// atom:set fenc=utf8 ff=dos ft=asciidoc ts=2 et:
:author: ROSE SWE, Ralph Roth
:doctype: book
:data-uri:
:icons:
:lang: en

= RHBVS: ROSE SWE's Heuristic Based Virus Scanner

  $Id: rhbvs.txt,v 1.84 2019/11/01 10:51:39 ralph Exp $
  Format: UTF8/ISO-8859-15, Windows CR/LF, English (UK), Written in ASCII-DOC

            __________  ___ _________________   _____________
            \______   \/   |   \______   \   \ /   /   _____/
             |       _/    ~    \    |  _/\   Y   /\_____  \
             |    |   \    Y    /    |   \ \     / /        \
             |____|_  /\___|_  /|______  /  \___/ /_______  /
                    \/       \/        \/                 \/

Behaviour based detection mechanisms (also called "Dynamic Detection")


== Introducing RHBVS

RHBVS is a DOS virus scanner for DOS file and hybrid viruses using only
heuristic scan technologies!  Thus RHBVS must not be updated daily as a normal
virus scanner.  RHBVS uses furthermore an intelligent code analyser.
Detection modules for batch viruses, Trojans, malware, scripting viruses like
Coral Draw, VBS, HTML, Windows Batch (WBT), JavaScript, SHS (Windows Shell
Scrap) and IRC (Mirc) script worms are also included!

This is currently/was a unique feature - no other scanner can scan e.g. IRC,
HTML or VBS worms with heuristics!  RHBVS gives you a detailed virus analysis
based on the built-in scan engine.

=== Terms

==== Heuristic (computer science)

In computer science, a heuristic is a technique designed to solve a problem
that ignores whether the solution can be proven to be correct, but which
usually produces a good solution or solves a simpler problem that contains or
intersects with the solution of the more complex problem.

Heuristics are intended to gain computational performance or conceptual
simplicity potentially at the cost of accuracy or precision.

==== Computer Virus

In computer security technology, a virus is a self replicating program that
spreads by inserting copies of itself into other executable code or documents
(for a complete definition: see below). Thus, a computer virus behaves in a
way similar to a biological virus, which spreads by inserting itself into
living cells. Extending the analogy, the insertion of the virus into a program
is termed infection, and the infected file (or executable code that is not
part of a file) is called a host. Viruses are one of the several types of
malware or malicious software. In common parlance, the term virus is often
extended to refer to computer worms and other sorts of malware. This can
confuse computer users, since viruses in the narrow sense of the word are less
common than they used to be, compared to other forms of malware such as worms.
This confusion can have serious consequences, because it may lead to a focus
on preventing one genre of malware over another, potentially leaving computers
vulnerable to future damage. However, a basic rule is that computer viruses
cannot directly damage hardware, only software is damaged directly. The
software in the hardware however may be damaged.

While viruses can be intentionally destructive (for example, by destroying
data), many other viruses are fairly benign or merely annoying. Some viruses
have a delayed payload, which is sometimes called a bomb. For example, a virus
might display a message on a specific day or wait until it has infected a
certain number of hosts. A time bomb occurs during a particular date or time,
and a logic bomb occurs when the user of a computer takes an action that
triggers the bomb. However, the predominant negative effect of viruses is
their uncontrolled self reproduction, which wastes or overwhelms computer
resources.

Today (the trend started round 2005), viruses are somewhat less common due to
the popularity of the Internet - instead malware, ransomware and Trojans
meanwhile dominate.

Malware, short for malicious software, is an umbrella term used to refer to a
variety of forms of hostile or intrusive software, including computer viruses,
worms, Trojan horses, ransomware, spyware, adware, scareware, and other
malicious programs. It can take the form of executable code, scripts, active
content, and other software. Malware is defined by its malicious intent,
acting against the requirements of the computer user and so does not include
software that causes unintentional harm due to some deficiency (e.g. bugs).

== Why?

RHBVS was mainly written to be a test platform for the product VirScan Plus by
ROSE SWE. All improvements done in VirScan Plus improves RHBVS, FindMirc and
vice versa. For this reason RHBVS is limited in flexibility (e.g. checking
boot sectors, Windows system memory or the MBR).


== Requirements

- IBM compatible PC with a 80386 CPU and co-processor!
- 620 KB of free memory and DOS version 5.0 or higher
- Windows 32 bit (RHBVS will not run under Windows 64 bit) or plain DOS


== Options and Switches

Command line options are NOT case sensitive. You can use the slash "/" or the
hyphen "-" to start an option.  Options can be set using the environment
variable RHBVS

                      set RHBVS=...

To disable an option set by setting RHBVS=...  you can use the "-" at the end
of the option!

when you set

                      set RHBVS=/all

than you can disable /all with

                      rhbvs c: -all-

=== Command Line Options

Run RHBVS.EXE with

  /?  to see the current supported options.

Try also

  /?? or /UNDOC to see a list of the advance options.

You can scan as many drives and directories as you want per run.

  /vb Code Analyzer (past the switches /ANALYZE or /ANALYSE)

With this switch RHBVS gives you a detailed description of all the flags the
heuristic scan engines have found.

