$Id: f_mirc.txt,v 1.25 2005/03/20 15:03:36 ralproth Exp $

___________.__            .___ _____  .__
\_   _____/|__| ____    __| _//     \ |__|______   ____
 |    __)  |  |/    \  / __ |/  \ /  \|  \_  __ \_/ ___\
 |     \   |  |   |  \/ /_/ /    Y    \  ||  | \/\  \___
 \___  /   |__|___|  /\____ \____|__  /__||__|    \___  >
     \/            \/      \/       \/                \/

Introduction
~~~~~~~~~~~

What is Antivirus Software?

Antivirus software helps protect your computer against known viruses, worms,
Trojan horses, and other unwanted invaders that can make your computer "sick".
Computer viruses are much like biological viruses: they attach themselves to
hosts and replicate themselves repeatedly, but the hosts take the form of
diskettes, email attachments or files rather than living organisms. In this
case, however, it is worse than the flu.  Viruses, worms, Trojans and the like
often perform malicious acts, such as deleting files, accessing personal data,
using your computer to attack or spread to other computers, or simply
replicating and interfering with your system, making it unstable or more
vulnerable to attacks. A program that is able to detect viruses is called a
virus scanner.

FindMirc is both a very fast signature scanner and a so-called heuristic
scanner.  It can detect mutants of viruses; it will scan for trojans, jokes,
script viruses (VBS, HTML etc.), IRC worms, malware and dropper programs.
FindMirc is able to disassemble and decrypt files using many advanced
approaches and a software emulator. This generic detection, named heuristic
analysis, is a technique that makes it possible to detect unknown viruses by
searching for suspicious instruction sequences rather than relying on any
signature. FindMirc is therefore able to flag suspicious instruction
sequences and to detect as yet unknown viruses!

What is FindMirc?
~~~~~~~~~~~~~~~~~

FindMirc is a scanner that is able to detect script viruses, worms, viruses
and malware.  This includes IRC worms (.INI), batch files (.BAT), JavaScript
(.JS, .JSE), Visual Basic Script (.VBS, .HTML, .SHS, .VBE), trojans,
backdoors, mailworms, spyware, keyloggers, viruses (.EXE, .SHS, .SCR etc.)
and other script worms like .CS and .WBT infectors.  FindMirc additionally
uses heuristic scan engines and can find and qualify as yet unknown viruses!
For example, FindMirc was able to detect the VBS.Love_Letter virus family
using the heuristic scan engines!


About/History
~~~~~~~~~~~~~

Version 2.00 is ported from DOS 16 bit to Windows 32 bit, allowing FindMirc to
use long file names on all Win32 platforms.  Furthermore, the code is now
portable and is able to run under Linux and other operating systems!  As a
tradeoff of using the new 32 bit compiler, the generated code is slower than
the DOS 16 bit code, so if you need speed I suggest the use of the 16 bit
version instead; see Dual_Bound_Executable.txt! Please note that starting
with version 5.00 a DOS16 version is no longer available, only a DOS32 version!

Version 3.00 is compiled for Pentium MMX CPUs and better and WILL NOT run on
a 486 or Pentium CPU without MMX support!

Version 4.00 has the options -log and -logall; we also added basic detection
for Win32 trojans, backdoors and other malware (currently around 2000
signatures).

Version 4.50: Added the Trojan scan engine from VSP and RHBVS (~4000
viruses), added 180 new viruses.

See "History" for more details.

FindMirc is Freeware by ROSE SWE.  All Rights Reserved!


Different Operating System
~~~~~~~~~~~~~~~~~~~~~~~~~~

FindMirc is available for different operating systems. When you start FindMirc,
a banner with the program version, build number and target platform is printed.

E.g.:
----=[ F-mIRC/Win32 4.52-177 - IRC, VBS & Script Worm Detector ]=-------------
                ^    ^    ^
Platform -------/    |    |
Program version -----/    |
Build --------------------/


Platforms
~~~~~~~~~

The following platforms are currently supported

Win32   - Windows console, runs under Win95/98/ME, NT, 2000 & XP etc.,
          Pentium required. Long file names (LFN) supported on all platforms.

Dos32   - runs under Win32 + DOS, Pentium required; for DOS a DPMI extender
          is required.  Long file names supported under Windows 98, 2000 & XP

Dos16   - runs under Win32 + DOS, 386 CPU required, no extender required, but
          limited in Trojan/Backdoor detection due to insufficient memory! No
          LFN support at all! Skipped with the 6.xx versions (use DOS32 version
          instead).

Linux   - runs under 2.2.x and higher kernels. LFN under native Linux and
          mounted Win32/FAT supported. Requires Pentium. Fastest platform!


Build
~~~~~

The build number is a unique, increasing number that is incremented with
each build of FindMirc. A higher build number means a newer program
version.


Known Bugs/ToDo
~~~~~~~~~~~~~~~

1.) The commandline engine cannot handle spaces, e.g. -log="C:\Documents
and Settings\..." will currently NOT work!

2.) DOS EntryPoint versus Windows EP may report "Corrupted MS-DOS Header!
Size=10.992, EP=157.686"



Return/Error Codes
~~~~~~~~~~~~~~~~~~

0       all OK, nothing found
4       One of the signature files is damaged or the access is denied!
5       viruses found
6       cannot change to directory
7       online help (maybe wrong parameters)
8       file not found, e.g. virscan.*

11..18  DOS/Windows error, please report it to ROSE SWE!
xx      Internal error, please report it to ROSE SWE!
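To make the scanner description above and this return-code table concrete,
here is a small signature scanner written for this README. It is an added
example, not FindMirc's own engine and not its VIRSCAN.* database format:
the signature file layout (NAME=hex bytes), the function names, the sample
tree and the marker strings are all my own constructions, and the markers are
harmless text. It only reads the file types the README lists unless told to
scan everything (I take the -all option to mean "scan every file", which is
an assumption), and it returns the exit codes from the table: 0, 5, 6 and 8.

```python
"""Minimal signature scanner with FindMirc-style exit codes (added example).

Not FindMirc's engine or VIRSCAN.* format. Exit codes follow the README's
table: 0 nothing found, 5 viruses found, 6 cannot change to directory,
8 signature file not found. Signature format, names and samples are my own.
"""
import os
import tempfile

# File types the README lists as scanned script/worm/malware carriers.
SCANNED_EXT = {'.ini', '.bat', '.js', '.jse', '.vbs', '.html', '.shs', '.vbe',
               '.exe', '.scr', '.cs', '.wbt'}

EXIT_CLEAN, EXIT_FOUND, EXIT_NO_DIR, EXIT_NO_SIGFILE = 0, 5, 6, 8


def load_signatures(path):
    """Read 'NAME=hexbytes' lines (constructed format); '#' starts a comment."""
    sigs = []
    with open(path, 'r', encoding='ascii') as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith('#'):
                continue
            name, _, hexbytes = line.partition('=')
            sigs.append((name.strip(), bytes.fromhex(hexbytes.strip())))
    return sigs


def scan_file(path, sigs):
    """Return the names of all signatures whose bytes occur in one file."""
    with open(path, 'rb') as fh:
        data = fh.read()
    return [name for name, pattern in sigs if pattern in data]


def scan_tree(directory, sigs, scan_all=False):
    """Walk a directory; map 'relative/path' -> [signature names] for hits.

    Only SCANNED_EXT files are read unless scan_all is set (assumed meaning
    of the README's -all option).
    """
    found = {}
    for root, _dirs, files in os.walk(directory):
        for fn in files:
            if not scan_all and os.path.splitext(fn)[1].lower() not in SCANNED_EXT:
                continue
            full = os.path.join(root, fn)
            hits = scan_file(full, sigs)
            if hits:
                found[os.path.relpath(full, directory).replace(os.sep, '/')] = hits
    return found


def run(directory, sigfile, scan_all=False, log=None):
    """Scan and return a FindMirc-style exit code; optionally append a log."""
    if not os.path.isfile(sigfile):
        return EXIT_NO_SIGFILE      # README: 8 = file not found, e.g. virscan.*
    if not os.path.isdir(directory):
        return EXIT_NO_DIR          # README: 6 = cannot change to directory
    found = scan_tree(directory, load_signatures(sigfile), scan_all)
    if log:
        with open(log, 'a', encoding='utf-8') as fh:
            for rel, names in sorted(found.items()):
                fh.write(f"{rel}: {', '.join(names)}\n")
    return EXIT_FOUND if found else EXIT_CLEAN


def build_demo():
    """Create a constructed sample tree and signature file; return (dir, sigfile)."""
    base = tempfile.mkdtemp(prefix='f_mirc_demo_')
    sigfile = os.path.join(base, 'virscan.dmo')
    markers = {'Demo.IRC-Worm': b'DEMO-IRC-WORM-MARKER',   # constructed, harmless
               'Demo.Batch': b'DEMO-BATCH-MARKER'}
    with open(sigfile, 'w', encoding='ascii') as fh:
        fh.write('# constructed demo signatures, NAME=hex bytes\n')
        for name, pattern in markers.items():
            fh.write(f'{name}={pattern.hex()}\n')
    tree = os.path.join(base, 'samples')
    os.makedirs(os.path.join(tree, 'sub'))
    samples = {
        'script.ini':  b'[script]\n; ' + markers['Demo.IRC-Worm'] + b'\n',
        'notes.txt':   b'text carrying ' + markers['Demo.IRC-Worm'],  # not in SCANNED_EXT
        'sub/run.bat': b'@echo off\nrem ' + markers['Demo.Batch'] + b'\n',
        'sub/ok.bat':  b'@echo off\necho clean\n',
    }
    for rel, data in samples.items():
        with open(os.path.join(tree, *rel.split('/')), 'wb') as fh:
            fh.write(data)
    return tree, sigfile


if __name__ == '__main__':
    tree, sigfile = build_demo()
    code = run(tree, sigfile, log=os.path.join(os.path.dirname(sigfile), 'scan.log'))
    print('exit code', code, scan_tree(tree, load_signatures(sigfile)))
```

Running the block scans the constructed tree and exits with 5, because two of
the scanned files carry a marker; notes.txt is skipped until scan_all is set,
which is the behaviour a caller relying on the extension list should expect.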


Commandline Parameters
~~~~~~~~~~~~~~~~~~~~~~

Run F_Mirc with the option -? to see all current supported commandline arguments!


Notes on parameter usage
------------------------

Customers familiar with the American or UNIX parameter syntax (minus sign
instead of the slash ' / ') can also use the minus sign (' - ') to start an
option. Under Linux the use of the minus sign for commandline arguments is
mandatory!

 Example: -all is equivalent to /ALL

Note: There must be at least one blank between the individual arguments! The
arguments are not case sensitive.


The environment variable F_Mirc
-------------------------------

Instead of always calling F_Mirc with arguments, F_Mirc can be controlled with a
so-called environment variable.  For example, enter the following at the DOS
prompt:

                     SET F_Mirc=/cde -log

If you start F_Mirc now, F_Mirc reads all required arguments from the variable.


Rollback of preset values
-------------------------

Sometimes it might be desired to reset options that have already been set
(e.g. by SET F_Mirc=...). This can simply be done by appending a minus sign
to the option on the command line; the option is then switched off.

For example, you have entered the following:

                          SET F_Mirc=/all

Then start F_Mirc with the following argument:

                            F_Mirc c: /all-

In this case the commandline option overrides the option set by the environment
variable! Commandline options always override environment options.
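The three sections above (parameter syntax, the F_Mirc environment variable
and rollback with a trailing minus) together define a small option-merging
rule. The following is an added example that implements that rule as
described; it is not FindMirc's own parser, and the function names are mine.
It applies the environment tokens first, then the command line, treats a
trailing '-' as switching an option off, lower-cases names because the
arguments are not case sensitive, accepts '/' only when allow_slash is set
(under Linux the minus sign is mandatory), and splits on blanks only, which
matches the README's note that spaces inside values are not supported.

```python
"""Option merging with the README's documented rules (added example).

Not FindMirc's own parser. Rules: options start with '/' or '-' (Linux:
'-' only), are blank-separated and case-insensitive; the F_Mirc environment
variable supplies options first; a trailing '-' switches an option off; the
command line always overrides the environment; '-log=file' carries a value.
Any other token is taken as a path to scan.
"""
import os


def parse_option(token, allow_slash=True):
    """Return (name, value, enabled) for an option token, or None for a path."""
    prefixes = ('-', '/') if allow_slash else ('-',)
    if len(token) < 2 or not token.startswith(prefixes):
        return None
    body, enabled = token[1:], True
    if body.endswith('-') and len(body) > 1:     # rollback, e.g. '/all-'
        body, enabled = body[:-1], False
    name, sep, value = body.partition('=')       # '-log=file' style value
    return name.lower(), (value if sep else None), enabled


def merge_options(env_value, argv, allow_slash=True):
    """Apply environment tokens, then argv tokens; later tokens win.

    Returns (options, paths): options maps a lower-case option name to its
    value, or True for a plain switch; a rolled-back option is removed.
    """
    options, paths = {}, []
    for tok in (env_value or '').split() + list(argv):
        parsed = parse_option(tok, allow_slash)
        if parsed is None:
            paths.append(tok)
            continue
        name, value, enabled = parsed
        if enabled:
            options[name] = True if value is None else value
        else:
            options.pop(name, None)
    return options, paths


def effective_options(argv, environ=None, allow_slash=True):
    """Read the F_Mirc variable from the environment and merge it with argv."""
    environ = os.environ if environ is None else environ
    return merge_options(environ.get('F_Mirc', ''), argv, allow_slash)


if __name__ == '__main__':
    # The README's rollback example: SET F_Mirc=/all, then F_Mirc c: /all-
    print(effective_options(['c:', '/all-'], {'F_Mirc': '/all'}))
```

With the README's own example (SET F_Mirc=/all, then F_Mirc c: /all-) the
result is an empty option set and the single path c:, which is exactly the
override the text describes.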


Suggested parameters for virus scanner testing
----------------------------------------------

For testing f_mirc against other virus scanners we suggest the following options:

F_Mirc directory_to_scan -all -log=vtc_13062004.log -logall -logdel

Please note: long file names in the commandline are supported WITHOUT spaces!


Speed
~~~~~

The following tests were made on a Pentium MMX 200 PC with Win-NT 4, SP6a

test bed:       6.969 files, (448 MB)

Compiler            Files   Found   Time (seconds)
fpc 1.0.6/win32     6969    337     187
fpc 1.0.6/dos32     6969    337     550
tp 6.0/dos16        6969    337     157  (!)
vpc 2.1/win32       6969    337     176


Included Files
~~~~~~~~~~~~~~

F_Mirc.EXE      FindMirc - virus scanner. Win32 console
                version and 32 bit version for DOS (requires a DPMI host).
                Hint: older FindMirc/16 is protected by HackStop 1.21; if you
                encounter problems executing FindMirc16.EXE, let us know!

F_Mirc.INI      License file for FindMirc. FindMirc is free for non-commercial
                users. If you want to use FindMirc in a commercial environment,
                please send an e-mail and we will provide you a personal key file
                for 10 Euro.


mIRC-worms.htm  A short description of script worms in HTML

VIRSCAN.WSM     Signature database to detect VBS/JS viruses (Windows Scripting Malware)
VIRSCAN.IRC     Signature database to detect Batch/ISS/IRC-Worm viruses
VIRSCAN.TRJ     Signature database to detect Trojans, viruses, Backdoors and malware

LINUX\          Ported version for Linux
SRC4LINUX\      Source (and if included object code) for Linux


CONTRIB\
MAKEWORM.BAT    Creates WormList.TXT
WORMLIST.TXT    Sorted and unified list of known (not all) script worms and
                malware to FindMirc


--------------------------------------------------------------------------
Files included in the 1.xx releases - we skipped them in the 2.xx releases
--------------------------------------------------------------------------

RHBVS.LOG       Log (with full name) of the tested samples (for reference).
                Same output like FindMirc - may be missing due to save some
                space!


\RFW\
 FindMirc.DAT     files for RFW (ROSE FILE WEEDER), containing checksums of
 FindMirc.LST     the current samples we have tested.
                 -> RFW c:\mydir -base=FindMirc.dat -all -log   [-del -whatever]

 _   _ _     _
| | | (_)___| |_ ___  _ __ _   _
| |_| | / __| __/ _ \| '__| | | |
|  _  | \__ \ || (_) | |  | |_| |
|_| |_|_|___/\__\___/|_|   \__, |
                           |___/
------------------------------------------------------------------------

17.11.2005      6.11    Virus database updated.
20.03.2005      6.10    Database format changed. New viruses added.
25.11.2004      6.03    Small enhancements, new viruses
16.09.2004      6.02    Additional "Suspect" warning is issued when F_Mirc
                        has found a virus in a non-executable file.
                        Scanning time is now displayed in hh:mm:ss format.
07-08.2004      6.00    Complete redesign of the scanning engines.
13.06.2004      5.72    Added 430 new viruses. Fixed a few bugs in the VBS, IRC
                        and Batch virus detection engine.
11.05.2004      5.70    Added around 400 new viruses.
10.02.2004      5.61    Pressing Escape to stop scanning should now work
                        from "everywhere". Added around 120 new viruses.
20.01.2004      5.58    Fixed -log= & -logall bug. Fixed wrong -file= comment
11.01.2004      5.57    beta releases
09.09.2003      5.56    beta releases for testers. 714 viruses added!
                 ::
06.09.2003      5.50    Ported ten engines to Linux and included them into
                        FindMirc. Changed option -h to -help. Added option
                        -HEUR to enable heuristic mode scanning.
03.09.2003      5.02    31+44 new viruses
12.08.2003      5.01    49 new viruses, especially IWorm.LovSan/MSBlaster
11.08.2003      5.00    added AVR_Mini, AVR_boot, AVR-CryptCom, AVR_FamR,
                        AVR_CallNull etc. to detect small DOS+boot viruses
10.08.2003      4.53    194 new viruses, small enhancements and bug fixes
05.08.2003      4.52    150 new viruses, added Compiler+OS detection unit
23.07.2003      4.51    Bugfixes and new option -logdel
16.07.2003      4.50    Trojan scan engine added
08.07.2003      4.10
27.02.2003      4.00
17.03.2002      2.51
21.04.2002      2.21
11.03.2002      2.11    Linux port
18.01.2001      2.00    Win32 port


Some Scan Tests
~~~~~~~~~~~~~~~

Done on my F_Prot Collection (no dupes/unique viruses)

f_mirc . -all -log

Version                 Files//Detected
5.50-248                53.262//26.538         (49.8%) ----|
5.50-251/-HEUR          53.262//36.684         (68.9%)     |
5.56beta-270            53.262//27.252         (51.2%) <---/  + 714

5.72                    37.650//19.449         (51.7%)

(C)opyright 1987-2005 by ROSE SWE (ALL RIGHTS RESERVED!)


__________ ________    ____________________   ___________      _____________
\______   \\_____  \  /   _____/\_   _____/  /   _____/  \    /  \_   _____/
 |       _/ /   |   \ \_____  \  |    __)_   \_____  \\   \/\/   /|    __)_
 |    |   \/    |    \/        \ |        \  /        \\        / |        \
 |____|_  /\_______  /_______  //_______  / /_______  / \__/\  / /_______  /
        \/         \/        \/         \/          \/       \/          \/

 -------------------------------------=-----------------------------------
     ROSE SWE                           See ROSEBBS.TXT for
     Dipl.-Ing. Ralph Roth              full address, FAX and PGP keys.
     http://come.to/rose_swe
     rose_swe@hotmail.com               All Rights Reserved!
 -------------------------------------=-----------------------------------


Credits
~~~~~~~

in alphabetical order

Alex Pettinger
Andreas Haak
Andreas Marx
Florian Eichelberger
Joe Hartmann
Jörg Adinghoff
Patrick Jansen
Terry Toh
tbb (the Byte Bandit)


you?


FAQ/German
~~~~~~~~~~

tbb//12967808: I did try that... you must have date-triggered functions in there
ralph.roth: date-triggered functions, no, only for the key, which does not last forever -> update required

tbb//12967808: ah. how long is the key valid?
ralph.roth: it is in the ini

tbb//12967808: what is the difference between sharetime and runtime?
tbb//12967808: hey, can I also change features to 8 or 10? would I then have a 1337 version? lol
ralph.roth: from sharetime on you are prompted to update
ralph.roth: from RunTime on the key is invalid
ralph.roth: Features etc. cannot be changed, otherwise the key is invalid!


/end/