Wednesday, 22 July 2009

VirSort: long life to the king of the virus collecting tools!

Hi, malware collectors of the world!

Today I will dedicate my post to the tool that has been around virus collectors for the most years: VirSort.

VirSort was written many years ago and it has been rewritten by different people several times.

Let's start with a history lesson.

Christian Julius is the father of the virus sorting tool called VirSort. Here we can read the documentation he added to the first package he released:
V I R S O R T 1.1 beta

Why do you need Virsort?

You collect virii and the collection has grown to a few thousand samples, and each week you get another few hundred samples?

Then you have the problem of analysing and sorting them into directories, spending hours while doing so.

VIRSORT takes this work away from you. It analyzes a scan list from the popular anti-virus program F-Prot by Fridrik Skulason and compares the incoming virii against your own. After doing so it sorts out the dupes and copies the new virii into separate directories.

How to use:

1. Make an F-Prot list of your virii and don't forget to add the /nowrap command line parameter.

2. Copy this list into the same directory as virsort.exe.

3. Type virsort -b to create a database and you'll get a few files:

virsort.dat = The database

unsort.log = Suspicious files not identified 100% (sort them in manually)

new_vir.log = The new virii

trojans.log = Trojan horses

variants.log = New or modified virii

possible.log = Possibly infected files

4. Type in virsort -s <- no backslash at the end, and virsort will create new directories and copy the viruses into them.

You can use the -sd switch instead to move the files into the target directory; otherwise they'll be copied.

Note: The dupes are not removed. I'll fix this in future versions of my software.

5. You get a new collection?

Make an F-Prot file and type

virsort -c

The output file contains the new virii list in binary format.

Go to step 4 to sort them in.

Virsort asks you for updating your database now.

If you type 'y' the incoming virii are added to your database and the old database is deleted.

I can't guarantee that there are no bugs in it; if you recognize some, please let me know.

This software is published as Public Domain, so you can spread it to everybody who wants it, but you are not allowed to take a fee for it.

Further and improved versions will be published as Shareware.

Please excuse any spelling mistakes.

Christian Julius

Germany

email: chj@ing.ruhr.de

That's the information the author included in the first release of the package.

It's not clear whether Brian Burdick (Shadow Seeker) continued coding on the version written by Christian Julius or started a new version from scratch. Either way, he initiated the second phase of development. At some point the project passed into Jim Fougeron's (Poltergeist) hands.

Polt was in charge of the project for some time, but around 1997, more or less, he left the trading scene. He sent the VirSort source code to Spooky, but Spooky never continued with the development. This second release of VirSort was coded in C++.

When it was obvious that Spooky was not going to continue working on the tool, Brian started a new version of VirSort (the third stage in the history of VirSort). This time Brian coded the tool in Pascal and renamed it VirSort 2000, or just VS2000, as it's better known nowadays.

After a few releases Brian gave up development, partly because he did not have much time and partly because he considered that the tool already had the required features. This happened in 1998.

I was not satisfied with the features, as I wanted more included. I asked him for the source code to continue improving it. At that moment I had no idea about Pascal. Brian also sent the source code to Ralph Roth. It was supposed that both Ralph and I would continue with the development, but in the end I was the only one keeping up the updating work, and that's how it has been from 1998 to right now.

In the fourth stage I started improving Brian's code, but at some point I rewrote the tool almost from scratch. Initially the tool was compiled with Turbo Pascal, after a while with Free Pascal, and right now it's being coded in Delphi.

The number of features is so big that explaining all of them would take lots of space. It's better if I explain the main features and you learn to use the others as you need them. You can find a manual (a bit outdated but still valid) here.

There are 3 main functions: build a database, compare a log and add new stuff to existing database.

Build a database: -B. Example: VS2000 -B AVP.LOG

Compare a log: -C. Example: VS2000 -C OTHER_TRADER.LOG

Add new stuff to your database: -A. Example: VS2000 -A AVP2.LOG

Pretty easy to use.
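As an added illustration (not VirSort's or VS2000's code), here is a minimal Python sketch of the build / compare / add workflow that both the original documentation and the VS2000 switches describe: a database of detection names, an incoming log split into dupes, variants, new names and unsorted files, and a merge step. The log format is constructed for the example rather than F-Prot's or AVP's real output, and the "variant" rule (same family prefix, different name) is an assumption of this sketch.

```python
import re

# Constructed scan-log format (not F-Prot's real one): "<path>  Infection: <name>"
# for a hit, "<path>  could be infected ..." for a heuristic hit, anything else ignored.
HIT = re.compile(r"^(?P<path>\S+)\s+Infection:\s+(?P<name>.+?)\s*$")
SUSPECT = re.compile(r"^(?P<path>\S+)\s+could be infected")

def family(name):
    return name.split(".")[0]  # assumed rule: Jerusalem.Sunday -> Jerusalem

def parse_log(text):
    """Return ({path: detection name}, [paths flagged but not identified])."""
    identified, suspicious = {}, []
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            identified[m["path"]] = m["name"]
        elif SUSPECT.match(line):
            suspicious.append(line.split()[0])
    return identified, suspicious

def build_db(log_text):
    """-B: the database is simply the set of detection names you already hold."""
    return set(parse_log(log_text)[0].values())

def compare(db, log_text):
    """-C: split an incoming log into dupes, variants, new names and unsorted."""
    identified, suspicious = parse_log(log_text)
    families = {family(n) for n in db}
    report = {"new": {}, "variants": {}, "dupes": {}, "unsort": suspicious}
    for path, name in identified.items():
        if name in db:
            report["dupes"][path] = name       # already in the collection
        elif family(name) in families:
            report["variants"][path] = name    # known family, new variant
        else:
            report["new"][path] = name         # entirely new to you
    return report

def add_to_db(db, log_text):
    """-A: merge the names from a freshly scanned log into the database."""
    return db | build_db(log_text)

# Constructed sample logs: your own scan and another trader's.
MY_LOG = """C:\\VIRS\\JERUS.COM  Infection: Jerusalem.1808.Standard
C:\\VIRS\\STONED.IMG  Infection: Stoned.Standard
C:\\VIRS\\CLEAN.EXE  OK
"""
INCOMING_LOG = """D:\\TRADE\\A.COM  Infection: Jerusalem.1808.Standard
D:\\TRADE\\B.COM  Infection: Jerusalem.Sunday
D:\\TRADE\\C.EXE  Infection: Cascade.1701
D:\\TRADE\\D.EXE  could be infected with an unknown virus
"""
```

Running `compare(build_db(MY_LOG), INCOMING_LOG)` files A.COM as a dupe, B.COM as a variant, C.EXE as new and D.EXE as unsorted, mirroring the log files the original documentation lists.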

I didn't mention it before, but VirSort has always been a command line tool.

Many traders I have met in my years in the trading scene preferred GUI tools, but I must say that most of the best tools for collecting are usually those that run at the command line.

You can find VS2000 for Win32 here.

I also compiled a version of VS2000 for Linux. You can find it here, but the Linux version is not supported and has not been tested deeply.

VS2000 is so professional that even people from antivirus vendors have used it. Some of them asked for support for the reports generated by their antivirus to be included.

Enough about VS2000! You'd better go and try it!
