How to keep your collection in good shape

Virus collecting

A collector's guide on how to maintain your vx collection in good shape


-By VirusP-


When getting new virus samples, we follow this procedure:

1) We clear all files' attributes (set them to null).
2) We rename them to .vir and run renexts (with both command options).
3) We rename them to their crc32 name.
4) We check them against the avp-packed log to find either .obj files that renexts misses or files wrongly renamed to .obj, and we put those apart in the obj folder.
5) We check to find any dupes in our vx samples.
6) We scan the remaining samples for any fake ones with both fakescanner and fweed.
7) We rename the remaining .vir samples to .com.
8) We put aside the fakes, the possibly-fakes and the .obj files.
9) We unzip, unrar, unace and so on the archive files of our collection, EXCEPT for the .exe ones that were made with a compression program: they are probably a Trojan or a Backdoor and need to remain as they are. We look into it thoroughly through the avp log (find / switches). Then we use renexts on the newly unpacked files, rename them to their crc32 name and check for dupes once again.
10) We can also use the avp and f-prot logs to rename some .vir vx into their correct extension. These usually have one of the following antivirus report strings:
bat, vbs, worm, irc, macro, unix, linux, script, js, html, archive, IS, dll, sh, csc, pl, php.
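Steps 1, 2, 3 and 5 of the intake procedure (clear attributes, rename to .vir, rename to the crc32 name, check for dupes) as an added Python example; this is not VirusP's code or one of the tools named above. It assumes the samples sit directly under one folder, treats "attributes to null" as clearing the read-only bit, and keeps the inert .vir extension throughout rather than renaming to .com; because crc32 is not collision resistant, a name clash is confirmed as a dupe only when the bytes match, otherwise both files are kept under numbered names.

```python
import shutil
import stat
import tempfile
import zlib
from pathlib import Path

INERT_EXT = ".vir"  # neutral extension: nothing executes a .vir by file association


def crc32_of(path: Path) -> int:
    """Stream the file through zlib.crc32 so large samples never sit fully in memory."""
    crc = 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def normalise_collection(root: Path) -> dict:
    """Clear the read-only bit, rename every file under root to <crc32>.vir and move
    byte-identical duplicates to root/dupes. Returns {"kept": [...], "dupes": [...]}."""
    dupes_dir = root / "dupes"
    dupes_dir.mkdir(exist_ok=True)
    kept, dupes = [], []
    for sample in sorted(p for p in root.iterdir() if p.is_file()):
        sample.chmod(stat.S_IMODE(sample.stat().st_mode) | stat.S_IWUSR)  # step 1
        name = f"{crc32_of(sample):08x}"
        target, n = root / f"{name}{INERT_EXT}", 0
        while target.exists() and target != sample:
            if sample.read_bytes() == target.read_bytes():  # step 5: identical bytes -> dupe
                dupe = dupes_dir / f"{name}_dup{len(dupes) + 1}{INERT_EXT}"
                shutil.move(str(sample), str(dupe))
                dupes.append(dupe.name)
                break
            n += 1  # same crc32, different content: keep both under numbered names
            target = root / f"{name}_{n}{INERT_EXT}"
        else:
            if target != sample:
                sample.rename(target)  # steps 2 and 3 in one move
            kept.append(target.name)
    return {"kept": sorted(kept), "dupes": sorted(dupes)}


def demo() -> dict:
    """Constructed samples (harmless text, not real malware) in a throw-away directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.com").write_bytes(b"constructed sample A")
        (root / "b.exe").write_bytes(b"constructed sample A")  # byte-identical dupe of a.com
        (root / "c.txt").write_bytes(b"constructed sample C")
        (root / "c.txt").chmod(stat.S_IRUSR)  # read-only, like a DOS +R attribute
        return normalise_collection(root)
```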

From time to time (that is, whenever there is a new version of avpdos32, f-prot, renexts, fakescanner or fscan), we follow this procedure to keep our collection in good condition:

1) We scan the samples with avp and f-prot and remove the ones marked as "ok" or "possibly infected" or "suspicious file" or "could be corrupted file".
2) We scan with the latest version of fakescanner to find new fakes or even files that had been mistaken for fakes with the previous version of fakescanner.
3) We rename all samples to .vir. Then we scan using the newest version of renexts with both command options. After we put the remaining .vir samples into separate folders, as we did previously, we rename them to .bat for better f-prot scanning results.
4) We scan one more time for dupes, just for safety reasons.

P.S.

The following file types have problems with f-prot identification:

vir, img, doc, xls, vbs, js, bat, php, the unix ones, html, the irc ones, the worm ones, dll, sh, jse, csc, pl.