You can use the option

  /vbk  then RHBVS waits for a key stroke after every analysis.

Use the additional option

  /log  to save the analysis into a log file.

=== The Option /virsort

A special note about this option.

NOTE: This is one of those "undocumented" switch RHBVS supports. With this
switch you can sort in viruses AVP/FProt/VSP/DrSolly etc. misses. With this
option RHBVS creates a log file suitable for Virsort or Zoo-Sort (utilities
meanwhile deprecated). Take a look at the batch file RZOOSORT.BAT which is
included in the package!

For more "undocumented" switches try also: `rhbvs -??`


== User documentation

This text file, it is written in AsciiDoc and rendered to a nice HTML file.
German users should download the virus scanner "VirScan Plus" (VSPxxxx.*) and
read the documentation there for further understanding.


== Virus classification

RHBVS classifies the different virus types, their code size and the behaviour.

The classification has the following scheme:

      {Virkit:}[Main Class]{.Length{.Minor Class}{.Germs} (Flags)


      -=[ Virkit ]=----------------------------------------------

      Viruses created with a virus kit just like

      + Biological Warfare (BW)
      + DReg
      + Father_Mac
      + GOTH
      + IVP
      + NRLG, Nuke
      + PS-MPC, MPC, G2
      + TPE, MtE, GCAE, RTFM  etc.
      + VCC
      + VCL
      + VLAD


      -=[ Main Class ]=------------------------------------------

      + Backdoor- Backdoor (Trojan)
      + Bat     - DOS Batch file virus or Trojan
      + Boot    - Boot virus and EXE header infector
      + CSC     - Coral script virus
      + Companion - small companion viruses
      + Crypt   - encrypted virus
      + Fast    - fast infector, like Dark Avenger
      + File    - appending file infector
      + HLLx    - High level language viruses
                  x stands for C=companion, O=overwriting, and P=parasitic
      + IIS     - MS Internet Information Server Worm
      + Joke    - Joke/Fun program. This is not a virus.
      + JS      - Java script virus
      + Mini    - larger overwriting file infector
      + MIRC    - MIRC script worm
      + Multi   - Hybrid (multipartite) files and boot infector
      + Poly    - Polymorphic encrypted virus
      + PIRC    - PIRC script worm
      + SillyR  - trivial memory resident file infector
      + Stealth - virus with stealth capabilities (size or file stealth)
      + TSR     - virus stays resident in memory
      + Tiny    - trivial appending file infector (e.g. Danish)
      + Trivial - overwriting file infector (e.g. Trivial.45)
      + WBT     - Windows Batch virus
      + VBS     - Visual Basic Scripting virus
      + VBS+VBS - multiple VBS infections of one host - yes RHBVS can
                  detect multiple infections!
      + Win32,  - Windows platform specific virus or Trojan
      + Win95,98

      + exact virus name, when using the switch /TROJ
      + exact virus name if found by the polymorph decryption engine
        (Hare, MtE, BW, Grief, TPE, Lucky.Gott etc.)


      -=[ Length ]=----------------------------------------------

If possible the virus size. If there is a question mark (e.g.) Virusname.438?
the code analyzer assumes this as the virus size!

      -=[ Germs ]=-----------------------------------------------

If it is a Generation-1 sample.


      -=[ Flags ]=-----------------------------------------------

RHBVS uses the following flags as short cuts:

      A - Anti debugging or anti heuristic code is used
      B - can overwrite the boot sector/MBR (used by the payload or
          by a boot sector infector)
      D - found a decryption routine (virus seems to be encrypted)
      E - Infects EXE headers like Headerbug or Pure
      F - suspicious file access
      H - uses hardware related instructions - common for boot viruses
      I - uses INT 21h calls in a suspicious way
      M - memory resident. Code will remain resident or will control
          some of the DOS functions. Typical for resident file infector
      O - opens files for writing code into it
      R - suspicious relocation code, typical for file infector
      T - checks the date or time (usually used for a payload etc.)
      U - Virus tries to stay resident in UMB (upper memory blocks)
      W - Windows malware or windows shell code

      ! - uses at least FCB and/or directory stealth methods
      # - is encrypted or uses code to confuse a code analyser


      Flags will be "compressed" if more than three flags were found.
      RHBVS will show them as "flag: number of occurrence", e.g.: R:4


=== Some terms

In computer terminology, polymorphic code is code that mutates while keeping
the original algorithm intact.

Polymorphic code was invented in 1992 by the Bulgarian cracker Dark Avenger (a
pseudonym) as a means of avoiding pattern recognition from anti virus
software. This technique is sometimes used by computer viruses, shell code
exploits and computer worms to hide their presence. Most anti virus software
and intrusion detection systems attempt to locate malicious code by searching
through computer files and data packets sent over a computer network. If the
security software finds patterns that correspond to known computer viruses or
worms, it takes appropriate steps to neutralize the threat. Polymorphic
algorithms make it difficult for such software to locate the offending code as
it constantly mutates.

