Mon Aug 04 2003 Henrique Dias - Updated to 0.61 * Mon Jul 28 2003 Henrique Dias - Updated to 0.60 * Mon Jul 01 2003 Henrique Dias - Updated to 0.59 * Fri Jun 26 2003 Henrique Dias - Updated to 0.58 * Fri Jun 20 2003 Henrique Dias - Updated to 0.57 * Thu Jun 05 2003 Henrique Dias - Updated to 0.56 * Mon Jun 02 2003 Henrique Dias - Updated to 0.55 * Tue May 20 2003 Henrique Dias - Updated to 0.54 * Fri May 16 2003 Henrique Dias - Updated to 0.53 * Wed May 14 2003 Henrique Dias - Updated to 0.52 * Sat Apr 26 2003 Henrique Dias - Updated to 0.51 * Wed Apr 23 2003 Henrique Dias - Updated to 0.50 * Tue Apr 22 2003 Henrique Dias - Updated to 0.49 * Fri Apr 11 2003 Henrique Dias - Updated to 0.48 * Wed Apr 09 2003 Henrique Dias - Updated to 0.47 * Tue Apr 08 2003 Henrique Dias - Updated to 0.46 * Sat Mar 29 2003 Henrique Dias - 
Updated to 0.45 * Sat Mar 15 2003 Henrique Dias - Updated to 0.44 * Mon Jan 13 2003 Henrique Dias - Updated to 0.43 * Fri Jan 10 2003 Henrique Dias - Updated to 0.42 * Thu Jan 09 2003 Henrique Dias - Updated to 0.41 * Sat Jan 04 2003 Henrique Dias - Updated to 0.40 * Sat Dec 28 2002 Henrique Dias - Updated to 0.39 * Fri Nov 12 2002 Henrique Dias - Updated to 0.38 - fixed a small bug in spec-file * Fri Oct 02 2002 Pascal Bleser - Updated to 0.37 - Use of __-macros everywhere - Ported to SuSE: autodetects if built on SuSE Linux, should work on any distro - Moved perl Makefile.PL into setup section - Added installation of additional scripts - Added french and german translations - Changed many other things to make them cleaner * Thu Sep 12 2002 Michael McLagan - Updated to 0.36 * Fri Aug 30 2002 Michael McLagan - Updated to 0.35 * Mon Jul 22 2002 Michael McLagan - Updated to 0.34 * Tue Jul 15 2002 Michael McLagan - Updated to 0.33 * Tue Jul 08 2002 Michael McLagan - Updated to 0.32 * Tue Jun 25 2002 Michael McLagan - Updated to 0.31 * Tue Jun 17 2002 Michael McLagan - Updated to 0.30 * Mon Jun 03 2002 Michael McLagan - Updated to 0.29 * Mon May 27 2002 Michael McLagan - Updated to 0.28 * Sat May 20 2002 Michael McLagan - Updated to 0.27 * Mon May 14 2002 Michael McLagan - Updated to 0.26 Inserted code to adapt to perl version Replaced real_name macro with module * Sun May 05 2002 Michael McLagan - Updated to 0.25 Fixed a couple of items in spec file * Tue Apr 30 2002 Michael McLagan - initial version 0.24 File-Scan-1.43/spec-files/RedHat/0000755000175000007640000000000010236172426015606 5ustar wwwadminwebFile-Scan-1.43/spec-files/RedHat/perl-File-Scan.spec0000644000175000007640000002330510236172054021163 0ustar wwwadminweb%define class File %define subclass Scan %define version 1.43 %define release 1 # Derived values %define module %{class}-%{subclass} %define perlver %(rpm -q perl --queryformat '%%{version}' 2>/dev/null) Summary: Perl module %{class}::%{subclass} 
Name: perl-%{module}
Version: %{version}
Release: %{release}
Group: Development/Perl
License: See documentation
Vendor: Henrique Dias
Source: http://www.cpan.org/modules/by-module/%{module}-%{version}.tar.gz
Url: http://www.cpan.org/modules/by-module/%{class}
BuildRequires: perl
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-root/
# perlver is read from the build host's perl when the spec is parsed, so the
# built package requires exactly that perl version at install time.
Requires: perl = %{perlver}
Provides: %{module} = %{version}

%description
Perl module which implements the %{class}::%{subclass} class.

%prep
%setup -q -n %{module}-%{version}

%build
%{__perl} Makefile.PL
%{__make} OPTIMIZE="$RPM_OPT_FLAGS"

%install
rm -rf $RPM_BUILD_ROOT
%makeinstall PREFIX=$RPM_BUILD_ROOT%{_prefix}

# Install the example scan program as virusscan
mkdir -p $RPM_BUILD_ROOT%{_bindir}
install -m 755 examples/scan.pl $RPM_BUILD_ROOT%{_bindir}/virusscan

# Clean up some files we don't want/need
# (unquoted command substitution: relies on none of the matched paths
# containing whitespace, which holds for files under the build root)
rm -rf `find $RPM_BUILD_ROOT -name "perllocal.pod" -o \
    -name ".packlist" -o \
    -name "*.bs"`

# Remove all empty directories
find $RPM_BUILD_ROOT%{_prefix} -type d | tac | xargs rmdir --ign

%clean
# NOTE(review): the clean section records the current directory, steps up
# one level and then removes that directory, i.e. the whole unpacked source
# tree and not only the build root. It must only ever run from inside the
# per-build source directory.
HERE=`pwd`
cd ..
rm -rf $HERE rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %doc Changes README TODO docs/write_sign_bin.txt %{_prefix} %changelog * Wed May 04 2005 Henrique Dias - Updated to 1.43 * Mon Mar 07 2005 Henrique Dias - Updated to 1.42 * Sat Feb 19 2005 Henrique Dias - Updated to 1.41 * Sat Feb 12 2005 Henrique Dias - Updated to 1.40 * Tue Dec 21 2004 Henrique Dias - Updated to 1.39 * Mon Nov 22 2004 Henrique Dias - Updated to 1.38 * Sat Nov 06 2004 Henrique Dias - Updated to 1.37 * Sat Oct 30 2004 Henrique Dias - Updated to 1.36 * Mon Oct 18 2004 Henrique Dias - Updated to 1.35 * Fri Oct 15 2004 Henrique Dias - Updated to 1.34 * Tue Oct 12 2004 Henrique Dias - Updated to 1.33 * Thu Oct 07 2004 Henrique Dias - Updated to 1.32 * Wed Oct 06 2004 Henrique Dias - Updated to 1.31 * Sat Sep 18 2004 Henrique Dias - Updated to 1.30 * Wed Sep 15 2004 Henrique Dias - Updated to 1.29 * Sat Sep 11 2004 Henrique Dias - Updated to 1.28 * Tue Aug 17 2004 Henrique Dias - Updated to 1.27 * Tue Jul 27 2004 Henrique Dias - Updated to 1.26 * Wed Jul 21 2004 Henrique Dias - Updated to 1.25 * Wed Jul 21 2004 Henrique Dias - Updated to 1.24 * Sat Jul 17 2004 Henrique Dias - Updated to 1.23 * Sat Jul 10 2004 Henrique Dias - Updated to 1.22 * Tue Jul 06 2004 Henrique Dias - Updated to 1.21 * Sat Jul 03 2004 Henrique Dias - Updated to 1.20 * Mon Jun 28 2004 Henrique Dias - Updated to 1.19 * Sat Jun 19 2004 Henrique Dias - Updated to 1.18 * Mon Jun 14 2004 Henrique Dias - Updated to 1.17 * Sat Jun 12 2004 Henrique Dias - Updated to 1.16 * Sat May 29 2004 Henrique Dias - Updated to 1.15 * Sat May 22 2004 Henrique Dias - Updated to 1.14 * Wed May 19 2004 Henrique Dias - Updated to 1.13 * Mon May 17 2004 Henrique Dias - Updated to 1.12 * Fri May 07 2004 Henrique Dias - Updated to 1.11 * Wed May 05 2004 Henrique Dias - Updated to 1.10 * Mon May 03 2004 Henrique Dias - Updated to 1.09 * Fri Apr 30 2004 Henrique Dias - Updated to 1.08 * Wed Apr 28 2004 Henrique Dias - Updated to 1.07 * Wed Apr 28 
2004 Henrique Dias - Updated to 1.06 * Tue Apr 27 2004 Henrique Dias - Updated to 1.05 * Mon Apr 26 2004 Henrique Dias - Updated to 1.04 * Thu Apr 22 2004 Henrique Dias - Updated to 1.03 * Wed Apr 14 2004 Henrique Dias - Updated to 1.02 * Mon Apr 05 2004 Henrique Dias - Updated to 1.01 * Fri Apr 02 2004 Henrique Dias - Updated to 1.00 * Fri Mar 26 2004 Henrique Dias - Updated to 0.99 * Tue Mar 23 2004 Henrique Dias - Updated to 0.98 * Mon Mar 22 2004 Henrique Dias - Updated to 0.97 * Fri Mar 19 2004 Henrique Dias - Updated to 0.96 * Thu Mar 18 2004 Henrique Dias - Updated to 0.95 * Thu Mar 11 2004 Henrique Dias - Updated to 0.94 * Tue Mar 09 2004 Henrique Dias - Updated to 0.93 * Mon Mar 08 2004 Henrique Dias - Updated to 0.92 * Wed Mar 03 2004 Henrique Dias - Updated to 0.91 * Wed Mar 03 2004 Henrique Dias - Updated to 0.90 * Tue Mar 02 2004 Henrique Dias - Updated to 0.89 * Mon Mar 01 2004 Henrique Dias - Updated to 0.88 * Sun Feb 29 2004 Henrique Dias - Updated to 0.87 * Thu Feb 26 2004 Henrique Dias - Updated to 0.86 * Wed Feb 25 2004 Henrique Dias - Updated to 0.85 * Wed Feb 18 2004 Henrique Dias - Updated to 0.84 * Tue Feb 17 2004 Henrique Dias - Updated to 0.83 * Fri Feb 10 2004 Henrique Dias - Updated to 0.82 * Fri Jan 30 2004 Henrique Dias - Updated to 0.81 * Tue Jan 27 2004 Henrique Dias - Updated to 0.80 * Mon Jan 19 2004 Henrique Dias - Updated to 0.79 * Tue Jan 06 2004 Henrique Dias - Updated to 0.78 * Mon Dec 22 2003 Henrique Dias - Updated to 0.77 * Fri Nov 28 2003 Henrique Dias - Updated to 0.76 * Wed Nov 19 2003 Henrique Dias - Updated to 0.75 * Sat Nov 15 2003 Henrique Dias - Updated to 0.74 * Tue Nov 04 2003 Henrique Dias - Updated to 0.73 * Tue Nov 04 2003 Henrique Dias - Updated to 0.72 * Mon Nov 03 2003 Henrique Dias - Updated to 0.71 * Mon Nov 03 2003 Henrique Dias - Updated to 0.70 * Fri Oct 10 2003 Henrique Dias - Updated to 0.69 * Tue Sep 30 2003 Henrique Dias - Updated to 0.68 * Mon Sep 29 2003 Henrique Dias - Updated to 0.67 * Fri Sep 19 
2003 Henrique Dias - Updated to 0.66 * Tue Sep 09 2003 Henrique Dias - Updated to 0.65 * Tue Sep 02 2003 Henrique Dias - Updated to 0.64 * Tue Aug 19 2003 Henrique Dias - Updated to 0.63 * Mon Aug 09 2003 Henrique Dias - Updated to 0.62 * Mon Aug 04 2003 Henrique Dias - Updated to 0.61 * Mon Jul 28 2003 Henrique Dias - Updated to 0.60 * Mon Jul 01 2003 Henrique Dias - Updated to 0.59 * Fri Jun 26 2003 Henrique Dias - Updated to 0.58 * Fri Jun 20 2003 Henrique Dias - Updated to 0.57 * Thu Jun 05 2003 Henrique Dias - Updated to 0.56 * Mon Jun 02 2003 Henrique Dias - Updated to 0.55 * Tue May 20 2003 Henrique Dias - Updated to 0.54 * Fri May 16 2003 Henrique Dias - Updated to 0.53 * Wed May 14 2003 Henrique Dias - Updated to 0.52 * Sat Apr 26 2003 Henrique Dias - Updated to 0.51 * Wed Apr 23 2003 Henrique Dias - Updated to 0.50 * Tue Apr 22 2003 Henrique Dias - Updated to 0.49 * Fri Apr 11 2003 Henrique Dias - Updated to 0.48 * Wed Apr 09 2003 Henrique Dias - Updated to 0.47 * Tue Apr 08 2003 Henrique Dias - Updated to 0.46 * Sat Mar 29 2003 Henrique Dias - Updated to 0.45 * Sat Mar 15 2003 Henrique Dias - Updated to 0.44 * Mon Jan 13 2003 Henrique Dias - Updated to 0.43 * Fri Jan 10 2003 Henrique Dias - Updated to 0.42 * Thu Jan 09 2003 Henrique Dias - Updated to 0.41 * Sat Jan 04 2003 Henrique Dias - Updated to 0.40 * Sat Dec 28 2002 Henrique Dias - Updated to 0.39 * Tue Nov 12 2002 Henrique Dias - Updated to 0.38 * Fri Oct 02 2002 Henrique Dias - Updated to 0.37 * Thu Sep 12 2002 Michael McLagan - Updated to 0.36 * Fri Aug 30 2002 Michael McLagan - Updated to 0.35 * Mon Jul 22 2002 Michael McLagan - Updated to 0.34 * Tue Jul 15 2002 Michael McLagan - Updated to 0.33 * Tue Jul 08 2002 Michael McLagan - Updated to 0.32 * Tue Jun 25 2002 Michael McLagan - Updated to 0.31 * Tue Jun 17 2002 Michael McLagan - Updated to 0.30 * Mon Jun 03 2002 Michael McLagan - Updated to 0.29 * Mon May 27 2002 Michael McLagan - Updated to 0.28 * Sat May 20 2002 Michael McLagan - Updated 
to 0.27 * Mon May 14 2002 Michael McLagan - Updated to 0.26 Inserted code to adapt to perl version Replaced real_name macro with module * Sun May 05 2002 Michael McLagan - Updated to 0.25 Fixed a couple of items in spec file * Tue Apr 30 2002 Michael McLagan - initial version 0.24 File-Scan-1.43/FAQ0000644000175000007640000000135407751442140012743 0ustar wwwadminweb* Looks like your signatures only lists about 100 viruses. Why not use the signature database from OpenAntivirus like ClamAV does? Because the File::Scan module uses perl regular expressions in signatures to detect polymorphic virus or suspicious virus. For speed the position of signature in virus file is also used. * Where is the signatures file stored for File::Scan? The signatures are stored internally in Scan.pm file, but you can add new signatures to signatures.txt file in files directory and rebuild the module. * Can anybody tell me how I can compile a stand alone virus scanner? $ cd examples $ perlcc -o virusscan scan.pl (Perl v5.8.0 or greater) or try the Perl Archive Toolkit (PAR) $ cd examples $ pp -o scanner scan.pl File-Scan-1.43/MANIFEST0000644000175000007640000000066510020435066013536 0ustar wwwadminwebChanges docs/write_sign_bin.txt examples/latest.pl examples/procmail/.procmailrc examples/procmail/README examples/procmail/scanvirus.pl examples/scan.pl examples/vscan.pl FAQ files/Scan.base files/signatures.txt files/suspicious.txt Makefile.PL MANIFEST README spec-files/RedHat/perl-File-Scan.spec spec-files/SuSE/perl-File-Scan.spec Scan.pm t/scan.t TODO META.yml Module meta-data (added by MakeMaker) File-Scan-1.43/TODO0000644000175000007640000000007207442444647013110 0ustar wwwadminweb- scan compressed files - more documentation - more tests File-Scan-1.43/files/0000755000175000007640000000000010236172426013507 5ustar wwwadminwebFile-Scan-1.43/files/Scan.base0000644000175000007640000001432310236165352015232 0ustar wwwadminweb# # Scan.pm # Last Modification: Wed May 4 16:31:36 WEST 2005 # # 
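# Copyright (c) 2005 Henrique Dias <hdias@aesbuc.pt>. All rights reserved.
# This module is free software; you can redistribute it and/or modify
# it under the same terms as Perl itself.
#
# Review notes (Scan.base is the template Makefile.PL turns into Scan.pm):
#  - Nothing in this file declares $min_txt_size, scan_text() or
#    scan_binary(); they are presumably injected at build time, so verify
#    against Makefile.PL before relying on their behaviour.
#  - Scan status ($ERROR, $SKIPPED, $SUSPICIOUS, $CALLBACK) lives in package
#    globals, not in the object: every scan() on any object resets them, so
#    read the accessors before the next scan() and do not interleave scans on
#    different objects.
#
package File::Scan;
require 5;
use strict;
require Exporter;
use File::Copy;
use SelfLoader;
use vars qw($VERSION @ISA @EXPORT $ERROR $SKIPPED $SUSPICIOUS $CALLBACK);

@ISA = qw(Exporter);
$VERSION = '1.43';
($ERROR, $SKIPPED, $SUSPICIOUS, $CALLBACK) = ("", 0, 0, "");

# The signature scanners live in the __DATA__ section and are compiled on
# first use; their stubs must exist before new()/scan() are called.
SelfLoader->load_stubs();

# new([OPTION => VALUE, ...])
# Build a scanner object. Caller options are merged over the defaults below
# and are not validated: unknown keys are kept silently, and a 'callback'
# key is accepted here as well as through set_callback().
sub new {
    my $proto = shift;
    my $class = ref($proto) || $proto;
    my $self = {
        extension    => "",     # suffix appended to an infected file ('' = none)
        delete       => 0,      # 1: unlink the infected file
        move         => "",     # directory to move the infected file into
        copy         => "",     # directory to copy the infected file into
        mkdir        => 0,      # mode used to create move/copy dirs (0 = never create)
        max_txt_size => 5120,   # KB; larger text files are skipped (0 = no limit)
        max_bin_size => 10240,  # KB; larger binary files are skipped (0 = no limit)
        @_,
    };
    bless($self, $class);
    return($self);
}

# scan(FILE)
# Scan one file and return the virus name when a signature matches, or a
# false value otherwise (an empty list when the file is missing or skipped,
# so undef in scalar context). Skip/error/suspicious state is reported
# through skipped(), error(), suspicious() and callback(), all of which are
# reset at the start of every call. On a match the file is optionally
# renamed (extension), copied, moved and/or deleted, in that order.
#
# The text-vs-binary split is decided by Perl's -T heuristic on the file's
# first block, so which scanner runs is derived from content the file's
# author controls.
sub scan {
    my $self = shift;
    my $file = shift;

    _set_error();
    _set_skip();
    _set_suspicious();
    ret_callback();

    (-e $file) or return(_set_error("No such file or directory: $file"));
    my $fsize = -s $file;
    $fsize or return(_set_skip(2));

    my $res = "";
    if(-f $file && -T $file) {
        # $min_txt_size is not declared in Scan.base; see the header note.
        return(_set_skip(3)) if($fsize < $min_txt_size);
        return(_set_skip(4))
            if($self->{'max_txt_size'} && ($fsize > $self->{'max_txt_size'} * 1024));
        $res = scan_text($self, $file);
    } else {
        return(_set_skip(5))
            if($self->{'max_bin_size'} && ($fsize > $self->{'max_bin_size'} * 1024));
        $res = scan_binary($self, $file);
    }
    return($res) unless($res);

    # --- infected: apply the configured actions --------------------------
    if($self->{'extension'}) {
        # quotemeta: the extension is a literal suffix, not a pattern. The
        # previous check used /o, which compiled the pattern once per
        # process, so a second object with a different extension silently
        # kept the first object's suffix.
        my $ext = quotemeta($self->{'extension'});
        if($file !~ /\.$ext\z/) {
            my $newname = join(".", $file, $self->{'extension'});
            if(move($file, $newname)) {
                $file = $newname;
            } else {
                _set_error("Failed to move '$file' to '$newname'");
            }
        }
    }
    if($self->{'copy'}) {
        _ensure_dir($self, $self->{'copy'});
        my $cpdir = join("/", $self->{'copy'}, _basename($file));
        copy($file, $cpdir) or _set_error("Failed to copy '$file' to $cpdir");
    }
    if($self->{'move'}) {
        _ensure_dir($self, $self->{'move'});
        my $mvfile = join("/", $self->{'move'}, _basename($file));
        if(move($file, $mvfile)) {
            $file = $mvfile;
        } else {
            _set_error("Failed to move '$file' to '$mvfile'");
        }
    }
    if($self->{'delete'}) {
        # $file already points at the renamed/moved file here, so with
        # 'move' and 'delete' both set it is the moved file that is removed.
        # The capture only launders taint; it does not validate the path.
        if($file =~ /^(.+)$/s) {
            unlink($1) or _set_error("Could not delete $1: $!");
        }
    }
    return($res);
}

# Create $dir with the object's 'mkdir' mode when it is missing and 'mkdir'
# is non-zero. A failure is recorded through error(); the following
# copy/move is left to fail (and report) on its own.
sub _ensure_dir {
    my ($self, $dir) = @_;
    return if(-d $dir || !$self->{'mkdir'});
    mkdir($dir, $self->{'mkdir'})
        or _set_error(join("", "Failed to create directory '", $dir, "' $!"));
    return;
}

# Last path component of $path (everything after the final '/').
sub _basename {
    my $path = shift;
    my ($f) = ($path =~ /([^\/]+)$/);
    return($f);
}

# set_callback([SUBREF])
# Install SUBREF as the scan callback, or remove the current callback when
# called without a code reference. As documented below, the callback is
# invoked by the binary scanner with the filename and the first bytes read.
sub set_callback {
    my $self = shift;
    my $subref = shift || undef;
    if(defined($subref) && ref($subref) eq "CODE") {
        $self->{'callback'} = $subref;
    } elsif(exists($self->{'callback'})) {
        delete($self->{'callback'});
    }
    return();
}

# Package-level status slots. Each setter stores its argument (or the slot's
# empty value when called without one) and returns an empty list, so that
# scan() can write `return(_set_skip(N))` to abort with that status.
sub _set_error      { $ERROR      = shift || ""; return(); }
sub _set_skip       { $SKIPPED    = shift || 0;  return(); }
sub _set_suspicious { $SUSPICIOUS = shift || 0;  return(); }
sub ret_callback    { $CALLBACK   = shift || ""; return(); }

# Accessors for the status of the most recent scan() on any object.
sub error      { $ERROR; }
sub skipped    { $SKIPPED; }
sub suspicious { $SUSPICIOUS; }
sub callback   { $CALLBACK; }

1;
__DATA__

__END__

=head1 NAME

File::Scan - Perl extension for Scanning files for Viruses

=head1 SYNOPSIS

  use File::Scan;

  $fs = File::Scan->new([, OPTION ...]);
  $fs->set_callback(
    sub {
      my $filename = shift;
      my $bytes = shift;
      ...
      return("Callback Value");
    }
  );
  $fs->scan([FILE]);
  if(my $e = $fs->error) { print "$e\n"; }
  if(my $c = $fs->skipped) { print "file skipped ($c)\n"; }
  if($fs->suspicious) { print "suspicious file\n"; }
  if(my $res = $fs->callback) { print "$res\n"; }

=head1 DESCRIPTION

This module is designed to allow users to scan files for known viruses. The
purpose is to provide a Perl module for building platform-independent virus
scanners.

Scan status is kept in package variables shared by all File::Scan objects and
is reset by every call to scan(); read error(), skipped(), suspicious() and
callback() before the next scan().

=head1 METHODS

=head2 new([, OPTION ...])

This method creates a new File::Scan object. The following keys are available:

=over 7

=item callback => 'subroutine reference'

if the item is set then use a callback subroutine reference to provide extra information and functionalities.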
The callback subroutine receives two arguments: the filename and the first 1024 bytes read from the file. This only works for binary files.

=item extension => 'string'

add the specified extension to the infected file (unless its name already ends in it)

=item move => 'directory'

move the infected file to the specified directory; only the last path component of the file name is kept

=item copy => 'directory'

copy the infected file to the specified directory; only the last path component of the file name is kept

=item mkdir => octal_number

if the value is set to an octal number then create the move/copy directories with that mode when they are missing (example: mkdir => 0755).

=item delete => 0 or 1

if the value is set to 1 delete the infected file (after any move, so it is the moved file that gets deleted)

=item max_txt_size => 'size in kbytes'

scan a text file only if its size does not exceed max_txt_size. The default value is 5120 kbytes. Set to 0 for no limit.

=item max_bin_size => 'size in kbytes'

scan a binary file only if its size does not exceed max_bin_size. The default value is 10240 kbytes. Set to 0 for no limit.

=back

=head2 scan([FILE])

This method scans a file for viruses and returns the name of the virus if one is found.

=head2 set_callback([SUBREF])

This method is another way to install a callback subroutine reference. See the callback key above.

=head2 skipped()

This method returns a code number if the file was skipped and 0 if not. The following skipped codes are available:

=over 6

=item 0

file not skipped

=item 1

file is not vulnerable

=item 2

file has zero size

=item 3

the size of the file is too small

=item 4

the text file size is greater than the 'max_txt_size' argument

=item 5

the binary file size is greater than the 'max_bin_size' argument

=back

=head2 suspicious()

This method returns 1 if the file is suspicious and 0 if not.

=head2 callback()

This method returns the result from the callback subroutine.

=head2 error()

This method returns the error message recorded by the last scan(), or an empty string if no error occurred.

=head1 AUTHOR

Henrique Dias

=head1 CREDITS

Thanks to Rui de Castro, Sergio Castro, Ricardo Oliveira, Antonio Campelo, Branca Silveira, Helena Gomes and Anita Afonso for the help.
Thanks to Fernando Martins for the personal collection of viruses. =head1 SEE ALSO perl(1). =cut File-Scan-1.43/files/suspicious.txt0000644000175000007640000000033110236171513016447 0ustar wwwadminwebworm::776f726d virus[^p]::7669727573[^70] trojan::74726f6a616e [text] by text::5b[^5d]+5d20627920\w+ backdoor::6261636b646f6f72 parasite::7061726173697465 text coded by text::\w+20636f64656420627920\w+ fuck::6675636b File-Scan-1.43/files/signatures.txt0000644000175000007640000007634510236171175016453 0ustar wwwadminweb20050504::4d5a::W32/Bagle.ai@MM::(ge1024 and le3072) or eq25600::d032c532c232c6d2c002c1.{0,24}d3c28807474975d2e801000000 20050504::4d5a900003::W32/Sober.p@MM::eq8192::0325f6bfc0435c0a2b65696e61686e756e6725d61eb23970170000020430153e 20050504::4d5a::W32/Mytob.gen@MM::eq13312 or (ge24576 and le36864)::79.{3,81}[2a65b045]7243[04a29e1e][ec8ff862] 20050305::4d5a900003::W32/Mydoom.ba@MM::eq5120::6f70656e134d6f7a5f6c615f7051c32f34eb285c0269626c655fa0708429c74243b6fb61534c4fd167fe5b9268747470736572764c617baede75c76223494337 20050305::4d5a900003::W32/Downloader-PH::eq9216::6e74703a2f2f6305c5826a79632e6d2f6130621bd56c692f6910b3a27b6670689e11ba13703f7569643dc581d3c9703d37267669881950313d74727900 20050305::4d5a900003::W32/MyWife.b@MM::eq2048::426c61[63bd].{0,4}6b576f726d 20050305::4d5a::PWS-Banker.k.gen::ge8192 and le15360::62.?61.?6c9f.{0,4}af21.{0,4}3c.{0,5}31726d.{0,5}200d43.?70.?75.?740f6e.{2,6}7b.{2,6}4a252f343e.{0,5}a1.?79.?7024.{0,4}50.{0,4}6f63.?456d.?61.?69.{0,4}6c.72.35.{3,4}65.{1,5}6b.{4,9}0d.{0,4}75.{2}45.{0,4}4c2d6c.?436f.?6e.{1,5}1f.{0,4}d9.{0,5}0d2f.{0,5}6db8.{2,6}446973.{2,3}6c.{1,5}3d.{8,9}47ca.?3c.?0d6e.{1,6}65.{0,4}0a.{0,5}41.?4f53.?54c9.6461.{0,5}51 20050305::4d5a900003::W32/Sober.j@MM::eq3072 or eq8192::50726f6a65.{22,35}43.{13,28}4fad339966cf11b7.{3}d393.{6,7}3b.{3,25}466f726d 
20050219::4d5a000000::W32/Mydoom.bb@MM::eq1024::0f4d6170565fc5774f6618101e556e566d11902f62087273b3300c99456e76226fdf52fc7b3c5661fbe662ac1967441a76b15479704c0f53f5bf6c8e6d546979 20041221::4d5a900003::W32/Netsky.z@MM::eq2048::033bb839912333001a2ff978490085242164b88900830bc8282a53140608a121704a4202a52451588c108a43f90471704140680a98a6380a2e145185c104b388 20041221::4d5a000000::W32/Zafi.d@MM::eq10240::48454c4f441d4d4149ecc81e52bc6e5dc3435054 20041122::4d5a900003::W32/Lovgate.af@MM::eq5120::328300029a032a800b1c6db6b236db7371b6d64391b191cdcc8dac8e4c93236b71b1916e36db628de509da13942768ce7f3eaf794276ffbe7bad521e8f35e191 20041122::4d5a900003::W32/Lovgate.q@MM::eq5120::02aa00029a02a8000aa4971b6db62e36dcb8ee36dae46db727236d5c6db771b6db9717249917bf9dfcee0df67fcff8dfdad611dd56ea820be07f02d5e5f402f4 20041106::VBS::VBS/Inor.encoded::0::23407e5e2f77454141413d3d39623a7e7e664023402666623a2c613a5e402340262f394e43787253433a45402340263f2b447e613a5e507b502f446e43442b36 20041106::4d5a900003::W32/Netsky.ab@MM::eq2048::1f64170756af8585db8f0a53c9ffdb11e23f4f784303304c5920b108c90d420804567432e1e58a916c9a40104c24c17f 20041106::4d5a900003::W32/Bagz.f@MM::eq17408::4765744c61324102766550da7616bbae7570130f57956426d010f1df87657373616765426fc473796135be2533322e64 20041030::4d5a900003::Generic PWS.f::eq12288::217376686f73742e657865277b[^7d]{32,}7d534f46 20041018::4d5a900003::W32/Korgo.worm.aa::eq2048::2f299f4f6f906182b546b187125e6fd1c847ec1e5fb35b5a212239ae386bddd2e25d37b7dd204a76c7dc1df4de0ff4d55f205be836fddfaa53498476742558e71729 20041015::4d5a900003::W32/Darby@MM::eq9216::40004c624246feff56423521f01f56423645532e444c4c2a.{11,14}40 20041015::4d5a900003::W32/Netsky.ag@MM::eq1024::416c657669727573210c090208334f2f 20041012::4d5a900003::W32/Mabutu.a@MM::eq2048 or eq4096::52554e44.{0,4}4c4c33322e4558452025732c5f6d61696e524400446c6c526567697374657253.{2,5}76.{0,3}0000646c6c0065786500434c5349445c7b.{34,38}30317d00.{1,3}206d7574.{0,2}3120 
20041007::4d5a::W32/Lovgate.x@MM::eq8192::96b46655d6c5a3e2464b4c5452616d93145681aec717a22f0c82ffe8242eb66a 20041006::4d5a900003::W32/Lovgate.r@MM::eq1024::400000c02e7273726300{4}1000{3}20030000020000005e0100{13}400000c02e61737061636b000020000000300300001a000000600100{13}400000c02e6461746100{4}10000000500300{6}7a0100{13}400000c02e6c6966060000000100{4}600300{6}7c0100b3dffdff6c5c0300{5}200000e0 20041006::4d5a900003::W32/Mydoom.o@MM::eq1024::5550583000{5}[a080d07060][0002]00001000{7}[0402]00{14}800000e05550583100{5}[90c06050]000000[b0e0908070][0200]0000[8abc604246]000000[0402]00{14}400000e02e7273726300{4}10000000[40a0f0d0c0][010300]0000[060408]000000[8e4ac06444]00{14}400000c0[000a] 20040918::4d5a900003::MultiDropper-KR::eq2048::00ad01ff606563686f72207770756e3325730664db3ee9610a53146c47160c2170e7676774e1737570c92ef978ea96170a717569740f 20040915::4d5a000001::W32/Bagle.aa@MM::ge10240 and le12288::2d2d204261673920417574684f22323961b76fee2e303402094765726d44792e7d6fff 20040911::4d5a000001::W32/Bagle.dll.dr::eq3072::5c67647166772e657865004d5a900003 20040911::4d5a900003::W32/Lovgate.ai@MM::eq2048::312e393000b6d1a5c90d09080a70862cdf135b4d1b2bdc04005bc90100000004002613ff89333280031a32b2800a24a8dd46aa39ec6d8a8e546db6db6db62a36db6dba8db9 20040817::HTMLJS::JS_IllWill::0::747269676765722e5374617274536f66747761726555706461746528657865706174682c20747269676765722e44454641554c545f4d4f444529 20040817::4d5a::W32/Netsky.p@MM::eq2048 or eq4096::0600420049004e00410052005900010030000000000000006b7d66859415ad1dd694ddc489e6393149adb558f0939732592bd1c0fd168e4e 20040721::4d5a900003::W32/Netsky.ac@MM::eq2048::83007c240801750aff74002404e80a00013059006a0158c20c00558b00ec8b4d0c33c0498300f9087766ff248d8f1610 20040717::4d5a::W32/Bagle.af@MM::eq11264 or eq13312::910400a8605458232323235c606468232323236c707478232323237c808488232323238c909498232323239ca0a4 
20040710::4d5a000001::W32/Bagle.dll.gen::eq4096::60e801000000e883c404e801000000e95d81edd9214000e81b020000e8eb08eb02cd20ff24249a66be4746e8010000009a598d952b224000e801000000695866 20040706::HTMLVBS::W32/Bagle.ab@MM!hta::0::2c302c31342c33312c3138362c31342c302c3138302c392c3230352c33332c3138342c312c37362c3230352c33332c38342c3130342c3130352c3131352c3332 20040706::4d5a900003::W32/Lovgate.ac@MM::eq94208::393847022f2776d7f550694f766572c9 20040703::4d5a900003::W32/Netsky.w@MM::eq1024::5550583000{5}d00100001000{7}0200{14}800000e05550583100{5}6000{3}e00100005800{3}0200{14}400000e02e7273726300{4}1000{3}400200000400{3}5a00{14}400000c0312e323400555058210c090209e06efdee9e70b4a84e160200de550000009400 20040628::4d5a::W32/Netsky.c@MM::ge1024 and le5120::ed.{0,13}e8.{0,17}e9.{0,12}ffffff.{0,19}83 20040628::4d5a900003::W32/Netsky.f@MM::eq16384::0e415454610f5243502e204c4f6e3ccc183e234d1f41494c0746524f8a12b1024845ffe51d6dfcd208285c04392a2e50 20040628::4d5a::W32/Magistr.a@MM::eq1024::00{2}..00{13}[^00]0000.2e.{5}0000ec[^0004](00|01)0000..0000.(00|01)0000..00{13}.0000[^00][^2e] 20040619::4d5a000001::W32/Bagle.j@MM::le3072::5550583000{5}[a090e0]00{3}1000{7}0200{14}800000e05550583100{5}[305090]000000[b0f0a0]000000[2848468c]0000000200{14}[804060]00{1,2}[00f0]e0?2e7273726300{3,4}[6e7010]19?000000[e040f030][0001]0000[0c62061a]000000[2a4a488e]00{14}400000[c0f0]312e32[3034]00555058210c0902[0a08] 20040614::4d5a900003::W32/Zafi.b@MM::eq11264::c109f7288072edf83dcb1466a9fa6399e61784070c48454c4f444d3b4149f63d465278dd5d87435054ce5ef415b82b49 20040528::4d5a900003::W32/Mydoom@MM::eq5120 or (ge10240 and le15360) or eq45056::[ee9500952d02][1951]554954[8efa0da783f3].{6,27}41.{6,35}20.{0,55}[543e][4f6f7e] 20040522::4d5a900003::W32/Netsky@MM::eq6144 or (ge14336 and le22528)::[7c4c02]05?[20fc77]463c?52.{0,16}[4faf][574d][3a2b1211adb6].{12,49}54 
20040519::4d5a900003::W32/Bobax.worm.c::eq2048::e851500000c35253b659b273f966e41d9807de15a594d01d547bf9346b97448fc6b0b9aa1170b4978cc30b3315a16005518980f525ba89a9fc3d677447ee9119 20040517::4d5a900003::W32/Sober@MM::ge6144 and le9216::2b0c01[9454cc2c].{2,7}6f6b756d.{0,4}656e74 20040505::4d5a900003::W32/Netsky.n@MM::eq1024::0020002e6c7061636b0000006000000010000000340000000400{14}400000c02e6c7061636b00000010000000700000000c0000003800{14}400000c02e6c7061636b00000090010000800000001c0000004400{14}400000c02e72737263000000001000000010020000020000006000{14}400000c02e6c7061636b0000003000000020020000220000006200{14}400000c000 20040428::HTMLVBS::W32/Bagle.aa@MM!hta::0::392c33382c3232312c31392c3233372c37312c3137392c36342c3233372c37312c3137392c36342c3233372c37312c3137392c36342c3233372c37312c313739 20040428::VBS::W32/Bagle.aa@MM!vbs::0::392c33382c3232312c31392c3233372c37312c3137392c36342c3233372c37312c3137392c36342c3233372c37312c3137392c36342c3233372c37312c313739 20040427::4d5a900003::W32/Netsky.x@MM::eq2048::4f549af6d9ef93a02aba535193e592b9c02ba3f41bd36d806991eaec1b3da32802120ac4a22b13237c82bfc70ca42ec1 20040426::4d5a500002::W32/Torvil@MM::eq2048::2043bb2a9911aa8033c6b7bd6a49b24dc9bdc0dc21e9008a4148c042101086e40d920421e886e487a49004568c622d52 20040422::4d5a900003::Exploit-DcomRpc.gen::eq2048::20032b3a991222802b3ef726e13606c24020911058ac145054580a0c05874820840dee409010202a23b62a221bda8b6410648b373f1b51b41ec2a0a2a2a2a222 20040402::4d5a900003::W32/Bagle.u@MM::eq8192::43.{3,4}42dc?0d.{4}48454c4c?4f.{3,4}5253[6cb0]540f4d07?41491f?4c2046[d75e]4f[8209]3a3c.{3}3043505420[c925]4f[5861]0f 20040318::4d5a900003::W32/Bagle.e@MM::eq6144 or eq3072 or eq6144::60e801000000e883c404e801000000e95d81edd9214000e8[0504]020000e8eb08eb02cd20ff24249a66be[3552][5347e1]e801000000 20040311::4d5a900003::Proxy-Cidra::eq22528::85ff8ad9735c04c76f2e636a647261ffcffe6fc547455420687474703a2f2f660420485454502f312e306ca49d10c82f 
20040309::4d5a900003::W32/Netsky.j@MM::eq17408::60e8ed100000c3839887502c5804817cdbb6df3834302ca261f9ce6d0c1d1333040086c8eff0c3ef8fca08afdb93ccfa 20040229::4d5a900003::W32/Bagle@MM::eq6144 or eq11264 or eq13312::3135312e.{0,4}3230[3103]?2e?302e33 20040226::4d5a900003::W32/Mimail@MM::ge8192 and le20480::51.{1,3}54.{14,36}41.{1,7}52.{0,4}43.{3,7}4f3a.{2,6}4d41.{0,4}494c 20040130::4d5a500002::W32/Dumaru@MM::ge12288 and le28672::4d41.?494c204652.?4f.3a.3c.{17,26}524350.?5420.4f.{3,4}4441.{3,6}515549.{4,9}59 20040127::HTMLVBS::VBS/Inor::0::313644220a737a42696e617279203d20737a42696e61727920262022323036333631364536453646 20040119::4d5a900003::Downloader-GN::eq2048::00633a5c746dffbffcff702e65786500687474703a2f2f772e617175617269756d2d66697320ab6fff682e72752f707061022e62 20031222::4d5a900003::BackDoor-CAG::eq9216::6d6f76205b77f0b756b8002e706c57b776697275732e9f6b77bf4d6d5d202a2f37526567f8c2a0 20031115::4d5a500002::PWS-Mob.dr::eq53248::512f1d350d00200000007379737472617933322e657865141d51 20031010::4d5a900003::W32/Swen@MM::eq29696 or eq71680::3a2f2f7777322e66.{1,2}2e76.{64,93}454c45.{18,21}4f4b.{1,5}535441.{1,5}50415353 20030909::4d5a500002::W32/Pate.b::eq7168::fdffffff4d41494c2046524f4d3a203c61646d696e4064756d612e676f762e72753e0378dddf205243505420544f 20030902::4d5a900003::W32/Sobig.f@MM::eq29696::45f879002b6b234c796e612e28636ddb936fd6ed68a0 20030902::HTMLVBS::VBS/Haptime.gen@MM::0::52656d204920616d20736f727279212068617070792074696d650d0a4f6e204572726f7220526573756d65204e6578740d0a 20030728::4d5a900003::W32/Yaha.u@MM::eq37888::91d96f2d383835392db962b844144be807ebe9a71525742fad6d777723e135582a8f274d4b29a021fa4d494d452d493acacd5a5aa171aafe2f5a5818ee6d6978 20030701::4d5a500002::W32/Lovelorn@MM::eq70656::6c6f76656c6f726e407961686f6f2e636f6d 20030626::4d5a900003::W32/Sobig.e@MM::eq21504::b8c7648371fed25c06384afc14a39853d91ef9697f575279655840997b36d658063ed3ec24b4b94b35199a053a1a6f 
20030620::BAT::BAT/Mumu.worm::0::636f70792053532e626174205c5c25315c61646d696e245c73797374656d3332202f790d0a7374617274202f69202f6d696e202f77616974202f4220707365786563205c5c2531202d75202532202d70202533202d6420636d642e657865202f63206e74736572766963652e626174 20030605::4d5a900003::W32/Bugbear.b@MM::eq1024::555058300000000000e00600001000000000000000040000000000000000000000000000800000e055505831000000000020010000f006000014010000040000000000000000000000000000400000e0555058320000000000100000001008000002000000180100000000000000000000000000400000c00000000000000000 20030602::4d5a900003::W32/Sobig.c@MM::eq50176::347b4d5450b476c211b76370bb70b3266f6f5d72c74b2d3829392d310b5155491086f087541945484c4f242b06e0c2f250617743643ac6fdf72815a7bb0b41555448207f039abd2e47494e27bd4c2046524f4de3b18a1958a3435054c45b3197 20030602::4d5a500002::W32/Ganda@MM::gt2048::044140000a41400010414000164140001c414000244140002a2e6c6e6b002a2e657865002a2e736372002a2e656d6c002a2e2a68746d2a002a2e646278003c736b72617474616861686140686f746d61696c2e636f6d3e 20030420::4d5a900003::BackDoor-ARG.dr::eq25600::952b668ad1bdf0e1488ad19771c5ff7bcae80a486f6f5db686e63ccfcdaee45831465416efc3c1edc4cd52c62ec6d01358 20030520::4d5a900003::W32/Palyh@MM::eq43008::7a494e470e3b4f4d6bbeddfeb24e115236303238082d204761626c65eb70343a50201f 20030516::4d5a900003::BackDoor-AQJ::eq66560::4e65744d656574696e672052656d6f7465204465736b746f702028525043292053686172696e6700736d74702e3136332e636f6d00000000 20030514::4d5a900003::W32/Fizzer.dll::eq2048::e89b03000085c07501c3a10c4800105333db3bc37517680014001068e09304005353ff1528200010a30c4800106a1c6820300010e8270400006a10684030 20030514::4d5a930001::W32/Fizzer.gen@MM::eq162816::db0f84b50000008b3b3bfe73ef52535657518b551883e902668b0431663904390f858c0000008bd9c1f90285c974118b06330783c60483c70485c075034975ef751603cb83e10385c9740d8a068a27464738e075034975f37558595f5e565703f903f183e90483c1048bc283e80478283bc8 
20030514::4d5a900003::W32/Fizzer.gen@MM::eq10240::db0f84b50000008b3b3bfe73ef52535657518b551883e902668b0431663904390f858c0000008bd9c1f90285c974118b06330783c60483c70485c075034975ef751603cb83e10385c9740d8a068a27464738e075034975f37558595f5e565703f903f183e90483c1048bc283e80478283bc8 20030426::4d5a900003::W32/Lovgate.g@M::eq102400::9060e93d04000087c3a39f9f8a9f5acfd8e39fa27cca3c6fdee39f225c9be8e39f9f283c9be8e39fae2405a29f9f6624d2d8e39f9f9f9f9f2c24a3e9e39fef9e 20030423::4d5a900003::BackDoor-ARG::eq46080::50e8ce86000083c404c74644000000008bcee8f9f8ffff5ec3909090909090908b4424088b5424045052e831f9ffffc2 20030411::4d5a900003::W32/Oror.aa@MM::eq44032::bdff574f524b2d53455859330f545505a3de3b134b617a61d35e0730e1ef509f7662734b369401683a03 20030408::4d5a900003::W32/Gibe.b@MM::eq2048::436f646564202e2e2e6279204265676269652c20536c6f76616b6961 20030408::4d5a900003::W32/Gibe@MM::eq5120::71323136333039007132313633303900007132313633303900000000f4010000341c40 20030315::VBS::VBS/Fourcourse::0::5365742063\d3d4372656174654f626a6563742822264328\d\d2926224d53436f6d6d4c69622e4d53436f6d6d22264328\d\d2926222922264328\d\d29264328\d\d292622646320\d2c63\d22264328\d\d29264328\d\d292622 20030113::4d5a900003::W32/Sobig@MM::eq5120::719dcc1e2e77aa7a4d28d4a400cde3cde4038d1518b3d27b645132f127c17692ebe0d854260eda1357f33fde09495c0a 20030110::4d5a900003::W32/Lirva.gen@MM::eq2048::9d7e58d8632fb7.ce8c24e825.6c682336940b6e5152.{6,7}0c10e4bf..4168c9ff....39f2aef7d12bf98bf78bd98bfa100e8bcb4fc1e9......a5a1.d203cb83e10395f3a48b57....fcb4ab815266b4........152cce52......88505378c70d0403 20030104::4d5a900003::W32/Yaha.k::eq22528::686f746d61696c5f6861636b2e65786546667269656e64736869702e5f68ffef7363721f776f726c645f6f665f3111616bff61ffb865120e776565741742655f48617070 20021228::4d5a900003::W32/Merkur@MM::eq15360::570069006e00330032002e006d00650072006300750072007900200043006f00640065006400200062007900200049006e0064007500730074007200790020004000200041004e0056005800670072006f00750070 
20021112::4d5a900003::W32/Braid@MM::eq12288::427269646500427269646500004272696465 20020902::4d5a900003::W32/Bugbear@MM::eq41984::40032e333b7e6fad926f4154414432358743507d847607474f3a3c277d4d41494cc24be668e8a311270d8bd24dfa48454c4f120f32b52b106f612b1775bbc303 20020928::7f454c46::Linux/Slapper.worm::gt1024::726d202d7266202f746d702f2e627567747261712e633b636174203e202f746d702f2e757562756774726171203c3c205f5f656f665f5f3b0a005f5f656f665f 20020928::4d5a900003::W32/Sachiel.worm::eq41984::4d0061006300680069006e0065006400720061006d006f006e006400610072006b0040006c006100740069006e006d00610069006c002e0063006f006d00 20020912::4d5a500002::W32/Blinkom::eq154624::52615a132f4745445a4143af0c2da5fb3735372031203431340f3cb3f1ffa62f548d434f4c4f4d424941315d 20020912::7f454c46::Linux.Osf.8759::gt1024::3733353031383637202d207838362f6c696e7578206d6f645f7068702076342e302e327263312d76342e302e352072656d6f7465206578706c6f69740a6279206c6f7269616e2e0a 20020912::4d5a900003::W32/ProLin@MM::eq10240::3a005c00760069007200750073005c007600690072005c0063007500720072005c00500072006f006a0065006300740031002e00760062 20020912::d0cf11e0a1b11ae1::W97M/Thus.gen::0::2844806179284e6f7729513190312920413064284d108b126855013329da474d736708426f7850946170707900204269727468646136796360 20020830::4d5a900003::BackDoor-AJH::eq18432::4d61646520627920417869616c69732041582d49636f6e20\d2e\d 20020830::4d5a500002::W32/Stopin.b@MM::eq24576::484f5720544f2053035007bdf66f8df68b494f4c454e43456227a325ecd6697003425249808ca5b75c5847332d3c05d86cd8f65241454c 20020830::4d5a500002::W32/Cecile.dr::eq20480::436563696c6520636f6465642062792053302f42305b696b785d2c206d61646520696e20617373656d626c790068 20020830::4d5a500002::W32/Bika.gen::0::57696e33322e[^20]+20627920426c61636b204a61636b00 20020830::VBS::VBS/Hatred.gen::0::42532e5355504552464c554f55532076\d2e\d20627920476f626c65656e2057617272696f722f2f534d46 20020830::4d5a500002::W32/EnerKaz.worm.a::eq335872::28632920627920456e65726779204765726d616e7920535354404861626c61732e636f6d 
20020830::d0cf11e0a1b11ae1::W32/Hokilo.worm::eq7168::4952432d576f726d2e486f6b6f206279204b756173616e61677569 20020722::4d5a500002::W32/Sentral.dr::gt1024::5b53616e617472616c2e\d\d\d\d20627920546865726d6f4269742f496b582c79324b5d 20020722::4d534654::VBS/Funtime::eq1281::2553797374656d526f6f74255c53797374656d33325c66756e74696d65\d\d2e687461 20020722::JS::JS/Germinal::0::4a532e4765726d696e616c2050617220506574694b20\d\d2f\d\d2f\d\d\d\d 20020722::4d5a500002::W32/Idele::gt1024::502d616469632076697275732076657273696f6e20\d2e\d446f78746f72 20020722::4d5a500002::W32/Chiton.ab.dr::gt1024::[^00]000000\w{2,6}202d20726f79206720626976 20020722::4d5a900003::W32/Yaha.gen@MM::ge19456 and le20480::3a2d290021072104[^5a]*5a4f4e45414c41524d.....415650..4c*4f434b444f574e3230 20020722::4d5a::W32/Plex@MM::eq1024::504500004c01.00....00000000.000000e000..0b01..00..0000.000000000000...000010000000..000000..0010000000.0000.000000.000000.00.00706c7872 20020715::4d5a900003::W32/Frethem.fl@MM::ge30720 and le43008::7372633d33[^44]*446369643a57386471777138[^71]*7139314f3133 20020715::4d5a500002::W32/Duni.worm.b::eq205824::7a65726f2e6578657f0732f29706446c44697230184bb58558f8617a61615c27673143563ad777840317f163706c6f5c6b270b7a100f76310aeea21977092e2160864dc15f2f1710082c7b01a22e686f740f866f9c77323e466f6cc096220763360c496f73b4f55f4a27736b794c6162 20020708::d0cf11e0a1b11ae1::W97M/VMPCK.dd::0::43415075742120206279202d2d3d7c7c204e7c6330747c4e207c7c3d2d2d2028632920(286329)?\d\d\d\d 20020708::7f454c46::BSD/Scalper.worm::eq44032::2f7573722f62696e2f75756465636f6465202d70202f746d702f2e757561203e202f746d702f2e613b6b696c6c616c6c202d39202e613b63686d6f64202b78202f746d702f2e613b6b696c6c616c6c202d39202e613b2f746d702f2e612025733b657869743b 20020708::4d5a500002::W32/SirCam@MM::eq106496::558becb9410000006a006a004975f951535657b8d4a84100e8bfb0feffbe10ef410033c05568ddb4410064ff3064892033c055688eb4410064ff306489206a20e8d3b1feff50e8fdb2feff6affe8d6b1feff50e8f8b2feffe8ebfdffff8d4df033d2b8f4b44100e89cb5ffff8b55f0b8fcee4100e8 
20020708::HTMLJS::JS/Kak@M::0::4b61676f752d416e74692d4b726f246f66742073617973206e6f7420746f646179 20020708::d0cf11e0a1b11ae1::W97M/Gorum::0::47756f726d28566273292e204d6972632f4f75746c6f6f6b2f5662732e20427920424d2026204f572026204b616c616d6172006c0242406e 20020708::4d5a500002::W32/Gorum.gen@MM::eq3072::427261696e4d7573636c65202b204f6c6457617279202b204b414c414d41520047756f726d 20020625::4d5a900003::W32/Perrun::eq8192::6a7067766972 20020625::49545346::VBS/Chick.e@M::eq5120::4848412056657273696f6e20342e37342e38373032000400240009040000000000000000000001000000000000008077b08682fec101000000000000000002001200ef6cf876ea596ffc6cc47572e22e68746d0006000b00696c6f76656c61757261000500040077696e0007000400517e950f0c000400000000000d0000105423534dda893d 20020625::4d5a900003::W32/Higuy@MM::eq1024::50010000100000c981000000060000000000000000000000000000600000e02e4672616c69270073030000006001000004000000020000000000000000000000000000600000e20000 20020617::d0cf11e0a1b11ae1::X97M/Generic::0::5839374d2e4e6974726f67656e 20020617::4d5a500002::W32/Trilisa.gen@MM::ge78848 and le135168::00686f73742e65786500686f73742e736372 20020603::49545346::VBS/Chick.bc@M::eq5120::16004848412056657273696f6e20342e37332e383139380004002400090400+0100+[^00]+c10100+02001100746f706963732f696e6465782e68746d000300.00\w+2048656c70000600.00\w+00050003005450000c000400000000000d000010542353 20020603::4d5a900003::W32/Navidad.gen@M::eq31744::4e006100760069006400610064002000560065007200730069006f006e002000\d+.+43006f00700079007200690067006800740020002800430029002000\d00\d00\d00\d00 20020603::4d5a500002::W32/Ska@M::eq7168::626567696e2036343420486170707939392e657865.+656e64.+536b61 20020527::4d5a900003::W32/GOP@MM::eq35840::736d74702e796561682e6e65.+2d20474554204f494351 
20020527::BAT::JS/SQL.Spida.worm.b::0::[205c]73657276696365732e657865.+[205c].+73716c657865632e6a73.+[205c]636c656d61696c2e657865.+[205c]73716c70726f636573732e6a73.+[205c]73716c696e7374616c6c2e626174.+[205c]73716c6469722e6a73.+72756e2e6a73.+[205c]74696d65722e646c6c.+[205c]73616d64756d702e646c6c.+[205c]707764756d70322e657865 20020527::4d5a500002::W32/Benjamin.worm::eq129024::000000009060e93d040000db95ad0c335aa9b70388ed0c306c8291e38eed0cb00c554577b1a985ae4de04833be2c6a30b1a9cbb682904833b1a90c333c2c0879f5a95ccc 20020520::4d5a900003::W32/Choke.c.worm::eq11264::4900200063006f006d006500200069006e002000700069006500630065002e002000200020004d00790020006e0061006d00650020006900730020004a0065007200720079 20020520::49545346::VBS/Chick.d@M::eq5120::4848412056657273696f6e20\d2e\d\d2e\d\d\d\d.+564220427269746e657920642e68746d6c.+6f636f736f6674 20020520::49545346::VBS/Chick.a@M::eq5120::4848412056657273696f6e20\d2e\d\d2e\d\d\d\d.+427269746e65792e68746d6c.+427269746e65792d506963.+627269746e65792d70696373 20020514::4d5a900003::W32/Zhangpo@MM::eq267264::7a68616e67706f00582d4d61696c6572 20020514::4d5a500002::W32/Haiku@MM::eq2048::4861696b752047656e657261746f72 20020514::VBS::IRC/Theme.worm.dr::0::4952432d576f726d2e\w+20+5468656d6520576f726d20+4279 20020504::4d5a::W32/GriYo.29A.by::0::436f64656420627920477269596f.+323941 #20020427::4d5a::W95/Elkern.cav.c::gt1024::57716b.+3d757365725875.+5c6578706c6f726572 20020427::4d5a900003::W32/MyLife.j@MM::eq2048::ff010600534841524f4e001993420022 20020427::d0cf11e0a1b11ae1::WM/Cap::0::434150.+4175746f45786563.+4175746f4f70656e.+46696c654f70656e.+46696c6553617665.+4175746f436c6f7365.+46696c65536176654173.+546f6f6c734d6163726f 20020422::7f454c46::Linux/Manpage::eq4096::2f746d702f76697275732e63002f746d702f76696374756d 20020422::d0cf11e0a1b11ae1::X97M/Oblivion::0::6b696c6c6572006b0069006c006c00650072 20020419::4d5a500002::W32/Orez::eq3072::5669727573202d204f72655a52617453205b496b785d2028432920\d\d\d\d 
20020419::4d5a900003::W32/Hybrys.gen@MM::eq1024::2e7465787400000000.000000100000..000000020000000000000000000000000000200000e02e726461746100000010000000.00005a00000000.0000000000000000000000000000400000c0 20020419::4d5a900003::W32/BadTrans@MM::gt8192 and le20480::44*6563.+4e*6f76.+4f*6374.+53*6570.+41*7567.+4a*756c.+4d*6179.+46656213615361274672690054687500.9d5bfe576564005475656f172f.+3275 20020419::4d5a900003::W32/Nimda.gen@MM::eq37888::5c496e7465726661636573000000436f6e636570742056697275732843562920562e\d2c20436f70797269676874284329\d\d\d\d.{10,}4d494d452d56657273696f6e3a20312e30 20020419::4d5a900003::W32/Choke.gen.worm::eq10240::430068006f006b00650020002c00200043006f0070007900720069006700680074002000ae00200031003800380036 20020417::4d5a500002::W32/Cervivec@MM::eq159744::56746970.+5769747a.+626c6167.+4a6f6b65.+5a617274 20020417::4d5a900003::W32/MyLife.e@MM::eq3072::7a6172793230+.+40656d61696c2e636f6d 20020417::4d5a900003::W32/Shoho.gen@MM::eq22528::570049004e004c003000470030004e002e004500580045 20020417::4d5a500002::W32/Yarner.gen@MM::eq366592::54726f6a616e65722d496e666f 20020417::4d5a500002::W32/Kitro@MM::gt184320::4b494c54524f202a204d534e5748 20020417::4d5a500002::W32/Warga@MM::gt30720 and lt32768::77617267616d65732e657865 20020417::4d5a500002::W32/Fbound.c@MM::le2048::492d576f726d2e4a6170616e697a65 20020417::4d5a900003::IRC/Girls.worm::0::4769726c73005a6970576f726d00007a6970576f726d 20020417::4d5a900003::W32/Gokar@MM::eq14336::47006f0062006f00.+7400650061006d00760069007200750073.+4b006100720065006e 20020417::4d5a900003::W32/Goner@MM::le4096::70656e7461676f6e65 20020417::4d5a900003::W32/Myparty.b@MM::eq21504::537ff3ffff756e4d6f6e5475655765645468754672695361744a616e4665624dffb776fb617241707205794a26026c4175675365704f63745b81fafd4e6f764465633f545a1b1c747bb7a9ff696d 20020417::4d5a000002::W32/Aliz@MM::eq1024::69776f726d2e61786c387a65 
20020417::4d5a420002::W32/Gift.b@MM::0::54686973206973206120492d576f726d20636f6465642062792042756d626c656265655c\d+.210a0a47726574696e677a20746f20616c6c20\d+.206d656d62657273203b29 20020417::4d5a420002::W32/Plage.gen@M::0::5468697320697320506c61676520\d{4}20636f6465642062792042756d626c656265652f\d+.2e00506c61676520\d{4}2041637469766174696f6e 20020404::4d5a::W32/Magistr.b@MM::eq1024::00{2}..00{13}[^00]0000.2e.{5}0000ed[^00](00|01)0000..0000.(00|01)0000..00{13}.0000[^00][^2e] 20020413::d0cf11e0a1b11ae1::W97M/Nitrogen.intd::0::5739372e4e6974726f67656e 20020413::VBS::VBS/Madonna::0::4d61646f6e6e61.+4a6164726171756572204b696c6c6572 20020413::4d5a::W32/Ratter.by::0::5b57696e[^5d]+5d206279205261747465722f\d+ 20020404::d0cf11e0a1b11ae1::IRC/Stages.worm::0::54686520((6d616c65)|(66656d616c65))20737461676573206f66206c696665 20020404::4d5a::W32/HLL.ow.24590::ge7168 and lt8192::4a544d202d2066726f6d20655b61785d20746f20486f6d6572205468612050696c65 20020403::4d5a::W32/GMetaphase.by@MM::0::5b57696e33322e[^5d]+5d20.+2047696761627974652f4d6574617068617365 20020403::4d5a::W32/Donut.dr::gt1024::4e45542e646f744e45542062792042656e6e792f323941 20020403::d0cf11e0a1b11ae1::W97M/Melissa.a@MM::0::574f52442f4d656c69737361207772697474656e206279204b77796a69626f 20020402::4d5a::W32/Giri.dr::gt1024::57696e33322e47697269676174206973206e6f772061637469766521 20020402::4d5a::W32/Blakan::0::57696e[3233353839]{2}2e\w+2e*\w*20627920\w+.+67656e657261*74696f6e20766972757320 #20020402::4d5a::W95/Rekoj.GR::gt1024::4a6f6b6572\d+ 20020402::d0cf11e0a1b11ae1::W97/Thus.gen::0::546875735f\d\d\d #20020327::4d5a::W32/Borges.cmp::0::57494e33322e424f5247455320564952555320\d+2e\d+20627920496e74\d+682f494b58004d61646520696e2050617261677561792c20536f75746820416d6572696361 20020323::d0cf11e0a1b11ae1::W97/Marker.gen::0::3c2d207468697320697320[\w ]+206d61726b657221 20020323::d0cf11e0a1b11ae1::W97/VMPCK1.gen::0::564d50434b2076\d+2e\d+\w*205b[^5d]+5d 
20020322::4d5a::W32/Pilsen.cmp.4096::0::57494e33322e50494c53454e20564952555320627920496e743133682f494b58004d61446520694e205061526147754179 20020322::4d5a::W32/PetTick@MM::le4096::492d576f726d2e467269656e647300436f64656420627920506574694b2028632932303031.+546f206d7920667269656e6473204d61796120616e64204c617572656e74 #20020322::4d5a::W95/Miam.dr::gt2048::57696e33322e4e656f205669727573206279205b5469506961582f5644535d004d69616d20212049206c6f76652050452066696c6573203b29 20020320::4d5a::W32/FunLove.4099::gt2048::7e46756e204c6f76696e67204372696d696e616c7e 20020319::MIXVBS::VBS/LoveLetter@MM::0::73756220737072656164746f656d61696c2829.+64696d20782c612c6374726c697374732c637472656e74726965732c6d616c6561642c622c726567656469742c726567762c7265676164.+726567763d726567656469742e526567526561642822484b45595f43555252454e545f555345525c536f6674776172655c4d6963726f736f66745c5741425c22266129 20020316::4d5a::W32/Alcop.gen@MM::le6144::776f726d4977696e67.+57696e33322e20496d656c646120746865205642205669727573 20020316::4d5a::W32/Sintesys@MM::gt102400 and le160000::492d576f726d2e53757065724e6f7661 #20020311::4d5a::W32/Enviar.gen@M::0::76656e636520656d20.+7465737465406965672e636f6d2e6272.+696d6572 20020311::4d5a::HLLP.Yap.8421::0::59617021205768617420636f756c642069742042203fa8204974277320592e412e502e202859657420416e6f7468657220506172617369746529 20020309::VBS::VBS/Kristen.A@MM::0::46756e6374696f6e.+466f722049203d203120546f204c656e28[^29]+2920537465702032.+486176652066756e2077697468204b72697374656e 20020309::4d5a::W32/Joss.919::0::5b57696e326b2e4a6f73735d206279205261747465722f\d\d41 20020309::4d5a::W32/Heidi@MM::0::76697275736573.+6578706c6f6974.+706174636820686173206265656e20737570706c6965642077697468207468697320656d61696c20616e642077696c6c206669782074686520736563757269747920686f6c65.+70617463682e657865 20020309::4d5a::W32/Awfull::0::5b57696e33322e4f72616e67652062792045626f6c615d0044656469636174656420746f20746865204e59464420616e64204e5950442e 
#20020309::4d5a::W32/Javel.512::0::4b52454154495649545920464f52204b415453 20020305::4d5a::MultiDropper-BN::0::687474703a2f2f7777702e6963712e636f6d2f736372697074732f5757504d73672e646c6c3f66726f6d3d\w+2666726f6d656d61696c3d\w+40\w+2e\w+267375626a6563743d50726f6772616d2b657865637574696f6e26626f64793d5468652b706572736f6e2b746861742b73656e742b746869732b70616765722c2b69732b776974682b612b66696c652b67656e6572617465642b62792b4a756e7461646f7226746f3d\d{6,}2673656e643d.+ #20020305::e9::ARCV.Anna.742::0::5b414e4e415d00536c6172746962617274666173742c2041524356204e754b4520746865204672656e6368.+286329204152635620\d\d\d\d202d20456e676c616e64205261696e696e6720416761696e 20020304::VBS::VBS/SST@MM::0::43687228[^29]+29.+4e657874.+456e64.+46756e6374696f6e.+566273776720\d+2e\d+2e?205b4b5d416c616d6172 20020304::VBS::VBS/Eraser.A::0::457261736546696c6573.+46756e6374696f6e.+46696c65546f4572617365.+46696c65546f45726173652e70617468.+457874656e73696f6e.+545854.+444f43 20020304::BAT::BAT/Double_At.B::0::6563686f202e42415420766972757320274040272076\d+2e\d+.+4f522043582c4358.+4a5a20313042.+4d4f562044582c313043.+4d4f562041482c3431.+494e54203231.+494e542033.+4442.+66696e64.+6465627567.+6578697374.+636f7079.+66696e64.+646f2063616c6c.+64656c 20020304::VBS::VBS/Concon.gen::0::5753485368656c6c.+575363726970742e5368656c6c.+484b45595f4c4f43414c5f4d414348494e45.+65786566696c65.+5c636f6e5c636f6e.+57656c636f6d65.+696e74446f4974.+766243616e63656c.+575363726970742e51756974 20020304::VBS::VBS/CoolNote.worm::0::5072696e7a20436861726c65732041726520446965.+546865206e6577657374204d65737361676520666f7220436f6f6c2055736572.+766263726c66.+4c75636b7932303030.+434f4f4c5f4e4f54455041445f44454d4f2e545854.766273 20020304::VBS::W32/CodeBlue.worm::0::576562536572766963652c764c6973742c6974656d2c76466f756e642c7653756244616e2c44616e6765722c764e6577436f756e742c466f756e64537472696e67.+46756e6374696f6e2046696e644d6170706572.+466f756e64.+53747231.+436872.+44656c4d6170706572.+44616e676572.+4172726179.+5363726970744d617073 
20020302::4d5a::Win32.Asorl::0::57696e33322f417374726f4769726c20417374726f436f64656420627920612057617a657800596f75722073797374656d20697320696e6665637465642062792057696e33322f417374726f4769726c2076\d+2e\d+.+44656469636174656420746f20416e69746120616e64206f75722070656e672d6775696e203b290d 20020207::d0cf11e0a1b11ae1::W97M/Generic::0::57.*4d2e537069726f68657461 20020207::4d5a::W32/Adebar.dr::0::5b694b785d20286329203139393920616c6c207269676874207265736572766564202d2070726573656e7420416c6465426172616e #20020227::4d5a::W32/HLLP.32767.a::0::57696e33322e484c4c502e5a617573686b612e576f726d005a617573686b6100 20020225::4d5a::W32/XTC@MM::0::2e415658656e6372 #20020223::4d5a::W95/Puma::0::eb5a46696e64466972737446696c65410046696e644e65787446696c65410043726561746546696c6541005f6c636c6f73650053657446696c65506f696e746572005265616446696c6500577269746546696c65000b2a2e45584500 20020223::d0cf11e0a1b11ae1::W97M/Hope.gen::0::576f7264323030302e476172476c65 #20020221::e9::Ginger.mp::0::596f752063616e2774206361746368207468652047696e6765726272656164204d616e212195 20020220::474554::W32/CodeRed.c.worm::0::.+436f64655265644949.+ 20020220::474554::W32/CodeRed.a.worm::0::484f53543a7777772e776f726d2e636f6d0a204163636570743a202a2f2a0a436f6e74656e742d6c656e6774683a 20020216::4d5a::W32/Klez.gen@MM::0::0d0a2e0d0a00000044415441200d0a0048454c4f2025730d0a0000003e0d0a004d41494c2046524f4d3a203c000000005243505420544f3a3c00000025640000 20020214::4d5a::W32/MTX.gen@M::0::536f6674776172652070726f76696465206279205b4d41545269585d205658207465616d 20011220::4d5a::BackDoor.arsd::0::14ff56b936dc5abd1b93ebea5f21b835731bfca6dc6f01248b1485b86c280d3bd1740940b3bb954a1a741572e51a890c8b00cfb7904924fe81c3228da5687ab4 20011218::4d5a::W32/Navidad.e@M::0::08b56dea4682326762422b165997cbdb401c02d24340a0996520992a9da121a1a11d550519015755328c41c50801760a430f8187b0da183d422828a880acd2e9 
20020304::TEST::EICAR-Test-File::0::58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a File-Scan-1.43/META.yml0000644000175000007640000000044510236172426013661 0ustar wwwadminweb# http://module-build.sourceforge.net/META-spec.html #XXXXXXX This is a prototype!!! It will change in the future!!! XXXXX# name: File-Scan version: 1.43 version_from: Scan.pm installdirs: site requires: distribution_type: module generated_by: ExtUtils::MakeMaker version 6.17 File-Scan-1.43/t/0000755000175000007640000000000010236172426012650 5ustar wwwadminwebFile-Scan-1.43/t/scan.t0000644000175000007640000000021107436662521013763 0ustar wwwadminweb# -*- perl -*- # BEGIN { $| = 1; print "1..1\n"; } END {print "not ok 1\n" unless $loaded;} use File::Scan; $loaded = 1; print "ok 1\n"; File-Scan-1.43/docs/0000755000175000007640000000000010236172426013335 5ustar wwwadminwebFile-Scan-1.43/docs/write_sign_bin.txt0000644000175000007640000001352307736255066017111 0ustar wwwadminwebExample of writing a signature for a binary file: Henrique Dias Last Change: Tue Sep 30 11:24:13 WEST 2003 This document gives suggestions for writing virus signatures. pico -> editor (you can use vim, emacs or another editor) xxd -> hex dump of a given file -> Change to the directory that holds the infected file or virus sample. Do this on an isolated machine or VM: the `unzip` step below writes the live executable to disk. $ cd virus/W32_Yaha.u_MM $ ls specimen.zip $ unzip specimen.zip $ xxd setup.exe > hex.txt $ more hex.txt -> Get the application signature from the beginning of the hex dump. The first bytes of a file are matched against this list to select the signature set; a file that matches none of them is skipped rather than scanned against the binary signatures: application signatures ---------------------- e9 474554 4d534654 49545346 7f454c46 4d5a000002 4d5a420002 4d5a500002 4d5a900003 4d5a930001 d0cf11e0a1b11ae1 ---------------------- application signature | | |----------| 0000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..........ÿÿ.. 0000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@....... 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
0000030: 0000 0000 0000 0000 0000 0000 e000 0000 ............à... 0000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ..º....Í!..LÍ!Th 0000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno 0000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS 0000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode....$....... 0000080: d1e9 2b6c 9588 453f 9588 453f 9588 453f Ñé+l..E?..E?..E? 0000090: ee94 493f 9488 453f 1694 4b3f 8588 453f î.I?..E?..K?..E? ... -> Look through the file for a good signature: ... 0009190: 6b6c 6d41 7172 7775 7677 78ff 09fa ff79 klmAqrwuvwxÿ.úÿy 00091a0: 7a30 3132 3334 3536 3738 392b c63c 2f42 z0123456789+Æ.HTML>É< 00091c0: 170b 45fb 76d9 9dc7 300d 4a3c 3c46 4f4e ..EûvÙ.Ç0.J< End 0009220: d764 3755 b8bb 827e bb3d cee4 9e62 9c5d .d7U...~.=Îä.b.] 0009230: 9d0a f681 d66f 0d00 3ee3 bd06 3a26 1e11 ..ö.Öo..>ã..:&.. 0009240: 2220 97eb dd6f 1348 48a1 1973 2748 6cbe " .ëÝo.HH..s'Hl. 0009250: 03be 6401 2c64 0901 2079 0044 6880 6f24 ..d.,d.. y.Dh.o$ 0009260: 4556 4441 5fb1 71ef ffd0 5243 5054 2054 EVDA_.qïÿÐRCPT T 0009270: 4f3a 3c19 3e1e 0180 15d2 fe4c 2046 524f O:<.>....ÒþL FRO ... Signature (you can choose another signature; pick a byte run from the specimen's own code or data that benign files are unlikely to share, otherwise the signature will produce false positives): 91d96f2d383835392db962b844144be8 07ebe9a71525742fad6d777723e13558 2a8f274d4b29a021fa4d494d452d493a cacd5a5aa171aafe2f5a5818ee6d6978 -> Change to the File-Scan directory after extracting the distribution tarball: $ cd File-Scan-X.XX -> Now, add the signature to the signature database file. $ pico files/signatures.txt date::app_signature::Virus_Name::Position::signature | | | | | | +----+ | | +--------+ | | | | | 20030730::4d5a900003::W32/Yaha.u@MM::0::91d96f2d383835392db962b844144be807ebe9a71525742fad6d777723e135582a8f274d4b29a021fa4d494d452d493acacd5a5aa171aafe2f5a5818ee6d6978 -> Edit the Makefile.PL and change the value of $debug to 1. 
$ pico Makefile.PL ---Makefile.PL------------------------------- use strict; my $debug = 0; --> Change to 1 my $bufflen = 1024; --------------------------------------------- $ perl Makefile.PL $ make test $ sudo make install $ make clean -> Scan the infected file with the example scanner. The debug build prints the running byte count after each buffer; the last value printed before the match is the Position to record: $ examples/scan.pl ../../virus/W32_Yaha.u_MM/setup.exe ----------------------------------------------------------------------- ... 31744 32768 33792 34816 35840 36864 37888 <--- Position ../../virus/W32_Yaha.u_MM/setup.exe Infection: W32/Yaha.u@MM Results of virus scanning: -------------------------- Objects scanned: 1 Skipped: 0 Suspicious: 0 Infected: 1 Scan Time: 0 wallclock secs ( 0.01 usr + 0.01 sys = 0.02 CPU) ----------------------------------------------------------------------- $ pico files/signatures.txt -> Now set the Position field to the offset reported by the debug run (37888 here): date::app_signature::Virus_Name::Position::signature | | | | | | +----+ | +--+ +-----------+ | | | | | 20030730::4d5a900003::W32/Yaha.u@MM::eq37888::91d96f2d383835392db962b844144be807ebe9a71525742fad6d777723e135582a8f274d4b29a021fa4d494d452d493acacd5a5aa171aafe2f5a5818ee6d6978 Conditions (the Position field is compiled into a comparison against the number of bytes read so far, $total, and the signature is only tested while that comparison holds): -------------------------------------------------------- 0 Test on every buffer (scan the whole file) lt/le n Test only while fewer than (or at most) n bytes have been read gt/ge n Test only once more than (or at least) n bytes have been read eq n Test only when exactly n bytes have been read ne n Test whenever the bytes read are not n or logical OR operation and logical AND operation -------------------------------------------------------- Note: an earlier version of this table described lt/le as "after" and gt/ge as "before"; the generated code compares $total against n as written above. A position-bound signature such as eq37888 is also fragile: a repacked or padded variant of the same sample will not be matched at that offset. $ pico Makefile.PL -> Change again the value of $debug to 0. 
---Makefile.PL------------------------------- use strict; my $debug = 1; --> Change to 0 my $bufflen = 1024; --------------------------------------------- $ perl Makefile.PL $ make test $ sudo make install $ make clean -> Test the signature with the example scanner: $ examples/scan.pl ../../virus/W32_Yaha.u_MM/specimen.zip ---Result------------------------------------ /tmp/setup.exe Infection: W32/Yaha.u@MM ../../virus/W32_Yaha.u_MM/specimen.zip ZIP archive Results of virus scanning: -------------------------- Objects scanned: 1 Skipped: 0 Suspicious: 0 Infected: 1 Scan Time: 0 wallclock secs ( 0.02 usr 0.00 sys + 0.00 cusr 0.01 csys = 0.03 CPU) Note that, as the output shows, the example scanner unpacks the archive member to /tmp/setup.exe before scanning it. On a multi-user host prefer a private, non-world-readable temporary directory, and run these experiments on an isolated system. For canonical virus names, consult: http://vil.nai.com/vil/default.asp http://www.antivirus.com/vinfo/virusencyclo/ http://www.viruslist.com/ File-Scan-1.43/Makefile.PL0000644000175000007640000002244010236170370014355 0ustar wwwadminwebuse ExtUtils::MakeMaker; # See lib/ExtUtils/MakeMaker.pm for details of how to influence # the contents of the Makefile that is written. 
# Last Modification: Wed May 4 12:45:56 WEST 2005 use strict; my $debug = 0; my $bufflen = 1024; my $min_txt_size = 0; my $signs = "files/signatures.txt"; my $susp = "files/suspicious.txt"; my @html_scripting = ("HTMLVBS", "HTMLJS"); my $script_lang = { 'in' => { "HTMLVBS" => "< *script[^>]+language *=[\"' ]*vbscript[\"']*[^>]*\>", "HTMLJS" => "< *script[^>]*(language *=[\"' ]*javascript[\"']*)*[^>]*>", }, 'out' => { "BAT" => "Batch", "JS" => "JavaScript", "VBS" => "VBScript", "TEST" => "Test", }, 'mix' => { "MIXVBS" => "HTMLVBS/VBS", }, }; my $app_signatures = { '4d5a' => { sign => '\x4d\x5a', subtypes => [ { type => '4d5a000000', sign => '\x4d\x5a\x00\x00\x00', }, { type => '4d5a000001', sign => '\x4d\x5a\x00\x00\x01', }, { type => '4d5a000002', sign => '\x4d\x5a\x00\x00\x02', }, { type => '4d5a420002', sign => '\x4d\x5a\x42\x00\x02', }, { type => '4d5a500002', sign => '\x4d\x5a\x50\x00\x02', }, { type => '4d5a900003', sign => '\x4d\x5a\x90\x00\x03', }, { type => '4d5a930001', sign => '\x4d\x5a\x93\x00\x01', }, ], }, '4d534654' => { sign => '\x4d\x53\x46\x54', }, '49545346' => { sign => '\x49\x54\x53\x46', }, 'd0cf11e0a1b11ae1' => { sign => '\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', }, '474554' => { sign => '\x47\x45\x54', }, 'e9' => { sign => '\xe9', }, '7f454c46' => { sign => '\x7f\x45\x4c\x46', } }; my %conversion = (); my $firstbytes = 32; my $hash = &load_signatures($signs); my $linesusp = load_suspicious($susp); my $code = &get_code($hash); &make_module($code); my @ppd; if ($] >= 5.00503) { @ppd = ( 'AUTHOR' => 'Henrique Dias ', 'ABSTRACT' => 'Extension for Scanning files for Viruses', ); } WriteMakefile( 'NAME' => 'File::Scan', 'DISTNAME' => 'File-Scan', 'VERSION_FROM' => 'Scan.pm', # finds $VERSION 'PREREQ_PM' => {}, # e.g., Module::Name => 1.1 'dist' => { 'COMPRESS' => 'gzip -9f', 'SUFFIX' => 'gz', }, @ppd, ); sub load_suspicious { my $file = shift; my @all = (); my $pattern = '(?) 
{ next if(/^#/); chomp(); my ($txt, $hex) = split(/::/); $hex =~ s/$pattern/\\x$1/og; push(@all, "\/$hex\/s"); } close(FILE); return(join(" ||\n\t\t\t\t\t\t", @all)); } sub load_signatures { my $file = shift; my $pattern = '(?{'in'}})} = (); @script{keys(%{$script_lang->{'out'}})} = (); my $hash = {}; open(FILE, "<$file") or die("Can't open $file: $!"); while() { next if(/^#/); chomp; my @elem = split(/::/); scalar(@elem) == 5 or die("Wrong signature: $_"); $elem[2] =~ s/\@/\\\@/g; $elem[3] =~ s/ +//g; $elem[3] =~ s/eq/\=\=/ig; $elem[3] =~ s/ne/\!\=/ig; $elem[3] =~ s/lt/\/ig; $elem[3] =~ s/ge/\>\=/ig; $elem[3] =~ s/([\=\!\<\>][\=]?\d+)/\$total$1/g; $elem[3] =~ s/or/ \|\| /ig; $elem[3] =~ s/and/ \&\& /ig; if(exists($script{$elem[1]})) { my (@tmp) = ($elem[4] =~ /$pattern/og); my $len = int(length(join("", @tmp))/2); $min_txt_size = $len if($len < $min_txt_size || !$min_txt_size); } $elem[4] =~ s/$pattern/\\x$1/og; $hash->{$elem[1]}->{$elem[3]}->{$elem[2]} = $elem[4]; } close(FILE); return($hash); } sub make_module { my $code = shift; open(BASEFILE, "Scan.pm") or die("Can't open Scan.pm: $!"); while() { s/\$min_txt_size/$min_txt_size/; print PMFILE $_; if(/^__DATA__/) { print PMFILE $code; } } close(PMFILE); close(BASEFILE); } sub get_code { my $patterns = shift; my $today = &string_date(); my $code = < $firstbytes); my $sign = $app_signatures->{$key}->{sign}; if(exists($app_signatures->{$key}->{subtypes})) { $code .= "\t/\^$sign/o and \$_[0] = $c;\n"; my $sc = 0; for my $a (@{$app_signatures->{$key}->{subtypes}}) { $sc++; my $t = $a->{type}; my $s = $a->{sign}; $conversion{$t} = $sc; $code .= "\t/\^$s/o and return(\$_[1] = $sc);\n"; my $n = length($t)/2; $firstbytes = $n if($n > $firstbytes); } } else { $code .= "\t/\^$sign/o and return(\$_[0] = $c);\n"; } } $code .= <{'callback'})) { if(my \$ret = \$self->{'callback'}->(\$file, \$buff) || "") { &ret_callback(\$ret); \$ret and last LINE; } } } study; \$_ = (\$save .= \$buff); unless(\$script) { TEST: { local \$_ = 
lc(\$save); ENDOFCODE3 for my $sl (@html_scripting) { $code .= "\t\t\t\t/" . $script_lang->{'in'}->{$sl} . "/os and \$script = \"$sl\", last TEST;\n"; } $code .= "\t\t\t}\n\t\t}\n\t\tif(\$script) {\n"; for my $sl (keys(%{$script_lang->{'in'}})) { if(scalar(keys(%{$patterns->{$sl}->{'0'}}))) { $code .= "\t\t\tif(\$script eq \"$sl\") {\n"; while(my($key, $value) = each(%{$patterns->{$sl}->{'0'}})) { $code .= "\t\t\t\t/$value/s and \$virus = \"$key\", last LINE;\n"; } $code .= "\t\t\t}\n"; } } $code .= <]*>/s and \$script = ""; } else { ENDOFCODE4 for my $sl (keys(%{$script_lang->{'out'}})) { while(my($key, $value) = each(%{$patterns->{$sl}->{'0'}})) { $code .= "\t\t\t/$value/s and \$virus = \"$key\", last LINE;\n"; } } $code .= "\t\t}\n"; if(scalar(keys(%{$script_lang->{'mix'}}))) { $code .= "\t\tunless(\$script eq \"HTMLJS\") {\n"; for my $sl (keys(%{$script_lang->{'mix'}})) { while(my($key, $value) = each(%{$patterns->{$sl}->{'0'}})) { $code .= "\t\t\t/$value/s and \$virus = \"$key\", last LINE;\n"; } } $code .= "\t\t}\n"; } $code .= <= $firstbytes) { \$skip = 3; last LINE; } if(exists(\$self->{'callback'})) { if(my \$ret = \$self->{'callback'}->(\$file, \$begin) || "") { &ret_callback(\$ret); \$ret and last LINE; } } &get_app_sign(\$type, \$subtype, \$begin); unless(\$type) { \$skip = 1; last LINE; } } study; \$_ = (\$save .= \$buff); unless(\$suspicious) { local \$_ = lc(\$save); \$suspicious = 1 if($linesusp); } ENDOFCODE7 my $lcode = ""; for my $key (keys(%{$app_signatures})) { my $c = $conversion{$key}; $lcode .= ($lcode) ? "\t\t} els" : "\t\t"; $lcode .= "if(\$type == $c) {\n"; if(exists($app_signatures->{$key}->{subtypes})) { my $stcode = ""; for my $a (@{$app_signatures->{$key}->{subtypes}}) { my $st = $a->{type}; my $c = $conversion{$st}; $stcode .= ($stcode) ? 
"\t\t\t} els" : "\t\t\t"; $stcode .= "if(\$subtype == $c) {\n"; $stcode .= &subgene($patterns->{$st}, "\t\t\t\t"); } $lcode .= "$stcode\t\t\t\}\n" if($stcode); } $lcode .= &subgene($patterns->{$key}, "\t\t\t"); } $code .= $lcode; $code .= <{$limit}})) { $code .= $tabs . "/$value/s and \$virus = \"$key\", last LINE;\n"; } $code .= "$tab\}\n" if($limit); } return($code); } sub string_date { my ($sec,$min,$hour,$mday,$mon,$year) = localtime(); return sprintf("%04d/%02d/%02d %02d:%02d:%02d", $year + 1900, $mon + 1, $mday, $hour, $min, $sec); } File-Scan-1.43/README0000644000175000007640000000277510236171725013275 0ustar wwwadminwebThis is the README file for the Perl module File::Scan, version 1.43 File::Scan - Perl extension for scanning files for viruses This module is designed to allow users to scan files for known viruses. The purpose is to provide a Perl module for building platform-independent virus scanners. To install the File::Scan module type the following: % perl Makefile.PL % make % make test % make install Rpm Packages Platform: SuSE 7.3 Author: Pascal Bleser Url: http://guru.unixtech.be/rpm/Projects/File-Scan/ Platform: RedHat 7.2 Author: Michael McLagan Url: ftp://ftp.redhat.com/pub/contrib/noarch/noarch/ To get the most recent version: % examples/latest.pl File::Scan is supported by: AMaViS "Next Generation" http://sourceforge.net/projects/amavis/ MIMEDefang http://www.roaringpenguin.com/mimedefang/ Aegis - a virus scanner for Linux/Unix systems with a simple and intuitive user interface. http://jodrell.net/projects/aegis You can access the File::Scan documentation with perldoc File::Scan For examples look at the examples directory (includes a virus scanner). For submitting new viruses or virus patterns please send a mail to hdias@aesbuc.pt (if a file contains live malware, send it inside a password-protected archive so that it is neither executed nor stripped in transit). Questions, bug reports, useful code bits, and suggestions for File::Scan should just be sent to me at hdias@aesbuc.pt Copyright (c) 2005 Henrique Dias. All rights reserved. 
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.