
 \\\\\\\\\\\\\\\
  RAV/AV History:
 ///////////////

 6.09
 ====

 * An emulator condition which prevented multiple detection of some poly
   viruses was fixed.
 * Added some new macro viruses, and improved identification of boot viruses.


 6.06
 ====

 * Fixed a problem in the pager
 * Added new macro viruses


 6.05
 ====

 * Finally added clean support for Excel5, Excel97 and Word97
 * Added support for detection and cleaning of all CIH versions
 * Improved the Win32 loading engine to deal with some special PE structures
 * Fixed some problems in the error handler code


 6.03
 ====

 * New viruses added.
 * Activated Office97 heuristics.


 6.02
 ====

 * New viruses added.
 * Fixed terrible detection problem in the code emulator.


 6.01
 ====

 * RAV 6.01 is the first RAVAV to include the new RAV6 engines. Lots of
   changes, new macro engine, full Zhengxi mutation engine detection,
   exact boot viruses detection.
 * The RAV6 engine:
   The new RAV6 engine has been rewritten with portability in mind.
   Versions compiled with GCC for Linux are in development, as well
   as Watcom compiled versions for OS/2, DOS4GW and so on.
 * Detection for ExcelFormula viruses has been added to the macro engine.
 * Clean for Office97 viruses has been included in the macro engine.
 * The new custom OLE2 interface is now used by the macro engine. This should
   fix all the problems caused by buggy OLE2.DLL files
 * Faster code - some of the old routines in the code emulator and the
   paging modules have been carefully optimized for speed. This gives
   a speed boost of up to 200% compared to RAV5.
  



 Old revisions: (RAV 5.x)

 5.20
 ====

 * The first RAV/AV version. Uploaded to FTP.ELF.STUBA.SK and FTP.GECAD.RO


 5.21
 ====

 * The AVIRDLL.DLL file distributed in RAV/AV 5.20 was incompletely
   compiled, and produced "crash" messages on some files. This was
   fixed by rebuilding the AVIRDLL project.
 * The RAVAV.EXE file had a problem in the log routine which prevented
   the filenames from being included in the report file RAVAV.REP - Fixed.
 * Included the "HISTORY.TXT" file in the distribution archive.
 * Added /W=filename to change the name of the report file.
 * Added detection for some new viruses.
 * We are working on a new detection routine for Office97 viruses,
   since the current one cannot be used to implement Office97 heuristics.
   The new routine will be included in version 5.23
   The Office97 heuristics will probably be available from 5.25
 * An option to change the heuristics level like in the GUI version of
   RAV for Windows will be included soon, 5.21 is still using the defaults
   of "Medium Heuristic Level" (1) and "Light Emulation" (0).
   In "Deep Emulation" about 2^21 instructions are emulated compared to
   the 5*10^5 limit for the "Light Emulation" mode. The "Deep Emulation"
   mode is required to detect the Zhengxi virus, but it will slow the
   scanning too much to make it default. Some speed-ups required to
   detect Zhengxi in "Light Emulation" are under development, maybe
   they will be included in 5.23


 5.22 (December 1997)
 ====================

 * Increased auto-recovery ability for the AVIRDLL module.
 * Some changes were made to the Macro.Word.Uglykid detection routine in
   order to include detection for some samples that were missed by the
   5.21 and below versions.
 * Some changes were required to the code emulator engine in order to
   correctly decrypt the Cryptor.XXXX viruses.
 * Other features required to detect Zombie.XXXXX viruses using dynamic
   SMART-CRC's were added to the code emulator.
 * Fixed some false positives, and removed a bad signature for Number_1.12032
 * Added RAVESPY, RAVUTIL, RALERT to the package. (check the UTIL/ directory)
 * The OLE2 parser was improved (Word6/7 macro table parser methods added).
   Actually, the whole Word6/7 macro table parser was re-written, now
   it should be able to parse most complex document templates.
 * The boot and MBR load & scan routines were activated. In WindowsNT you
   need administrative privileges to read boot sectors or the MBR.
   In Windows 95, RAV uses RAVBOOT.VXD to read the MBR and boot sectors.
   However, in order to scan the boot sectors in Windows 95, a special
   registry key must be created.


 5.23 (January 1998)
 ====================

 * The new Office97 engine is working, and included in this version of
   the program. The Office97 heuristics can now be implemented, should
   be available in 5.25
   (NOTE: The Office97 heuristics are implemented in this version, but
   they are beta)
 * The Word 6/7 scanning engine was again redesigned to increase the
   speed. To port the engine under Win 3.1 some other changes were also
   required, but only a part of them was implemented so far.
 * RAVMWD changes:
   An option to create source listing for Office97 templates is now
   available: /SR97
   A file called "*.txt" is created for each Office97 scanned template
   if the /SR97 command line parameter is specified.
   The /VERB option was changed to display more information about the
   scanned files.
   A new option was added: /DUP - Safely create a duplicate sample for
   the scanned macro template document (6+7). It should be very useful
   for those working with Macro viruses, and who need a way to safely
   create distributable samples. The routine is still beta, so test it
   to see how it works.
   A new switch was added: /DX - create binary macro dump for each
   scanned file.
 * A new option was added to RAVAV - /DEEP enables deep emulation mode
   to detect advanced polymorphic viruses.
 * A new option was added to RAVAV - /MULTI allows scanning multiple
   floppies.
   

 5.24 (Feb 1998)
 ===============

 (RAV6 technology previews included)
 * We added the ability to scan inside RAR 2.x archives, using UNRAR.DLL
   (freeware). We'll also try to add ZIP (2.x), ARJ, RAX and LHA support,
   maybe other archivers too (GZIP & TAR ?).
   (the memory is not an issue under Win32, so we'll add as many unpackers
   as possible)
 * Routines for LZEXE and DIET unpacking are ready - to be included soon.
 * The macro engine has been greatly improved. It is now able to use
   CRC's to exactly identify Excel 5 viruses. The old signatures
   used for this task were converted to create a trivial heuristic
   Excel engine. Of course, new signatures were extracted for ALL
   Excel viruses in our database.
 * Again, the Macro engine was redesigned to allow better portability
   under low memory models. However, some major problems are still
   unsolved, maybe we'll fix them by the release of 5.26
   (NOTE: Most of the problems are related to ROLE2, the new 
   custom OLE2.DLL replacement - when this new module is ready,
   we will be able to port the actual scan engine to ROLE2
   without any problems)
 * We added detection for some boot viruses missed in the VB ItW boot
   test. 
 * Detection was added for some ItW viruses.
 * The new signature database/updates system is ready, and it will
   be included soon. (as beta test version)
   This allows us to provide short update files that can add detection
   and clean support for almost every virus. (except those highly
   advanced polymorphic viruses, including advanced polymorphic
   macro viruses, which require special code modules inside RAV)
 * Support was added for exact identification of macro false positives:
   we are starting to include signatures for all the files that are
   triggering a false alarm. (SCANPROT's etc...) 
 * We are planning to develop a neural network, to improve the
   heuristic detection engine for macro viruses. The NN might
   be added as beta version soon.
 * Exact identification for Office97 viruses is almost ready,
   will be in 5.25 (maybe beta, probably full release)
   The unpacking engine's output is now parsed by a special
   filter, in order to remove spaces, tabs and other chars.
   The output of the filter is run through a standard CRC function.
   (NOTE: The new engine was ready before time, and included in 5.24
   as beta test version)
 * We are working on a custom OLE2 document interface for the MACRO
   engine. This way we will also be able to add exact macro identification
   in the DOS version of RAV too. The new engine is still under
   development, and it will be ready in a few weeks.
   So far, the new routine seems not only to be faster than
   Microsoft's OLE2.DLL implementation, but it is also crash-proof,
   and uses less memory (the source is only 22k, compiles to about
   9k of real code (17k obj), and the memory usage is lower than 2k)
   The engine can safely parse extremely complex documents, with
   multiple fat extensions, and large MINIFATs without allocating
   any additional memory. Nice and clean :-)
   We also have the possibility of adding scanning inside password
   encrypted Word6/7 documents, however, that will increase the
   code size a little bit. If after the engine is finished, 
   we still have some spare time, we will also add scanning inside
   password protected docs. 
 * A bug was fixed in the Macro.Word.Uglykid detection routine, now
   RAVMWD should be able to detect it with 100% accuracy.
   (Uglykid is extremely poly, so a special routine is required
   to detect it without parsing AutoText data)
 * Support for dynamic CRCs was added to the RAV Macro engine,
   adding detection for most new polymorphic Word6/7 infectors
   should be trivial. (and available via database updates)
   Also, the algorithmic detection modules for Slow.A/B, Junkface.A/B/C
   and Minimorph.A were replaced by CRC definitions. 
 * The code emulator is now used to decrypt/detect polymorphic boot
   viruses. (such as Moloch or Hare)
 * False positives were fixed for _1054.
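
 Added example, not part of the RAV distribution or GeCAD's code: a sketch of
 the exact-identification step described for Office97 macros in 5.24, where
 the unpacked macro text is filtered and then run through a CRC. It assumes
 zlib's CRC-32 as the "standard CRC function" and a filter set of space, tab,
 CR and LF; all function names, the sample name and the sample macros are
 constructed for illustration.

```python
import zlib
from typing import Dict, Optional

# Assumption: the changelog says "spaces, tabs and other chars" without listing
# them; this sketch also drops CR and LF. RAV's actual set is not documented.
FILTERED = frozenset(b" \t\r\n")


def normalize(source: bytes) -> bytes:
    """Remove filtered bytes so layout-only edits cannot change the checksum."""
    return bytes(b for b in source if b not in FILTERED)


def macro_crc(source: bytes) -> int:
    """CRC-32 of the filtered text (zlib's CRC-32 stands in for RAV's CRC)."""
    return zlib.crc32(normalize(source)) & 0xFFFFFFFF


def build_database(known: Dict[str, bytes]) -> Dict[int, str]:
    """Map checksum -> name, refusing two names that share one checksum."""
    database: Dict[int, str] = {}
    for name, source in known.items():
        crc = macro_crc(source)
        if crc in database:
            raise ValueError(f"{name} collides with {database[crc]}")
        database[crc] = name
    return database


def identify(source: bytes, database: Dict[int, str]) -> Optional[str]:
    """Return the exact name for a macro, or None when no checksum matches."""
    return database.get(macro_crc(source))


# Constructed, harmless macro text; the name is a placeholder, not a real family.
KNOWN = {"Constructed.Sample.A": b'Sub AutoOpen()\r\n    MsgBox "hello"\r\nEnd Sub\r\n'}
DATABASE = build_database(KNOWN)

REINDENTED = b'Sub AutoOpen()\n\tMsgBox   "hello"\n\nEnd Sub'   # layout changed only
EDITED = b'Sub AutoOpen()\r\n    MsgBox "hullo"\r\nEnd Sub\r\n'  # one letter changed

if __name__ == "__main__":
    for label, text in (("reindented", REINDENTED), ("edited", EDITED)):
        print(f"{label}: crc={macro_crc(text):08x} -> {identify(text, DATABASE)}")
```

 A single changed letter yields a different checksum, so a CRC match of this
 kind identifies one exact variant only.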


 (c) 1997 GeCAD. Romanian AntiVirus is a registered mark of GeCAD, Romania