Encryption is the most commonly used method of achieving polymorphism in code.
However, not all of the code can be encrypted as it would be completely
unusable. A small portion of it is left unencrypted and used to initial start
the encrypted software. Anti virus software targets this small unencrypted
portion of code.

Malicious programmers have sought to protect their polymorphic code from this
strategy by rewriting the unencrypted decryption engine each time the virus or
worm is propagated. Sophisticated pattern analysis is used by anti virus
software to find underlying patterns within the different mutations of the
decryption engine in hopes of reliably detecting such malware.

Stealth: Some viruses try to fool anti virus software by intercepting its
requests to the operating system. A virus can hide itself by ensuring that a
request of anti virus software to read an infected file is passed to the
virus, instead of to the operating system. The virus can then return an
uninfected version of the file to the antivirus software, so that it seems
that the file is "clean". Modern anti virus software employs various
techniques to counter stealth mechanisms of viruses. The only completely
reliable method to avoid stealth is to boot from a medium that is known to be
clean.


== False Positives

A false positive, also called false alarm, exists when a test reports,
incorrectly, that it has found a signal where none exists in reality.
Detection algorithms of all kinds have the tendency to create such false
alarms. For example, optical character recognition (OCR) may detect an 'a'
where there are only some dots that look like an a to the algorithm being
used.

When developing such software there is always a trade-off between false
positives and false negatives (in which an actual match is not detected). In
the language of statistical hypothesis testing, this is a question of
balancing the risk of Type I errors (false positives which reject the null
hypothesis when it is true) against Type II errors (false negatives which fail
to reject the null hypothesis when it is false).

Usually there is some trigger value of how close a match to a given sample
must be achieved before the algorithm reports a match. The higher this trigger
value is, the more similar an object has to be to be detected and the fewer
false positives will be created.

Due to the fact that RHBVS is a rule based virus scanner false positives are
normal. Just send me the executable to verify the false alarm and to improve
the scanner. With standard installations RHBVS triggers no false positives!

=== Known False Positives

Currently RHBVS flags some hacker tools like unHS etc. But no normal user has
such stuff on this drive - so no action is taken to fix it. Other well known
false positives are the memory resident TBAV and FProt anti virus programs.

RHBVS flags them as:

        "D:\WINDOWS\TBAV_WIN\TBSCANX.EXE  Fast.TSR.File (MBIBBMFR)"

This means code to stay resident and to intercept file operation like opening
or execution of executable files.  When looking at the code analyser of RHBVS
we see that TBSCANX stays memory resident (M- flags+TSR),

INT 21h sub functions 3D, 3E & 6C which is typical for a fast infector (Fast)
and INT 13h sub function 02 which is typical for boot viruses (B- flags).  Due
to the fact TBSCANX stays resident it relocates (R-flags) to get its address.

THAT'S ABSOLUTELY RIGHT - SO RHBVS ONLY REPORTS A PROGRAM LOOKING LIKE A
STANDARD FILE VIRUS....  :))


=== False positives causes by third party software

Ralf Borgmann reported that the DSAV.VxD intercept the "Live Bait Test" and
reports an unknown virus. This is a bug and false positive of the DSAV.VxD -
it can be reproduced only by the first start of RHBVS :-))

  >>>>>>> Please send me also viruses RHBVS misses. <<<<<<<<<<


== 8. Error Codes

RHBVS uses the following DOS return codes when terminating.
You can use them in batch files or tools like Skull Check etc.

      Error level |   Meaning
      ------------+-------------------------------------------------
          0       |   RHBVS completed without any error and without
                  |   finding any suspicious program!
          1       |   Misc. errors, like video mode or DOS version!
          2       |   The help screen was invoked.
          3       |   A virus was found in memory (by Quick Memory Scan)
          4       |   One of the signatures files (RHBVS.SIG or
                  |   VIRSCAN.TRJ) is damaged or the access is denied!
          5       |   An error occurred creating the log file (/LOG=).
          6       |   Not used
          7       |   Path specified to scan: Access denied
          8       |   Insufficient memory/not enough memory
          9       |   VirScan.IRC|VirScan.VBS is missing or corrupt
         10       |   One or more suspicious files have been found!
       11..18     |   DOS error, please report it to ROSE SWE!
         xx       |   Internal error, please report it to ROSE SWE!


== Technology

RHBVS uses currently more than 350 modules to detect the different kind of
computer viruses. RHBVS can also emulate and follow a polymorphic hidden jump
to the virus body for example used in the Nostradamus.3584 (a.k.a. Grief)
viruses. All software modules has been taken from the virus scanner VirScan
Plus from ROSE SWE. RHBVS will skip files smaller than 32 bytes.

The scanner even can detect and emulate anti heuristic programmed code! RHBVS
has detection for Trivial and Mini viruses with detection rate above 98% as
well as a detection for boot (images files) and hybrid viruses above approx.
80%.

