= FindMirc (F_Mirc) - Virus Scanner

:author: Ralph Roth
:encoding: UTF-8
:show-link-uri:
:toc: right
:doctype: book
:data-uri:
//:icons:
:lang: en

$Id: f_mirc.txt,v 1.99 2020/10/19 17:19:17 ralph Exp $

image::f_mirc.png[align="center"]

Format: Plain text (not yet fully in ASCII-DOC), UTF8,
        Windows CR+LF, 80 chars max. per line

-----------------------------------------------------------------------------

___________.__            .___ _____  .__
\_   _____/|__| ____    __| _//     \ |__|______   ____
 |    __)  |  |/    \  / __ |/  \ /  \|  \_  __ \_/ ___\
 |     \   |  |   |  \/ /_/ /    Y    \  ||  | \/\  \___
 \___  /   |__|___|  /\____ \____|__  /__||__|    \___  >
     \/            \/      \/       \/                \/

-----------------------------------------------------------------------------


== Introduction

=== What is Anti-virus Software?

Anti-virus software helps protect your computer against known viruses, worms,
Trojan horses and other unwanted invaders that can make your computer "ill".
Computer viruses behave much like biological viruses: they attach themselves
to programs or hosts and replicate themselves repeatedly; the hosts, however,
take the form of USB drives, email attachments or files rather than living
organisms. In this case it is worse than the flu. Viruses, worms, Trojans and
the like often perform malicious acts, such as deleting files, accessing
personal data, using your computer to attack or infect other computers, or
simply replicating and interfering with your system, making it unstable or
more vulnerable to attacks. A program that is able to detect viruses is called
a virus scanner.

FindMirc is both a very fast signature scanner and a so-called heuristic
scanner. It can detect virus mutations; it will search for Trojans, fun and
joke programs, script viruses (VBS, HTML etc.), IRC worms, malware and dropper
programs. FindMirc is able to disassemble and decrypt files using a software
emulator. This generic detection, called heuristic analysis, is a technique that
makes it possible to detect unknown viruses by searching for suspicious command
sequences instead of relying on known signatures. FindMirc is therefore able to
flag suspicious instructions and abnormal code sequences, and so to detect
still unknown viruses!


== What is FindMirc?

FindMirc is a scanner that is able to detect script viruses, worms, viruses
and malware. This includes IRC worms (.INI), batch files (.BAT), JavaScript
(.JS, .JSE), Visual Basic Script (.VBS, .HTML, .SHS, .VBE), Trojans, backdoors,
mail worms, spyware, key loggers, viruses (.EXE, .SHS, .SCR etc.) and other
script worms like .CS and .WBT infectors. FindMirc additionally uses heuristic
scan engines and can find and classify yet unknown viruses! For example,
FindMirc was able to detect the VBS.Love_Letter virus family using the
heuristic scan engines!


=== About/History

Version 2.00 was ported from DOS (16 bit) to Windows (32 bit), allowing FindMirc
to use long file names on all Win32 platforms. Furthermore the code is now
portable and is able to run under Linux (32/64 bit) and other operating systems!
As a trade-off of using the new 32 bit compiler, the generated code is slower on
Windows than the DOS 16 bit code! The Linux versions are super fast!

NOTE: Please note that starting with F_Mirc version 7.00 a DOS32 version is no
longer available, only a stripped down DOS16 version as a dual bound
executable (delivered with the Win32 EXE file)!

Version 3.00 is compiled for Pentium MMX CPUs and better and WILL NOT run on a
486 or Pentium CPU without MMX support!

Version 4.00 adds the options -log and -logall as well as basic detection for
Win32 Trojans, backdoors and other malware (currently around 250.000
signatures).

Version 4.50: Added the Trojan scan engine from VSP and RHBVS (~4000 viruses).

See "History" below for more details.

FindMirc is Freeware by ROSE SWE. All Rights Reserved!


=== Different Operating Systems

FindMirc is available for different operating systems. When you start FindMirc
a banner with the program version, build number and target platform is
printed.

E.g.:

  ----=[ F_Mirc/Win32 7.52-3077 - IRC, VBS & Script Worm Detector ]=-------------
                  ^    ^    ^
  Platform -------/    |    |
  Program version -----/    |
  Build --------------------/


=== Different Computing Platforms

The following platforms are currently supported:

- Win32 - Windows console, runs under Win95/98/ME, NT, 2000 & XP etc.,
          Pentium required. Long file names (LFN) supported on all platforms.

- DOS32 - runs under Win32 + DOS, Pentium required, for DOS a DPMI extender
          is required. Long file names supported under Windows 98, 2000 & XP
          and better. Skipped starting with the 6.52 release, but available
          upon request.

- DOS16 - runs under Win32 + DOS, 386 CPU required, no extender required, but
          limited in Trojan/Backdoor detection due to insufficient memory! No
          LFN support at all! Skipped with the 6.xx versions (use DOS32 version
          instead) as a separate/standalone program. See the "dual bound"
          documentation for details and how to use the DOS16 version.

- Linux (32/64) - runs under 2.6.x and higher kernels. LFN under native Linux
          and mounted Win32/FAT/NTFS supported. Requires a Pentium. Fastest
          platform! The 64 bit Linux version needs a CPU with AVX2 support
          (COREAVX2 target or better).


=== Build Schema

The build number is a unique increasing number that is incremented with each
build of FindMirc. A higher build number means a newer program version.


=== Known Bugs/To Do

1.) The command line engine can not handle spaces, e.g. -log="C:\Documents
and Settings\..." will currently NOT work!

2.) For files whose DOS entry point differs from the Windows (PE) entry point,
F_Mirc may report "Corrupted MS-DOS Header! Size=10.992, EP=157.686"

3.) The list option (-list=filename) was reported to be buggy under Linux


=== Return/Error Codes

  0       all OK, nothing found
  4       One of the signatures files is damaged or the access is denied!
  5       viruses found
  6       cannot change to directory
  7       on-line help shown (maybe wrong parameters)
  8       file not found, e.g. virscan.*

  11..18  DOS/Windows error, please report it to ROSE SWE!
  xx      Internal error, please report it to ROSE SWE!


== Command line Parameters

Run F_Mirc with the option -? to see all current supported command line
arguments!

=== Option /CSV

This option logs found malware to a comma-separated values (CSV) file in the
current directory named f_mirc-0000.csv

If the file already exists, the next free filename is used by increasing the
hexadecimal counter in the filename, e.g. f_mirc-0001.csv, f_mirc-0002.csv etc.
until f_mirc-ffff.csv
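A wrapper that runs F_Mirc on a schedule needs to know which f_mirc-XXXX.csv a
particular run produced, and sorting by modification time is not reliable when
several runs share a directory. The helpers below mirror the naming rule
described above. They are an added example, not FindMirc's own code; they
assume the counter is stepped from 0000 until a free name is found (so a gap is
reused) and that a DOS-written name may arrive upper-cased. The file listing
at the bottom is constructed for the example.

```python
import os
import re
from typing import Iterable, List, Optional

# f_mirc-XXXX.csv with a four-digit hex counter; DOS may upper-case the name.
_CSV_NAME = re.compile(r"^f_mirc-([0-9a-f]{4})\.csv$", re.IGNORECASE)


def csv_counters(names: Iterable[str]) -> List[int]:
    """Counters (as ints) of all f_mirc-XXXX.csv names in `names`, ascending."""
    found = set()
    for name in names:
        m = _CSV_NAME.match(name)
        if m:
            found.add(int(m.group(1), 16))
    return sorted(found)


def next_csv_name(names: Iterable[str]) -> Optional[str]:
    """Name the next /CSV run will use (assumption: counter stepped from 0000
    until a free name is found, so gaps are reused).  None once all 65536
    names up to f_mirc-ffff.csv are taken."""
    used = set(csv_counters(names))
    for counter in range(0x10000):
        if counter not in used:
            return f"f_mirc-{counter:04x}.csv"
    return None


def latest_csv_name(names: Iterable[str]) -> Optional[str]:
    """Highest-numbered CSV present: the most recent run when there are no gaps."""
    counters = csv_counters(names)
    return f"f_mirc-{counters[-1]:04x}.csv" if counters else None


def new_csv_names(before: Iterable[str], after: Iterable[str]) -> List[str]:
    """CSV files that appeared between two directory listings taken before and
    after a scan run: the reliable way to find the file that run produced."""
    seen = set(csv_counters(before))
    return [f"f_mirc-{c:04x}.csv" for c in csv_counters(after) if c not in seen]


def csv_names_in(dirname: str = ".") -> List[str]:
    """Directory listing filtered to F_Mirc CSV result files."""
    return [n for n in os.listdir(dirname) if _CSV_NAME.match(n)]


if __name__ == "__main__":
    # Constructed listing: two earlier runs, one of them written under DOS.
    listing = ["f_mirc-0000.csv", "F_MIRC-0001.CSV", "virscan.wsm"]
    print("next run writes:", next_csv_name(listing))
    print("most recent run:", latest_csv_name(listing))
```

Take a listing with csv_names_in() before starting F_Mirc and another after it
exits, and new_csv_names() gives the file of that run even if other runs wrote
into the same directory in between.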

=== Notes on parameter usage

Customers familiar with the American or UNIX parameter syntax (minus sign)
instead of the slash ( / ) can also use the minus sign ( - ) to start an option.
Under Linux the use of the minus sign for command line arguments is mandatory!

Example: -all is equivalent to /ALL

NOTE: There must be at least one blank between the individual arguments! The
arguments are not case sensitive.


=== The environment variable F_Mirc

Instead of always calling F_Mirc with arguments, F_Mirc can be controlled with
a so-called environment variable. For example, enter the following at the DOS
prompt:

                     SET F_Mirc=/cde -log

If you start F_Mirc now, F_Mirc reads all required arguments from the
variable. This assumes that the FindMirc binary is named f_mirc.exe

=== Rollback of preset values

Sometimes it might be desired to reset already set options (i.e. set by SET
F_Mirc=...) This can simply be done by a minus sign following the option on
the command line. With this action the option is being switched off.

For example, you have entered the following:

                          SET F_Mirc=/all

Then start F_Mirc with the following argument:

                            F_Mirc c: /all-

In this case the command line option overrides the option set by the
environment variable! Command line options always override environment options.
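The precedence rules of the last three sections (environment variable first,
command line second, a trailing minus switching an option off, slash and minus
interchangeable except under Linux, names not case sensitive) are easy to get
wrong when a wrapper script builds F_Mirc command lines. The following model
of that precedence is an added example, not FindMirc's own argument parser;
option names such as cde, all and log are taken from the examples above and
any value syntax beyond "-name=value" is an assumption.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# "/name", "-name", "-name=value" or "/name-" (trailing minus switches the
# option off again).  Under Linux only the minus sign introduces an option,
# so "/tmp" stays a scan target there instead of becoming option "tmp".
_WIN_OPTION = re.compile(
    r"^[-/](?P<name>[A-Za-z?]+)(?:(?P<value>=.*)|(?P<off>-))?$")
_UNIX_OPTION = re.compile(
    r"^-(?P<name>[A-Za-z?]+)(?:(?P<value>=.*)|(?P<off>-))?$")

Options = Dict[str, str]   # lower-cased option name -> value ("" for flags)


def apply_tokens(tokens: List[str], options: Options, targets: List[str],
                 unix: bool) -> None:
    """Fold one argument list into `options`; whatever is not an option is
    a target (drive or directory to scan)."""
    pattern = _UNIX_OPTION if unix else _WIN_OPTION
    for token in tokens:
        m = pattern.match(token)
        if m is None:
            targets.append(token)
            continue
        name = m.group("name").lower()       # arguments are not case sensitive
        if m.group("off"):
            options.pop(name, None)          # "/all-" rolls back an earlier /all
        else:
            options[name] = (m.group("value") or "=")[1:]


def effective_options(argv: List[str], environ: Optional[Dict[str, str]] = None,
                      unix: bool = False) -> Tuple[Options, List[str]]:
    """Options F_Mirc ends up with: the F_Mirc environment variable is read
    first, then the command line, so a later setting always wins.  Splitting
    the variable on whitespace mirrors the documented limitation that paths
    with spaces are not handled."""
    env = environ if environ is not None else dict(os.environ)
    options: Options = {}
    targets: List[str] = []
    apply_tokens(env.get("F_Mirc", "").split(), options, targets, unix)
    apply_tokens(argv, options, targets, unix)
    return options, targets


if __name__ == "__main__":
    # The rollback example from the documentation: SET F_Mirc=/all, then
    # "F_Mirc c: /all-" leaves /all switched off.
    print(effective_options(["c:", "/all-"], environ={"F_Mirc": "/all"}))
```

Pass unix=True when reproducing Linux behaviour: there "/tmp" must be treated
as a path, which is exactly why the documentation makes the minus sign
mandatory on that platform.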


=== Suggested parameters for virus scanner testing

For testing F_Mirc against other virus scanners we suggest the following
options:

  F_Mirc directory_to_scan -all -log=vtc_13062004.log -logall -logdel

NOTE: Long file names in the command line are supported WITHOUT spaces!

== Output when F_Mirc found a virus

TIP: Starting with version 7.30 of F_Mirc the output of found malware was changed
to the following schema:

  /home/.../Koniec.432.A.exact.com  Unknown: Type_FileOpen.D5CA-5769
  /home/.../Konkoor.1844.A.exe      Infection: Konkoor.1844.A
  /home/.../HTML.Phish.BBR.html     Warning: Generic.JScript.Encrypted!
  /home/.../Cracky.596.com          Note: Corrupted MS-DOS Header! Size=596, EP=25.937

* Unknown = Detected by a heuristic detection module. Chances are high that this
            could be a new virus!
* Infection = Detected virus/malware with the name of the malware
* Warning = Unusual file format or obscure file structure
* Note = File is damaged
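When F_Mirc output is fed into a ticketing or SIEM pipeline, the four
categories above need to be parsed and ranked, and the "Corrupted MS-DOS
Header" note carries numbers with dots as thousands separators (25.937 is
25937). The triage parser below is an added example, not part of FindMirc; it
follows the 7.30+ line schema shown above, and the sample log embedded at the
bottom is constructed for the example (the paths are invented, the banner line
is the one documented earlier on this page).

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    path: str
    kind: str      # Unknown | Infection | Warning | Note
    detail: str


# 7.30+ result line: path, whitespace, category word with colon, free text.
_RESULT = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<kind>Unknown|Infection|Warning|Note):\s*(?P<detail>.*)$")
# "Size=596, EP=25.937": dots are thousands separators, not decimal points.
_NUMBER = re.compile(r"\b(?P<key>Size|EP)=(?P<num>\d[\d.]*)")

SEVERITY = {"Infection": 3, "Unknown": 2, "Warning": 1, "Note": 0}


def parse_result_line(line: str) -> Optional[Finding]:
    """One log line -> Finding, or None for banners, blanks and other text."""
    m = _RESULT.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return Finding(m["path"], m["kind"], m["detail"].strip())


def header_numbers(detail: str) -> Dict[str, int]:
    """Size/EP values of a 'Corrupted MS-DOS Header!' note as plain ints."""
    return {m["key"]: int(m["num"].replace(".", ""))
            for m in _NUMBER.finditer(detail)}


def entry_point_outside_file(detail: str) -> bool:
    """True when the reported entry point lies at or beyond the end of the
    file, i.e. the header points outside the bytes actually present."""
    nums = header_numbers(detail)
    return "Size" in nums and "EP" in nums and nums["EP"] >= nums["Size"]


def triage(lines: List[str]) -> Tuple[List[Finding], Dict[str, int],
                                     Optional[Finding]]:
    """Parse every line, count per category and return the most severe
    finding (Infection > Unknown > Warning > Note) for the caller to act on."""
    findings = [f for f in map(parse_result_line, lines) if f is not None]
    counts = dict(Counter(f.kind for f in findings))
    worst = max(findings, key=lambda f: SEVERITY[f.kind], default=None)
    return findings, counts, worst


# Constructed sample log in the documented schema (paths invented).
SAMPLE_LOG = [
    "----=[ F_Mirc/Win32 7.52-3077 - IRC, VBS & Script Worm Detector ]=-----",
    r"C:\SAMPLES\Koniec.432.A.exact.com  Unknown: Type_FileOpen.D5CA-5769",
    r"C:\SAMPLES\Konkoor.1844.A.exe      Infection: Konkoor.1844.A",
    r"C:\SAMPLES\HTML.Phish.BBR.html     Warning: Generic.JScript.Encrypted!",
    r"C:\SAMPLES\Cracky.596.com          Note: Corrupted MS-DOS Header! Size=596, EP=25.937",
    "",
]

if __name__ == "__main__":
    findings, counts, worst = triage(SAMPLE_LOG)
    print(counts)
    print("act on:", worst)
    for f in findings:
        if f.kind == "Note" and entry_point_outside_file(f.detail):
            print("entry point beyond end of file:", f.path)
```

Ranking Unknown above Warning matches the description above: a heuristic hit
is a candidate new virus and deserves a sandbox run, whereas Warning and Note
describe file structure rather than confirmed malicious code.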


== Speed

The following tests were made on a Pentium MMX 200 PC with Win-NT 4, SP6a

test bed:       6.969 files, (448 MB)

  Compiler                Files   Found   Time (seconds)
  fpc 1.0.6/win32         6969    337     187
  fpc 1.0.6/dos32         6969    337     550
  tp 6.0/dos16            6969    337     157  (!)
  vpc 2.1/win32           6969    337     176


== Included Files

----
F_Mirc_*.EXE    FindMirc - virus scanner. Win32 console
                version and 32 bit version for DOS (requires a DPMI host).
                Hint: the older FindMirc/16 is protected by HackStop 1.28; if
                you encounter problems executing FindMirc/16, let us know!

F_Mirc.key      License file for FindMirc. FindMirc is free for non commercial
                users. If you want to use FindMirc in a commercial environment,
                please send an email and we will provide you a personal key file
                for 10 Euro.

VIRSCAN.WSM     Signature database to detect VBS/JS viruses (Windows Scripting Malware)
VIRSCAN.IRC     Signature database to detect Batch/ISS/IRC-Worm viruses
VIRSCAN.TRJ     Signature database to detect Trojans, viruses, Backdoor and malware

LINUX\          Ported version for Linux
SRC4LINUX\      Source (and if included object code) for Linux


CONTRIB\
MAKEWORM.BAT    Creates WormList.TXT
WORMLIST.TXT    Sorted and unified list of script worms and malware known to
                FindMirc (not a complete list)


  --------------------------------------------------------------------------
  Files included in older releases - we skipped them in the latest releases
  --------------------------------------------------------------------------

RHBVS.LOG       Log (with full name) of the tested samples (for reference).
                Same output as FindMirc - may be missing from the archive to
                save space!


\RFW\
FindMirc.DAT     files for RFW (ROSE FILE WEEDER), containing checksums of
 FindMirc.LST     the current samples we have tested.
                 -> RFW c:\mydir -base=FindMirc.dat -all -log   [-del -whatever]

mIRC-worms.html  A short description of script worms in HTML (deprecated)

----

== History
   _   _ _     _
  | | | (_)___| |_ ___  _ __ _   _
  | |_| | / __| __/ _ \| '__| | | |
  |  _  | \__ \ || (_) | |  | |_| |
  |_| |_|_|___/\__\___/|_|   \__, |
                             |___/

In reverse chronological order (newest first)

----
20.10.2020      7.41    Added 4000 viruses.
16.10.2020      7.40    Added around 64.000 !!! new viruses. Changes on the AVR
                        modules for Mini, Tiny, Silly and Trivial detection.
11.10.2020      7.36    Added hundreds of new viruses. Better exception handling.
02.10.2020      7.35    Added 13.000 viruses. Changes on the heuristic scan engines
22.09.2020      7.33    Changed the option /CSV to create unique log files.
                        Added detection for 1.200 viruses.
19.09.2020      7.32    Added detection for 2.400 viruses. Fixed a few false positives
07.09.2020      7.30    Added detection for 1.100 viruses. Added four new
                        heuristic modules. Found viruses are now logged
                        differently (see above).
                        Added the option -csv to create a comma separated values
                        file "f_mirc.csv".
01.09.2020      7.20    Added detection for 8.200 viruses. Small updates.
06.05.2020      7.19    Added detection for 2.300 viruses. 7.18 = internal release
28.03.2020      7.17    Added detection for 2.100 viruses. Small updates.
04.12.2019      7.16    Added detection for 3.800 viruses. Small updates.
19.08.2019      7.15    Added detection for 1.700 viruses
08.05.2019      7.14    Added detection for 1.000 viruses.
28.03.2019      7.13    Added detection for 3.000 viruses.
25.03.2019      7.12    Added new viruses. Small enhancements.
27.11.2018      7.11    Added 6.000 viruses!
20.09.2018      7.10    Added 24.000 viruses!
24.08.2018      7.06    Added around 1000 viruses. Small enhancements.
20.04.2018      7.05    Added +3500 viruses
17.04.2018      7.04    Added +1400 viruses. Released.
24.03.2018      7.03    Released.
10.02.2018      7.02    Added hundreds of new viruses.
17.12.2017      7.01    Added ~ 13.000 viruses.
29.11.2017      7.00    Added ~ 35.000 viruses. The format of the Trojan
                        database changed and isn't compatible with pre 7.00
                        versions anymore.

27.11.2017      6.54    New viruses added. Public release.
07.09.2017      6.53    Added 3951 viruses. Public release.
16.05.2017      6.52    New viruses (also 332 WannaCry variants) added!
16.02.2017      6.50    New viruses (+3400)
08.04.2016      6.46    New viruses.
27.12.2015      6.45    Updates, new viruses.
21.01.2015      6.44    Updates, new viruses etc.
20.12.2013      6.42    New viruses added. Added a heuristic for generic
                        encrypted JavaScript viruses. Expect false positives.
23.10.2013      6.41    viruses added. Enhancements for the Linux64 version
03.03.2013      6.40    +8000 viruses, enhancements, changed home page URL
                6.3x    internal versions, +3000 viruses
19.11.2012      6.28    +7000 viruses, small enhancements e.g. logfile
04.11.2012      6.25    +2100 viruses, small enhancements.
28.05.2011      6.24    +200 viruses, small enhancements.
03.02.2011      6.23    viruses added. Run-time error fixed. Fixes for logfile
                        under Linux.
16.04.2010      6.22    +333 viruses added.
13.04.2010      6.21    +680 viruses added.
04.04.2010      6.20    +300 viruses added. Added an icon to the exe file.
14.03.2010      6.18    Maintenance release. ++1000 viruses added.
20.10.2009      6.16    Maintenance release.
03.04.2009      6.15    Bug fixes and enhancements, scanning speed up.
18.11.2008      6.13    Bug fixes. Enhancements. New viruses added. Dox
                        updated, etc.
11.09.2006      6.12    Updated F_Mirc against current ITW list.
                        Key file changes (.key = keyfile, .ini = settings)
17.11.2005      6.11    Virus database updated.
20.03.2005      6.10    Database format changed. New viruses added.
25.11.2004      6.03    Small enhancements, new viruses
16.09.2004      6.02    Additional "Suspect" warning is issued when F_Mirc
                        had found a virus in a non executable file.
                        Scanning time is now displayed in hh:mm:ss format.
07-08.2004      6.00    Complete redesign of the scanning engines.

13.06.2004      5.72    Added 430 new viruses. Fixed a few bugs in the VBS, IRC
                        and Batch virus detection engine.
11.05.2004      5.70    Added around 400 new viruses.
10.02.2004      5.61    Pressing Escape to stop scanning should now work
                        from "everywhere". Added around 120 new viruses.
20.01.2004      5.58    Fixed -log= & -logall bug. Fixed wrong -file= comment
11.01.2004      5.57    beta releases
09.09.2003      5.56    beta releases for testers. 714 viruses added!
                 ::
06.09.2003      5.50    Ported ten engines to Linux and included them into
                        FindMirc. Changed option -h to -help. Added option
                        -HEUR to enable heuristic mode scanning.
03.09.2003      5.02    31+44 new viruses
12.08.2003      5.01    49 new viruses, especially IWorm.LovSan/MSBlaster
11.08.2003      5.00    added AVR_Mini, AVR_boot, AVR-CryptCom, AVR_FamR,
                        AVR_CallNull etc. to detect small DOS+boot viruses

10.08.2003      4.53    194 new viruses, small enhancements and bug fixes
05.08.2003      4.52    150 new viruses, added Compiler+OS detection unit
23.07.2003      4.51    Bug fixes and new option -logdel
16.07.2003      4.50    Trojan scan engine added
08.07.2003      4.10
27.02.2003      4.00

17.03.2002      2.51
21.04.2002      2.21
11.03.2002      2.11    Linux port
18.01.2001      2.00    Win32 port

----


== Some Scan Tests

Done on my F_Prot collection (no dupes/unique viruses)

  f_mirc . -all -log


  Version                 Files//Detected
  5.50-248                53.262//26.538         (49.8%) ----|
  5.50-251/-HEUR          53.262//36.684         (68.9%)     |
  5.56beta-270            53.262//27.252         (51.2%) <---/  + 714
  5.72                    37.650//19.449         (51.7%)


== Copyright

(C)opyright by ROSE SWE (ALL RIGHTS RESERVED!)


  __________ ________    ____________________   ___________      _____________
  \______   \\_____  \  /   _____/\_   _____/  /   _____/  \    /  \_   _____/
   |       _/ /   |   \ \_____  \  |    __)_   \_____  \\   \/\/   /|    __)_
   |    |   \/    |    \/        \ |        \  /        \\        / |        \
   |____|_  /\_______  /_______  //_______  / /_______  / \__/\  / /_______  /
          \/         \/        \/         \/          \/       \/          \/

 -------------------------------------=-----------------------------------
     ROSE SWE                           See ROSEBBS.TXT for
     Dipl.-Ing. Ralph Roth              full address, FAX and PGP keys.
     http://rose.rult.at
     rose_swe@hotmail.com               All Rights Reserved!
 -------------------------------------=-----------------------------------


== Credits

In alphabetical order

        Alex Pettinger
        Andreas Haak
        Andreas Marx
        Florian Eichelberger
        Joe Hartmann
        Joerg Adinghoff
        Patrick Jansen
        Terry Toh
        tbb (the Byte Bandit)

you?

include::../../../tp/exe/viruses.adoc[Virus Description]