The overall detection is (tested on my virus collection):

         Version [Samples]   0.01          0.10           1.00 /TROJ
      --[Percent]-------------------------------------------------------
      ITW-Test set Germany   30.1 [412]    36.9 [412]     39.3 [412]
      Classified viruses(1)  N/A           64.1 [6037]    66.7 [6119]
      Unclassified viruses   22.4 [1867]   27.5 [1867]    29.5 [2020]
      ------------------------------------------------------------------

         Version [Samples]   1.03 (1)      1.05 (1)       1.07 (1)
      --[Percent]-------------------------------------------------------
      ITW                    60.4 [379]    60.4 [379]     66.8 [373]
      Classified(1)          77.7 [????]   77.3 [6808]    77.9 [8122]
      Unclassified(2)        44.1 [2007]   45.6 [2371]    41.0 [1289]
      ------------------------------------------------------------------


         Version [Samples]   2.00 (1)      2.02 (1)       2.03 (1)
      --[Percent]-------------------------------------------------------
      ITW                    75.3 [402]    80.8 [647]     80.9 [649]
      Classified(1)          82.1 [8122]   84.0 [9284]    84.4 [9215]
      Unclassified(2)        45.3 [1289]   48.8 [1296]    49.6 [1203]
      ------------------------------------------------------------------


         Version [Samples]   2.04 (1)      2.05  (1)      2.10 (1)
      --[Percent]-------------------------------------------------------
      ITW(3)                 81.2 [649]    84.8 [649]     76.3 [2503]
      Classified(1)          84.6 [9301]   85.9 [9408]    85.1 [9553]
      Unclassified(2)        48.2 [1480]   50.1 [2532]    49.4 [1042]
      ------------------------------------------------------------------


         Version [Samples]   2.11 (1)      2.20 (1)       2.22 (1)
      --[Percent]-------------------------------------------------------
      ITW(3)                 84.1 [649]    76.3 [2503]    85.8 [649]
      Classified(1)          84.6 [9301]   85.3 [10181]   79.2 [12409]
      Unclassified(2)        42.8 [998]    42.4 [1962]    55.3 [978]
      ------------------------------------------------------------------


         Version [Samples]   2.30 (4)      2.35
      --[Percent]-------------------------------------------------------
      ITW(3)                 86.2 [1718]
      Classified(1)          76.4 [18329]
      Unclassified(2)        84.5 [1438]   86.8 [795]
      MIRC scripts          100.0 [1018]  100.0 [1082]
      ------------------------------------------------------------------


         Version [Samples]    2.50 (July 1999)        3.01 (Jan 2000)
      --[Percent]-------------------------------------------------------
      FProt, unique(1)        75.8 [19236/25393]
      Unclassified(2)         72.1 [546/757]          88.2 [1871/2122]
      AVP, unique             70.2 [10392/14801]      65.1 [9789/15057]
      Scripts (IRC, VBS, JS) 100.0 [1233/1233]
      ------------------------------------------------------------------


(1) Detectable by F-Prot (includes more than 700 HLL viruses & Trojans!) All
    viruses are unique (Virsort)!

(2) These are REAL viruses in my incoming directories, which are not
    scannable by the newest KAV and F-Prot versions!!!

(3) ITW test set based on Joe Wells ITW lists. Included are all ITW
    file and boot infector Some viruses used by the VTC ITW test bed
    has been added to the RHBVS ITW test bed as well as some RIMC viruses.

(4) With switches /TROJ and /HIGH

Main goal is to increase the overall detection rate as well as reduce the
false positives.


== Bugs & Limits

This program can only handle file names with a maximum of 67+12 chars length
(including paths) because the MS-DOS box of NT. If you have longer file names
(Win95/98/NT: supports IMHO 252 chars) then you have to map your paths.
Detection has been added for LAN-Manager, Netware based networks and Microsoft
compatible networks.

RHBVS is currently not able to scan inside archives (ARJ, ZIP, LHA etc.) as
well as macro and boot viruses!

RHBVS cannot run under some debuggers like Soft Ice due to the HackStop
security envelope.

RHBVS is limited in scanning MS Office documents, boot viruses as well as
Win32 executable (PE/NE).



== Usage & Testing

Testing a virus scanner is not an easy task and should be only done by experts
on a large virus collection!

Suggested Options for Testing

1. File viruses

   rhbvs <path> /all /high /log=c:\temp\vtc.log

                     /trj is default

2. Boot viruses (on disks)

RHBVS is not designed to scan for boot viruses. Use for that task

        VirScan Plus or
        the heuristic boot virus checker ChkPc.


== License

NOTE: RHBVS is distributed as AnyWare. That means, the author (ROSE SWE) holds
the full copyright on the program and documentation. The usage of the program
is for free (just like Freeware).

If you find this program useful and you want to see it improved just send me
anything you think could be helpful, that means Email, viruses, bug, reports
or even money ....  :-)


== History

=== Version 5

      08.12.2019  5.07        Added new viruses. More heuristic detections.

      01.11.2019  5.06        Some internal changes. Added new viruses.

      22.06.2019  5.05        Added new viruses. Documentation update.

      29.12.2018  5.04        Added new viruses. Documentation update.

      20.09.2018  5.03        Added 22.000 viruses.

      28.03.2018  5.02        This documentation was ported to AsciiDoc.

      06.12.2017  5.01        Small enhancements. Major reprogramming
                              of the signature based detection.

      29.11.2017  5.00        Trojan detection is not compatible with pre
                              5.00 releases. New viruses detection added.

=== Version 4

      27.11.2017  4.98        Public release with new viruses detection.

      09.09.2017  4.97        Public release. Enhancements and new viruses.

      15.02.2017  4.96        Enhancements and new viruses.

      22.04.2016  4.93        Public release. Enhancements and new viruses.

      20.04.2015  4.92        Public release. Enhancements and new viruses.

      10.11.2014  4.91        Public release. Enhancements and new viruses.

      30.12.2013  4.90        Generic encrypted script detection added.
                              Enhancements and new viruses.

      30.10.2013  4.84        Enhancements for better detecting Win32 and
                              Win64 viruses. Added new viruses.

      03.03.2013  4.83        5000 viruses added, changed home page URL

      30.09.2012  4.81        Small enhancements, new viruses.

      16.10.2011  4.80        New viruses added, esp. the German
                              "Staatstrojaner" (file+live test).

      07.06.2011  4.79        New viruses added. Enhancements for Win32,
                              Dos32 and Linux console output.

      03.02.2011  4.78        New virus detection added. Fixed an
                              run-time error bug.

      13.08.2010  4.77        Added a lot of windows malware and
                              windows shellcode detection stuff.
                              New viruses added.

      18.06.2010  4.76        Win32.Shellcode handler improved.
                              VBS encrypted detection improved.

      13.04.2010  4.75        New viruses added. New icon for RHBVS.
                              Dox updated.

      19.03.2010              Major update/enhancements added to PeHead.

      14.03.2010  4.73/4.74   Small enhancements and new viruses added.

      19.02.2010  4.70-4.72   Small bug fixes and enhancements. New
                              viruses added.

      30.03.2009  4.68/4.69   Massive enhancements around the /rename
                              function. Bug fixes and new viruses added.

      06.02.2009  4.67        Small enhancements for Windows Vista.
                              New viruses added.

      16.11.2008  4.66        Small bug fixes and enhancements. New
                              viruses added.

      11.01.2007  4.65        Changes on the /Rename functions.

      30.09.2006  4.64        Enhancements, new viruses. Changed
                              virus database.

      09.08.2006  4.63        Small enhancements (e.g. .PNG detection).

      25.04.2005  4.62        Enhanced the docs. Added new signatures
                              to the heuristic scan engines.

      10.03.2005  4.60        Changed and enhanced the internal database.
                              Added new scan engines and viruses.

      06.01.2005  4.51        Enhanced VBS engine. New viruses added.

      13.11.2004  4.50        Added new viruses.

      19.08.2004  4.50-RC2    Added ~600 new viruses. Fixed a few
                              false positives.

      17.08.2004  4.50-RC1    Complete redesign of the script scanning
                              engines (VBS, Script, IRC, Batch etc.).
                              A lot of new viruses added.
                              The signature files (virscan.*) are not
                              compatible with the 4.1x and below
                              releases!

      16.06.2004  4.13        Small fixes, 400 viruses added.

      14.04.2004  4.12        Added QWTC - "Quick Windows Trojan Check"

      21.01.2004  4.11        Bug fixing of the command line handling
                              engine. New viruses added.

      09.09.2003  4.10        Bug fixing, RHBVS now requires a
                              coprocessor.

      07.09.2003  4.05        Added and enhanced some scan engines
                              and added tons of new viruses. Bug fixes.
                              (EXE file is therefore 20 KB bigger!).

      06.09.2003  4.02        Ported and enhanced some of the scan
                              engines to Linux. New viruses added.

      16.07.2003  4.00        New viruses. Changed the internal Trojan
                              and malware engine to run on Linux too.

=== Version 3

      13.05.2003  3.96        Added tons of new viruses.

      25.03.2003  3.95        New and enhanced engines for VBS viruses.

      27.02.2003  3.94        Fixes for HMA/A20 gate check. Added tons
                              of new viruses.

      07.11.2002  3.93        Added tons of new viruses.

      05.11.2002  3.92        Added new viruses, therefore internal hash
                             tables had to be adjusted.

      03.11.2002  3.91        Build 433
      20.08.2002  3.91        Build 423
      18.06.2002  3.91        Documented the switch /OnlyFull. Added
                              new viruses.


      05.05.2002  3.90        New viruses added. Changed the format of
                              Virscan.trj

      25.04.2002  3.81        Added new viruses. Fixed a false positive.
      23.04.2002  3.80        Fixed a bug with Win2000/NT. Changed the
                              signature files.

      19.04.2002  3.73        Added 120 viruses.
      11.04.2002  3.72        Added 300 viruses.

      17.03.2002  3.71        Changed documentation (also renamed from
                              *.DOC to *.TXT). Added new viruses.

      22.01.2002  3.70        New viruses. DOCS changed. Bundled with Win32
                              installer.

      09.01.2002  3.64        New viruses. Added .PIF file for Win9x.

      10.12.2001  3.63        New viruses added. New option -delYN added.

      08.10.2001  3.62        New viruses added.

      15.08.2001  3.61        New viruses. New generic scan engine for
                              IIS-Worms added. Should find every worm
                              that uses the IIS Backdoor. To scan for
                              such worms, you currently need the option -ALL

      30.07.2001  3.60        Added 300 new batch and script viruses
                              using the new designed scan engines from
                              RHBVS 3.55. Those signatures are stored
                              in the new file "VIRSCAN.IRC".

      26.07.2001  3.55        Added tons of new viruses. Added .LNK as
                              default extension. Introduced a version
                              numbering to VIRSCAN.VBS (needed for new
                              generic script detection). Added generic
                              script detection engine. Added new engines.

      08.06.2001  3.51        New viruses added. Better detection of
                              anti heuristic programmed VBS viruses.

      03.05.2001  3.50        Depending on your machine (386, 486 etc.)
                              and operating system, RHBVS is now up to
                              20 percent faster. New viruses.

      16.03.2001  3.45        Added more than 100 new VBS viruses. Added
                              .JSE, .VBE, .WSH as a default extension.
                              Included on the fly decryption of MS VBS
                              encrypted files (.VBE). New signatures
                              added. VBS scan engine updated.

      17.02.2001  3.41        Update of the VBS scan engine to find
                              VBS.NeueTarife/AnnaKov. New viruses.

      19.01.2001  3.40        New viruses added (of course :). Option
                              -ShowErr added. Statistic enhanced
                              (+ time, + total errors). Some false
                              positives fixed. We have ported parts of
                              the scan engines to win32. As a benefit
                              the scanning is now much faster
                              due to the enhancements we had to do for
                              the porting.

      04.01.2001  3.32        Added four new scan engines, VBS engine
                              was enhanced. 70 new viruses added.

      27.11.2000  3.31        New viruses added.

      14.09.2000  3.30        Added Win32 Stealth Bait test. New
                              viruses added.

      25.07.2000  3.21        Added .VBA as default extension. /RenPE
                              enhanced. New viruses added.

      05.07.2000  3.20        Faster scanning due to rewrite of the VBS
                              and MIRC analyser Add option /NoScript
                              (same as /NoVBS). New viruses. Added 180
                              Trojans. Added MS Mail scanning (MSFT).
                              Added generic VBS detection (construction
                              kits etc.). Added generic Batch file
                              detection.

      22.06.2000  3.11        Added detection for 680 Backdoors. 20 new
                              VBS viruses added. Added .VXD and .SHS as
                              default extensions. Added 70 Trojans. SHS
                              will now be scanned too (VBS.Life_Stages).

      26.05.2000  3.10        Added detection for 250 Win/Win32 Trojans,
                              Backdoor and password stealing programs.
                              Added detection for 20 new VBS viruses.
                              Added .DLL extension as default. New viruses.

      07.05.2000  3.03        Due to the various VBS.Love-Letter variants
                              we added to the virus name additionally the
                              length. When you use RZOOSORT.BAT to sort
                              your Love-Letter variants, they go now in
                              separate directories.

      28.04.2000  3.02        Added MIRC detection in .PIF files. Added
                              option /NoVBS. /NoVBS is also set if
                              VIRSCAN.VBS was not found! New viruses :)
                              Added options /NoTrj and /NoTroj

      29.01.2000  3.01        Added HLP, AVI, CHM, FTS, CNT detection.
                              Added Joke class to RHBVS. New viruses :)
                              Changed the VBS detection engine for the
                              first anti RHBVS specific viruses.

      03.12.1999  3.00        Added ACE and (WAV) Wave detection. Added
                              "T" flag (time/date). Added 750 new viruses.
                              Added new scan engines. Added the options
                              /VB, /VBK (code analyser) and /REPORT.
                              Better Java script detection added. Nicer
                              screen output. The switch /stdout is now
                              obsolete and not supported any longer!

=== Version 2

      01.09.99  2.56          Added ARJ and LZH archive detection.
                              Renamed /ANALYSE to /WHOLE (planed to
                              add switch /ANALYSE[=language.dat]).
                              RHBVS can now handle multiple infections of
                              VBS viruses.

      11.08.99  2.54          New viruses. Tested RHBVS under Win2000b3
                              Server and fixed all bugs.

      24.07.99  2.52          Added new VBS, JS and MIRC viruses using a
                              new detection engine.

      18.07.99  2.51          WBT (Windows Batch) virus class added.
                              New viruses added.

      10.07.99  2.50          HTML, JS, CS and VBS detection added. New
                              viruses and other malware added.

      24.05.99  2.35          Approx. 500 viruses added. Basic PIRC, INF
                              and VBS detection added. Option /COMP
                              (generic companion detection) added.

      17.02.99  2.34          Option /NOMEM added. New viruses.
                              Added detection of HTML, PDF (Adobe Acrobat)
                              and MDB (MS Access) file format.

      15.01.99  2.33          Option /RAW added. Bug with long directories
                              under Win-NT fixed. Tons of new viruses and
                              Trojans added. Added Natas decryption engine
                              from VSP. Enhanced the rhbvscum.awk script.

      02.01.99  2.32          Command line handling improved. Mirc detection
                              improved. Code analyser and option /Virsort
                              enhanced. New viruses and Trojans added.
                              File sharing handling for Windows enhanced.

      29.12.98  2.31          Fixed some bugs and false positives.
                              Enhanced the Mirc classification. Added
                              the rhbvscum.awk script to the package.

      29.11.98  2.30          Added Mirc script worm detection and
                              heuristics. Improved file handling.
                              Improved /RENAME capabilities. New viruses
                              and Trojans If VIRSCAN.TRJ is found
                              automatically option /TROJ is added!

      20.10.98  2.24/2.25     Non public releases!

      24.08.98  2.23          New viruses and Trojans Added a new
                              Trojan detection. Added new entry point
                              detection. Bug fixes. RHBVS uses now the
                              same "smart renaming" engine like RFW.
                              SYS virus detection added.

      17.05.98  2.22          New viruses. Added new scan engines (VCL,
                              Mini, Trivial etc.).

      07.04.98  2.21          Fixed a lot of minor bugs in the /Rename
                              section. Better Live Bait Test. RZOOSort
                              changed. Added a new internal scan engine.
                              Tons of new viruses added :)

      18.03.98  2.20          /Rename, /Renumber now support more Excel
                              formats (.XLA, .XLS etc.), credits: A. Marx
                              Added advanced check for resident stealth
                              viruses (Stealth Live Bait Test). Added
                              more than 40 boot viruses and more than
                              70 file infector Improved the boot
                              heuristics. Minor bug fixes.
                              Currently I am working on a neural network
                              for RHBVS so it many take a time for the
                              next release :-))

      15.02.98  2.11          Added or fixed the following features:
                              + Added more than 50 new viruses.
                              + Fixed some false positives (R. Borgmann)
                              + More compatible file access. Credits
                                (Christian Ghisler & Ralf Borgmann).
                              + Added new search engines and flags.
                              + RHBVS can now only be aborted with the
                                Escape key (SR by R. Borgmann).
                              + Heuristic flag compression/sorting
                              + /Renumber=Value switch now works
                                correctly (one of those undocumented
                                features :-))

      29.01.98  2.10          Enhanced check for stealth viruses and
                              fast infector added. Added 350 new
                              viruses. Enhanced companion detection.
                              Enhanced boot virus detection. Added new
                              search engines. Improved the statistics.
                              Enhanced code analyser Fixed some false
                              positives. Added the batch file
                              RZOOSORT.BAT to the package. RHBVS does
                              now a much better classification of the
                              virus using his new code analyser.
                              Changed the heuristic to produce less
                              false positives than the 2.05 release.

      28.12.97  2.04          Now the /LOG switch supports file names,
                              e.g. /LOG=C:\TMP\RHBVS.NEW etc. Changed
                              the error level (DOS return codes) and
                              documented them in RHBVS.DOC. New viruses
                              added, fixed some false positives and
                              bugs. New flag "A" added. Added the new
                              virus group "Poly". Added an entry point
                              resolver for the _310 virus. AVR for
                              boot viruses enhanced and improved.
                              Sanity (integrity) self check added!

      13.12.97  2.03          Fixed again some false positives received
                              from Ralf Borgmann. About 230 new viruses
                              added. Now the signatures file RHBVS.SIG
                              also contains flags. Added new search
                              engines. Modified the live bait test to
                              fool the DSAV.VxD.

      21.11.97  2.02          Fixed about 10 false positives (credits
                              Ralf Borgmann). Added new search engines
                              and new viruses. Overall detection ratio
                              is now 84 percent!

      08.11.97  2.01          Fixed two false positives. Added more than
                              20 new scan engines. Enhanced the Mini
                              and Trivial scan engine. Added more than
                              200 viruses! RHBVS now scans also files
                              with the extensions .IMG, .BOT and .BIN.

      01.11.97  2.00          Added the option /LOG to generate a
                              simple log file.
                              Added more than 80 new scan engines -
                              they are the compressed and optimized
                              search strings from VirScan Plus.

=== Version 1

      12.10.97  1.07          Added new viruses. Added a new entry
                              point detection for the _1015 virus.

      20.09.97  1.06          Windows NT compatibility enhanced. Added
                              new viruses.

      09.08.97  1.05          Added some viruses and a new entry point
                              detection engine for the Demo Fraud virus.
                              Windows-NT compatibility enhanced. Added
                              a PIF file for Windows NT 4.0.

      13.07.97  1.04          Added the switch /FILETYPE. Added a check
                              for corrupted files. Added a few new
                              viruses. Fixed some false positives.

      06.07.97  1.03          Enhanced the Mini-AVR module. Added new
                              viruses. Fixed some minor bugs. Added
                              option /HEUR.  Release for SAC ftp etc.

      28.06.97  1.02          Fixed two false positives. Added a few
                              viruses. Changed the help screen.
                              Added one search engine for EXE-Header
                              viruses. Changed access mode for faster
                              accessing write protected discs. Added
                              the 'E'-Flag.

      11.06.97  1.01virnet    Changed some DOCS. Release for Virnet.
      09.06.97  1.01          Added the Option /CONT and /HIGH.
                              Enhanced one search engine to find the
                              Make2 virus.

      07.06.97  1.00          Added the option /TROJ.
                              Improved the Tiny code analyser, added the
                              flags 'H' and '#'.
                              First official release

=== Beta Versions

      29.05.97  0.10          Improved the detection rate more than 5%!

      27.05.97  0.02          Added the option /AUTO and /BEEP.
                              Added RHBVSGER.FAQ, enhanced the DOC.
                              Fixed a bug when redirecting the output
                              using the stdout option (rhbvs -stdout>file)
                              Detection on exe packers added.

      22.05.97  0.01          Initial release



== Credits

People who helped to improve this product or have given feedback.

NOTE: In alphabetical order

      Andreas Haak            code analyser & more
      Andreas Marx            technical consultant :)
      Axel Pettinger          Mirc stuff
      Bert De Rijck           Fam_????
      Carsten Kruse           Mr. "enhancements"
      Christian Ghisler       technical consultant :)
      Claus Vogt
      Frank Ziemann           Backdoor, Trojan and Worm testing
      Hanno Boeck             Mr. "false positives" :)
      Jerry Hodges            CRC32
      Joe Hartmann            Mirc, false positives, RIMC project
      Joerg Abdinghoff        initial idea for /ANALYZE, now /vb or /vbk
      Lukas-Fabian Moser
      Laurent Gerard          new virus
      Mano Schwarz
      Mathias Brunner
      Masterball/codeBreaker  HMA/A20 testing
      Michael Hering          checksum, FP, RHBVS.DOC, easily switches
      Nobert Kirch            stdout bug
      Peter Kosinar           FP, missed viruses
      Ralf Borgmann           Mr. RHBVS beta tester :)
      Robert Flogaus-Faust
      Sebastian Boehm
      Stonehead               Mr. "false positives" :)
      Tjark Auerbach          DOX
      Toralv Dirro            RIMC project
      Valentino Tosatti       Mr. "false positives" :)
      Veit Kannegieser

You? ..


== Files

   CRCHECK.TXT    checksum file of the whole distribution
   ROSEBBS.TXT    the author's address and ROSE support BBS, WWW etc.

   FILE_ID.DIZ    short description of the package
     RHBVS.XXX    checksum file for integrity check
     RHBVS.MSG    Message/language file for switch /vb
     RHBVS.DOC    this documentation
     RHBVS.EXE    the main executable
     RHBVS.PIF    Win 3.1/9x/NT/2000 program interface file :-))

     RHBVS.SIG    some heuristic scan engines and flags
   VIRSCAN.TRJ    signature file for HLL viruses and Trojans
   VIRSCAN.IRC    signature file for script and batch viruses (IRC, BAT...)
   VIRSCAN.WSM    signature file for script viruses (IRC, VBS, JS, CSC...)
                  [windows script malware]

  RHBVSCUM.AWK    AWK script to create statistics reports from RHBVS.LOG
  RZOOSORT.BAT    handy batch file to sort your unknown viruses!


== Miscellaneous

Why is RHBVS.EXE such a small program? Well it is compressed  using a so
called online compressor.  Here are the results finding the best compressor
for RHBVS.EXE

      Original size (10.06.2000) =    342.560 bytes   **
                    (17.07.2003) =    385.120 bytes
                    (09.09.2003) =    396.928 bytes
                    (25.04.2005) =    407.344 bytes
                    (10.02.2007) =    410.944 bytes
                    (13.08.2010) =    413.280 bytes
                    (28.11.2017) =    415.664 bytes (147kb compressed)
                    (28.03.2018) =    416.832 bytes (132kb compressed)


  Compressors (always newest versions, used on the 342 KB executable **)
      UPX --lzma                      1?????  (used)
      UPX -9                          114964
      UPX                             116349
      wwpack 3.05                     133588
      Compack 5.1                     140330
      Ainexe                          142627
      AVPack                          145527
      Diet                            147731
      Pklite 2.01                     150024
      LzEXE                           152456


include::viruses.adoc[Virus Description]

== Copyright

(C)opyright by

  __________ ________    ____________________   ___________      _____________
  \______   \\_____  \  /   _____/\_   _____/  /   _____/  \    /  \_   _____/
  |       _/ /   |   \ \_____  \  |    __)_   \_____  \\   \/\/   /|    __)_
  |    |   \/    |    \/        \ |        \  /        \\        / |        \
  |____|_  /\_______  /_______  //_______  / /_______  / \__/\  / /_______  /
         \/         \/        \/         \/          \/       \/          \/

  -------------------------------------=-----------------------------------
    ROSE SWE                           See ROSEBBS.TXT for
    Dipl.-Ing. Ralph Roth              full address, FAX and PGP keys.
    http://rose.rult.at
    rose_swe@hotmail.com               All Rights Reserved!
  -------------------------------------=-----------------------------------



== End

End of the documentation! Thank you for reading it.  Bye!
